docs: provide more information on scanning Google's GCR (#1426 )

Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
docs(misconfiguration): added instruction for misconfiguration detection (#1428 )
2025-12-09 14:20:47 -08:00 · 2021-12-07 03:28:46 +02:00 · 2021-12-06 13:56:41 +02:00 · 2021-12-06 13:04:03 +02:00 · 2021-12-06 10:53:34 +02:00 · 2021-12-02 17:52:57 +09:00
179 changed files with 135473 additions and 132798 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+version: 2
+updates:
+- package-ecosystem: github-actions
+  directory: /
+  schedule:
+    interval: daily
+- package-ecosystem: docker
+  directory: /
+  schedule:
+    interval: daily
--- a/.github/workflows/publish-chart.yaml
+++ b/.github/workflows/publish-chart.yaml
@@ -1,45 +1,82 @@
-name: Publish Chart Helm
+
+name: Publish Helm chart
+
 on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'helm/trivy/**'
  push:
    branches: [main]
    paths:
      - 'helm/trivy/**'
-  workflow_dispatch:
 env:
  HELM_REP: helm-charts
  GH_OWNER: aquasecurity
  CHART_DIR: helm/trivy
+  KIND_VERSION: "v0.11.1"
+  KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"
 jobs:
-  release:
+  test-chart:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
        with:
          fetch-depth: 0
      - name: Install Helm
-        uses: azure/setup-helm@v1
+        uses: azure/setup-helm@18bc76811624f360dbd7f18c2d4ecb32c7b87bab #v1.1
        with:
          version: v3.5.0
+      - name: Set up python
+        uses: actions/setup-python@0066b88440aa9562be742e2c60ee750fc57d8849 #v2.3.0
+        with:
+          python-version: 3.7
+      - name: Setup Chart Linting
+        id: lint
+        uses: helm/chart-testing-action@5f16c27cf7a4fa9c776ff73734df3909b2b65127 #v2.1.0
+      - name: Setup Kubernetes cluster (KIND)
+        uses: helm/kind-action@94729529f85113b88f4f819c17ce61382e6d8478 #v1.2.0
+        with:
+          version: ${{ env.KIND_VERSION }}
+          image: ${{ env.KIND_IMAGE }}
+      - name: Run chart-testing
+        run: ct lint-and-install --validate-maintainers=false --charts helm/trivy
+      - name: Run chart-testing (Ingress enabled)
+        run: |
+          sed -i -e '97s,false,'true',g' ./helm/trivy/values.yaml
+          ct lint-and-install --validate-maintainers=false --charts helm/trivy
+
+  publish-chart:
+    if: github.event_name == 'push'
+    needs:
+      - test-chart
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
+        with:
+          fetch-depth: 0
      - name: Install chart-releaser
        run: |
-          wget https://github.com/helm/chart-releaser/releases/download/v1.1.1/chart-releaser_1.1.1_linux_amd64.tar.gz
-          tar xzvf chart-releaser_1.1.1_linux_amd64.tar.gz cr
+          wget https://github.com/helm/chart-releaser/releases/download/v1.3.0/chart-releaser_1.3.0_linux_amd64.tar.gz
+          echo "baed2315a9bb799efb71d512c5198a2a3b8dcd139d7f22f878777cffcd649a37  chart-releaser_1.3.0_linux_amd64.tar.gz" | sha256sum -c -
+          tar xzvf chart-releaser_1.3.0_linux_amd64.tar.gz cr
      - name: Package helm chart
        run: |
          ./cr package ${{ env.CHART_DIR }}
      - name: Upload helm chart
        # Failed with upload the same version: https://github.com/helm/chart-releaser/issues/101
        continue-on-error: true
-        ## Upload the tar in the Releases repository
        run: |
          ./cr upload -o ${{ env.GH_OWNER }} -r ${{ env.HELM_REP }} --token ${{ secrets.ORG_REPO_TOKEN }} -p .cr-release-packages
      - name: Index helm chart
        run: |
          ./cr index -o ${{ env.GH_OWNER }} -r ${{ env.HELM_REP }} -c https://${{ env.GH_OWNER }}.github.io/${{ env.HELM_REP }}/ -i index.yaml
-
      - name: Push index file
-        uses: dmnemec/copy_file_to_another_repo_action@v1.0.4
+        uses: dmnemec/copy_file_to_another_repo_action@c93037aa10fa8893de271f19978c980d0c1a9b37 #v1.1.1
        env:
          API_TOKEN_GITHUB: ${{ secrets.ORG_REPO_TOKEN }}
        with:
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -4,7 +4,7 @@ on:
    tags:
      - "v*"
 env:
-  GO_VERSION: "1.16"
+  GO_VERSION: "1.17"
  GH_USER: "aqua-bot"
 jobs:
  release:
@@ -57,15 +57,14 @@ jobs:
          username: ${{ secrets.ECR_ACCESS_KEY_ID }}
          password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
      - name: Generate SBOM
-        uses: CycloneDX/gh-gomod-generate-sbom@v0.3.0
+        uses: CycloneDX/gh-gomod-generate-sbom@v1
        with:
-          json: true
-          output: bom.json
-          version: ^v0
+          args: mod -licenses -json -output bom.json
+          version: ^v1
      - name: Release
        uses: goreleaser/goreleaser-action@v2
        with:
-          version: v0.164.0
+          version: v0.183.0
          args: release --rm-dist
        env:
          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
--- a/.github/workflows/stale-issues.yaml
+++ b/.github/workflows/stale-issues.yaml
@@ -7,7 +7,7 @@ jobs:
    timeout-minutes: 1
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/stale@v3
+    - uses: actions/stale@v4
      with:
        repo-token: ${{ secrets.GITHUB_TOKEN }}
        stale-issue-message: 'This issue is stale because it has been labeled with inactivity.'
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -10,7 +10,7 @@ on:
      - 'LICENSE'
  pull_request:
 env:
-  GO_VERSION: "1.16"
+  GO_VERSION: "1.17"
 jobs:
  test:
    name: Test
@@ -75,7 +75,7 @@ jobs:
    - name: Run GoReleaser
      uses: goreleaser/goreleaser-action@v2
      with:
-        version: v0.164.0
+        version: v0.183.0
        args: release --snapshot --rm-dist --skip-publish

  build-documents:
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,9 +1,9 @@
-Thank you for taking interest in contributing to Trivy !
+Thank you for taking interest in contributing to Trivy!

 ## Issues
 - Feel free to open issues for any reason. When you open a new issue, you'll have to select an issue kind: bug/feature/support and fill the required information based on the selected template.
 - Please spend a small amount of time giving due diligence to the issue tracker. Your issue might be a duplicate. If it is, please add your comment to the existing issue.
- Remember users might be searching for your issue in the future, so please give it a meaningful title to help others.
+- Remember that users might search for your issue in the future, so please give it a meaningful title to help others.
 - The issue should clearly explain the reason for opening, the proposal if you have any, and any relevant technical information.

 ## Pull Requests
@@ -23,6 +23,6 @@ Thank you for taking interest in contributing to Trivy !
 Trivy is composed of several different repositories that work together:

 - [Trivy](https://github.com/aquasecurity/trivy) is the client-side, user-facing, command line tool.
- [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerabilities database, aggregated from different sources, and normalized for easy consumption. This of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo** 
+- [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerabilities database, aggregated from different sources, and normalized for easy consumption. Think of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo** 
 - [vuln-list-update](https://github.com/aquasecurity/vuln-list-update) is the code that maintains the vuln-list database.
- [fanal](https://github.com/aquasecurity/fanal) is a library for extracting system information containers. It is being used by Trivy to find testable subjects in the container image.
+- [fanal](https://github.com/aquasecurity/fanal) is a library for extracting system information from containers. It is being used by Trivy to find testable subjects in the container image.
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-FROM alpine:3.14
+FROM alpine:3.15.0
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/
--- a/README.md
+++ b/README.md
@@ -193,6 +193,12 @@ Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
 # Documentation
 The official documentation, which provides detailed installation, configuration, and quick start guides, is available at https://aquasecurity.github.io/trivy/.

+---
+
+Trivy is an [Aqua Security][aquasec] open source project.  
+Learn about our open source work and portfolio [here][oss].  
+Contact us about any matter by opening a GitHub Discussion [here][discussions]
+
 [test]: https://github.com/aquasecurity/trivy/actions/workflows/test.yaml
 [test-img]: https://github.com/aquasecurity/trivy/actions/workflows/test.yaml/badge.svg
 [go-report]: https://goreportcard.com/report/github.com/aquasecurity/trivy
@@ -207,3 +213,7 @@ The official documentation, which provides detailed installation, configuration,
 [alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
 [action]: https://github.com/aquasecurity/trivy-action
 [vscode]: https://github.com/aquasecurity/trivy-vscode-extension
+
+[aquasec]: https://aquasec.com
+[oss]: https://www.aquasec.com/products/open-source-projects/
+[discussions]: https://github.com/aquasecurity/trivy/discussions
--- a/ci/deploy-deb.sh
+++ b/ci/deploy-deb.sh
@@ -1,7 +1,7 @@
 #!/bin/bash

 DEBIAN_RELEASES=$(debian-distro-info --supported)
-UBUNTU_RELEASES=$(ubuntu-distro-info --supported)
+UBUNTU_RELEASES=$(sort -u <(ubuntu-distro-info --supported-esm) <(ubuntu-distro-info --supported))

 cd trivy-repo/deb

--- a/contrib/Trivy.gitlab-ci.yml
+++ b/contrib/Trivy.gitlab-ci.yml
@@ -10,7 +10,7 @@ Trivy_container_scanning:
    IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
  allow_failure: true
  before_script:
-    - export TRIVY_VERSION=${TRIVY_VERSION:-v0.4.3}
+    - export TRIVY_VERSION=${TRIVY_VERSION:-v0.19.2}
    - apk add --no-cache curl docker-cli
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
    - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${TRIVY_VERSION}
--- a/contrib/install.sh
+++ b/contrib/install.sh
@@ -182,11 +182,11 @@ log_tag() {
 }
 log_debug() {
  log_priority 7 || return 0
-  echoerr "$(log_prefix)" "$(log_tag 7)" "$@"
+  echo "$(log_prefix)" "$(log_tag 7)" "$@"
 }
 log_info() {
  log_priority 6 || return 0
-  echoerr "$(log_prefix)" "$(log_tag 6)" "$@"
+  echo "$(log_prefix)" "$(log_tag 6)" "$@"
 }
 log_err() {
  log_priority 3 || return 0
--- a/contrib/sarif.tpl
+++ b/contrib/sarif.tpl
@@ -1,6 +1,7 @@
 {
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "version": "2.1.0",
+  {{- $rules := makeRuleMap }}
  "runs": [
    {
      "tool": {
@@ -14,42 +15,43 @@
        {{- range $result := . }}
            {{- $vulnerabilityType := .Type }}
            {{- range .Vulnerabilities -}}
-              {{- if $t_first -}}
-                {{- $t_first = false -}}
-              {{ else -}}
-                ,
-              {{- end }}
-            {
-              "id": {{ printf "%s: %s-%s %s" $result.Target .PkgName .InstalledVersion .VulnerabilityID | toJson }},
-              "name": "{{ toSarifRuleName $vulnerabilityType }}",
-              "shortDescription": {
-                "text": {{ printf "%v Package: %v" .VulnerabilityID .PkgName | printf "%q" }}
-              },
-              "fullDescription": {
-                "text": {{ endWithPeriod (escapeString .Title) | printf "%q" }}
-              },
-              "defaultConfiguration": {
-                "level": "{{ toSarifErrorLevel .Vulnerability.Severity }}"
-              }
-              {{- with $help_uri := .PrimaryURL -}}
-              ,
-              {{ $help_uri | printf "\"helpUri\": %q," -}}
-              {{- else -}}
-              ,
-              {{- end }}
-              "help": {
-                "text": {{ printf "Vulnerability %v\nSeverity: %v\nPackage: %v\nInstalled Version: %v\nFixed Version: %v\nLink: [%v](%v)" .VulnerabilityID .Vulnerability.Severity .PkgName .InstalledVersion .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}},
-                "markdown": {{ printf "**Vulnerability %v**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|%v|%v|%v|%v|[%v](%v)|\n" .VulnerabilityID .Vulnerability.Severity .PkgName .InstalledVersion .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}}
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "{{ .Vulnerability.Severity }}",
-                  {{ .PkgName | printf "%q" }}
-                ],
-                "precision": "very-high"
-              }
-            }
+                {{- if indexRule $rules .VulnerabilityID -}}
+                  {{- if $t_first -}}
+                    {{- $t_first = false -}}
+                  {{ else -}}
+                    ,
+                  {{- end }}
+                {
+                  "id": {{ .VulnerabilityID | toJson }},
+                  "name": "{{ toSarifRuleName $vulnerabilityType }}",
+                  "shortDescription": {
+                    "text": {{ .VulnerabilityID | toJson }}
+                  },
+                  "fullDescription": {
+                    "text": {{ endWithPeriod (escapeString .Title) | printf "%q" }}
+                  },
+                  "defaultConfiguration": {
+                    "level": "{{ toSarifErrorLevel .Vulnerability.Severity }}"
+                  }
+                  {{- with $help_uri := .PrimaryURL -}}
+                  ,
+                  {{ $help_uri | printf "\"helpUri\": %q," -}}
+                  {{- else -}}
+                  ,
+                  {{- end }}
+                  "help": {
+                    "text": {{ printf "Vulnerability %v\n%v\nSeverity: %v\nPackage: %v\nFixed Version: %v\nLink: [%v](%v)" .VulnerabilityID .Vulnerability.Description .Vulnerability.Severity .PkgName .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}},                    
+                    "markdown": {{ printf "**Vulnerability %v**\n%v\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|%v|%v|%v|[%v](%v)|\n" .VulnerabilityID .Vulnerability.Description .Vulnerability.Severity .PkgName .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}}                    
+                  },
+                  "properties": {
+                    "tags": [
+                      "vulnerability",
+                      "{{ .Vulnerability.Severity }}"
+                    ],
+                    "precision": "very-high"
+                  }
+                }
+                {{- end -}}
            {{- end -}}
         {{- end -}}
          ]
@@ -66,17 +68,20 @@
            ,
          {{- end }}
        {
-          "ruleId": {{ printf "%s: %s-%s %s" $result.Target .PkgName .InstalledVersion .VulnerabilityID | toJson }},
-          "ruleIndex": {{ $index }},
+          "ruleId": {{ .VulnerabilityID | toJson }},
+          "ruleIndex": {{ index $rules .VulnerabilityID }},
          "level": "{{ toSarifErrorLevel $vulnerability.Vulnerability.Severity }}",
          "message": {
-            "text": {{ endWithPeriod (escapeString $vulnerability.Description) | printf "%q" }}
+            "text": {{ printf "Package: %v\nInstalled Version: %v\nVulnerability %v\nSeverity: %v\nFixed Version: %v\nLink: [%v](%v)" .PkgName .InstalledVersion .VulnerabilityID .Vulnerability.Severity .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}}
          },
          "locations": [{
            "physicalLocation": {
              "artifactLocation": {
                "uri": "{{ toPathUri $filePath }}",
                "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
              }
            }
          }]
@@ -87,7 +92,7 @@
      "columnKind": "utf16CodeUnits",
      "originalUriBaseIds": {
        "ROOTPATH": {
-          "uri": "/"
+          "uri": "file:///"
        }
      }
    }
--- a/docs/advanced/air-gap.md
+++ b/docs/advanced/air-gap.md
@@ -2,7 +2,10 @@

 Trivy can be used in air-gapped environments.

-## Download the vulnerability database
+
+## Air-Gapped Environment for vulnerabilities
+
+### Download the vulnerability database
 At first, you need to download the vulnerability database for use in air-gapped environments.
 Go to [trivy-db][trivy-db] and download `trivy-offline.db.tgz` in the latest release.
 If you download `trivy-light-offline.db.tgz`, you have to run Trivy with `--light` option.
@@ -11,14 +14,14 @@ If you download `trivy-light-offline.db.tgz`, you have to run Trivy with `--ligh
 $ wget https://github.com/aquasecurity/trivy-db/releases/latest/download/trivy-offline.db.tgz
 ```

-## Transfer the DB file into the air-gapped environment
+### Transfer the DB file into the air-gapped environment
 The way of transfer depends on the environment.

 ```
 $ rsync -av -e ssh /path/to/trivy-offline.db.tgz [user]@[host]:dst
 ```

-## Put the DB file in Trivy's cache directory
+### Put the DB file in Trivy's cache directory
 You have to know where to put the DB file. The following command shows the default cache directory.

 ```
@@ -47,11 +50,69 @@ $ rm trivy-offline.db.tgz

 In an air-gapped environment it is your responsibility to update the Trivy database on a regular basis, so that the scanner can detect recently-identified vulnerabilities. 

-## Run Trivy with --skip-update option
+### Run Trivy with --skip-update option
 In an air-gapped environment, specify `--skip-update` so that Trivy doesn't attempt to download the latest database file.

 ```
 $ trivy image --skip-update alpine:3.12
 ```

+## Air-Gapped Environment for misconfigurations
+
+### Download misconfiguration policies
+At first, you need to download misconfiguration policies for use in air-gapped environments.
+Please follow [oras installation instruction][oras]. \
+Download `bundle.tar.gz`:
+
+```
+$ oras pull ghcr.io/aquasecurity/appshield:latest -a
+```
+
+### Transfer misconfiguration policies into the air-gapped environment
+The way of transfer depends on the environment.
+
+```
+$ rsync -av -e ssh /path/to/bundle.tar.gz [user]@[host]:dst
+```
+
+### Put the misconfiguration policies in Trivy's cache directory
+You have to know where to put the misconfiguration policies file. The following command shows the default cache directory.
+
+```
+$ ssh user@host
+$ trivy -h | grep cache
+   --cache-dir value  cache directory (default: "/home/myuser/.cache/trivy") [$TRIVY_CACHE_DIR]
+```
+
+Put the misconfiguration policies file in the cache directory + `/policy/content`.
+
+```
+$ mkdir -p /home/myuser/.cache/trivy/policy/content
+$ cd /home/myuser/.cache/trivy/policy/content
+$ mv /path/to/bundle.tar.gz .
+```
+
+Then, decompress it.
+`bundle.tar.gz ` file includes two folders: `docker`, `kubernetes` and file: `.manifest`.
+
+```
+$ tar xvf bundle.tar.gz 
+x ./docker/
+...
+x ./kubernetes/
+...
+x ./.manifest
+$ rm bundle.tar.gz
+```
+
+In an air-gapped environment it is your responsibility to update policies on a regular basis, so that the scanner can detect recently-identified misconfigurations. 
+
+### Run Trivy with --skip-policy-update option
+In an air-gapped environment, specify `--skip-policy-update` so that Trivy doesn't attempt to download the latest misconfiguration policies.
+
+```
+$ trivy conf --skip-policy-update /path/to/conf
+```
+
 [trivy-db]: https://github.com/aquasecurity/trivy-db/releases
+[oras]: https://oras.land/cli/
--- a/docs/advanced/community/references.md
+++ b/docs/advanced/community/references.md
@@ -0,0 +1,19 @@
+# External References
+There are external blogs and evaluations.
+
+## Blogs
+- [the vulnerability remediation lifecycle of Alpine containers][alpine]
+- [Continuous Container Vulnerability Testing with Trivy][semaphore]
+- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy][round-up]
+- [Docker Image Security: Static Analysis Tool Comparison – Anchore Engine vs Clair vs Trivy][tool-comparison]
+
+## Links
+- [Research Spike: evaluate Trivy for scanning running containers][gitlab]
+- [Istio evaluates scanners][istio]
+
+[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
+[semaphore]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy
+[round-up]: https://boxboat.com/2020/04/24/image-scanning-tech-compared/
+[tool-comparison]: https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/
+[gitlab]: https://gitlab.com/gitlab-org/gitlab/-/issues/270888
+[istio]: https://github.com/istio/release-builder/pull/687#issuecomment-874938417
--- a/docs/advanced/community/tools.md
+++ b/docs/advanced/community/tools.md
@@ -0,0 +1,29 @@
+# Community Tools
+The open source community has been hard at work developing new tools for Trivy. You can check out some of them here.
+
+Have you created a tool that’s not listed? Add the name and description of your integration and open a pull request in the GitHub repository to get your change merged.
+
+## GitHub Actions
+
+| Actions                                    | Description                                                                      |
+| ------------------------------------------ | -------------------------------------------------------------------------------- |
+| [gitrivy][gitrivy]                         | GitHub Issue + Trivy                                                             |
+| [trivy-github-issues][trivy-github-issues] | GitHub Actions for creating GitHub Issues according to the Trivy scanning result |
+
+## CircleCI
+
+| Orb                                      | Description                               |
+| -----------------------------------------| ----------------------------------------- |
+| [fifteen5/trivy-orb][fifteen5/trivy-orb] | Orb for running Trivy, a security scanner |
+
+## Others
+
+| Name                                     | Description                               |
+| -----------------------------------------| ----------------------------------------- |
+| [Trivy Vulnerability Explorer][explorer] | Explore trivy vulnerability reports in your browser and create .trivyignore files interactively. Can be integrated in your CI/CD tooling with deep links.   |
+
+
+[trivy-github-issues]: https://github.com/marketplace/actions/trivy-github-issues
+[fifteen5/trivy-orb]: https://circleci.com/developer/orbs/orb/fifteen5/trivy-orb
+[gitrivy]: https://github.com/marketplace/actions/trivy-action
+[explorer]: https://dbsystel.github.io/trivy-vulnerability-explorer/
--- a/docs/advanced/container/embed-in-dockerfile.md
+++ b/docs/advanced/container/embed-in-dockerfile.md
@@ -10,7 +10,7 @@ FROM alpine:3.7

 RUN apk add curl \
    && curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin \
-    && trivy filesystem --exit-code 1 --no-progress /
+    && trivy rootfs --exit-code 1 --no-progress /

 $ docker build -t vulnerable-image .
 ```
@@ -21,7 +21,7 @@ insecure `curl | sh`. Also the image is not changed.
 # Run vulnerability scan on build image
 FROM build AS vulnscan
 COPY --from=aquasec/trivy:latest /usr/local/bin/trivy /usr/local/bin/trivy
-RUN trivy filesystem --exit-code 1 --no-progress /
+RUN trivy rootfs --exit-code 1 --no-progress /
 [...]
 ```

--- a/docs/advanced/container/unpacked-filesystem.md
+++ b/docs/advanced/container/unpacked-filesystem.md
@@ -6,7 +6,7 @@ In this case, Trivy works the same way when scanning containers

 ```bash
 $ docker export $(docker create alpine:3.10.2) | tar -C /tmp/rootfs -xvf -
-$ trivy fs /tmp/rootfs
+$ trivy rootfs /tmp/rootfs
 ```

 <details>
--- a/docs/advanced/integrations/bitbucket.md
+++ b/docs/advanced/integrations/bitbucket.md
@@ -0,0 +1,5 @@
+# Bitbucket Pipelines
+
+See [trivy-pipe][trivy-pipe] for the details.
+
+[trivy-pipe]: https://github.com/aquasecurity/trivy-pipe
--- a/docs/advanced/integrations/gitlab-ci.md
+++ b/docs/advanced/integrations/gitlab-ci.md
@@ -1,5 +1,11 @@
 # GitLab CI

+If you're a GitLab Ultimate customer, GitLab 14.0 and above include out-of-the-box integration with Trivy. To enable it for your project, simply add the container scanning template to your `.gitlab-ci.yml` file. For more details, please refer to [GitLab's documentation](https://docs.gitlab.com/ee/user/application_security/container_scanning/).
+
+If you're using an earlier version of GitLab, you can still use the new integration by copying the [contents of the 14.0 template](https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml) to your configuration.
+
+Alternatively, you can always use the example configurations below.
+
 ```yaml
 stages:
  - test
--- a/docs/advanced/private-registries/gcr.md
+++ b/docs/advanced/private-registries/gcr.md
@@ -1,7 +1,40 @@
-Trivy uses Google Cloud SDK. You don't need to install `gcloud` command.
+# Requirements
+None, Trivy uses Google Cloud SDK. You don't need to install `gcloud` command.

-If you want to use target project's repository, you can settle via `GOOGLE_APPLICATION_CREDENTIAL`.
+# Privileges
+Credential file must have the `roles/storage.objectViewer` permissions.
+More information can be found in [Google's documentation](https://cloud.google.com/container-registry/docs/access-control)
+
+## JSON File Format
+The JSON file specified should have the following format provided by google's service account mechanisms:
+
+```json
+{
+  "type": "service_account",
+  "project_id": "your_special_project",
+  "private_key_id": "XXXXXXXXXXXXXXXXXXXXxx",
+  "private_key": "-----BEGIN PRIVATE KEY-----\nNONONONO\n-----END PRIVATE KEY-----\n",
+  "client_email": "somedude@your_special_project.iam.gserviceaccount.com",
+  "client_id": "1234567890",
+  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+  "token_uri": "https://oauth2.googleapis.com/token",
+  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/somedude%40your_special_project.iam.gserviceaccount.com"
+}
+```
+
+# Usage
+If you want to use target project's repository, you can set them via `GOOGLE_APPLICATION_CREDENTIALS`.
 ```bash
 # must set TRIVY_USERNAME empty char
 export GOOGLE_APPLICATION_CREDENTIALS=/path/to/credential.json
 ```
+
+# Testing
+You can test credentials in the following manner (assuming they are in `/tmp` on host machine).
+
+```bash
+docker run -it --rm -v /tmp:/tmp\
+  -e GOOGLE_APPLICATION_CREDENTIALS=/tmp/service_account.json\
+  aquasec/trivy image gcr.io/your_special_project/your_special_image:your_special_tag
+```
--- a/docs/getting-started/cli/fs.md
+++ b/docs/getting-started/cli/fs.md
@@ -10,7 +10,6 @@ USAGE:
 OPTIONS:
   --template value, -t value                     output template [$TRIVY_TEMPLATE]
   --format value, -f value                       format (table, json, template) (default: "table") [$TRIVY_FORMAT]
-   --input value, -i value                        input file path instead of image name [$TRIVY_INPUT]
   --severity value, -s value                     severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
   --output value, -o value                       output file name [$TRIVY_OUTPUT]
   --exit-code value                              Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
@@ -18,7 +17,6 @@ OPTIONS:
   --skip-policy-update                           skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE]
   --clear-cache, -c                              clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
   --ignore-unfixed                               display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
-   --removed-pkgs                                 detect vulnerabilities of removed packages (only for Alpine) (default: false) [$TRIVY_REMOVED_PKGS]
   --vuln-type value                              comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
   --security-checks value                        comma-separated list of what security issues to detect (vuln,config) (default: "vuln") [$TRIVY_SECURITY_CHECKS]
   --ignorefile value                             specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
--- a/docs/getting-started/cli/rootfs.md
+++ b/docs/getting-started/cli/rootfs.md
@@ -0,0 +1,34 @@
+# Rootfs
+
+```bash
+NAME:
+   trivy rootfs - scan rootfs
+
+USAGE:
+   trivy rootfs [command options] dir
+
+OPTIONS:
+   --template value, -t value                     output template [$TRIVY_TEMPLATE]
+   --format value, -f value                       format (table, json, template) (default: "table") [$TRIVY_FORMAT]
+   --severity value, -s value                     severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
+   --output value, -o value                       output file name [$TRIVY_OUTPUT]
+   --exit-code value                              Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
+   --skip-db-update, --skip-update                skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE]
+   --skip-policy-update                           skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE]
+   --clear-cache, -c                              clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
+   --ignore-unfixed                               display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
+   --vuln-type value                              comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
+   --security-checks value                        comma-separated list of what security issues to detect (vuln,config) (default: "vuln") [$TRIVY_SECURITY_CHECKS]
+   --ignorefile value                             specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
+   --cache-backend value                          cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
+   --timeout value                                timeout (default: 5m0s) [$TRIVY_TIMEOUT]
+   --no-progress                                  suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
+   --ignore-policy value                          specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
+   --list-all-pkgs                                enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
+   --skip-files value                             specify the file paths to skip traversal [$TRIVY_SKIP_FILES]
+   --skip-dirs value                              specify the directories where the traversal is skipped [$TRIVY_SKIP_DIRS]
+   --config-policy value                          specify paths to the Rego policy files directory, applying config files [$TRIVY_CONFIG_POLICY]
+   --config-data value                            specify paths from which data for the Rego policies will be recursively loaded [$TRIVY_CONFIG_DATA]
+   --policy-namespaces value, --namespaces value  Rego namespaces (default: "users") [$TRIVY_POLICY_NAMESPACES]
+   --help, -h                                     show help (default: false)
+```
--- a/docs/getting-started/further.md
+++ b/docs/getting-started/further.md
@@ -18,11 +18,6 @@
 - [Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action][actions2]
 - [Using Trivy to Discover Vulnerabilities in VS Code Projects][vscode]

-## External Blogs
- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy][round-up]
- [Docker Image Security: Static Analysis Tool Comparison – Anchore Engine vs Clair vs Trivy][tool-comparison]
- [Research Spike: evaluate Trivy for scanning running containers][gitlab]
-
 [intro]: https://www.youtube.com/watch?v=AzOBGm7XxOA
 [cncf]: https://www.youtube.com/watch?v=XnYxX9uueoQ
 [server]: https://www.youtube.com/watch?v=tNQ-VlahtYM
@@ -35,7 +30,3 @@
 [actions]: https://blog.aquasec.com/devsecops-with-trivy-github-actions
 [actions2]: https://blog.aquasec.com/github-vulnerability-scanner-trivy
 [vscode]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-vs-code
-
-[round-up]: https://boxboat.com/2020/04/24/image-scanning-tech-compared/
-[tool-comparison]: https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/
-[gitlab]: https://gitlab.com/gitlab-org/gitlab/-/issues/270888
--- a/docs/getting-started/overview.md
+++ b/docs/getting-started/overview.md
@@ -8,7 +8,7 @@ Trivy detects two types of security issues:
 Trivy can scan three different artifacts:

 - [Container Images][container]
- [Filesystem][filesystem]
+- [Filesystem][filesystem] and [Rootfs][rootfs]
 - [Git Repositories][repo]

 Trivy can be run in two different modes:
@@ -53,7 +53,7 @@ See [Integrations][integrations] for details.
        - A remote image in Docker Registry such as Docker Hub, ECR, GCR and ACR
        - A tar archive stored in the `docker save` / `podman save` formatted file
        - An image directory compliant with [OCI Image Format][oci]
-    - local filesystem
+    - local filesystem and rootfs
    - remote git repository

 Please see [LICENSE][license] for Trivy licensing information.
@@ -64,6 +64,7 @@ Please see [LICENSE][license] for Trivy licensing information.
 [vuln]: ../vulnerability/scanning/index.md
 [misconf]: ../misconfiguration/index.md
 [container]: ../vulnerability/scanning/image.md
+[rootfs]: ../vulnerability/scanning/rootfs.md
 [filesystem]: ../vulnerability/scanning/filesystem.md
 [repo]: ../vulnerability/scanning/git-repository.md

--- a/docs/getting-started/troubleshooting.md
+++ b/docs/getting-started/troubleshooting.md
@@ -48,6 +48,17 @@ Reference : [boltdb: Opening a database][boltdb].

 [boltdb]: https://github.com/boltdb/bolt#opening-a-database

+### Error downloading vulnerability DB
+
+!!! error
+    FATAL failed to download vulnerability DB
+
+If trivy is running behind corporate firewall try to whitelist urls below:
+
+- api.github.com
+- github.com
+- github-releases.githubusercontent.com
+
 ## Homebrew
 ### Scope error
 !!! error
--- a/docs/index.md
+++ b/docs/index.md
@@ -32,8 +32,18 @@ All you need to do for scanning is to specify a target such as an image name of
  <figcaption>Demo: Misconfiguration Detection</figcaption>
 </figure>

+---
+
+Trivy is an [Aqua Security][aquasec] open source project.  
+Learn about our open source work and portfolio [here][oss].  
+Contact us about any matter by opening a GitHub Discussion [here][discussions]
+
 [vulnerability]: vulnerability/scanning/index.md
 [misconf]: misconfiguration/index.md
 [os]: vulnerability/detection/os.md
 [lang]: vulnerability/detection/language.md
-[iac]: misconfiguration/iac.md
+[iac]: misconfiguration/iac.md
+
+[aquasec]: https://aquasec.com
+[oss]: https://www.aquasec.com/products/open-source-projects/
+[discussions]: https://github.com/aquasecurity/trivy/discussions
--- a/docs/misconfiguration/comparison/cfsec.md
+++ b/docs/misconfiguration/comparison/cfsec.md
@@ -0,0 +1,25 @@
+# vs cfsec
+[cfsec][cfsec] uses static analysis of your CloudFormation templates to spot potential security issues.
+Trivy uses cfsec internally to scan both JSON and YAML configuration files, but Trivy doesn't support some features provided by cfsec.
+This section describes the differences between Trivy and cfsec.
+
+| Feature                     | Trivy                                   | cfsec                |
+| --------------------------- | --------------------------------------- | -------------------- |
+| Built-in Policies           | :material-check:                        | :material-check:     |
+| Custom Policies             | Rego[^1]                                | :material-close:     |
+| Policy Metadata[^2]         | :material-check:                        | :material-check:     |
+| Show Successes              | :material-check:                        | :material-check:     |
+| Disable Policies            | :material-check:                        | :material-check:     |
+| Show Issue Lines            | :material-close:                        | :material-check:     |
+| View Statistics             | :material-close:                        | :material-check:     |
+| Filtering by Severity       | :material-check:                        | :material-close:     |
+| Supported Formats           | Dockerfile, JSON, YAML, Terraform, etc. | CloudFormation JSON and YAML       |
+
+[^1]: CloudFormation files are not supported
+[^2]: To enrich the results such as ID, Title, Description, Severity, etc.
+
+cfsec is designed for CloudFormation.
+People who use only want to scan their CloudFormation templates should use cfsec.
+People who want to scan a wide range of configuration files should use Trivy.
+
+[cfsec]: https://github.com/aquasecurity/cfsec
--- a/docs/misconfiguration/comparison/tfsec.md
+++ b/docs/misconfiguration/comparison/tfsec.md
@@ -23,4 +23,4 @@ tfsec is designed for Terraform.
 People who use only Terraform should use tfsec.
 People who want to scan a wide range of configuration files should use Trivy.

-[tfsec]: https://github.com/tfsec/tfsec
+[tfsec]: https://github.com/aquasecurity/tfsec
--- a/docs/misconfiguration/iac.md
+++ b/docs/misconfiguration/iac.md
@@ -2,7 +2,7 @@

 ## Quick start

-Simply specify a directory containing IaC files such as Terraform and Dockerfile.
+Simply specify a directory containing IaC files such as Terraform, CloudFormation and Dockerfile.

 ``` bash
 $ trivy config [YOUR_IaC_DIRECTORY]
@@ -37,12 +37,12 @@ Trivy will automatically fetch the managed policies and will keep them up-to-dat
 The specified directory can contain mixed types of IaC files.
 Trivy automatically detects config types and applies relevant policies.

-For example, the following example holds IaC files for Terraform, Kubernetes, and Dockerfile in the same directory.
+For example, the following example holds IaC files for Terraform, CloudFormation, Kubernetes, and Dockerfile in the same directory.

 ``` bash
 $ ls iac/
 Dockerfile  deployment.yaml  main.tf
-$ trivy conf --severith HIGH,CRITICAL ./iac
+$ trivy conf --severity HIGH,CRITICAL ./iac
 ```

 <details>
@@ -149,8 +149,14 @@ You can see the config type next to each file name.
    ===================
    Tests: 23 (SUCCESSES: 14, FAILURES: 9, EXCEPTIONS: 0)
    Failures: 9 (HIGH: 6, CRITICAL: 1)
-    
+
    ...
+
+    bucket.yaml (cloudformation)
+    ============================
+    Tests: 9 (SUCCESSES: 3, FAILURES: 6, EXCEPTIONS: 0)
+    Failures: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 4, CRITICAL: 0)
+
    ```

 ## Example
--- a/docs/misconfiguration/policy/builtin.md
+++ b/docs/misconfiguration/policy/builtin.md
@@ -4,22 +4,23 @@

 Built-in policies are mainly written in [Rego][rego].
 Those policies are managed under [AppShield repository][appshield].
-Only Terraform's policies are currently powered by [tfsec][tfsec].
+Terraform policies are currently powered by [tfsec][tfsec] and CloudFormation policies are powered by [cfsec][cfsec].

 | Config type    | Source                        |
 | ---------------| ----------------------------- |
 | Kubernetes     | [AppShield][kubernetes]       |
 | Dockerfile     | [AppShield][docker]           |
 | Terraform      | [tfsec][tfsec-checks]         |
+| CloudFormation | [cfsec][cfsec-checks]         |

-For suggestions or issues regarding policy content, please open an issue under [AppShield][appshield] or [tfsec][tfsec] repository.
+For suggestions or issues regarding policy content, please open an issue under [AppShield][appshield], [tfsec][tfsec] or [cfsec][cfsec] repository.

-CloudFormation and Ansible are coming soon.
+Ansible are coming soon.

 ## Policy Distribution
-AppShield policies are destributed as OPA bundle on [GitHub Container Registry][ghcr] (GHCR).
-When misconfiguration detection is enabled, Trivy pulls OPA bundle from GHCR as OCI artifact and stores it in the cache.
-Then, those policies are loaded into Trivy OPA engine and used for detecting misconfigurations.
+AppShield policies are distributed as an OPA bundle on [GitHub Container Registry][ghcr] (GHCR).
+When misconfiguration detection is enabled, Trivy pulls the OPA bundle from GHCR as an OCI artifact and stores it in the cache.
+Those policies are then loaded into Trivy OPA engine and used for detecting misconfigurations.

 ## Update Interval
 Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if there are any updates.
@@ -29,10 +30,12 @@ Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if th
 [kubernetes]: https://github.com/aquasecurity/appshield/tree/master/kubernetes
 [docker]: https://github.com/aquasecurity/appshield/tree/master/docker
 [tfsec-checks]: https://tfsec.dev/docs/aws/home/
-[tfsec]: https://github.com/tfsec/tfsec
+[tfsec]: https://github.com/aquasecurity/tfsec
+[cfsec-checks]: https://cfsec.dev/
+[cfsec]: https://github.com/aquasecurity/cfsec
 [ghcr]: https://github.com/aquasecurity/appshield/pkgs/container/appshield

 [dockerfile-bestpractice]: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
 [pss]: https://kubernetes.io/docs/concepts/security/pod-security-standards/
 [azure]: https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
-[kics]: https://github.com/Checkmarx/kics/
+[kics]: https://github.com/Checkmarx/kics/
--- a/docs/vulnerability/detection/data-source.md
+++ b/docs/vulnerability/detection/data-source.md
@@ -23,7 +23,7 @@
 |                              | [GitHub Advisory Database (Composer)][php-ghsa]  | ✅              | -        |
 | Python                       | [Safety DB][python]                              | ❌              | 1 month  |
 |                              | [GitHub Advisory Database (pip)][python-ghsa]    | ✅              | -        |
-| Ruby                         | [Ruby Advisory Database][ruby]                   | ❌ (partially)  | -        |
+| Ruby                         | [Ruby Advisory Database][ruby]                   | ✅              | -        |
 |                              | [GitHub Advisory Database (RubyGems)][ruby-ghsa] | ✅              | -        |
 | Node.js                      | [Ecosystem Security Working Group][nodejs]       | ✅              | -        |
 |                              | [GitHub Advisory Database (npm)][nodejs-ghsa]    | ✅              | -        |
--- a/docs/vulnerability/detection/language.md
+++ b/docs/vulnerability/detection/language.md
@@ -2,23 +2,34 @@

 `Trivy` automatically detects the following files in the container and scans vulnerabilities in the application dependencies.

-| Language | File                                            | Dev dependencies |
-| ---------| ------------------------------------------------| -----------------|
-| Ruby     | Gemfile.lock                                    | included         |
-| Python   | Pipfile.lock                                    | excluded         |
-|          | poetry.lock                                     | included         |
-| PHP      | composer.lock                                   | excluded         |
-| Node.js  | package-lock.json                               | excluded         |
-|          | yarn.lock                                       | included         |
-| .NET     | packages.lock.json                              | included         |
-| Java     | JAR/WAR/EAR (`*.jar`, `*.war`, and `*.ear`)[^1] | included         |
-| Go       | Binaries built by Go[^2]                        | excluded         |
-|          | go.sum                                          | included         |
-
+| Language | File                     | Image[^6] | Rootfs[^7] | Filesystem[^8] |  Repository[^9] |Dev dependencies |
+|----------|--------------------------|:---------:|:----------:|:--------------:|:---------------:|-----------------|
+| Ruby     | Gemfile.lock             | -         | -          | ✅             | ✅              | included        |
+|          | gemspec                  | ✅        | ✅         | -              | -               | included        |
+| Python   | Pipfile.lock             | -         | -          | ✅             | ✅              | excluded        |
+|          | poetry.lock              | -         | -          | ✅             | ✅              | included        |
+|          | requirements.txt         | -         | -          | ✅             | ✅              | included        |
+|          | egg package[^1]          | ✅        | ✅         | -              | -               | excluded        |
+|          | wheel package[^2]        | ✅        | ✅         | -              | -               | excluded        |
+| PHP      | composer.lock            | ✅        | ✅         | ✅             | ✅              | excluded        |
+| Node.js  | package-lock.json        | -         | -          | ✅             | ✅              | excluded        |
+|          | yarn.lock                | -         | -          | ✅             | ✅              | included        |
+|          | package.json             | ✅        | ✅         | -              | -               | excluded        |
+| .NET     | packages.lock.json       | ✅        | ✅         | ✅             | ✅              | included        |
+| Java     | JAR/WAR/EAR[^3][^4]      | ✅        | ✅         | ✅             | ✅              | included        |
+| Go       | Binaries built by Go[^5] | ✅        | ✅         | -              | -               | excluded        |
+|          | go.sum                   | -         | -          | ✅             | ✅              | included        |

 The path of these files does not matter.

 Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Dockerfile)

-[^1]: It requires the Internet access
-[^2]: UPX-compressed binaries don't work
+[^1]: `*.egg-info`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO`
+[^2]: `.dist-info/META-DATA`
+[^3]: `*.jar`, `*.war`, and `*.ear`
+[^4]: It requires the Internet access
+[^5]: UPX-compressed binaries don't work
+[^6]: ✅ means "enabled" and `-` means "disabled" in the image scanning
+[^7]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
+[^8]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
+[^9]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
--- a/docs/vulnerability/detection/os.md
+++ b/docs/vulnerability/detection/os.md
@@ -4,7 +4,7 @@ The unfixed/unfixable vulnerabilities mean that the patch has not yet been provi

 | OS                               | Supported Versions                       | Target Packages               | Detection of unfixed vulnerabilities |
 | -------------------------------- | ---------------------------------------- | ----------------------------- | :----------------------------------: |
-| Alpine Linux                     | 2.2 - 2.7, 3.0 - 3.13                    | Installed by apk              |                  NO                  |
+| Alpine Linux                     | 2.2 - 2.7, 3.0 - 3.15                    | Installed by apk              |                  NO                  |
 | Red Hat Universal Base Image[^1] | 7, 8                                     | Installed by yum/rpm          |                 YES                  |
 | Red Hat Enterprise Linux         | 6, 7, 8                                  | Installed by yum/rpm          |                 YES                  |
 | CentOS                           | 6, 7                                     | Installed by yum/rpm          |                 YES                  |
--- a/docs/vulnerability/scanning/filesystem.md
+++ b/docs/vulnerability/scanning/filesystem.md
@@ -1,6 +1,6 @@
 # Filesystem

-Scan a filesystem (such as a host machine, a virtual machine image, or an unpacked container image filesystem).
+Scan a local project including language-specific files.

 ```bash
 $ trivy fs /path/to/project
@@ -47,57 +47,3 @@ Total: 10 (UNKNOWN: 2, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)
 ```

 </details>
-
-## From Inside Containers
-Scan your container from inside the container.
-
-```bash
-$ docker run --rm -it alpine:3.11
-/ # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
-/ # trivy fs /
-```
-
-<details>
-<summary>Result</summary>
-
-```
-2021-03-08T05:22:26.378Z        INFO    Need to update DB
-2021-03-08T05:22:26.380Z        INFO    Downloading DB...
-20.37 MiB / 20.37 MiB [-------------------------------------------------------------------------------------------------------------------------------------] 100.00% 8.24 MiB p/s 2s
-2021-03-08T05:22:30.134Z        INFO    Detecting Alpine vulnerabilities...
-2021-03-08T05:22:30.138Z        INFO    Trivy skips scanning programming language libraries because no supported file was detected
-
-313430f09696 (alpine 3.11.7)
-============================
-Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 6, CRITICAL: 0)
-
-+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
-|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
-+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
-| libcrypto1.1 | CVE-2021-23839   | HIGH     | 1.1.1i-r0         | 1.1.1j-r0     | openssl: incorrect SSLv2              |
-|              |                  |          |                   |               | rollback protection                   |
-|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
-+              +------------------+          +                   +               +---------------------------------------+
-|              | CVE-2021-23840   |          |                   |               | openssl: integer                      |
-|              |                  |          |                   |               | overflow in CipherUpdate              |
-|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
-+              +------------------+          +                   +               +---------------------------------------+
-|              | CVE-2021-23841   |          |                   |               | openssl: NULL pointer dereference     |
-|              |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
-|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
-+--------------+------------------+          +                   +               +---------------------------------------+
-| libssl1.1    | CVE-2021-23839   |          |                   |               | openssl: incorrect SSLv2              |
-|              |                  |          |                   |               | rollback protection                   |
-|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
-+              +------------------+          +                   +               +---------------------------------------+
-|              | CVE-2021-23840   |          |                   |               | openssl: integer                      |
-|              |                  |          |                   |               | overflow in CipherUpdate              |
-|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
-+              +------------------+          +                   +               +---------------------------------------+
-|              | CVE-2021-23841   |          |                   |               | openssl: NULL pointer dereference     |
-|              |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
-|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
-+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
-```
-
-</details>
--- a/docs/vulnerability/scanning/git-repository.md
+++ b/docs/vulnerability/scanning/git-repository.md
@@ -6,8 +6,6 @@ Scan your remote git repository
 $ trivy repo https://github.com/knqyf263/trivy-ci-test
 ```

-Only public repositories are supported.
-
 <details>
 <summary>Result</summary>

@@ -148,3 +146,20 @@ Total: 20 (UNKNOWN: 3, LOW: 0, MEDIUM: 7, HIGH: 5, CRITICAL: 5)
 ```

 </details>
+
+## Scanning Private Repositories
+
+In order to scan private GitHub or GitLab repositories, the environment variable `GITHUB_TOKEN` or `GITLAB_TOKEN` must be set, respectively, with a valid token that has access to the private repository being scanned.
+
+The `GITHUB_TOKEN` environment variable will take precedence over `GITLAB_TOKEN`, so if a private GitLab repository will be scanned, then `GITHUB_TOKEN` must be unset.
+
+For example:
+
+```
+$ export GITHUB_TOKEN="your_private_github_token"
+$ trivy repo <your private GitHub repo URL>
+$
+$ # or
+$ export GITLAB_TOKEN="your_private_gitlab_token"
+$ trivy repo <your private GitLab repo URL>
+```
--- a/docs/vulnerability/scanning/index.md
+++ b/docs/vulnerability/scanning/index.md
@@ -1,10 +1,11 @@
 # Vulnerability Scanning

-Trivy scans [Container Images][image], [Filesystem][fs], and [Git Repositores][repo] to detect vulnerabilities.
+Trivy scans [Container Images][image], [Rootfs][rootfs], [Filesystem][fs], and [Git Repositories][repo] to detect vulnerabilities.

 ![vulnerability][vuln]

 [image]: image.md
+[rootfs]: rootfs.md
 [fs]: filesystem.md
 [repo]: git-repository.md
-[vuln]: ../../imgs/vulnerability.png
+[vuln]: ../../imgs/vulnerability.png
--- a/docs/vulnerability/scanning/rootfs.md
+++ b/docs/vulnerability/scanning/rootfs.md
@@ -0,0 +1,68 @@
+# Rootfs
+
+Scan a root filesystem (such as a host machine, a virtual machine image, or an unpacked container image filesystem).
+
+```bash
+$ trivy rootfs /path/to/rootfs
+```
+
+## From Inside Containers
+Scan your container from inside the container.
+
+```bash
+$ docker run --rm -it alpine:3.11
+/ # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+/ # trivy rootfs /
+```
+
+<details>
+<summary>Result</summary>
+
+```
+2021-03-08T05:22:26.378Z        INFO    Need to update DB
+2021-03-08T05:22:26.380Z        INFO    Downloading DB...
+20.37 MiB / 20.37 MiB [-------------------------------------------------------------------------------------------------------------------------------------] 100.00% 8.24 MiB p/s 2s
+2021-03-08T05:22:30.134Z        INFO    Detecting Alpine vulnerabilities...
+2021-03-08T05:22:30.138Z        INFO    Trivy skips scanning programming language libraries because no supported file was detected
+
+313430f09696 (alpine 3.11.7)
+============================
+Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 6, CRITICAL: 0)
+
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
+|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
+| libcrypto1.1 | CVE-2021-23839   | HIGH     | 1.1.1i-r0         | 1.1.1j-r0     | openssl: incorrect SSLv2              |
+|              |                  |          |                   |               | rollback protection                   |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
+              +------------------+          +                   +               +---------------------------------------+
+|              | CVE-2021-23840   |          |                   |               | openssl: integer                      |
+|              |                  |          |                   |               | overflow in CipherUpdate              |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
+              +------------------+          +                   +               +---------------------------------------+
+|              | CVE-2021-23841   |          |                   |               | openssl: NULL pointer dereference     |
+|              |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
+--------------+------------------+          +                   +               +---------------------------------------+
+| libssl1.1    | CVE-2021-23839   |          |                   |               | openssl: incorrect SSLv2              |
+|              |                  |          |                   |               | rollback protection                   |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
+              +------------------+          +                   +               +---------------------------------------+
+|              | CVE-2021-23840   |          |                   |               | openssl: integer                      |
+|              |                  |          |                   |               | overflow in CipherUpdate              |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
+              +------------------+          +                   +               +---------------------------------------+
+|              | CVE-2021-23841   |          |                   |               | openssl: NULL pointer dereference     |
+|              |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
+```
+
+</details>
+
+## Other Examples
+- [Embed in Dockerfile][embedding]
+- [Unpacked container image filesystem][unpacked]
+
+[embedding]: ../../advanced/container/embed-in-dockerfile.md
+[unpacked]: ../../advanced/container/unpacked-filesystem.md
--- a/examples/misconf/mixed/configs/bucket.yaml
+++ b/examples/misconf/mixed/configs/bucket.yaml
@@ -0,0 +1,24 @@
+---
+AWSTemplateFormatVersion: "2010-09-09"
+Description: An example Stack for a bucket
+Parameters:
+  BucketName: 
+    Type: String
+    Default: naughty-bucket
+  EncryptBucket:
+    Type: Boolean
+    Default: false
+Resources:
+  S3Bucket:
+    Type: 'AWS::S3::Bucket'
+    Properties:
+      BucketName:
+        Ref: BucketName
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: false
+        BlockPublicPolicy: false
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: false
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+        - BucketKeyEnabled: !Ref EncryptBucket
--- a/go.mod
+++ b/go.mod
@@ -7,52 +7,46 @@ require (
 	github.com/Masterminds/sprig v2.22.0+incompatible
 	github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/fanal v0.0.0-20210719144537-c73c1e9f21bf
-	github.com/aquasecurity/go-dep-parser v0.0.0-20210520015931-0dd56983cc62
+	github.com/aquasecurity/fanal v0.0.0-20211130145558-2c76718ef52e
+	github.com/aquasecurity/go-dep-parser v0.0.0-20211110174639-8257534ffed3
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
 	github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492
-	github.com/aquasecurity/trivy-db v0.0.0-20210531102723-aaab62dec6ee
+	github.com/aquasecurity/trivy-db v0.0.0-20210916043317-726b7b72a47b
 	github.com/caarlos0/env/v6 v6.0.0
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cheggaaa/pb/v3 v3.0.3
-	github.com/containerd/containerd v1.4.4 // indirect
-	github.com/docker/docker v20.10.3+incompatible
+	github.com/containerd/containerd v1.5.7 // indirect
+	github.com/docker/cli v20.10.9+incompatible // indirect
+	github.com/docker/docker v20.10.10+incompatible
 	github.com/docker/go-connections v0.4.0
-	github.com/elazarl/goproxy v0.0.0-20200809112317-0581fc3aee2d // indirect
 	github.com/fatih/color v1.10.0
-	github.com/go-redis/redis/v8 v8.4.0
+	github.com/go-redis/redis/v8 v8.11.4
 	github.com/goccy/go-yaml v1.8.2 // indirect
-	github.com/golang/protobuf v1.4.3
-	github.com/google/go-containerregistry v0.1.2
+	github.com/golang/protobuf v1.5.2
+	github.com/google/go-containerregistry v0.6.0
 	github.com/google/go-github/v33 v33.0.0
 	github.com/google/wire v0.4.0
-	github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00 // indirect
 	github.com/hashicorp/go-getter v1.5.2
 	github.com/huandu/xstrings v1.3.2 // indirect
 	github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
 	github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
 	github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936
-	github.com/kylelemons/godebug v1.1.0
 	github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08
 	github.com/mitchellh/copystructure v1.1.1 // indirect
 	github.com/olekukonko/tablewriter v0.0.5
-	github.com/open-policy-agent/opa v0.25.2
-	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/smartystreets/assertions v1.2.0 // indirect
-	github.com/spf13/afero v1.2.2
+	github.com/open-policy-agent/opa v0.34.0
+	github.com/spf13/afero v1.6.0
 	github.com/stretchr/objx v0.3.0 // indirect
 	github.com/stretchr/testify v1.7.0
-	github.com/testcontainers/testcontainers-go v0.9.1-0.20210218153226-c8e070a2f18d
+	github.com/testcontainers/testcontainers-go v0.11.1
 	github.com/twitchtv/twirp v8.1.0+incompatible
 	github.com/urfave/cli/v2 v2.3.0
-	go.uber.org/zap v1.16.0
-	golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5
-	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
+	go.uber.org/zap v1.19.1
+	golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1
-	google.golang.org/protobuf v1.25.0
-	gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b // indirect
+	google.golang.org/protobuf v1.27.1
 	gopkg.in/go-playground/validator.v9 v9.31.0 // indirect
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
 	k8s.io/utils v0.0.0-20201110183641-67b214c5f920
--- a/go.sum
+++ b/go.sum
--- a/goreleaser.yml
+++ b/goreleaser.yml
@@ -20,6 +20,7 @@ builds:
      - arm
      - arm64
      - ppc64le
+      - s390x
    goarm:
      - 7
    ignore:
@@ -54,6 +55,9 @@ nfpms:
      netbsd: NetBSD
      freebsd: FreeBSD
      dragonfly: DragonFlyBSD
+    contents:
+     - src: contrib/*.tpl
+       dst: /usr/local/share/trivy/templates

 archives:
  -
@@ -83,9 +87,9 @@ brews:
      owner: aquasecurity
      name: homebrew-trivy
    homepage: "https://github.com/aquasecurity/trivy"
-    description: ""
+    description: "Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues"
    test: |
-      system "#{bin}/program --version"
+      system "#{bin}/trivy", "--version"

 dockers:
  - image_templates:
@@ -95,7 +99,7 @@ dockers:
      - "ghcr.io/aquasecurity/trivy:latest-amd64"
      - "public.ecr.aws/aquasecurity/trivy:latest-amd64"
      - "public.ecr.aws/aquasecurity/trivy:{{ .Version }}-amd64"
-    use_buildx: true
+    use: buildx
    goos: linux
    goarch: amd64
    ids:
@@ -119,7 +123,7 @@ dockers:
      - "ghcr.io/aquasecurity/trivy:latest-arm64"
      - "public.ecr.aws/aquasecurity/trivy:latest-arm64"
      - "public.ecr.aws/aquasecurity/trivy:{{ .Version }}-arm64"
-    use_buildx: true
+    use: buildx
    goos: linux
    goarch: arm64
    ids:
--- a/helm/trivy/Chart.yaml
+++ b/helm/trivy/Chart.yaml
@@ -1,11 +1,11 @@
 apiVersion: v2
 name: trivy
-version: 0.4.4
-appVersion: "0.18.3"
+version: 0.4.7
+appVersion: "0.21.0"
 description: Trivy helm chart
 keywords:
  - scanner
  - trivy
  - vulnerability
 sources:
- https://github.com/aquasecurity/trivy
+  - https://github.com/aquasecurity/trivy
--- a/helm/trivy/templates/ingress.yaml
+++ b/helm/trivy/templates/ingress.yaml
@@ -1,6 +1,12 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "trivy.fullname" . -}}
+{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+apiVersion: networking.k8s.io/v1
+{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }}
 apiVersion: networking.k8s.io/v1beta1
+{{- else }}
+apiVersion: extensions/v1beta1
+{{- end }}
 kind: Ingress
 metadata:
  name: {{ include "trivy.fullname" . }}
@@ -12,6 +18,9 @@ metadata:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 spec:
+{{- if and (.Values.ingress.ingressClassName) (semverCompare ">= v1.18.0" .Capabilities.KubeVersion.Version) }}
+  ingressClassName: {{ .Values.ingress.ingressClassName }}
+{{- end }}
 {{- if .Values.ingress.tls }}
  tls:
  {{- range .Values.ingress.tls }}
@@ -28,8 +37,17 @@ spec:
      http:
        paths:
          - path: {{ $.Values.ingress.path }}
+        {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+            pathType: {{ $.Values.ingress.pathType }}
+            backend:
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $.Values.service.port -}}
+          {{- else }}
            backend:
              serviceName: {{ $fullName }}
              servicePort: {{ $.Values.service.port -}}
+          {{- end }}
  {{- end }}
-{{- end }}
+{{- end }}
--- a/helm/trivy/values.yaml
+++ b/helm/trivy/values.yaml
@@ -4,7 +4,7 @@ fullnameOverride: ""
 image:
  registry: docker.io
  repository: aquasec/trivy
-  tag: 0.18.3
+  tag: 0.21.0
  pullPolicy: IfNotPresent
  pullSecret: ""

@@ -85,7 +85,7 @@ trivy:
  cache:
    redis:
      enabled: false
-      url: "" # e.g. redis://redis.redis.svc:6379
+      url: ""  # e.g. redis://redis.redis.svc:6379

 service:
  # type Kubernetes service type
@@ -95,11 +95,15 @@ service:

 ingress:
  enabled: false
+  # From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation.
+  ingressClassName:
  annotations: {}
    # kubernetes.io/ingress.class: nginx
  hosts:
    - host: trivy.example.com
  path: "/"
+  # type is only needed for networking.k8s.io/v1 in k8s 1.19+
+  pathType: Prefix
  tls: []
  #  - secretName: trivy-example-tls
  #    hosts:
--- a/integration/client_server_test.go
+++ b/integration/client_server_test.go
@@ -1,3 +1,4 @@
+//go:build integration
 // +build integration

 package integration
@@ -5,7 +6,7 @@ package integration
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"os"
 	"path/filepath"
 	"strings"
@@ -22,10 +23,9 @@ import (
 	"github.com/aquasecurity/trivy/pkg/report"
 )

-type args struct {
+type csArgs struct {
 	Format            string
 	TemplatePath      string
-	Version           string
 	IgnoreUnfixed     bool
 	Severity          []string
 	IgnoreIDs         []string
@@ -35,24 +35,22 @@ type args struct {
 }

 func TestClientServer(t *testing.T) {
-	cases := []struct {
-		name     string
-		testArgs args
-		golden   string
-		wantErr  string
+	tests := []struct {
+		name    string
+		args    csArgs
+		golden  string
+		wantErr string
 	}{
 		{
 			name: "alpine 3.10 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/alpine-310.tar.gz",
+			args: csArgs{
+				Input: "testdata/fixtures/images/alpine-310.tar.gz",
 			},
 			golden: "testdata/alpine-310.json.golden",
 		},
 		{
 			name: "alpine 3.10 integration with --ignore-unfixed option",
-			testArgs: args{
-				Version:       "dev",
+			args: csArgs{
 				IgnoreUnfixed: true,
 				Input:         "testdata/fixtures/images/alpine-310.tar.gz",
 			},
@@ -60,8 +58,7 @@ func TestClientServer(t *testing.T) {
 		},
 		{
 			name: "alpine 3.10 integration with medium and high severity",
-			testArgs: args{
-				Version:       "dev",
+			args: csArgs{
 				IgnoreUnfixed: true,
 				Severity:      []string{"MEDIUM", "HIGH"},
 				Input:         "testdata/fixtures/images/alpine-310.tar.gz",
@@ -70,64 +67,30 @@ func TestClientServer(t *testing.T) {
 		},
 		{
 			name: "alpine 3.10 integration with .trivyignore",
-			testArgs: args{
-				Version:       "dev",
+			args: csArgs{
 				IgnoreUnfixed: false,
 				IgnoreIDs:     []string{"CVE-2019-1549", "CVE-2019-1563"},
 				Input:         "testdata/fixtures/images/alpine-310.tar.gz",
 			},
 			golden: "testdata/alpine-310-ignore-cveids.json.golden",
 		},
-		{
-			name: "alpine 3.10 integration with gitlab template",
-			testArgs: args{
-				Format:       "template",
-				TemplatePath: "@../contrib/gitlab.tpl",
-				Version:      "dev",
-				Input:        "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310.gitlab.golden",
-		},
-		{
-			name: "alpine 3.10 integration with gitlab-codequality template",
-			testArgs: args{
-				Format:       "template",
-				TemplatePath: "@../contrib/gitlab-codequality.tpl",
-				Version:      "dev",
-				Input:        "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310.gitlab-codequality.golden",
-		},
-		{
-			name: "alpine 3.10 integration with sarif template",
-			testArgs: args{
-				Format:       "template",
-				TemplatePath: "@../contrib/sarif.tpl",
-				Version:      "dev",
-				Input:        "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310.sarif.golden",
-		},
 		{
 			name: "alpine 3.9 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/alpine-39.tar.gz",
+			args: csArgs{
+				Input: "testdata/fixtures/images/alpine-39.tar.gz",
 			},
 			golden: "testdata/alpine-39.json.golden",
 		},
 		{
 			name: "debian buster integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/debian-buster.tar.gz",
+			args: csArgs{
+				Input: "testdata/fixtures/images/debian-buster.tar.gz",
 			},
 			golden: "testdata/debian-buster.json.golden",
 		},
 		{
 			name: "debian buster integration with --ignore-unfixed option",
-			testArgs: args{
-				Version:       "dev",
+			args: csArgs{
 				IgnoreUnfixed: true,
 				Input:         "testdata/fixtures/images/debian-buster.tar.gz",
 			},
@@ -135,24 +98,21 @@ func TestClientServer(t *testing.T) {
 		},
 		{
 			name: "debian stretch integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/debian-stretch.tar.gz",
+			args: csArgs{
+				Input: "testdata/fixtures/images/debian-stretch.tar.gz",
 			},
 			golden: "testdata/debian-stretch.json.golden",
 		},
 		{
 			name: "ubuntu 18.04 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/ubuntu-1804.tar.gz",
+			args: csArgs{
+				Input: "testdata/fixtures/images/ubuntu-1804.tar.gz",
 			},
 			golden: "testdata/ubuntu-1804.json.golden",
 		},
 		{
 			name: "ubuntu 18.04 integration with --ignore-unfixed option",
-			testArgs: args{
-				Version:       "dev",
+			args: csArgs{
 				IgnoreUnfixed: true,
 				Input:         "testdata/fixtures/images/ubuntu-1804.tar.gz",
 			},
@@ -160,24 +120,21 @@ func TestClientServer(t *testing.T) {
 		},
 		{
 			name: "ubuntu 16.04 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/ubuntu-1604.tar.gz",
+			args: csArgs{
+				Input: "testdata/fixtures/images/ubuntu-1604.tar.gz",
 			},
 			golden: "testdata/ubuntu-1604.json.golden",
 		},
 		{
 			name: "centos 7 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/centos-7.tar.gz",
+			args: csArgs{
+				Input: "testdata/fixtures/images/centos-7.tar.gz",
 			},
 			golden: "testdata/centos-7.json.golden",
 		},
 		{
 			name: "centos 7 integration with --ignore-unfixed option",
-			testArgs: args{
-				Version:       "dev",
+			args: csArgs{
 				IgnoreUnfixed: true,
 				Input:         "testdata/fixtures/images/centos-7.tar.gz",
 			},
@@ -185,8 +142,7 @@ func TestClientServer(t *testing.T) {
 		},
 		{
 			name: "centos 7 integration with low and high severity",
-			testArgs: args{
-				Version:       "dev",
+			args: csArgs{
 				IgnoreUnfixed: true,
 				Severity:      []string{"LOW", "HIGH"},
 				Input:         "testdata/fixtures/images/centos-7.tar.gz",
@@ -195,32 +151,28 @@ func TestClientServer(t *testing.T) {
 		},
 		{
 			name: "centos 6 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/centos-6.tar.gz",
+			args: csArgs{
+				Input: "testdata/fixtures/images/centos-6.tar.gz",
 			},
 			golden: "testdata/centos-6.json.golden",
 		},
 		{
 			name: "ubi 7 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/ubi-7.tar.gz",
+			args: csArgs{
+				Input: "testdata/fixtures/images/ubi-7.tar.gz",
 			},
 			golden: "testdata/ubi-7.json.golden",
 		},
 		{
 			name: "distroless base integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/distroless-base.tar.gz",
+			args: csArgs{
+				Input: "testdata/fixtures/images/distroless-base.tar.gz",
 			},
 			golden: "testdata/distroless-base.json.golden",
 		},
 		{
 			name: "distroless base integration with --ignore-unfixed option",
-			testArgs: args{
-				Version:       "dev",
+			args: csArgs{
 				IgnoreUnfixed: true,
 				Input:         "testdata/fixtures/images/distroless-base.tar.gz",
 			},
@@ -228,116 +180,152 @@ func TestClientServer(t *testing.T) {
 		},
 		{
 			name: "distroless python27 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/distroless-python27.tar.gz",
+			args: csArgs{
+				Input: "testdata/fixtures/images/distroless-python27.tar.gz",
 			},
 			golden: "testdata/distroless-python27.json.golden",
 		},
 		{
 			name: "amazon 1 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/amazon-1.tar.gz",
+			args: csArgs{
+				Input: "testdata/fixtures/images/amazon-1.tar.gz",
 			},
 			golden: "testdata/amazon-1.json.golden",
 		},
 		{
 			name: "amazon 2 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/amazon-2.tar.gz",
+			args: csArgs{
+				Input: "testdata/fixtures/images/amazon-2.tar.gz",
 			},
 			golden: "testdata/amazon-2.json.golden",
 		},
 		{
 			name: "oracle 6 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/oraclelinux-6-slim.tar.gz",
+			args: csArgs{
+				Input: "testdata/fixtures/images/oraclelinux-6-slim.tar.gz",
 			},
 			golden: "testdata/oraclelinux-6-slim.json.golden",
 		},
 		{
 			name: "oracle 7 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/oraclelinux-7-slim.tar.gz",
+			args: csArgs{
+				Input: "testdata/fixtures/images/oraclelinux-7-slim.tar.gz",
 			},
 			golden: "testdata/oraclelinux-7-slim.json.golden",
 		},
 		{
 			name: "oracle 8 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/oraclelinux-8-slim.tar.gz",
+			args: csArgs{
+				Input: "testdata/fixtures/images/oraclelinux-8-slim.tar.gz",
 			},
 			golden: "testdata/oraclelinux-8-slim.json.golden",
 		},
 		{
 			name: "opensuse leap 15.1 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/opensuse-leap-151.tar.gz",
+			args: csArgs{
+				Input: "testdata/fixtures/images/opensuse-leap-151.tar.gz",
 			},
 			golden: "testdata/opensuse-leap-151.json.golden",
 		},
 		{
 			name: "opensuse leap 42.3 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/opensuse-leap-423.tar.gz",
+			args: csArgs{
+				Input: "testdata/fixtures/images/opensuse-leap-423.tar.gz",
 			},
 			golden: "testdata/opensuse-leap-423.json.golden",
 		},
 		{
 			name: "photon 1.0 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/photon-10.tar.gz",
+			args: csArgs{
+				Input: "testdata/fixtures/images/photon-10.tar.gz",
 			},
 			golden: "testdata/photon-10.json.golden",
 		},
 		{
 			name: "photon 2.0 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/photon-20.tar.gz",
+			args: csArgs{
+				Input: "testdata/fixtures/images/photon-20.tar.gz",
 			},
 			golden: "testdata/photon-20.json.golden",
 		},
 		{
 			name: "photon 3.0 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/photon-30.tar.gz",
+			args: csArgs{
+				Input: "testdata/fixtures/images/photon-30.tar.gz",
 			},
 			golden: "testdata/photon-30.json.golden",
 		},
 		{
 			name: "buxybox with Cargo.lock integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
+			args: csArgs{
+				Input: "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
 			},
 			golden: "testdata/busybox-with-lockfile.json.golden",
 		},
+	}
+
+	app, addr, cacheDir := setup(t, setupOptions{})
+
+	for _, c := range tests {
+		t.Run(c.name, func(t *testing.T) {
+			osArgs, outputFile := setupClient(t, c.args, addr, cacheDir, c.golden)
+
+			// Run Trivy client
+			err := app.Run(osArgs)
+			require.NoError(t, err)
+
+			compareReports(t, c.golden, outputFile)
+		})
+	}
+}
+
+func TestClientServerWithTemplate(t *testing.T) {
+	tests := []struct {
+		name   string
+		args   csArgs
+		golden string
+	}{
+		{
+			name: "alpine 3.10 integration with gitlab template",
+			args: csArgs{
+				Format:       "template",
+				TemplatePath: "@../contrib/gitlab.tpl",
+				Input:        "testdata/fixtures/images/alpine-310.tar.gz",
+			},
+			golden: "testdata/alpine-310.gitlab.golden",
+		},
+		{
+			name: "alpine 3.10 integration with gitlab-codequality template",
+			args: csArgs{
+				Format:       "template",
+				TemplatePath: "@../contrib/gitlab-codequality.tpl",
+				Input:        "testdata/fixtures/images/alpine-310.tar.gz",
+			},
+			golden: "testdata/alpine-310.gitlab-codequality.golden",
+		},
+		{
+			name: "alpine 3.10 integration with sarif template",
+			args: csArgs{
+				Format:       "template",
+				TemplatePath: "@../contrib/sarif.tpl",
+				Input:        "testdata/fixtures/images/alpine-310.tar.gz",
+			},
+			golden: "testdata/alpine-310.sarif.golden",
+		},
 		{
 			name: "alpine 3.10 integration with ASFF template",
-			testArgs: args{
+			args: csArgs{
 				Format:       "template",
 				TemplatePath: "@../contrib/asff.tpl",
-				Version:      "dev",
 				Input:        "testdata/fixtures/images/alpine-310.tar.gz",
 			},
 			golden: "testdata/alpine-310.asff.golden",
 		},
 		{
 			name: "alpine 3.10 integration with html template",
-			testArgs: args{
+			args: csArgs{
 				Format:       "template",
 				TemplatePath: "@../contrib/html.tpl",
-				Version:      "dev",
 				Input:        "testdata/fixtures/images/alpine-310.tar.gz",
 			},
 			golden: "testdata/alpine-310.html.golden",
@@ -346,36 +334,40 @@ func TestClientServer(t *testing.T) {

 	app, addr, cacheDir := setup(t, setupOptions{})

-	for _, c := range cases {
-		t.Run(c.name, func(t *testing.T) {
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
 			report.Now = func() time.Time {
 				return time.Date(2020, 8, 10, 7, 28, 17, 958601, time.UTC)
 			}
-			os.Setenv("AWS_REGION", "test-region")
-			os.Setenv("AWS_ACCOUNT_ID", "123456789012")
-			osArgs, outputFile, cleanup := setupClient(t, c.testArgs, addr, cacheDir, c.golden)
-			defer cleanup()
+			t.Setenv("AWS_REGION", "test-region")
+			t.Setenv("AWS_ACCOUNT_ID", "123456789012")
+			osArgs, outputFile := setupClient(t, tt.args, addr, cacheDir, tt.golden)

 			// Run Trivy client
 			err := app.Run(osArgs)
 			require.NoError(t, err)

-			compare(t, c.golden, outputFile)
+			want, err := os.ReadFile(tt.golden)
+			require.NoError(t, err)
+
+			got, err := os.ReadFile(outputFile)
+			require.NoError(t, err)
+
+			assert.EqualValues(t, string(want), string(got))
 		})
 	}
 }

 func TestClientServerWithToken(t *testing.T) {
 	cases := []struct {
-		name     string
-		testArgs args
-		golden   string
-		wantErr  string
+		name    string
+		args    csArgs
+		golden  string
+		wantErr string
 	}{
 		{
 			name: "alpine 3.10 integration with token",
-			testArgs: args{
-				Version:           "dev",
+			args: csArgs{
 				Input:             "testdata/fixtures/images/alpine-310.tar.gz",
 				ClientToken:       "token",
 				ClientTokenHeader: "Trivy-Token",
@@ -384,8 +376,7 @@ func TestClientServerWithToken(t *testing.T) {
 		},
 		{
 			name: "invalid token",
-			testArgs: args{
-				Version:           "dev",
+			args: csArgs{
 				Input:             "testdata/fixtures/images/distroless-base.tar.gz",
 				ClientToken:       "invalidtoken",
 				ClientTokenHeader: "Trivy-Token",
@@ -394,8 +385,7 @@ func TestClientServerWithToken(t *testing.T) {
 		},
 		{
 			name: "invalid token header",
-			testArgs: args{
-				Version:           "dev",
+			args: csArgs{
 				Input:             "testdata/fixtures/images/distroless-base.tar.gz",
 				ClientToken:       "valid-token",
 				ClientTokenHeader: "Trivy-Token",
@@ -410,12 +400,10 @@ func TestClientServerWithToken(t *testing.T) {
 		token:       serverToken,
 		tokenHeader: serverTokenHeader,
 	})
-	defer os.RemoveAll(cacheDir)

 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {
-			osArgs, outputFile, cleanup := setupClient(t, c.testArgs, addr, cacheDir, c.golden)
-			defer cleanup()
+			osArgs, outputFile := setupClient(t, c.args, addr, cacheDir, c.golden)

 			// Run Trivy client
 			err := app.Run(osArgs)
@@ -428,7 +416,7 @@ func TestClientServerWithToken(t *testing.T) {
 				assert.NoError(t, err, c.name)
 			}

-			compare(t, c.golden, outputFile)
+			compareReports(t, c.golden, outputFile)
 		})
 	}
 }
@@ -443,29 +431,26 @@ func TestClientServerWithRedis(t *testing.T) {
 	defer os.RemoveAll(cacheDir)

 	// Test parameters
-	testArgs := args{
-		Version: "dev",
-		Input:   "testdata/fixtures/images/centos-7.tar.gz",
+	testArgs := csArgs{
+		Input: "testdata/fixtures/images/centos-7.tar.gz",
 	}
 	golden := "testdata/centos-7.json.golden"

 	t.Run("centos 7", func(t *testing.T) {
-		osArgs, outputFile, cleanup := setupClient(t, testArgs, addr, cacheDir, golden)
-		defer cleanup()
+		osArgs, outputFile := setupClient(t, testArgs, addr, cacheDir, golden)

 		// Run Trivy client
 		err := app.Run(osArgs)
 		require.NoError(t, err)

-		compare(t, golden, outputFile)
+		compareReports(t, golden, outputFile)
 	})

 	// Terminate the Redis container
 	require.NoError(t, redisC.Terminate(ctx))

 	t.Run("sad path", func(t *testing.T) {
-		osArgs, _, cleanup := setupClient(t, testArgs, addr, cacheDir, golden)
-		defer cleanup()
+		osArgs, _ := setupClient(t, testArgs, addr, cacheDir, golden)

 		// Run Trivy client
 		err := app.Run(osArgs)
@@ -494,7 +479,7 @@ func setup(t *testing.T, options setupOptions) (*cli.App, string, string) {
 	go func() {
 		// Setup CLI App
 		app := commands.NewApp(version)
-		app.Writer = ioutil.Discard
+		app.Writer = io.Discard
 		osArgs := setupServer(addr, options.token, options.tokenHeader, cacheDir, options.cacheBackend)

 		// Run Trivy server
@@ -507,7 +492,7 @@ func setup(t *testing.T, options setupOptions) (*cli.App, string, string) {

 	// Setup CLI App
 	app := commands.NewApp(version)
-	app.Writer = ioutil.Discard
+	app.Writer = io.Discard

 	return app, addr, cacheDir
 }
@@ -523,7 +508,7 @@ func setupServer(addr, token, tokenHeader, cacheDir, cacheBackend string) []stri
 	return osArgs
 }

-func setupClient(t *testing.T, c args, addr string, cacheDir string, golden string) ([]string, string, func()) {
+func setupClient(t *testing.T, c csArgs, addr string, cacheDir string, golden string) ([]string, string) {
 	t.Helper()
 	osArgs := []string{"trivy", "--cache-dir", cacheDir, "client", "--remote", "http://" + addr}

@@ -545,13 +530,9 @@ func setupClient(t *testing.T, c args, addr string, cacheDir string, golden stri
 		)
 	}

-	var err error
-	var ignoreTmpDir string
 	if len(c.IgnoreIDs) != 0 {
-		ignoreTmpDir, err = ioutil.TempDir("", "ignore")
-		require.NoError(t, err, "failed to create a temp dir")
-		trivyIgnore := filepath.Join(ignoreTmpDir, ".trivyignore")
-		err = ioutil.WriteFile(trivyIgnore, []byte(strings.Join(c.IgnoreIDs, "\n")), 0444)
+		trivyIgnore := filepath.Join(t.TempDir(), ".trivyignore")
+		err := os.WriteFile(trivyIgnore, []byte(strings.Join(c.IgnoreIDs, "\n")), 0444)
 		require.NoError(t, err, "failed to write .trivyignore")
 		osArgs = append(osArgs, []string{"--ignorefile", trivyIgnore}...)
 	}
@@ -563,24 +544,14 @@ func setupClient(t *testing.T, c args, addr string, cacheDir string, golden stri
 	}

 	// Setup the output file
-	var outputFile string
+	outputFile := filepath.Join(t.TempDir(), "output.json")
 	if *update {
 		outputFile = golden
-	} else {
-		output, _ := ioutil.TempFile("", "integration")
-		assert.Nil(t, output.Close())
-		outputFile = output.Name()
-	}
-
-	cleanup := func() {
-		_ = os.Remove(ignoreTmpDir)
-		if !*update {
-			_ = os.Remove(outputFile)
-		}
 	}

 	osArgs = append(osArgs, []string{"--output", outputFile}...)
-	return osArgs, outputFile, cleanup
+
+	return osArgs, outputFile
 }

 func setupRedis(t *testing.T, ctx context.Context) (testcontainers.Container, string) {
@@ -591,6 +562,8 @@ func setupRedis(t *testing.T, ctx context.Context) (testcontainers.Container, st
 		Name:         "redis",
 		Image:        imageName,
 		ExposedPorts: []string{port},
+		SkipReaper:   true,
+		AutoRemove:   true,
 	}

 	redis, err := testcontainers.GenericContainer(ctx, testcontainers.GenericContainerRequest{
@@ -608,18 +581,3 @@ func setupRedis(t *testing.T, ctx context.Context) (testcontainers.Container, st
 	addr := fmt.Sprintf("redis://%s:%s", ip, p.Port())
 	return redis, addr
 }
-
-func compare(t *testing.T, wantFile, gotFile string) {
-	t.Helper()
-	// Compare want and got
-	want, err := ioutil.ReadFile(wantFile)
-	assert.NoError(t, err)
-	got, err := ioutil.ReadFile(gotFile)
-	assert.NoError(t, err)
-
-	if strings.HasSuffix(wantFile, ".json.golden") {
-		assert.JSONEq(t, string(want), string(got))
-	} else {
-		assert.EqualValues(t, string(want), string(got))
-	}
-}
--- a/integration/docker/docker.go
+++ b/integration/docker/docker.go
@@ -6,7 +6,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/url"
 	"os"

@@ -78,7 +77,7 @@ func (d Docker) ReplicateImage(ctx context.Context, imageRef, imagePath string,
 	if err != nil {
 		return err
 	}
-	if _, err = io.Copy(ioutil.Discard, resp.Body); err != nil {
+	if _, err = io.Copy(io.Discard, resp.Body); err != nil {
 		return err
 	}
 	defer resp.Body.Close()
@@ -110,7 +109,7 @@ func (d Docker) ReplicateImage(ctx context.Context, imageRef, imagePath string,
 	}
 	defer pushOut.Close()

-	if _, err = io.Copy(ioutil.Discard, pushOut); err != nil {
+	if _, err = io.Copy(io.Discard, pushOut); err != nil {
 		return err
 	}
 	return nil
--- a/integration/docker_engine_test.go
+++ b/integration/docker_engine_test.go
@@ -1,3 +1,4 @@
+//go:build integration
 // +build integration

 package integration
@@ -5,8 +6,8 @@ package integration
 import (
 	"context"
 	"io"
-	"io/ioutil"
 	"os"
+	"path/filepath"
 	"strings"
 	"testing"

@@ -28,220 +29,220 @@ func TestRun_WithDockerEngine(t *testing.T) {
 		severity            []string
 		ignoreIDs           []string
 		testfile            string
-		expectedOutputFile  string
-		expectedError       string
+		wantOutputFile      string
+		wantError           string
 	}{
 		// All of these cases should pass for either
 		// $ trivy <args>
 		// $ trivy image <args>
 		{
-			name:               "happy path, valid image path, alpine:3.10",
-			imageTag:           "alpine:3.10",
-			expectedOutputFile: "testdata/alpine-310.json.golden",
-			testfile:           "testdata/fixtures/images/alpine-310.tar.gz",
+			name:           "happy path, valid image path, alpine:3.10",
+			imageTag:       "alpine:3.10",
+			wantOutputFile: "testdata/alpine-310.json.golden",
+			testfile:       "testdata/fixtures/images/alpine-310.tar.gz",
 		},
 		{
 			name:                "happy path, valid image path, with image subcommand, alpine:3.10",
 			withImageSubcommand: true,
 			imageTag:            "alpine:3.10",
-			expectedOutputFile:  "testdata/alpine-310.json.golden",
+			wantOutputFile:      "testdata/alpine-310.json.golden",
 			testfile:            "testdata/fixtures/images/alpine-310.tar.gz",
 		},
 		{
-			name:               "happy path, valid image path, alpine:3.10, ignore unfixed",
-			ignoreUnfixed:      true,
-			imageTag:           "alpine:3.10",
-			expectedOutputFile: "testdata/alpine-310-ignore-unfixed.json.golden",
-			testfile:           "testdata/fixtures/images/alpine-310.tar.gz",
+			name:           "happy path, valid image path, alpine:3.10, ignore unfixed",
+			ignoreUnfixed:  true,
+			imageTag:       "alpine:3.10",
+			wantOutputFile: "testdata/alpine-310-ignore-unfixed.json.golden",
+			testfile:       "testdata/fixtures/images/alpine-310.tar.gz",
 		},
 		{
-			name:               "happy path, valid image path, alpine:3.10, ignore unfixed, with medium and high severity",
-			ignoreUnfixed:      true,
-			severity:           []string{"MEDIUM", "HIGH"},
-			imageTag:           "alpine:3.10",
-			expectedOutputFile: "testdata/alpine-310-medium-high.json.golden",
-			testfile:           "testdata/fixtures/images/alpine-310.tar.gz",
+			name:           "happy path, valid image path, alpine:3.10, ignore unfixed, with medium and high severity",
+			ignoreUnfixed:  true,
+			severity:       []string{"MEDIUM", "HIGH"},
+			imageTag:       "alpine:3.10",
+			wantOutputFile: "testdata/alpine-310-medium-high.json.golden",
+			testfile:       "testdata/fixtures/images/alpine-310.tar.gz",
 		},
 		{
-			name:               "happy path, valid image path, alpine:3.10, with .trivyignore",
-			imageTag:           "alpine:3.10",
-			ignoreIDs:          []string{"CVE-2019-1549", "CVE-2019-1563"},
-			expectedOutputFile: "testdata/alpine-310-ignore-cveids.json.golden",
-			testfile:           "testdata/fixtures/images/alpine-310.tar.gz",
+			name:           "happy path, valid image path, alpine:3.10, with .trivyignore",
+			imageTag:       "alpine:3.10",
+			ignoreIDs:      []string{"CVE-2019-1549", "CVE-2019-1563"},
+			wantOutputFile: "testdata/alpine-310-ignore-cveids.json.golden",
+			testfile:       "testdata/fixtures/images/alpine-310.tar.gz",
 		},
 		{
-			name:               "happy path, valid image path, alpine:3.9",
-			imageTag:           "alpine:3.9",
-			expectedOutputFile: "testdata/alpine-39.json.golden",
-			testfile:           "testdata/fixtures/images/alpine-39.tar.gz",
+			name:           "happy path, valid image path, alpine:3.9",
+			imageTag:       "alpine:3.9",
+			wantOutputFile: "testdata/alpine-39.json.golden",
+			testfile:       "testdata/fixtures/images/alpine-39.tar.gz",
 		},
 		{
-			name:               "happy path, valid image path, amazonlinux:1",
-			imageTag:           "amazonlinux:1",
-			expectedOutputFile: "testdata/amazon-1.json.golden",
-			testfile:           "testdata/fixtures/images/amazon-1.tar.gz",
+			name:           "happy path, valid image path, amazonlinux:1",
+			imageTag:       "amazonlinux:1",
+			wantOutputFile: "testdata/amazon-1.json.golden",
+			testfile:       "testdata/fixtures/images/amazon-1.tar.gz",
 		},
 		{
-			name:               "happy path, valid image path, amazonlinux:2",
-			imageTag:           "amazonlinux:2",
-			expectedOutputFile: "testdata/amazon-2.json.golden",
-			testfile:           "testdata/fixtures/images/amazon-2.tar.gz",
+			name:           "happy path, valid image path, amazonlinux:2",
+			imageTag:       "amazonlinux:2",
+			wantOutputFile: "testdata/amazon-2.json.golden",
+			testfile:       "testdata/fixtures/images/amazon-2.tar.gz",
 		},
 		{
-			name:               "happy path, valid image path, centos:6",
-			imageTag:           "centos:6",
-			expectedOutputFile: "testdata/centos-6.json.golden",
-			testfile:           "testdata/fixtures/images/centos-6.tar.gz",
+			name:           "happy path, valid image path, centos:6",
+			imageTag:       "centos:6",
+			wantOutputFile: "testdata/centos-6.json.golden",
+			testfile:       "testdata/fixtures/images/centos-6.tar.gz",
 		},
 		{
-			name:               "happy path, valid image path, centos:7",
-			imageTag:           "centos:7",
-			expectedOutputFile: "testdata/centos-7.json.golden",
-			testfile:           "testdata/fixtures/images/centos-7.tar.gz",
+			name:           "happy path, valid image path, centos:7",
+			imageTag:       "centos:7",
+			wantOutputFile: "testdata/centos-7.json.golden",
+			testfile:       "testdata/fixtures/images/centos-7.tar.gz",
 		},
 		{
-			name:               "happy path, valid image path, centos:7, with --ignore-unfixed option",
-			imageTag:           "centos:7",
-			ignoreUnfixed:      true,
-			expectedOutputFile: "testdata/centos-7-ignore-unfixed.json.golden",
-			testfile:           "testdata/fixtures/images/centos-7.tar.gz",
+			name:           "happy path, valid image path, centos:7, with --ignore-unfixed option",
+			imageTag:       "centos:7",
+			ignoreUnfixed:  true,
+			wantOutputFile: "testdata/centos-7-ignore-unfixed.json.golden",
+			testfile:       "testdata/fixtures/images/centos-7.tar.gz",
 		},
 		{
-			name:               "happy path, valid image path, centos:7, with --ignore-unfixed option, with low and high severity",
-			imageTag:           "centos:7",
-			ignoreUnfixed:      true,
-			severity:           []string{"LOW", "HIGH"},
-			expectedOutputFile: "testdata/centos-7-low-high.json.golden",
-			testfile:           "testdata/fixtures/images/centos-7.tar.gz",
+			name:           "happy path, valid image path, centos:7, with --ignore-unfixed option, with low and high severity",
+			imageTag:       "centos:7",
+			ignoreUnfixed:  true,
+			severity:       []string{"LOW", "HIGH"},
+			wantOutputFile: "testdata/centos-7-low-high.json.golden",
+			testfile:       "testdata/fixtures/images/centos-7.tar.gz",
 		},
 		{
-			name:               "happy path, valid image path, debian:buster",
-			imageTag:           "debian:buster",
-			expectedOutputFile: "testdata/debian-buster.json.golden",
-			testfile:           "testdata/fixtures/images/debian-buster.tar.gz",
+			name:           "happy path, valid image path, debian:buster",
+			imageTag:       "debian:buster",
+			wantOutputFile: "testdata/debian-buster.json.golden",
+			testfile:       "testdata/fixtures/images/debian-buster.tar.gz",
 		},
 		{
-			name:               "happy path, valid image path, debian:buster, with --ignore-unfixed option",
-			ignoreUnfixed:      true,
-			imageTag:           "debian:buster",
-			expectedOutputFile: "testdata/debian-buster-ignore-unfixed.json.golden",
-			testfile:           "testdata/fixtures/images/debian-buster.tar.gz",
+			name:           "happy path, valid image path, debian:buster, with --ignore-unfixed option",
+			ignoreUnfixed:  true,
+			imageTag:       "debian:buster",
+			wantOutputFile: "testdata/debian-buster-ignore-unfixed.json.golden",
+			testfile:       "testdata/fixtures/images/debian-buster.tar.gz",
 		},
 		{
-			name:               "happy path, valid image path, debian:stretch",
-			imageTag:           "debian:stretch",
-			expectedOutputFile: "testdata/debian-stretch.json.golden",
-			testfile:           "testdata/fixtures/images/debian-stretch.tar.gz",
+			name:           "happy path, valid image path, debian:stretch",
+			imageTag:       "debian:stretch",
+			wantOutputFile: "testdata/debian-stretch.json.golden",
+			testfile:       "testdata/fixtures/images/debian-stretch.tar.gz",
 		},
 		{
-			name:               "happy path, valid image path, distroless:base",
-			imageTag:           "gcr.io/distroless/base:latest",
-			expectedOutputFile: "testdata/distroless-base.json.golden",
-			testfile:           "testdata/fixtures/images/distroless-base.tar.gz",
+			name:           "happy path, valid image path, distroless:base",
+			imageTag:       "gcr.io/distroless/base:latest",
+			wantOutputFile: "testdata/distroless-base.json.golden",
+			testfile:       "testdata/fixtures/images/distroless-base.tar.gz",
 		},
 		{
-			name:               "happy path, valid image path, distroless:base",
-			imageTag:           "gcr.io/distroless/base:latest",
-			expectedOutputFile: "testdata/distroless-base.json.golden",
-			testfile:           "testdata/fixtures/images/distroless-base.tar.gz",
+			name:           "happy path, valid image path, distroless:base",
+			imageTag:       "gcr.io/distroless/base:latest",
+			wantOutputFile: "testdata/distroless-base.json.golden",
+			testfile:       "testdata/fixtures/images/distroless-base.tar.gz",
 		},
 		{
-			name:               "happy path, valid image path, distroless:base, with --ignore-unfixed option",
-			imageTag:           "gcr.io/distroless/base:latest",
-			ignoreUnfixed:      true,
-			expectedOutputFile: "testdata/distroless-base-ignore-unfixed.json.golden",
-			testfile:           "testdata/fixtures/images/distroless-base.tar.gz",
+			name:           "happy path, valid image path, distroless:base, with --ignore-unfixed option",
+			imageTag:       "gcr.io/distroless/base:latest",
+			ignoreUnfixed:  true,
+			wantOutputFile: "testdata/distroless-base-ignore-unfixed.json.golden",
+			testfile:       "testdata/fixtures/images/distroless-base.tar.gz",
 		},
 		{
-			name:               "happy path, valid image path, distroless:python2.7",
-			imageTag:           "gcr.io/distroless/python2.7:latest",
-			expectedOutputFile: "testdata/distroless-python27.json.golden",
-			testfile:           "testdata/fixtures/images/distroless-python27.tar.gz",
+			name:           "happy path, valid image path, distroless:python2.7",
+			imageTag:       "gcr.io/distroless/python2.7:latest",
+			wantOutputFile: "testdata/distroless-python27.json.golden",
+			testfile:       "testdata/fixtures/images/distroless-python27.tar.gz",
 		},
 		{
-			name:               "happy path, valid image path, oraclelinux:6-slim",
-			imageTag:           "oraclelinux:6-slim",
-			expectedOutputFile: "testdata/oraclelinux-6-slim.json.golden",
-			testfile:           "testdata/fixtures/images/oraclelinux-6-slim.tar.gz",
+			name:           "happy path, valid image path, oraclelinux:6-slim",
+			imageTag:       "oraclelinux:6-slim",
+			wantOutputFile: "testdata/oraclelinux-6-slim.json.golden",
+			testfile:       "testdata/fixtures/images/oraclelinux-6-slim.tar.gz",
 		},
 		{
-			name:               "happy path, valid image path, oraclelinux:7-slim",
-			imageTag:           "oraclelinux:7-slim",
-			expectedOutputFile: "testdata/oraclelinux-7-slim.json.golden",
-			testfile:           "testdata/fixtures/images/oraclelinux-7-slim.tar.gz",
+			name:           "happy path, valid image path, oraclelinux:7-slim",
+			imageTag:       "oraclelinux:7-slim",
+			wantOutputFile: "testdata/oraclelinux-7-slim.json.golden",
+			testfile:       "testdata/fixtures/images/oraclelinux-7-slim.tar.gz",
 		},
 		{
-			name:               "happy path, valid image path, oraclelinux:8-slim",
-			imageTag:           "oraclelinux:8-slim",
-			expectedOutputFile: "testdata/oraclelinux-8-slim.json.golden",
-			testfile:           "testdata/fixtures/images/oraclelinux-8-slim.tar.gz",
+			name:           "happy path, valid image path, oraclelinux:8-slim",
+			imageTag:       "oraclelinux:8-slim",
+			wantOutputFile: "testdata/oraclelinux-8-slim.json.golden",
+			testfile:       "testdata/fixtures/images/oraclelinux-8-slim.tar.gz",
 		},
 		{
-			name:               "happy path, valid image path, ubuntu:16.04",
-			imageTag:           "ubuntu:16.04",
-			expectedOutputFile: "testdata/ubuntu-1604.json.golden",
-			testfile:           "testdata/fixtures/images/ubuntu-1604.tar.gz",
+			name:           "happy path, valid image path, ubuntu:16.04",
+			imageTag:       "ubuntu:16.04",
+			wantOutputFile: "testdata/ubuntu-1604.json.golden",
+			testfile:       "testdata/fixtures/images/ubuntu-1604.tar.gz",
 		},
 		{
-			name:               "happy path, valid image path, ubuntu:18.04",
-			imageTag:           "ubuntu:18.04",
-			expectedOutputFile: "testdata/ubuntu-1804.json.golden",
-			testfile:           "testdata/fixtures/images/ubuntu-1804.tar.gz",
+			name:           "happy path, valid image path, ubuntu:18.04",
+			imageTag:       "ubuntu:18.04",
+			wantOutputFile: "testdata/ubuntu-1804.json.golden",
+			testfile:       "testdata/fixtures/images/ubuntu-1804.tar.gz",
 		},
 		{
-			name:               "happy path, valid image path, ubuntu:18.04, with --ignore-unfixed option",
-			imageTag:           "ubuntu:18.04",
-			ignoreUnfixed:      true,
-			expectedOutputFile: "testdata/ubuntu-1804-ignore-unfixed.json.golden",
-			testfile:           "testdata/fixtures/images/ubuntu-1804.tar.gz",
+			name:           "happy path, valid image path, ubuntu:18.04, with --ignore-unfixed option",
+			imageTag:       "ubuntu:18.04",
+			ignoreUnfixed:  true,
+			wantOutputFile: "testdata/ubuntu-1804-ignore-unfixed.json.golden",
+			testfile:       "testdata/fixtures/images/ubuntu-1804.tar.gz",
 		},
 		{
-			name:               "happy path, valid image path, registry.redhat.io/ubi7",
-			imageTag:           "registry.redhat.io/ubi7",
-			expectedOutputFile: "testdata/ubi-7.json.golden",
-			testfile:           "testdata/fixtures/images/ubi-7.tar.gz",
+			name:           "happy path, valid image path, registry.redhat.io/ubi7",
+			imageTag:       "registry.redhat.io/ubi7",
+			wantOutputFile: "testdata/ubi-7.json.golden",
+			testfile:       "testdata/fixtures/images/ubi-7.tar.gz",
 		},
 		{
-			name:               "happy path, valid image path, opensuse leap 15.1",
-			imageTag:           "opensuse/leap:latest",
-			expectedOutputFile: "testdata/opensuse-leap-151.json.golden",
-			testfile:           "testdata/fixtures/images/opensuse-leap-151.tar.gz",
+			name:           "happy path, valid image path, opensuse leap 15.1",
+			imageTag:       "opensuse/leap:latest",
+			wantOutputFile: "testdata/opensuse-leap-151.json.golden",
+			testfile:       "testdata/fixtures/images/opensuse-leap-151.tar.gz",
 		},
 		{
-			name:               "happy path, valid image path, opensuse leap 42.3",
-			imageTag:           "opensuse/leap:42.3",
-			expectedOutputFile: "testdata/opensuse-leap-423.json.golden",
-			testfile:           "testdata/fixtures/images/opensuse-leap-423.tar.gz",
+			name:           "happy path, valid image path, opensuse leap 42.3",
+			imageTag:       "opensuse/leap:42.3",
+			wantOutputFile: "testdata/opensuse-leap-423.json.golden",
+			testfile:       "testdata/fixtures/images/opensuse-leap-423.tar.gz",
 		},
 		{
-			name:               "happy path, valid image path, photon 1.0",
-			imageTag:           "photon:1.0-20190823",
-			expectedOutputFile: "testdata/photon-10.json.golden",
-			testfile:           "testdata/fixtures/images/photon-10.tar.gz",
+			name:           "happy path, valid image path, photon 1.0",
+			imageTag:       "photon:1.0-20190823",
+			wantOutputFile: "testdata/photon-10.json.golden",
+			testfile:       "testdata/fixtures/images/photon-10.tar.gz",
 		},
 		{
-			name:               "happy path, valid image path, photon 2.0",
-			imageTag:           "photon:2.0-20190726",
-			expectedOutputFile: "testdata/photon-20.json.golden",
-			testfile:           "testdata/fixtures/images/photon-20.tar.gz",
+			name:           "happy path, valid image path, photon 2.0",
+			imageTag:       "photon:2.0-20190726",
+			wantOutputFile: "testdata/photon-20.json.golden",
+			testfile:       "testdata/fixtures/images/photon-20.tar.gz",
 		},
 		{
-			name:               "happy path, valid image path, photon 3.0",
-			imageTag:           "photon:3.0-20190823",
-			expectedOutputFile: "testdata/photon-30.json.golden",
-			testfile:           "testdata/fixtures/images/photon-30.tar.gz",
+			name:           "happy path, valid image path, photon 3.0",
+			imageTag:       "photon:3.0-20190823",
+			wantOutputFile: "testdata/photon-30.json.golden",
+			testfile:       "testdata/fixtures/images/photon-30.tar.gz",
 		},
 		{
-			name:               "buxybox with Cargo.lock integration",
-			imageTag:           "busy-cargo:latest",
-			expectedOutputFile: "testdata/busybox-with-lockfile.json.golden",
-			testfile:           "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
+			name:           "buxybox with Cargo.lock integration",
+			imageTag:       "busy-cargo:latest",
+			wantOutputFile: "testdata/busybox-with-lockfile.json.golden",
+			testfile:       "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
 		},
 		{
-			name:          "sad path, invalid image",
-			invalidImage:  true,
-			testfile:      "badimage:latest",
-			expectedError: "unable to inspect the image (index.docker.io/library/badimage:latest)",
+			name:         "sad path, invalid image",
+			invalidImage: true,
+			testfile:     "badimage:latest",
+			wantError:    "unable to inspect the image (index.docker.io/library/badimage:latest)",
 		},
 	}

@@ -269,16 +270,15 @@ func TestRun_WithDockerEngine(t *testing.T) {
 				// load image into docker engine
 				res, err := cli.ImageLoad(ctx, testfile, true)
 				require.NoError(t, err, tc.name)
-				io.Copy(ioutil.Discard, res.Body)
+				io.Copy(io.Discard, res.Body)

 				// tag our image to something unique
 				err = cli.ImageTag(ctx, tc.imageTag, tc.testfile)
 				require.NoError(t, err, tc.name)
 			}

-			of, err := ioutil.TempFile("", "integration-docker-engine-output-file-*")
-			require.NoError(t, err, tc.name)
-			defer os.Remove(of.Name())
+			tmpDir := t.TempDir()
+			output := filepath.Join(tmpDir, "result.json")

 			// run trivy
 			app := commands.NewApp("dev")
@@ -288,7 +288,7 @@ func TestRun_WithDockerEngine(t *testing.T) {
 				trivyArgs = append(trivyArgs, "image")
 			}

-			trivyArgs = append(trivyArgs, []string{"--skip-update", "--format=json", "--output", of.Name()}...)
+			trivyArgs = append(trivyArgs, []string{"--skip-update", "--format=json", "--output", output}...)

 			if tc.ignoreUnfixed {
 				trivyArgs = append(trivyArgs, "--ignore-unfixed")
@@ -300,7 +300,7 @@ func TestRun_WithDockerEngine(t *testing.T) {
 			}
 			if len(tc.ignoreIDs) != 0 {
 				trivyIgnore := ".trivyignore"
-				err := ioutil.WriteFile(trivyIgnore, []byte(strings.Join(tc.ignoreIDs, "\n")), 0444)
+				err := os.WriteFile(trivyIgnore, []byte(strings.Join(tc.ignoreIDs, "\n")), 0444)
 				assert.NoError(t, err, "failed to write .trivyignore")
 				defer os.Remove(trivyIgnore)
 			}
@@ -308,20 +308,18 @@ func TestRun_WithDockerEngine(t *testing.T) {

 			err = app.Run(trivyArgs)
 			switch {
-			case tc.expectedError != "":
+			case tc.wantError != "":
 				require.NotNil(t, err)
-				assert.Contains(t, err.Error(), tc.expectedError, tc.name)
+				assert.Contains(t, err.Error(), tc.wantError, tc.name)
 				return
 			default:
 				assert.NoError(t, err, tc.name)
 			}

 			// check for vulnerability output info
-			got, err := ioutil.ReadAll(of)
-			assert.NoError(t, err, tc.name)
-			want, err := ioutil.ReadFile(tc.expectedOutputFile)
-			assert.NoError(t, err, tc.name)
-			assert.JSONEq(t, string(want), string(got), tc.name)
+			got := readReport(t, output)
+			want := readReport(t, tc.wantOutputFile)
+			assert.Equal(t, want, got)

 			// cleanup
 			_, err = cli.ImageRemove(ctx, tc.testfile, types.ImageRemoveOptions{
--- a/integration/fs_test.go
+++ b/integration/fs_test.go
@@ -1,3 +1,4 @@
+//go:build integration
 // +build integration

 package integration
@@ -5,11 +6,11 @@ package integration
 import (
 	"io"
 	"os"
+	"path/filepath"
 	"strings"
 	"testing"

 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"

 	"github.com/aquasecurity/trivy/pkg/commands"
 )
@@ -36,6 +37,14 @@ func TestFilesystem(t *testing.T) {
 			},
 			golden: "testdata/nodejs.json.golden",
 		},
+		{
+			name: "pip",
+			args: args{
+				securityChecks: "vuln",
+				input:          "testdata/fixtures/fs/pip",
+			},
+			golden: "testdata/pip.json.golden",
+		},
 		{
 			name: "dockerfile",
 			args: args{
@@ -109,15 +118,9 @@ func TestFilesystem(t *testing.T) {
 			}

 			// Setup the output file
-			var outputFile string
+			outputFile := filepath.Join(t.TempDir(), "output.json")
 			if *update {
 				outputFile = tt.golden
-			} else {
-				output, err := os.CreateTemp("", "integration")
-				require.NoError(t, err)
-				assert.Nil(t, output.Close())
-				defer os.Remove(output.Name())
-				outputFile = output.Name()
 			}

 			osArgs = append(osArgs, "--output", outputFile)
@@ -131,12 +134,10 @@ func TestFilesystem(t *testing.T) {
 			assert.Nil(t, app.Run(osArgs))

 			// Compare want and got
-			want, err := os.ReadFile(tt.golden)
-			assert.NoError(t, err)
-			got, err := os.ReadFile(outputFile)
-			assert.NoError(t, err)
+			want := readReport(t, tt.golden)
+			got := readReport(t, outputFile)

-			assert.JSONEq(t, string(want), string(got))
+			assert.Equal(t, want, got)
 		})
 	}
 }
--- a/integration/integration_test.go
+++ b/integration/integration_test.go
@@ -1,3 +1,4 @@
+//go:build integration
 // +build integration

 package integration
@@ -14,9 +15,11 @@ import (
 	"testing"
 	"time"

+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

 	"github.com/aquasecurity/trivy-db/pkg/db"
+	"github.com/aquasecurity/trivy/pkg/report"
 )

 var update = flag.Bool("update", false, "update golden files")
@@ -84,3 +87,29 @@ func waitPort(ctx context.Context, addr string) error {
 		}
 	}
 }
+
+func readReport(t *testing.T, filePath string) report.Report {
+	t.Helper()
+
+	f, err := os.Open(filePath)
+	require.NoError(t, err, filePath)
+	defer f.Close()
+
+	var res report.Report
+	err = json.NewDecoder(f).Decode(&res)
+	require.NoError(t, err, filePath)
+
+	// We don't compare history because the nano-seconds in "created" don't match
+	res.Metadata.ImageConfig.History = nil
+
+	// We don't compare repo tags because the archive doesn't support it
+	res.Metadata.RepoTags = nil
+
+	return res
+}
+
+func compareReports(t *testing.T, wantFile, gotFile string) {
+	want := readReport(t, wantFile)
+	got := readReport(t, gotFile)
+	assert.Equal(t, want, got)
+}
--- a/integration/registry_test.go
+++ b/integration/registry_test.go
@@ -1,3 +1,4 @@
+//go:build integration
 // +build integration

 package integration
@@ -8,7 +9,7 @@ import (
 	"crypto/x509"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"net/url"
 	"os"
@@ -25,7 +26,6 @@ import (
 	_ "github.com/aquasecurity/fanal/analyzer"
 	testdocker "github.com/aquasecurity/trivy/integration/docker"
 	"github.com/aquasecurity/trivy/pkg/commands"
-	"github.com/aquasecurity/trivy/pkg/report"
 )

 const (
@@ -56,6 +56,8 @@ func setupRegistry(ctx context.Context, baseDir string, authURL *url.URL) (testc
 		BindMounts: map[string]string{
 			filepath.Join(baseDir, "data", "certs"): "/certs",
 		},
+		SkipReaper: true,
+		AutoRemove: true,
 		WaitingFor: wait.ForLog("listening on [::]:5443"),
 	}

@@ -75,7 +77,9 @@ func setupAuthServer(ctx context.Context, baseDir string) (testcontainers.Contai
 			filepath.Join(baseDir, "data", "auth_config"): "/config",
 			filepath.Join(baseDir, "data", "certs"):       "/certs",
 		},
-		Cmd: []string{"/config/config.yml"},
+		SkipReaper: true,
+		AutoRemove: true,
+		Cmd:        []string{"/config/config.yml"},
 	}

 	authC, err := testcontainers.GenericContainer(ctx, testcontainers.GenericContainerRequest{
@@ -170,7 +174,7 @@ func TestRegistry(t *testing.T) {
 			name:      "sad path",
 			imageName: "alpine:3.10",
 			imageFile: "testdata/fixtures/images/alpine-310.tar.gz",
-			wantErr:   "unsupported status code 401; body: Auth failed",
+			wantErr:   "unexpected status code 401 Unauthorized: Auth failed",
 		},
 	}

@@ -188,7 +192,7 @@ func TestRegistry(t *testing.T) {
 			require.NoError(t, err)

 			// 2. Scan it
-			resultFile, cleanup, err := scan(t, imageRef, baseDir, tc.golden, tc.option)
+			resultFile, err := scan(t, imageRef, baseDir, tc.golden, tc.option)

 			if tc.wantErr != "" {
 				require.NotNil(t, err)
@@ -197,75 +201,56 @@ func TestRegistry(t *testing.T) {
 			} else {
 				require.NoError(t, err)
 			}
-			defer cleanup()

-			// 3. Compare want and got
-			golden, err := os.Open(tc.golden)
-			assert.NoError(t, err)
+			// 3. Read want and got
+			want := readReport(t, tc.golden)
+			got := readReport(t, resultFile)

-			var want report.Results
-			err = json.NewDecoder(golden).Decode(&want)
-			require.NoError(t, err)
+			// 4 Update some dynamic fields
+			want.ArtifactName = s
+			for i := range want.Results {
+				want.Results[i].Target = fmt.Sprintf("%s (alpine 3.10.2)", s)
+			}
+			want.Metadata.RepoDigests = []string{
+				fmt.Sprintf("%s/alpine@sha256:acd3ca9941a85e8ed16515bfc5328e4e2f8c128caa72959a58a127b7801ee01f", registryURL.Host),
+			}

-			result, err := os.Open(resultFile)
-			assert.NoError(t, err)
-
-			var got report.Results
-			err = json.NewDecoder(result).Decode(&got)
-			require.NoError(t, err)
-
-			assert.Equal(t, want[0].Vulnerabilities, got[0].Vulnerabilities)
-			assert.Equal(t, want[0].Vulnerabilities, got[0].Vulnerabilities)
+			// 5. Compare want and got
+			assert.Equal(t, want, got)
 		})
 	}
 }

-func scan(t *testing.T, imageRef name.Reference, baseDir, goldenFile string, opt registryOption) (string, func(), error) {
-	cleanup := func() {}
-
+func scan(t *testing.T, imageRef name.Reference, baseDir, goldenFile string, opt registryOption) (string, error) {
 	// Set up testing DB
 	cacheDir := gunzipDB(t)

 	// Setup the output file
-	var outputFile string
-	if *update && goldenFile != "" {
+	outputFile := filepath.Join(t.TempDir(), "output.json")
+	if *update {
 		outputFile = goldenFile
-	} else {
-		output, err := ioutil.TempFile("", "integration")
-		if err != nil {
-			return "", cleanup, err
-		}
-		defer output.Close()
-
-		outputFile = output.Name()
-		cleanup = func() {
-			os.Remove(outputFile)
-		}
 	}

 	// Setup env
-	if err := setupEnv(imageRef, baseDir, opt); err != nil {
-		return "", cleanup, err
+	if err := setupEnv(t, imageRef, baseDir, opt); err != nil {
+		return "", err
 	}
-	defer unsetEnv()

 	// Setup CLI App
 	app := commands.NewApp("dev")
-	app.Writer = ioutil.Discard
+	app.Writer = io.Discard

 	osArgs := []string{"trivy", "--cache-dir", cacheDir, "--format", "json", "--skip-update", "--output", outputFile, imageRef.Name()}

 	// Run Trivy
 	if err := app.Run(osArgs); err != nil {
-		return "", cleanup, err
+		return "", err
 	}
-	return outputFile, cleanup, nil
+	return outputFile, nil
 }

-func setupEnv(imageRef name.Reference, baseDir string, opt registryOption) error {
-	if err := os.Setenv("TRIVY_INSECURE", "true"); err != nil {
-		return err
-	}
+func setupEnv(t *testing.T, imageRef name.Reference, baseDir string, opt registryOption) error {
+	t.Setenv("TRIVY_INSECURE", "true")

 	if opt.Username != "" && opt.Password != "" {
 		if opt.RegistryToken {
@@ -274,26 +259,10 @@ func setupEnv(imageRef name.Reference, baseDir string, opt registryOption) error
 			if err != nil {
 				return err
 			}
-			if err := os.Setenv("TRIVY_REGISTRY_TOKEN", token); err != nil {
-				return err
-			}
+			t.Setenv("TRIVY_REGISTRY_TOKEN", token)
 		} else {
-			if err := os.Setenv("TRIVY_USERNAME", opt.Username); err != nil {
-				return err
-			}
-			if err := os.Setenv("TRIVY_PASSWORD", opt.Password); err != nil {
-				return err
-			}
-		}
-	}
-	return nil
-}
-
-func unsetEnv() error {
-	envs := []string{"TRIVY_INSECURE", "TRIVY_USERNAME", "TRIVY_PASSWORD", "TRIVY_REGISTRY_TOKEN"}
-	for _, e := range envs {
-		if err := os.Unsetenv(e); err != nil {
-			return err
+			t.Setenv("TRIVY_USERNAME", opt.Username)
+			t.Setenv("TRIVY_PASSWORD", opt.Password)
 		}
 	}
 	return nil
@@ -301,7 +270,7 @@ func unsetEnv() error {

 func requestRegistryToken(imageRef name.Reference, baseDir string, opt registryOption) (string, error) {
 	// Create a CA certificate pool and add cert.pem to it
-	caCert, err := ioutil.ReadFile(filepath.Join(baseDir, "data", "certs", "cert.pem"))
+	caCert, err := os.ReadFile(filepath.Join(baseDir, "data", "certs", "cert.pem"))
 	if err != nil {
 		return "", err
 	}
--- a/integration/standalone_tar_test.go
+++ b/integration/standalone_tar_test.go
@@ -1,10 +1,12 @@
+//go:build integration
 // +build integration

 package integration

 import (
-	"io/ioutil"
+	"io"
 	"os"
+	"path/filepath"
 	"strings"
 	"testing"

@@ -376,11 +378,10 @@ func TestRun_WithTar(t *testing.T) {

 	// Setup CLI App
 	app := commands.NewApp("dev")
-	app.Writer = ioutil.Discard
+	app.Writer = io.Discard

 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {
-
 			osArgs := []string{"trivy"}
 			osArgs = append(osArgs, "--cache-dir", cacheDir)
 			if c.testArgs.WithImageSubcommand {
@@ -401,7 +402,7 @@ func TestRun_WithTar(t *testing.T) {
 			}
 			if len(c.testArgs.IgnoreIDs) != 0 {
 				trivyIgnore := ".trivyignore"
-				err := ioutil.WriteFile(trivyIgnore, []byte(strings.Join(c.testArgs.IgnoreIDs, "\n")), 0444)
+				err := os.WriteFile(trivyIgnore, []byte(strings.Join(c.testArgs.IgnoreIDs, "\n")), 0444)
 				assert.NoError(t, err, "failed to write .trivyignore")
 				defer os.Remove(trivyIgnore)
 			}
@@ -422,14 +423,9 @@ func TestRun_WithTar(t *testing.T) {
 			}

 			// Setup the output file
-			var outputFile string
+			outputFile := filepath.Join(t.TempDir(), "output.json")
 			if *update {
 				outputFile = c.golden
-			} else {
-				output, _ := ioutil.TempFile("", "integration")
-				assert.Nil(t, output.Close())
-				defer os.Remove(output.Name())
-				outputFile = output.Name()
 			}

 			osArgs = append(osArgs, []string{"--output", outputFile}...)
@@ -438,12 +434,7 @@ func TestRun_WithTar(t *testing.T) {
 			assert.Nil(t, app.Run(osArgs))

 			// Compare want and got
-			want, err := ioutil.ReadFile(c.golden)
-			assert.NoError(t, err)
-			got, err := ioutil.ReadFile(outputFile)
-			assert.NoError(t, err)
-
-			assert.JSONEq(t, string(want), string(got))
+			compareReports(t, c.golden, outputFile)
 		})
 	}
 }
--- a/integration/testdata/alpine-310-ignore-cveids.json.golden
+++ b/integration/testdata/alpine-310-ignore-cveids.json.golden
@@ -1,173 +1,223 @@
-[
-  {
-    "Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-    "Class": "os-pkgs",
-    "Type": "alpine",
-    "Vulnerabilities": [
-      {
-        "VulnerabilityID": "CVE-2019-1551",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r2",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/alpine-310.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "alpine",
+      "Name": "3.10.2",
+      "EOSL": true
+    },
+    "ImageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4",
+    "DiffIDs": [
+      "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "0a80155a31551fcc1a36fccbbda79fcd3f0b1c7d270653d00310e6e2217c57e6",
+      "created": "2019-08-20T20:19:55.211423266Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-08-20T20:19:55.062606894Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:fe64057fbb83dccb960efabbf1cd8777920ef279a7fa8dbca0a8801c651bdf7c in / "
        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-        "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-200"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-          "https://github.com/openssl/openssl/pull/10575",
-          "https://seclists.org/bugtraq/2019/Dec/39",
-          "https://seclists.org/bugtraq/2019/Dec/46",
-          "https://security.netapp.com/advisory/ntap-20191210-0001/",
-          "https://www.debian.org/security/2019/dsa-4594",
-          "https://www.openssl.org/news/secadv/20191206.txt",
-          "https://www.tenable.com/security/tns-2019-09"
-        ],
-        "PublishedDate": "2019-12-06T18:15:00Z",
-        "LastModifiedDate": "2019-12-25T11:15:00Z"
+        {
+          "created": "2019-08-20T20:19:55.211423266Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+        ]
      },
-      {
-        "VulnerabilityID": "CVE-2019-1547",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-        "Title": "openssl: side-channel weak encryption vulnerability",
-        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "LOW",
-        "CweIDs": [
-          "CWE-311"
+      "config": {
+        "Cmd": [
+          "/bin/sh"
        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 1.9
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-            "V3Score": 5.5
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://arxiv.org/abs/1909.01785",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T16:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1551",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r2",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-        "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-200"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-          "https://github.com/openssl/openssl/pull/10575",
-          "https://seclists.org/bugtraq/2019/Dec/39",
-          "https://seclists.org/bugtraq/2019/Dec/46",
-          "https://security.netapp.com/advisory/ntap-20191210-0001/",
-          "https://www.debian.org/security/2019/dsa-4594",
-          "https://www.openssl.org/news/secadv/20191206.txt",
-          "https://www.tenable.com/security/tns-2019-09"
-        ],
-        "PublishedDate": "2019-12-06T18:15:00Z",
-        "LastModifiedDate": "2019-12-25T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1547",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-        "Title": "openssl: side-channel weak encryption vulnerability",
-        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "LOW",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 1.9
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-            "V3Score": 5.5
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://arxiv.org/abs/1909.01785",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T16:15:00Z"
+        "Image": "sha256:06f4121dff4d0123ce11bd2e44f48da9ba9ddcd23ae376ea1f363f63ea0849b5",
+        "ArgsEscaped": true
      }
-    ]
-  }
-]
+    }
+  },
+  "Results": [
+    {
+      "Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
+      "Class": "os-pkgs",
+      "Type": "alpine",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2019-1551",
+          "PkgName": "libcrypto1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r2",
+          "Layer": {
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-200"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V2Score": 5
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
+            "https://github.com/openssl/openssl/pull/10575",
+            "https://seclists.org/bugtraq/2019/Dec/39",
+            "https://seclists.org/bugtraq/2019/Dec/46",
+            "https://security.netapp.com/advisory/ntap-20191210-0001/",
+            "https://www.debian.org/security/2019/dsa-4594",
+            "https://www.openssl.org/news/secadv/20191206.txt",
+            "https://www.tenable.com/security/tns-2019-09"
+          ],
+          "PublishedDate": "2019-12-06T18:15:00Z",
+          "LastModifiedDate": "2019-12-25T11:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1547",
+          "PkgName": "libcrypto1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
+          "Title": "openssl: side-channel weak encryption vulnerability",
+          "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+          "Severity": "LOW",
+          "CweIDs": [
+            "CWE-311"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
+              "V2Score": 1.9
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
+              "V3Score": 5.5
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://arxiv.org/abs/1909.01785",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
+            "https://seclists.org/bugtraq/2019/Sep/25",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://www.openssl.org/news/secadv/20190910.txt"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2019-09-12T16:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1551",
+          "PkgName": "libssl1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r2",
+          "Layer": {
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-200"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V2Score": 5
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
+            "https://github.com/openssl/openssl/pull/10575",
+            "https://seclists.org/bugtraq/2019/Dec/39",
+            "https://seclists.org/bugtraq/2019/Dec/46",
+            "https://security.netapp.com/advisory/ntap-20191210-0001/",
+            "https://www.debian.org/security/2019/dsa-4594",
+            "https://www.openssl.org/news/secadv/20191206.txt",
+            "https://www.tenable.com/security/tns-2019-09"
+          ],
+          "PublishedDate": "2019-12-06T18:15:00Z",
+          "LastModifiedDate": "2019-12-25T11:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1547",
+          "PkgName": "libssl1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
+          "Title": "openssl: side-channel weak encryption vulnerability",
+          "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+          "Severity": "LOW",
+          "CweIDs": [
+            "CWE-311"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
+              "V2Score": 1.9
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
+              "V3Score": 5.5
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://arxiv.org/abs/1909.01785",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
+            "https://seclists.org/bugtraq/2019/Sep/25",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://www.openssl.org/news/secadv/20190910.txt"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2019-09-12T16:15:00Z"
+        }
+      ]
+    }
+  ]
+}
--- a/integration/testdata/alpine-310-ignore-unfixed.json.golden
+++ b/integration/testdata/alpine-310-ignore-unfixed.json.golden
@@ -1,325 +1,375 @@
-[
-  {
-    "Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-    "Class": "os-pkgs",
-    "Type": "alpine",
-    "Vulnerabilities": [
-      {
-        "VulnerabilityID": "CVE-2019-1549",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/alpine-310.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "alpine",
+      "Name": "3.10.2",
+      "EOSL": true
+    },
+    "ImageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4",
+    "DiffIDs": [
+      "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "0a80155a31551fcc1a36fccbbda79fcd3f0b1c7d270653d00310e6e2217c57e6",
+      "created": "2019-08-20T20:19:55.211423266Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-08-20T20:19:55.062606894Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:fe64057fbb83dccb960efabbf1cd8777920ef279a7fa8dbca0a8801c651bdf7c in / "
        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
-        "Title": "openssl: information disclosure in fork()",
-        "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-330"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://support.f5.com/csp/article/K44070243",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-19T17:15:00Z"
+        {
+          "created": "2019-08-20T20:19:55.211423266Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+        ]
      },
-      {
-        "VulnerabilityID": "CVE-2019-1551",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r2",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-        "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-200"
+      "config": {
+        "Cmd": [
+          "/bin/sh"
        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-          "https://github.com/openssl/openssl/pull/10575",
-          "https://seclists.org/bugtraq/2019/Dec/39",
-          "https://seclists.org/bugtraq/2019/Dec/46",
-          "https://security.netapp.com/advisory/ntap-20191210-0001/",
-          "https://www.debian.org/security/2019/dsa-4594",
-          "https://www.openssl.org/news/secadv/20191206.txt",
-          "https://www.tenable.com/security/tns-2019-09"
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
        ],
-        "PublishedDate": "2019-12-06T18:15:00Z",
-        "LastModifiedDate": "2019-12-25T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1563",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-        "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 4.3
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-            "V3Score": 3.7
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1547",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-        "Title": "openssl: side-channel weak encryption vulnerability",
-        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "LOW",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 1.9
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-            "V3Score": 5.5
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://arxiv.org/abs/1909.01785",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T16:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1549",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
-        "Title": "openssl: information disclosure in fork()",
-        "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-330"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://support.f5.com/csp/article/K44070243",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-19T17:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1551",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r2",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-        "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-200"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-          "https://github.com/openssl/openssl/pull/10575",
-          "https://seclists.org/bugtraq/2019/Dec/39",
-          "https://seclists.org/bugtraq/2019/Dec/46",
-          "https://security.netapp.com/advisory/ntap-20191210-0001/",
-          "https://www.debian.org/security/2019/dsa-4594",
-          "https://www.openssl.org/news/secadv/20191206.txt",
-          "https://www.tenable.com/security/tns-2019-09"
-        ],
-        "PublishedDate": "2019-12-06T18:15:00Z",
-        "LastModifiedDate": "2019-12-25T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1563",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-        "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 4.3
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-            "V3Score": 3.7
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1547",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-        "Title": "openssl: side-channel weak encryption vulnerability",
-        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "LOW",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 1.9
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-            "V3Score": 5.5
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://arxiv.org/abs/1909.01785",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T16:15:00Z"
+        "Image": "sha256:06f4121dff4d0123ce11bd2e44f48da9ba9ddcd23ae376ea1f363f63ea0849b5",
+        "ArgsEscaped": true
      }
-    ]
-  }
-]
+    }
+  },
+  "Results": [
+    {
+      "Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
+      "Class": "os-pkgs",
+      "Type": "alpine",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2019-1549",
+          "PkgName": "libcrypto1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
+          "Title": "openssl: information disclosure in fork()",
+          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-330"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V2Score": 5
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://support.f5.com/csp/article/K44070243",
+            "https://www.openssl.org/news/secadv/20190910.txt"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2019-09-19T17:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1551",
+          "PkgName": "libcrypto1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r2",
+          "Layer": {
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-200"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V2Score": 5
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
+            "https://github.com/openssl/openssl/pull/10575",
+            "https://seclists.org/bugtraq/2019/Dec/39",
+            "https://seclists.org/bugtraq/2019/Dec/46",
+            "https://security.netapp.com/advisory/ntap-20191210-0001/",
+            "https://www.debian.org/security/2019/dsa-4594",
+            "https://www.openssl.org/news/secadv/20191206.txt",
+            "https://www.tenable.com/security/tns-2019-09"
+          ],
+          "PublishedDate": "2019-12-06T18:15:00Z",
+          "LastModifiedDate": "2019-12-25T11:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1563",
+          "PkgName": "libcrypto1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
+          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
+          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-311"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
+              "V2Score": 4.3
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V3Score": 3.7
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
+            "https://seclists.org/bugtraq/2019/Sep/25",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://www.openssl.org/news/secadv/20190910.txt"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2019-09-12T11:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1547",
+          "PkgName": "libcrypto1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
+          "Title": "openssl: side-channel weak encryption vulnerability",
+          "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+          "Severity": "LOW",
+          "CweIDs": [
+            "CWE-311"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
+              "V2Score": 1.9
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
+              "V3Score": 5.5
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://arxiv.org/abs/1909.01785",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
+            "https://seclists.org/bugtraq/2019/Sep/25",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://www.openssl.org/news/secadv/20190910.txt"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2019-09-12T16:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1549",
+          "PkgName": "libssl1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
+          "Title": "openssl: information disclosure in fork()",
+          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-330"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V2Score": 5
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://support.f5.com/csp/article/K44070243",
+            "https://www.openssl.org/news/secadv/20190910.txt"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2019-09-19T17:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1551",
+          "PkgName": "libssl1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r2",
+          "Layer": {
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-200"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V2Score": 5
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
+            "https://github.com/openssl/openssl/pull/10575",
+            "https://seclists.org/bugtraq/2019/Dec/39",
+            "https://seclists.org/bugtraq/2019/Dec/46",
+            "https://security.netapp.com/advisory/ntap-20191210-0001/",
+            "https://www.debian.org/security/2019/dsa-4594",
+            "https://www.openssl.org/news/secadv/20191206.txt",
+            "https://www.tenable.com/security/tns-2019-09"
+          ],
+          "PublishedDate": "2019-12-06T18:15:00Z",
+          "LastModifiedDate": "2019-12-25T11:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1563",
+          "PkgName": "libssl1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
+          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
+          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-311"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
+              "V2Score": 4.3
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V3Score": 3.7
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
+            "https://seclists.org/bugtraq/2019/Sep/25",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://www.openssl.org/news/secadv/20190910.txt"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2019-09-12T11:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1547",
+          "PkgName": "libssl1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
+          "Title": "openssl: side-channel weak encryption vulnerability",
+          "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+          "Severity": "LOW",
+          "CweIDs": [
+            "CWE-311"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
+              "V2Score": 1.9
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
+              "V3Score": 5.5
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://arxiv.org/abs/1909.01785",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
+            "https://seclists.org/bugtraq/2019/Sep/25",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://www.openssl.org/news/secadv/20190910.txt"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2019-09-12T16:15:00Z"
+        }
+      ]
+    }
+  ]
+}
--- a/integration/testdata/alpine-310-medium-high.json.golden
+++ b/integration/testdata/alpine-310-medium-high.json.golden
@@ -1,245 +1,295 @@
-[
-  {
-    "Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-    "Class": "os-pkgs",
-    "Type": "alpine",
-    "Vulnerabilities": [
-      {
-        "VulnerabilityID": "CVE-2019-1549",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/alpine-310.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "alpine",
+      "Name": "3.10.2",
+      "EOSL": true
+    },
+    "ImageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4",
+    "DiffIDs": [
+      "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "0a80155a31551fcc1a36fccbbda79fcd3f0b1c7d270653d00310e6e2217c57e6",
+      "created": "2019-08-20T20:19:55.211423266Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-08-20T20:19:55.062606894Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:fe64057fbb83dccb960efabbf1cd8777920ef279a7fa8dbca0a8801c651bdf7c in / "
        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
-        "Title": "openssl: information disclosure in fork()",
-        "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-330"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://support.f5.com/csp/article/K44070243",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-19T17:15:00Z"
+        {
+          "created": "2019-08-20T20:19:55.211423266Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+        ]
      },
-      {
-        "VulnerabilityID": "CVE-2019-1551",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r2",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-        "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-200"
+      "config": {
+        "Cmd": [
+          "/bin/sh"
        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-          "https://github.com/openssl/openssl/pull/10575",
-          "https://seclists.org/bugtraq/2019/Dec/39",
-          "https://seclists.org/bugtraq/2019/Dec/46",
-          "https://security.netapp.com/advisory/ntap-20191210-0001/",
-          "https://www.debian.org/security/2019/dsa-4594",
-          "https://www.openssl.org/news/secadv/20191206.txt",
-          "https://www.tenable.com/security/tns-2019-09"
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
        ],
-        "PublishedDate": "2019-12-06T18:15:00Z",
-        "LastModifiedDate": "2019-12-25T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1563",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-        "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 4.3
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-            "V3Score": 3.7
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1549",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
-        "Title": "openssl: information disclosure in fork()",
-        "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-330"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://support.f5.com/csp/article/K44070243",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-19T17:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1551",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r2",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-        "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-200"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-          "https://github.com/openssl/openssl/pull/10575",
-          "https://seclists.org/bugtraq/2019/Dec/39",
-          "https://seclists.org/bugtraq/2019/Dec/46",
-          "https://security.netapp.com/advisory/ntap-20191210-0001/",
-          "https://www.debian.org/security/2019/dsa-4594",
-          "https://www.openssl.org/news/secadv/20191206.txt",
-          "https://www.tenable.com/security/tns-2019-09"
-        ],
-        "PublishedDate": "2019-12-06T18:15:00Z",
-        "LastModifiedDate": "2019-12-25T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1563",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-        "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 4.3
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-            "V3Score": 3.7
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T11:15:00Z"
+        "Image": "sha256:06f4121dff4d0123ce11bd2e44f48da9ba9ddcd23ae376ea1f363f63ea0849b5",
+        "ArgsEscaped": true
      }
-    ]
-  }
-]
+    }
+  },
+  "Results": [
+    {
+      "Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
+      "Class": "os-pkgs",
+      "Type": "alpine",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2019-1549",
+          "PkgName": "libcrypto1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
+          "Title": "openssl: information disclosure in fork()",
+          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-330"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V2Score": 5
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://support.f5.com/csp/article/K44070243",
+            "https://www.openssl.org/news/secadv/20190910.txt"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2019-09-19T17:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1551",
+          "PkgName": "libcrypto1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r2",
+          "Layer": {
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-200"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V2Score": 5
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
+            "https://github.com/openssl/openssl/pull/10575",
+            "https://seclists.org/bugtraq/2019/Dec/39",
+            "https://seclists.org/bugtraq/2019/Dec/46",
+            "https://security.netapp.com/advisory/ntap-20191210-0001/",
+            "https://www.debian.org/security/2019/dsa-4594",
+            "https://www.openssl.org/news/secadv/20191206.txt",
+            "https://www.tenable.com/security/tns-2019-09"
+          ],
+          "PublishedDate": "2019-12-06T18:15:00Z",
+          "LastModifiedDate": "2019-12-25T11:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1563",
+          "PkgName": "libcrypto1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
+          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
+          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-311"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
+              "V2Score": 4.3
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V3Score": 3.7
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
+            "https://seclists.org/bugtraq/2019/Sep/25",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://www.openssl.org/news/secadv/20190910.txt"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2019-09-12T11:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1549",
+          "PkgName": "libssl1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
+          "Title": "openssl: information disclosure in fork()",
+          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-330"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V2Score": 5
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://support.f5.com/csp/article/K44070243",
+            "https://www.openssl.org/news/secadv/20190910.txt"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2019-09-19T17:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1551",
+          "PkgName": "libssl1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r2",
+          "Layer": {
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-200"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V2Score": 5
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
+            "https://github.com/openssl/openssl/pull/10575",
+            "https://seclists.org/bugtraq/2019/Dec/39",
+            "https://seclists.org/bugtraq/2019/Dec/46",
+            "https://security.netapp.com/advisory/ntap-20191210-0001/",
+            "https://www.debian.org/security/2019/dsa-4594",
+            "https://www.openssl.org/news/secadv/20191206.txt",
+            "https://www.tenable.com/security/tns-2019-09"
+          ],
+          "PublishedDate": "2019-12-06T18:15:00Z",
+          "LastModifiedDate": "2019-12-25T11:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1563",
+          "PkgName": "libssl1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
+          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
+          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-311"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
+              "V2Score": 4.3
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V3Score": 3.7
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
+            "https://seclists.org/bugtraq/2019/Sep/25",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://www.openssl.org/news/secadv/20190910.txt"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2019-09-12T11:15:00Z"
+        }
+      ]
+    }
+  ]
+}
--- a/integration/testdata/alpine-310-registry.json.golden
+++ b/integration/testdata/alpine-310-registry.json.golden
@@ -1,332 +1,383 @@
-[
-  {
-    "Target": "localhost:55015/alpine:3.10 (alpine 3.10.2)",
-    "Type": "alpine",
-    "Vulnerabilities": [
-      {
-        "VulnerabilityID": "CVE-2019-1549",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/alpine-310.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "alpine",
+      "Name": "3.10.2",
+      "EOSL": true
+    },
+    "ImageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4",
+    "DiffIDs": [
+      "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "0a80155a31551fcc1a36fccbbda79fcd3f0b1c7d270653d00310e6e2217c57e6",
+      "created": "2019-08-20T20:19:55.211423266Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-08-20T20:19:55.062606894Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:fe64057fbb83dccb960efabbf1cd8777920ef279a7fa8dbca0a8801c651bdf7c in / "
        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
-        "Title": "openssl: information disclosure in fork()",
-        "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-330"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://support.f5.com/csp/article/K44070243",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-19T17:15:00Z"
+        {
+          "created": "2019-08-20T20:19:55.211423266Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+        ]
      },
-      {
-        "VulnerabilityID": "CVE-2019-1551",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r2",
-        "Layer": {
-          "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-        "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-200"
+      "config": {
+        "Cmd": [
+          "/bin/sh"
        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-          "https://github.com/openssl/openssl/pull/10575",
-          "https://seclists.org/bugtraq/2019/Dec/39",
-          "https://seclists.org/bugtraq/2019/Dec/46",
-          "https://security.netapp.com/advisory/ntap-20191210-0001/",
-          "https://www.debian.org/security/2019/dsa-4594",
-          "https://www.openssl.org/news/secadv/20191206.txt",
-          "https://www.tenable.com/security/tns-2019-09"
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
        ],
-        "PublishedDate": "2019-12-06T18:15:00Z",
-        "LastModifiedDate": "2019-12-25T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1563",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-        "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 4.3
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-            "V3Score": 3.7
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1547",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-        "Title": "openssl: side-channel weak encryption vulnerability",
-        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "LOW",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 1.9
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-            "V3Score": 5.5
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://arxiv.org/abs/1909.01785",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T16:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1549",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
-        "Title": "openssl: information disclosure in fork()",
-        "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-330"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://support.f5.com/csp/article/K44070243",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-19T17:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1551",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r2",
-        "Layer": {
-          "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-        "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-200"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-          "https://github.com/openssl/openssl/pull/10575",
-          "https://seclists.org/bugtraq/2019/Dec/39",
-          "https://seclists.org/bugtraq/2019/Dec/46",
-          "https://security.netapp.com/advisory/ntap-20191210-0001/",
-          "https://www.debian.org/security/2019/dsa-4594",
-          "https://www.openssl.org/news/secadv/20191206.txt",
-          "https://www.tenable.com/security/tns-2019-09"
-        ],
-        "PublishedDate": "2019-12-06T18:15:00Z",
-        "LastModifiedDate": "2019-12-25T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1563",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-        "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 4.3
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-            "V3Score": 3.7
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1547",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-        "Title": "openssl: side-channel weak encryption vulnerability",
-        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "LOW",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 1.9
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-            "V3Score": 5.5
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://arxiv.org/abs/1909.01785",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T16:15:00Z"
+        "Image": "sha256:06f4121dff4d0123ce11bd2e44f48da9ba9ddcd23ae376ea1f363f63ea0849b5",
+        "ArgsEscaped": true
      }
-    ]
-  }
-]
+    }
+  },
+  "Results": [
+    {
+      "Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
+      "Class": "os-pkgs",
+      "Type": "alpine",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2019-1549",
+          "PkgName": "libcrypto1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
+          "Title": "openssl: information disclosure in fork()",
+          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-330"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V2Score": 5
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://support.f5.com/csp/article/K44070243",
+            "https://www.openssl.org/news/secadv/20190910.txt"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2019-09-19T17:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1551",
+          "PkgName": "libcrypto1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r2",
+          "Layer": {
+            "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-200"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V2Score": 5
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
+            "https://github.com/openssl/openssl/pull/10575",
+            "https://seclists.org/bugtraq/2019/Dec/39",
+            "https://seclists.org/bugtraq/2019/Dec/46",
+            "https://security.netapp.com/advisory/ntap-20191210-0001/",
+            "https://www.debian.org/security/2019/dsa-4594",
+            "https://www.openssl.org/news/secadv/20191206.txt",
+            "https://www.tenable.com/security/tns-2019-09"
+          ],
+          "PublishedDate": "2019-12-06T18:15:00Z",
+          "LastModifiedDate": "2019-12-25T11:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1563",
+          "PkgName": "libcrypto1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
+          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
+          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-311"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
+              "V2Score": 4.3
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V3Score": 3.7
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
+            "https://seclists.org/bugtraq/2019/Sep/25",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://www.openssl.org/news/secadv/20190910.txt"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2019-09-12T11:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1547",
+          "PkgName": "libcrypto1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
+          "Title": "openssl: side-channel weak encryption vulnerability",
+          "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+          "Severity": "LOW",
+          "CweIDs": [
+            "CWE-311"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
+              "V2Score": 1.9
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
+              "V3Score": 5.5
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://arxiv.org/abs/1909.01785",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
+            "https://seclists.org/bugtraq/2019/Sep/25",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://www.openssl.org/news/secadv/20190910.txt"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2019-09-12T16:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1549",
+          "PkgName": "libssl1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
+          "Title": "openssl: information disclosure in fork()",
+          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-330"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V2Score": 5
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://support.f5.com/csp/article/K44070243",
+            "https://www.openssl.org/news/secadv/20190910.txt"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2019-09-19T17:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1551",
+          "PkgName": "libssl1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r2",
+          "Layer": {
+            "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-200"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V2Score": 5
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
+            "https://github.com/openssl/openssl/pull/10575",
+            "https://seclists.org/bugtraq/2019/Dec/39",
+            "https://seclists.org/bugtraq/2019/Dec/46",
+            "https://security.netapp.com/advisory/ntap-20191210-0001/",
+            "https://www.debian.org/security/2019/dsa-4594",
+            "https://www.openssl.org/news/secadv/20191206.txt",
+            "https://www.tenable.com/security/tns-2019-09"
+          ],
+          "PublishedDate": "2019-12-06T18:15:00Z",
+          "LastModifiedDate": "2019-12-25T11:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1563",
+          "PkgName": "libssl1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
+          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
+          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-311"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
+              "V2Score": 4.3
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V3Score": 3.7
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
+            "https://seclists.org/bugtraq/2019/Sep/25",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://www.openssl.org/news/secadv/20190910.txt"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2019-09-12T11:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1547",
+          "PkgName": "libssl1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
+          "Title": "openssl: side-channel weak encryption vulnerability",
+          "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+          "Severity": "LOW",
+          "CweIDs": [
+            "CWE-311"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
+              "V2Score": 1.9
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
+              "V3Score": 5.5
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://arxiv.org/abs/1909.01785",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
+            "https://seclists.org/bugtraq/2019/Sep/25",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://www.openssl.org/news/secadv/20190910.txt"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2019-09-12T16:15:00Z"
+        }
+      ]
+    }
+  ]
+}
--- a/integration/testdata/alpine-310.json.golden
+++ b/integration/testdata/alpine-310.json.golden
@@ -1,325 +1,375 @@
-[
-  {
-    "Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-    "Class": "os-pkgs",
-    "Type": "alpine",
-    "Vulnerabilities": [
-      {
-        "VulnerabilityID": "CVE-2019-1549",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/alpine-310.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "alpine",
+      "Name": "3.10.2",
+      "EOSL": true
+    },
+    "ImageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4",
+    "DiffIDs": [
+      "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "0a80155a31551fcc1a36fccbbda79fcd3f0b1c7d270653d00310e6e2217c57e6",
+      "created": "2019-08-20T20:19:55.211423266Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-08-20T20:19:55.062606894Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:fe64057fbb83dccb960efabbf1cd8777920ef279a7fa8dbca0a8801c651bdf7c in / "
        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
-        "Title": "openssl: information disclosure in fork()",
-        "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-330"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://support.f5.com/csp/article/K44070243",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-19T17:15:00Z"
+        {
+          "created": "2019-08-20T20:19:55.211423266Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+        ]
      },
-      {
-        "VulnerabilityID": "CVE-2019-1551",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r2",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-        "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-200"
+      "config": {
+        "Cmd": [
+          "/bin/sh"
        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-          "https://github.com/openssl/openssl/pull/10575",
-          "https://seclists.org/bugtraq/2019/Dec/39",
-          "https://seclists.org/bugtraq/2019/Dec/46",
-          "https://security.netapp.com/advisory/ntap-20191210-0001/",
-          "https://www.debian.org/security/2019/dsa-4594",
-          "https://www.openssl.org/news/secadv/20191206.txt",
-          "https://www.tenable.com/security/tns-2019-09"
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
        ],
-        "PublishedDate": "2019-12-06T18:15:00Z",
-        "LastModifiedDate": "2019-12-25T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1563",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-        "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 4.3
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-            "V3Score": 3.7
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1547",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-        "Title": "openssl: side-channel weak encryption vulnerability",
-        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "LOW",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 1.9
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-            "V3Score": 5.5
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://arxiv.org/abs/1909.01785",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T16:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1549",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
-        "Title": "openssl: information disclosure in fork()",
-        "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-330"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://support.f5.com/csp/article/K44070243",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-19T17:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1551",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r2",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-        "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-200"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-          "https://github.com/openssl/openssl/pull/10575",
-          "https://seclists.org/bugtraq/2019/Dec/39",
-          "https://seclists.org/bugtraq/2019/Dec/46",
-          "https://security.netapp.com/advisory/ntap-20191210-0001/",
-          "https://www.debian.org/security/2019/dsa-4594",
-          "https://www.openssl.org/news/secadv/20191206.txt",
-          "https://www.tenable.com/security/tns-2019-09"
-        ],
-        "PublishedDate": "2019-12-06T18:15:00Z",
-        "LastModifiedDate": "2019-12-25T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1563",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-        "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 4.3
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-            "V3Score": 3.7
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1547",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-        "Title": "openssl: side-channel weak encryption vulnerability",
-        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "LOW",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 1.9
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-            "V3Score": 5.5
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://arxiv.org/abs/1909.01785",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T16:15:00Z"
+        "Image": "sha256:06f4121dff4d0123ce11bd2e44f48da9ba9ddcd23ae376ea1f363f63ea0849b5",
+        "ArgsEscaped": true
      }
-    ]
-  }
-]
+    }
+  },
+  "Results": [
+    {
+      "Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
+      "Class": "os-pkgs",
+      "Type": "alpine",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2019-1549",
+          "PkgName": "libcrypto1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
+          "Title": "openssl: information disclosure in fork()",
+          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-330"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V2Score": 5
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://support.f5.com/csp/article/K44070243",
+            "https://www.openssl.org/news/secadv/20190910.txt"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2019-09-19T17:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1551",
+          "PkgName": "libcrypto1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r2",
+          "Layer": {
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-200"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V2Score": 5
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
+            "https://github.com/openssl/openssl/pull/10575",
+            "https://seclists.org/bugtraq/2019/Dec/39",
+            "https://seclists.org/bugtraq/2019/Dec/46",
+            "https://security.netapp.com/advisory/ntap-20191210-0001/",
+            "https://www.debian.org/security/2019/dsa-4594",
+            "https://www.openssl.org/news/secadv/20191206.txt",
+            "https://www.tenable.com/security/tns-2019-09"
+          ],
+          "PublishedDate": "2019-12-06T18:15:00Z",
+          "LastModifiedDate": "2019-12-25T11:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1563",
+          "PkgName": "libcrypto1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
+          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
+          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-311"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
+              "V2Score": 4.3
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V3Score": 3.7
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
+            "https://seclists.org/bugtraq/2019/Sep/25",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://www.openssl.org/news/secadv/20190910.txt"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2019-09-12T11:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1547",
+          "PkgName": "libcrypto1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
+          "Title": "openssl: side-channel weak encryption vulnerability",
+          "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+          "Severity": "LOW",
+          "CweIDs": [
+            "CWE-311"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
+              "V2Score": 1.9
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
+              "V3Score": 5.5
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://arxiv.org/abs/1909.01785",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
+            "https://seclists.org/bugtraq/2019/Sep/25",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://www.openssl.org/news/secadv/20190910.txt"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2019-09-12T16:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1549",
+          "PkgName": "libssl1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
+          "Title": "openssl: information disclosure in fork()",
+          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-330"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V2Score": 5
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://support.f5.com/csp/article/K44070243",
+            "https://www.openssl.org/news/secadv/20190910.txt"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2019-09-19T17:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1551",
+          "PkgName": "libssl1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r2",
+          "Layer": {
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-200"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V2Score": 5
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
+            "https://github.com/openssl/openssl/pull/10575",
+            "https://seclists.org/bugtraq/2019/Dec/39",
+            "https://seclists.org/bugtraq/2019/Dec/46",
+            "https://security.netapp.com/advisory/ntap-20191210-0001/",
+            "https://www.debian.org/security/2019/dsa-4594",
+            "https://www.openssl.org/news/secadv/20191206.txt",
+            "https://www.tenable.com/security/tns-2019-09"
+          ],
+          "PublishedDate": "2019-12-06T18:15:00Z",
+          "LastModifiedDate": "2019-12-25T11:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1563",
+          "PkgName": "libssl1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
+          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
+          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-311"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
+              "V2Score": 4.3
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V3Score": 3.7
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
+            "https://seclists.org/bugtraq/2019/Sep/25",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://www.openssl.org/news/secadv/20190910.txt"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2019-09-12T11:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1547",
+          "PkgName": "libssl1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
+          "Title": "openssl: side-channel weak encryption vulnerability",
+          "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+          "Severity": "LOW",
+          "CweIDs": [
+            "CWE-311"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
+              "V2Score": 1.9
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
+              "V3Score": 5.5
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://arxiv.org/abs/1909.01785",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
+            "https://seclists.org/bugtraq/2019/Sep/25",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://www.openssl.org/news/secadv/20190910.txt"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2019-09-12T16:15:00Z"
+        }
+      ]
+    }
+  ]
+}
--- a/integration/testdata/alpine-310.sarif.golden
+++ b/integration/testdata/alpine-310.sarif.golden
@@ -10,341 +10,257 @@
          "fullName": "Trivy Vulnerability Scanner",
          "version": "0.15.0",
          "rules": [
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1549",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1549 Package: libcrypto1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: information disclosure in fork()."
-              },
-              "defaultConfiguration": {
-                "level": "warning"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1549",
-              "help": {
-                "text": "Vulnerability CVE-2019-1549\nSeverity: MEDIUM\nPackage: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)",
-                "markdown": "**Vulnerability CVE-2019-1549**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "MEDIUM",
-                  "libcrypto1.1"
-                ],
-                "precision": "very-high"
-              }
-            },
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1551",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1551 Package: libcrypto1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64."
-              },
-              "defaultConfiguration": {
-                "level": "warning"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1551",
-              "help": {
-                "text": "Vulnerability CVE-2019-1551\nSeverity: MEDIUM\nPackage: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)",
-                "markdown": "**Vulnerability CVE-2019-1551**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1c-r0|1.1.1d-r2|[CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "MEDIUM",
-                  "libcrypto1.1"
-                ],
-                "precision": "very-high"
-              }
-            },
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1563",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1563 Package: libcrypto1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey."
-              },
-              "defaultConfiguration": {
-                "level": "warning"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1563",
-              "help": {
-                "text": "Vulnerability CVE-2019-1563\nSeverity: MEDIUM\nPackage: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)",
-                "markdown": "**Vulnerability CVE-2019-1563**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "MEDIUM",
-                  "libcrypto1.1"
-                ],
-                "precision": "very-high"
-              }
-            },
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1547",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1547 Package: libcrypto1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: side-channel weak encryption vulnerability."
-              },
-              "defaultConfiguration": {
-                "level": "note"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1547",
-              "help": {
-                "text": "Vulnerability CVE-2019-1547\nSeverity: LOW\nPackage: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)",
-                "markdown": "**Vulnerability CVE-2019-1547**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|LOW|libcrypto1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "LOW",
-                  "libcrypto1.1"
-                ],
-                "precision": "very-high"
-              }
-            },
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1549",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1549 Package: libssl1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: information disclosure in fork()."
-              },
-              "defaultConfiguration": {
-                "level": "warning"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1549",
-              "help": {
-                "text": "Vulnerability CVE-2019-1549\nSeverity: MEDIUM\nPackage: libssl1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)",
-                "markdown": "**Vulnerability CVE-2019-1549**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libssl1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "MEDIUM",
-                  "libssl1.1"
-                ],
-                "precision": "very-high"
-              }
-            },
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1551",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1551 Package: libssl1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64."
-              },
-              "defaultConfiguration": {
-                "level": "warning"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1551",
-              "help": {
-                "text": "Vulnerability CVE-2019-1551\nSeverity: MEDIUM\nPackage: libssl1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)",
-                "markdown": "**Vulnerability CVE-2019-1551**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libssl1.1|1.1.1c-r0|1.1.1d-r2|[CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "MEDIUM",
-                  "libssl1.1"
-                ],
-                "precision": "very-high"
-              }
-            },
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1563",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1563 Package: libssl1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey."
-              },
-              "defaultConfiguration": {
-                "level": "warning"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1563",
-              "help": {
-                "text": "Vulnerability CVE-2019-1563\nSeverity: MEDIUM\nPackage: libssl1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)",
-                "markdown": "**Vulnerability CVE-2019-1563**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libssl1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "MEDIUM",
-                  "libssl1.1"
-                ],
-                "precision": "very-high"
-              }
-            },
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1547",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1547 Package: libssl1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: side-channel weak encryption vulnerability."
-              },
-              "defaultConfiguration": {
-                "level": "note"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1547",
-              "help": {
-                "text": "Vulnerability CVE-2019-1547\nSeverity: LOW\nPackage: libssl1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)",
-                "markdown": "**Vulnerability CVE-2019-1547**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|LOW|libssl1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "LOW",
-                  "libssl1.1"
-                ],
-                "precision": "very-high"
-              }
-            }]
+                {
+                  "id": "CVE-2019-1549",
+                  "name": "OsPackageVulnerability",
+                  "shortDescription": {
+                    "text": "CVE-2019-1549"
+                  },
+                  "fullDescription": {
+                    "text": "openssl: information disclosure in fork()."
+                  },
+                  "defaultConfiguration": {
+                    "level": "warning"
+                  },
+                  "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1549",
+                  "help": {
+                    "text": "Vulnerability CVE-2019-1549\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).\nSeverity: MEDIUM\nPackage: libcrypto1.1\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)",                    
+                    "markdown": "**Vulnerability CVE-2019-1549**\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1d-r0|[CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)|\n"                    
+                  },
+                  "properties": {
+                    "tags": [
+                      "vulnerability",
+                      "MEDIUM"
+                    ],
+                    "precision": "very-high"
+                  }
+                },
+                {
+                  "id": "CVE-2019-1551",
+                  "name": "OsPackageVulnerability",
+                  "shortDescription": {
+                    "text": "CVE-2019-1551"
+                  },
+                  "fullDescription": {
+                    "text": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64."
+                  },
+                  "defaultConfiguration": {
+                    "level": "warning"
+                  },
+                  "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1551",
+                  "help": {
+                    "text": "Vulnerability CVE-2019-1551\nThere is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).\nSeverity: MEDIUM\nPackage: libcrypto1.1\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)",                    
+                    "markdown": "**Vulnerability CVE-2019-1551**\nThere is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1d-r2|[CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)|\n"                    
+                  },
+                  "properties": {
+                    "tags": [
+                      "vulnerability",
+                      "MEDIUM"
+                    ],
+                    "precision": "very-high"
+                  }
+                },
+                {
+                  "id": "CVE-2019-1563",
+                  "name": "OsPackageVulnerability",
+                  "shortDescription": {
+                    "text": "CVE-2019-1563"
+                  },
+                  "fullDescription": {
+                    "text": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey."
+                  },
+                  "defaultConfiguration": {
+                    "level": "warning"
+                  },
+                  "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1563",
+                  "help": {
+                    "text": "Vulnerability CVE-2019-1563\nIn situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\nSeverity: MEDIUM\nPackage: libcrypto1.1\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)",                    
+                    "markdown": "**Vulnerability CVE-2019-1563**\nIn situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1d-r0|[CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)|\n"                    
+                  },
+                  "properties": {
+                    "tags": [
+                      "vulnerability",
+                      "MEDIUM"
+                    ],
+                    "precision": "very-high"
+                  }
+                },
+                {
+                  "id": "CVE-2019-1547",
+                  "name": "OsPackageVulnerability",
+                  "shortDescription": {
+                    "text": "CVE-2019-1547"
+                  },
+                  "fullDescription": {
+                    "text": "openssl: side-channel weak encryption vulnerability."
+                  },
+                  "defaultConfiguration": {
+                    "level": "note"
+                  },
+                  "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1547",
+                  "help": {
+                    "text": "Vulnerability CVE-2019-1547\nNormally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\nSeverity: LOW\nPackage: libcrypto1.1\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)",                    
+                    "markdown": "**Vulnerability CVE-2019-1547**\nNormally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libcrypto1.1|1.1.1d-r0|[CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)|\n"                    
+                  },
+                  "properties": {
+                    "tags": [
+                      "vulnerability",
+                      "LOW"
+                    ],
+                    "precision": "very-high"
+                  }
+                }]
        }
      },
      "results": [
        {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1549",
+          "ruleId": "CVE-2019-1549",
          "ruleIndex": 0,
          "level": "warning",
          "message": {
-            "text": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)."
+            "text": "Package: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1549\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)"
          },
          "locations": [{
            "physicalLocation": {
              "artifactLocation": {
                "uri": "testdata/fixtures/images/alpine-310.tar.gz",
                "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
              }
            }
          }]
        },
        {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1551",
+          "ruleId": "CVE-2019-1551",
          "ruleIndex": 1,
          "level": "warning",
          "message": {
-            "text": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t)."
+            "text": "Package: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1551\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)"
          },
          "locations": [{
            "physicalLocation": {
              "artifactLocation": {
                "uri": "testdata/fixtures/images/alpine-310.tar.gz",
                "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
              }
            }
          }]
        },
        {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1563",
+          "ruleId": "CVE-2019-1563",
          "ruleIndex": 2,
          "level": "warning",
          "message": {
-            "text": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."
+            "text": "Package: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1563\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)"
          },
          "locations": [{
            "physicalLocation": {
              "artifactLocation": {
                "uri": "testdata/fixtures/images/alpine-310.tar.gz",
                "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
              }
            }
          }]
        },
        {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1547",
+          "ruleId": "CVE-2019-1547",
          "ruleIndex": 3,
          "level": "note",
          "message": {
-            "text": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."
+            "text": "Package: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1547\nSeverity: LOW\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)"
          },
          "locations": [{
            "physicalLocation": {
              "artifactLocation": {
                "uri": "testdata/fixtures/images/alpine-310.tar.gz",
                "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
              }
            }
          }]
        },
        {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1549",
-          "ruleIndex": 4,
+          "ruleId": "CVE-2019-1549",
+          "ruleIndex": 0,
          "level": "warning",
          "message": {
-            "text": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)."
+            "text": "Package: libssl1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1549\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)"
          },
          "locations": [{
            "physicalLocation": {
              "artifactLocation": {
                "uri": "testdata/fixtures/images/alpine-310.tar.gz",
                "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
              }
            }
          }]
        },
        {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1551",
-          "ruleIndex": 5,
+          "ruleId": "CVE-2019-1551",
+          "ruleIndex": 1,
          "level": "warning",
          "message": {
-            "text": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t)."
+            "text": "Package: libssl1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1551\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)"
          },
          "locations": [{
            "physicalLocation": {
              "artifactLocation": {
                "uri": "testdata/fixtures/images/alpine-310.tar.gz",
                "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
              }
            }
          }]
        },
        {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1563",
-          "ruleIndex": 6,
+          "ruleId": "CVE-2019-1563",
+          "ruleIndex": 2,
          "level": "warning",
          "message": {
-            "text": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."
+            "text": "Package: libssl1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1563\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)"
          },
          "locations": [{
            "physicalLocation": {
              "artifactLocation": {
                "uri": "testdata/fixtures/images/alpine-310.tar.gz",
                "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
              }
            }
          }]
        },
        {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1547",
-          "ruleIndex": 7,
+          "ruleId": "CVE-2019-1547",
+          "ruleIndex": 3,
          "level": "note",
          "message": {
-            "text": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."
+            "text": "Package: libssl1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1547\nSeverity: LOW\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)"
          },
          "locations": [{
            "physicalLocation": {
              "artifactLocation": {
                "uri": "testdata/fixtures/images/alpine-310.tar.gz",
                "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
              }
            }
          }]
@@ -352,7 +268,7 @@
      "columnKind": "utf16CodeUnits",
      "originalUriBaseIds": {
        "ROOTPATH": {
-          "uri": "/"
+          "uri": "file:///"
        }
      }
    }
--- a/integration/testdata/alpine-39.json.golden
+++ b/integration/testdata/alpine-39.json.golden
@@ -1,385 +1,435 @@
-[
-  {
-    "Target": "testdata/fixtures/images/alpine-39.tar.gz (alpine 3.9.4)",
-    "Class": "os-pkgs",
-    "Type": "alpine",
-    "Vulnerabilities": [
-      {
-        "VulnerabilityID": "CVE-2019-1549",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1b-r1",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/alpine-39.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "alpine",
+      "Name": "3.9.4",
+      "EOSL": true
+    },
+    "ImageID": "sha256:055936d3920576da37aa9bc460d70c5f212028bda1c08c0879aedf03d7a66ea1",
+    "DiffIDs": [
+      "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "c10d36fa368a7ea673683682666758adf35efe98e10989505f4f566b5b18538f",
+      "created": "2019-05-11T00:07:03.510395965Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-05-11T00:07:03.358250803Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:a86aea1f3a7d68f6ae03397b99ea77f2e9ee901c5c59e59f76f93adbb4035913 in / "
        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
-        "Title": "openssl: information disclosure in fork()",
-        "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-330"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://support.f5.com/csp/article/K44070243",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-19T17:15:00Z"
+        {
+          "created": "2019-05-11T00:07:03.510395965Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+        ]
      },
-      {
-        "VulnerabilityID": "CVE-2019-1551",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1b-r1",
-        "FixedVersion": "1.1.1d-r2",
-        "Layer": {
-          "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-        "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-200"
+      "config": {
+        "Cmd": [
+          "/bin/sh"
        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-          "https://github.com/openssl/openssl/pull/10575",
-          "https://seclists.org/bugtraq/2019/Dec/39",
-          "https://seclists.org/bugtraq/2019/Dec/46",
-          "https://security.netapp.com/advisory/ntap-20191210-0001/",
-          "https://www.debian.org/security/2019/dsa-4594",
-          "https://www.openssl.org/news/secadv/20191206.txt",
-          "https://www.tenable.com/security/tns-2019-09"
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
        ],
-        "PublishedDate": "2019-12-06T18:15:00Z",
-        "LastModifiedDate": "2019-12-25T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1563",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1b-r1",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-        "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 4.3
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-            "V3Score": 3.7
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1547",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1b-r1",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-        "Title": "openssl: side-channel weak encryption vulnerability",
-        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "LOW",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 1.9
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-            "V3Score": 5.5
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://arxiv.org/abs/1909.01785",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T16:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1549",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1b-r1",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
-        "Title": "openssl: information disclosure in fork()",
-        "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-330"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://support.f5.com/csp/article/K44070243",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-19T17:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1551",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1b-r1",
-        "FixedVersion": "1.1.1d-r2",
-        "Layer": {
-          "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-        "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-200"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-          "https://github.com/openssl/openssl/pull/10575",
-          "https://seclists.org/bugtraq/2019/Dec/39",
-          "https://seclists.org/bugtraq/2019/Dec/46",
-          "https://security.netapp.com/advisory/ntap-20191210-0001/",
-          "https://www.debian.org/security/2019/dsa-4594",
-          "https://www.openssl.org/news/secadv/20191206.txt",
-          "https://www.tenable.com/security/tns-2019-09"
-        ],
-        "PublishedDate": "2019-12-06T18:15:00Z",
-        "LastModifiedDate": "2019-12-25T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1563",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1b-r1",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-        "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 4.3
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-            "V3Score": 3.7
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1547",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1b-r1",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-        "Title": "openssl: side-channel weak encryption vulnerability",
-        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "LOW",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 1.9
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-            "V3Score": 5.5
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://arxiv.org/abs/1909.01785",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T16:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-14697",
-        "PkgName": "musl",
-        "InstalledVersion": "1.1.20-r4",
-        "FixedVersion": "1.1.20-r5",
-        "Layer": {
-          "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14697",
-        "Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
-        "Severity": "CRITICAL",
-        "CweIDs": [
-          "CWE-787"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
-            "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
-            "V2Score": 7.5,
-            "V3Score": 9.8
-          }
-        },
-        "References": [
-          "http://www.openwall.com/lists/oss-security/2019/08/06/4",
-          "https://www.openwall.com/lists/musl/2019/08/06/1"
-        ],
-        "PublishedDate": "2019-08-06T16:15:00Z",
-        "LastModifiedDate": "2019-08-14T17:28:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-14697",
-        "PkgName": "musl-utils",
-        "InstalledVersion": "1.1.20-r4",
-        "FixedVersion": "1.1.20-r5",
-        "Layer": {
-          "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14697",
-        "Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
-        "Severity": "CRITICAL",
-        "CweIDs": [
-          "CWE-787"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
-            "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
-            "V2Score": 7.5,
-            "V3Score": 9.8
-          }
-        },
-        "References": [
-          "http://www.openwall.com/lists/oss-security/2019/08/06/4",
-          "https://www.openwall.com/lists/musl/2019/08/06/1"
-        ],
-        "PublishedDate": "2019-08-06T16:15:00Z",
-        "LastModifiedDate": "2019-08-14T17:28:00Z"
+        "Image": "sha256:09f2bbe58e774849d74dc1391c2e01731896c745c4aba1ecf69a283bdb4b537a",
+        "ArgsEscaped": true
      }
-    ]
-  }
-]
+    }
+  },
+  "Results": [
+    {
+      "Target": "testdata/fixtures/images/alpine-39.tar.gz (alpine 3.9.4)",
+      "Class": "os-pkgs",
+      "Type": "alpine",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2019-1549",
+          "PkgName": "libcrypto1.1",
+          "InstalledVersion": "1.1.1b-r1",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
+          "Title": "openssl: information disclosure in fork()",
+          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-330"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V2Score": 5
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://support.f5.com/csp/article/K44070243",
+            "https://www.openssl.org/news/secadv/20190910.txt"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2019-09-19T17:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1551",
+          "PkgName": "libcrypto1.1",
+          "InstalledVersion": "1.1.1b-r1",
+          "FixedVersion": "1.1.1d-r2",
+          "Layer": {
+            "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-200"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V2Score": 5
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
+            "https://github.com/openssl/openssl/pull/10575",
+            "https://seclists.org/bugtraq/2019/Dec/39",
+            "https://seclists.org/bugtraq/2019/Dec/46",
+            "https://security.netapp.com/advisory/ntap-20191210-0001/",
+            "https://www.debian.org/security/2019/dsa-4594",
+            "https://www.openssl.org/news/secadv/20191206.txt",
+            "https://www.tenable.com/security/tns-2019-09"
+          ],
+          "PublishedDate": "2019-12-06T18:15:00Z",
+          "LastModifiedDate": "2019-12-25T11:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1563",
+          "PkgName": "libcrypto1.1",
+          "InstalledVersion": "1.1.1b-r1",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
+          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
+          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-311"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
+              "V2Score": 4.3
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V3Score": 3.7
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
+            "https://seclists.org/bugtraq/2019/Sep/25",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://www.openssl.org/news/secadv/20190910.txt"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2019-09-12T11:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1547",
+          "PkgName": "libcrypto1.1",
+          "InstalledVersion": "1.1.1b-r1",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
+          "Title": "openssl: side-channel weak encryption vulnerability",
+          "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+          "Severity": "LOW",
+          "CweIDs": [
+            "CWE-311"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
+              "V2Score": 1.9
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
+              "V3Score": 5.5
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://arxiv.org/abs/1909.01785",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
+            "https://seclists.org/bugtraq/2019/Sep/25",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://www.openssl.org/news/secadv/20190910.txt"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2019-09-12T16:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1549",
+          "PkgName": "libssl1.1",
+          "InstalledVersion": "1.1.1b-r1",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
+          "Title": "openssl: information disclosure in fork()",
+          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-330"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V2Score": 5
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://support.f5.com/csp/article/K44070243",
+            "https://www.openssl.org/news/secadv/20190910.txt"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2019-09-19T17:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1551",
+          "PkgName": "libssl1.1",
+          "InstalledVersion": "1.1.1b-r1",
+          "FixedVersion": "1.1.1d-r2",
+          "Layer": {
+            "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-200"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V2Score": 5
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
+            "https://github.com/openssl/openssl/pull/10575",
+            "https://seclists.org/bugtraq/2019/Dec/39",
+            "https://seclists.org/bugtraq/2019/Dec/46",
+            "https://security.netapp.com/advisory/ntap-20191210-0001/",
+            "https://www.debian.org/security/2019/dsa-4594",
+            "https://www.openssl.org/news/secadv/20191206.txt",
+            "https://www.tenable.com/security/tns-2019-09"
+          ],
+          "PublishedDate": "2019-12-06T18:15:00Z",
+          "LastModifiedDate": "2019-12-25T11:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1563",
+          "PkgName": "libssl1.1",
+          "InstalledVersion": "1.1.1b-r1",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
+          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
+          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-311"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
+              "V2Score": 4.3
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V3Score": 3.7
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
+            "https://seclists.org/bugtraq/2019/Sep/25",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://www.openssl.org/news/secadv/20190910.txt"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2019-09-12T11:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1547",
+          "PkgName": "libssl1.1",
+          "InstalledVersion": "1.1.1b-r1",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
+          "Title": "openssl: side-channel weak encryption vulnerability",
+          "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+          "Severity": "LOW",
+          "CweIDs": [
+            "CWE-311"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
+              "V2Score": 1.9
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
+              "V3Score": 5.5
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://arxiv.org/abs/1909.01785",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
+            "https://seclists.org/bugtraq/2019/Sep/25",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://www.openssl.org/news/secadv/20190910.txt"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2019-09-12T16:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-14697",
+          "PkgName": "musl",
+          "InstalledVersion": "1.1.20-r4",
+          "FixedVersion": "1.1.20-r5",
+          "Layer": {
+            "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14697",
+          "Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
+          "Severity": "CRITICAL",
+          "CweIDs": [
+            "CWE-787"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
+              "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+              "V2Score": 7.5,
+              "V3Score": 9.8
+            }
+          },
+          "References": [
+            "http://www.openwall.com/lists/oss-security/2019/08/06/4",
+            "https://www.openwall.com/lists/musl/2019/08/06/1"
+          ],
+          "PublishedDate": "2019-08-06T16:15:00Z",
+          "LastModifiedDate": "2019-08-14T17:28:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-14697",
+          "PkgName": "musl-utils",
+          "InstalledVersion": "1.1.20-r4",
+          "FixedVersion": "1.1.20-r5",
+          "Layer": {
+            "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14697",
+          "Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
+          "Severity": "CRITICAL",
+          "CweIDs": [
+            "CWE-787"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
+              "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+              "V2Score": 7.5,
+              "V3Score": 9.8
+            }
+          },
+          "References": [
+            "http://www.openwall.com/lists/oss-security/2019/08/06/4",
+            "https://www.openwall.com/lists/musl/2019/08/06/1"
+          ],
+          "PublishedDate": "2019-08-06T16:15:00Z",
+          "LastModifiedDate": "2019-08-14T17:28:00Z"
+        }
+      ]
+    }
+  ]
+}
--- a/integration/testdata/amazon-1.json.golden
+++ b/integration/testdata/amazon-1.json.golden
--- a/integration/testdata/amazon-2.json.golden
+++ b/integration/testdata/amazon-2.json.golden
--- a/integration/testdata/busybox-with-lockfile.json.golden
+++ b/integration/testdata/busybox-with-lockfile.json.golden
@@ -1,136 +1,186 @@
-[
-  {
-    "Target": "Cargo.lock",
-    "Class": "lang-pkgs",
-    "Type": "cargo",
-    "Vulnerabilities": [
-      {
-        "VulnerabilityID": "RUSTSEC-2019-0001",
-        "PkgName": "ammonia",
-        "InstalledVersion": "1.9.0",
-        "FixedVersion": "\u003e= 2.1.0",
-        "Layer": {
-          "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "ImageID": "sha256:17c82adee8b5ffec7d6e30dba333bb37986add86afeb4a07754407bb049faedb",
+    "DiffIDs": [
+      "sha256:a6d503001157aedc826853f9b67f26d35966221b158bff03849868ae4a821116",
+      "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "created": "2020-04-26T16:23:28.996276377Z",
+      "docker_version": "19.03.8",
+      "history": [
+        {
+          "created": "2020-03-10T00:19:32.83969331Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:450bea8cddb743ed282cb1ade3d1614033172b93ef531c69a4e49fda3016cef0 in / "
        },
-        "PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0001",
-        "Title": "Uncontrolled recursion leads to abort in HTML serialization",
-        "Description": "Affected versions of this crate did use recursion for serialization of HTML\nDOM trees.\n\nThis allows an attacker to cause abort due to stack overflow by providing\na pathologically nested input.\n\nThe flaw was corrected by serializing the DOM tree iteratively instead.",
-        "Severity": "UNKNOWN",
-        "References": [
-          "https://github.com/rust-ammonia/ammonia/blob/master/CHANGELOG.md#210"
+        {
+          "created": "2020-03-10T00:19:33.019716493Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"sh\"]",
+          "empty_layer": true
+        },
+        {
+          "created": "2020-04-26T16:23:28.996276377Z",
+          "created_by": "/bin/sh -c #(nop) ADD 343df0159abcc51b06b4e56bfd4c06d2003b88947ed93b0cec6214ae5985669e in . "
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:a6d503001157aedc826853f9b67f26d35966221b158bff03849868ae4a821116",
+          "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
        ]
      },
-      {
-        "VulnerabilityID": "RUSTSEC-2016-0001",
-        "PkgName": "openssl",
-        "InstalledVersion": "0.8.3",
-        "FixedVersion": "\u003e= 0.9.0",
-        "Layer": {
-          "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
-        },
-        "PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2016-0001",
-        "Title": "SSL/TLS MitM vulnerability due to insecure defaults",
-        "Description": "All versions of rust-openssl prior to 0.9.0 contained numerous insecure defaults\nincluding off-by-default certificate verification and no API to perform hostname\nverification.\n\nUnless configured correctly by a developer, these defaults could allow an attacker\nto perform man-in-the-middle attacks.\n\nThe problem was addressed in newer versions by enabling certificate verification\nby default and exposing APIs to perform hostname verification. Use the\n`SslConnector` and `SslAcceptor` types to take advantage of these new features\n(as opposed to the lower-level `SslContext` type).",
-        "Severity": "UNKNOWN",
-        "References": [
-          "https://github.com/sfackler/rust-openssl/releases/tag/v0.9.0"
-        ]
-      },
-      {
-        "VulnerabilityID": "RUSTSEC-2019-0035",
-        "PkgName": "rand_core",
-        "InstalledVersion": "0.3.1",
-        "FixedVersion": "\u003e= 0.4.2",
-        "Layer": {
-          "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
-        },
-        "PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0035",
-        "Title": "Unaligned memory access",
-        "Description": "Affected versions of this crate violated alignment when casting byte slices to\ninteger slices, resulting in undefined behavior.\n\nThe flaw was corrected by Ralf Jung and Diggory Hardy.",
-        "Severity": "UNKNOWN",
-        "References": [
-          "https://github.com/rust-random/rand/blob/master/rand_core/CHANGELOG.md#050---2019-06-06"
-        ]
-      },
-      {
-        "VulnerabilityID": "RUSTSEC-2019-0035",
-        "PkgName": "rand_core",
-        "InstalledVersion": "0.4.0",
-        "FixedVersion": "\u003e= 0.4.2",
-        "Layer": {
-          "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
-        },
-        "PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0035",
-        "Title": "Unaligned memory access",
-        "Description": "Affected versions of this crate violated alignment when casting byte slices to\ninteger slices, resulting in undefined behavior.\n\nThe flaw was corrected by Ralf Jung and Diggory Hardy.",
-        "Severity": "UNKNOWN",
-        "References": [
-          "https://github.com/rust-random/rand/blob/master/rand_core/CHANGELOG.md#050---2019-06-06"
-        ]
-      },
-      {
-        "VulnerabilityID": "RUSTSEC-2018-0018",
-        "PkgName": "smallvec",
-        "InstalledVersion": "0.6.9",
-        "FixedVersion": "\u003e= 0.6.13",
-        "Layer": {
-          "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
-        },
-        "PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2018-0018",
-        "Title": "smallvec creates uninitialized value of any type",
-        "Description": "Affected versions of this crate called `mem::uninitialized()` to create values of a user-supplied type `T`.\nThis is unsound e.g. if `T` is a reference type (which must be non-null and thus may not remain uninitialized).\n \nThe flaw was corrected by avoiding the use of `mem::uninitialized()`, using `MaybeUninit` instead.",
-        "Severity": "UNKNOWN",
-        "References": [
-          "https://github.com/servo/rust-smallvec/issues/126"
-        ]
-      },
-      {
-        "VulnerabilityID": "RUSTSEC-2019-0009",
-        "PkgName": "smallvec",
-        "InstalledVersion": "0.6.9",
-        "FixedVersion": "\u003e= 0.6.10",
-        "Layer": {
-          "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
-        },
-        "PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0009",
-        "Title": "Double-free and use-after-free in SmallVec::grow()",
-        "Description": "Attempting to call `grow` on a spilled SmallVec with a value equal to the current capacity causes it to free the existing data. This performs a double free immediately and may lead to use-after-free on subsequent accesses to the SmallVec contents.\n\nAn attacker that controls the value passed to `grow` may exploit this flaw to obtain memory contents or gain remote code execution.\n\nCredits to @ehuss for discovering, reporting and fixing the bug.",
-        "Severity": "UNKNOWN",
-        "References": [
-          "https://github.com/servo/rust-smallvec/issues/148"
-        ]
-      },
-      {
-        "VulnerabilityID": "RUSTSEC-2019-0012",
-        "PkgName": "smallvec",
-        "InstalledVersion": "0.6.9",
-        "FixedVersion": "\u003e= 0.6.10",
-        "Layer": {
-          "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
-        },
-        "PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0012",
-        "Title": "Memory corruption in SmallVec::grow()",
-        "Description": "Attempting to call `grow` on a spilled SmallVec with a value less than the current capacity causes corruption of memory allocator data structures.\n\nAn attacker that controls the value passed to `grow` may exploit this flaw to obtain memory contents or gain remote code execution.\n\nCredits to @ehuss for discovering, reporting and fixing the bug.",
-        "Severity": "UNKNOWN",
-        "References": [
-          "https://github.com/servo/rust-smallvec/issues/149"
-        ]
-      },
-      {
-        "VulnerabilityID": "RUSTSEC-2018-0017",
-        "PkgName": "tempdir",
-        "InstalledVersion": "0.3.7",
-        "Layer": {
-          "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
-        },
-        "PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2018-0017",
-        "Title": "`tempdir` crate has been deprecated; use `tempfile` instead",
-        "Description": "The [`tempdir`](https://crates.io/crates/tempdir) crate has been deprecated\nand the functionality is merged into [`tempfile`](https://crates.io/crates/tempfile).",
-        "Severity": "UNKNOWN",
-        "References": [
-          "https://github.com/rust-lang-deprecated/tempdir/pull/46"
-        ]
+      "config": {
+        "Cmd": [
+          "sh"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:83aa35aa1c79e4b6957e018da6e322bfca92bf3b4696a211b42502543c242d6f",
+        "ArgsEscaped": true
      }
-    ]
-  }
-]
+    }
+  },
+  "Results": [
+    {
+      "Target": "Cargo.lock",
+      "Class": "lang-pkgs",
+      "Type": "cargo",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "RUSTSEC-2019-0001",
+          "PkgName": "ammonia",
+          "InstalledVersion": "1.9.0",
+          "FixedVersion": "\u003e= 2.1.0",
+          "Layer": {
+            "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
+          },
+          "PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0001",
+          "Title": "Uncontrolled recursion leads to abort in HTML serialization",
+          "Description": "Affected versions of this crate did use recursion for serialization of HTML\nDOM trees.\n\nThis allows an attacker to cause abort due to stack overflow by providing\na pathologically nested input.\n\nThe flaw was corrected by serializing the DOM tree iteratively instead.",
+          "Severity": "UNKNOWN",
+          "References": [
+            "https://github.com/rust-ammonia/ammonia/blob/master/CHANGELOG.md#210"
+          ]
+        },
+        {
+          "VulnerabilityID": "RUSTSEC-2016-0001",
+          "PkgName": "openssl",
+          "InstalledVersion": "0.8.3",
+          "FixedVersion": "\u003e= 0.9.0",
+          "Layer": {
+            "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
+          },
+          "PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2016-0001",
+          "Title": "SSL/TLS MitM vulnerability due to insecure defaults",
+          "Description": "All versions of rust-openssl prior to 0.9.0 contained numerous insecure defaults\nincluding off-by-default certificate verification and no API to perform hostname\nverification.\n\nUnless configured correctly by a developer, these defaults could allow an attacker\nto perform man-in-the-middle attacks.\n\nThe problem was addressed in newer versions by enabling certificate verification\nby default and exposing APIs to perform hostname verification. Use the\n`SslConnector` and `SslAcceptor` types to take advantage of these new features\n(as opposed to the lower-level `SslContext` type).",
+          "Severity": "UNKNOWN",
+          "References": [
+            "https://github.com/sfackler/rust-openssl/releases/tag/v0.9.0"
+          ]
+        },
+        {
+          "VulnerabilityID": "RUSTSEC-2019-0035",
+          "PkgName": "rand_core",
+          "InstalledVersion": "0.3.1",
+          "FixedVersion": "\u003e= 0.4.2",
+          "Layer": {
+            "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
+          },
+          "PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0035",
+          "Title": "Unaligned memory access",
+          "Description": "Affected versions of this crate violated alignment when casting byte slices to\ninteger slices, resulting in undefined behavior.\n\nThe flaw was corrected by Ralf Jung and Diggory Hardy.",
+          "Severity": "UNKNOWN",
+          "References": [
+            "https://github.com/rust-random/rand/blob/master/rand_core/CHANGELOG.md#050---2019-06-06"
+          ]
+        },
+        {
+          "VulnerabilityID": "RUSTSEC-2019-0035",
+          "PkgName": "rand_core",
+          "InstalledVersion": "0.4.0",
+          "FixedVersion": "\u003e= 0.4.2",
+          "Layer": {
+            "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
+          },
+          "PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0035",
+          "Title": "Unaligned memory access",
+          "Description": "Affected versions of this crate violated alignment when casting byte slices to\ninteger slices, resulting in undefined behavior.\n\nThe flaw was corrected by Ralf Jung and Diggory Hardy.",
+          "Severity": "UNKNOWN",
+          "References": [
+            "https://github.com/rust-random/rand/blob/master/rand_core/CHANGELOG.md#050---2019-06-06"
+          ]
+        },
+        {
+          "VulnerabilityID": "RUSTSEC-2018-0018",
+          "PkgName": "smallvec",
+          "InstalledVersion": "0.6.9",
+          "FixedVersion": "\u003e= 0.6.13",
+          "Layer": {
+            "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
+          },
+          "PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2018-0018",
+          "Title": "smallvec creates uninitialized value of any type",
+          "Description": "Affected versions of this crate called `mem::uninitialized()` to create values of a user-supplied type `T`.\nThis is unsound e.g. if `T` is a reference type (which must be non-null and thus may not remain uninitialized).\n \nThe flaw was corrected by avoiding the use of `mem::uninitialized()`, using `MaybeUninit` instead.",
+          "Severity": "UNKNOWN",
+          "References": [
+            "https://github.com/servo/rust-smallvec/issues/126"
+          ]
+        },
+        {
+          "VulnerabilityID": "RUSTSEC-2019-0009",
+          "PkgName": "smallvec",
+          "InstalledVersion": "0.6.9",
+          "FixedVersion": "\u003e= 0.6.10",
+          "Layer": {
+            "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
+          },
+          "PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0009",
+          "Title": "Double-free and use-after-free in SmallVec::grow()",
+          "Description": "Attempting to call `grow` on a spilled SmallVec with a value equal to the current capacity causes it to free the existing data. This performs a double free immediately and may lead to use-after-free on subsequent accesses to the SmallVec contents.\n\nAn attacker that controls the value passed to `grow` may exploit this flaw to obtain memory contents or gain remote code execution.\n\nCredits to @ehuss for discovering, reporting and fixing the bug.",
+          "Severity": "UNKNOWN",
+          "References": [
+            "https://github.com/servo/rust-smallvec/issues/148"
+          ]
+        },
+        {
+          "VulnerabilityID": "RUSTSEC-2019-0012",
+          "PkgName": "smallvec",
+          "InstalledVersion": "0.6.9",
+          "FixedVersion": "\u003e= 0.6.10",
+          "Layer": {
+            "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
+          },
+          "PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0012",
+          "Title": "Memory corruption in SmallVec::grow()",
+          "Description": "Attempting to call `grow` on a spilled SmallVec with a value less than the current capacity causes corruption of memory allocator data structures.\n\nAn attacker that controls the value passed to `grow` may exploit this flaw to obtain memory contents or gain remote code execution.\n\nCredits to @ehuss for discovering, reporting and fixing the bug.",
+          "Severity": "UNKNOWN",
+          "References": [
+            "https://github.com/servo/rust-smallvec/issues/149"
+          ]
+        },
+        {
+          "VulnerabilityID": "RUSTSEC-2018-0017",
+          "PkgName": "tempdir",
+          "InstalledVersion": "0.3.7",
+          "Layer": {
+            "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
+          },
+          "PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2018-0017",
+          "Title": "`tempdir` crate has been deprecated; use `tempfile` instead",
+          "Description": "The [`tempdir`](https://crates.io/crates/tempdir) crate has been deprecated\nand the functionality is merged into [`tempfile`](https://crates.io/crates/tempfile).",
+          "Severity": "UNKNOWN",
+          "References": [
+            "https://github.com/rust-lang-deprecated/tempdir/pull/46"
+          ]
+        }
+      ]
+    }
+  ]
+}
--- a/integration/testdata/centos-6.json.golden
+++ b/integration/testdata/centos-6.json.golden
--- a/integration/testdata/centos-7-ignore-unfixed.json.golden
+++ b/integration/testdata/centos-7-ignore-unfixed.json.golden
--- a/integration/testdata/centos-7-low-high.json.golden
+++ b/integration/testdata/centos-7-low-high.json.golden
--- a/integration/testdata/centos-7.json.golden
+++ b/integration/testdata/centos-7.json.golden
--- a/integration/testdata/debian-buster-ignore-unfixed.json.golden
+++ b/integration/testdata/debian-buster-ignore-unfixed.json.golden
--- a/integration/testdata/debian-buster.json.golden
+++ b/integration/testdata/debian-buster.json.golden
--- a/integration/testdata/debian-stretch.json.golden
+++ b/integration/testdata/debian-stretch.json.golden
--- a/integration/testdata/distroless-base-ignore-unfixed.json.golden
+++ b/integration/testdata/distroless-base-ignore-unfixed.json.golden
@@ -1,87 +1,134 @@
-[
-  {
-    "Target": "testdata/fixtures/images/distroless-base.tar.gz (debian 9.9)",
-    "Class": "os-pkgs",
-    "Type": "debian",
-    "Vulnerabilities": [
-      {
-        "VulnerabilityID": "CVE-2019-1563",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.0k-1~deb9u1",
-        "FixedVersion": "1.1.0l-1~deb9u1",
-        "Layer": {
-          "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5"
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/distroless-base.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "debian",
+      "Name": "9.9"
+    },
+    "ImageID": "sha256:7f04a8d247173b1f2546d22913af637bbab4e7411e00ae6207da8d94c445750d",
+    "DiffIDs": [
+      "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+      "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "author": "Bazel",
+      "created": "1970-01-01T00:00:00Z",
+      "history": [
+        {
+          "author": "Bazel",
+          "created": "1970-01-01T00:00:00Z",
+          "created_by": "bazel build ..."
        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-        "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 4.3
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-            "V3Score": 3.7
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T11:15:00Z"
+        {
+          "author": "Bazel",
+          "created": "1970-01-01T00:00:00Z",
+          "created_by": "bazel build ..."
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+          "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5"
+        ]
      },
-      {
-        "VulnerabilityID": "CVE-2019-1563",
-        "PkgName": "openssl",
-        "InstalledVersion": "1.1.0k-1~deb9u1",
-        "FixedVersion": "1.1.0l-1~deb9u1",
-        "Layer": {
-          "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-        "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 4.3
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-            "V3Score": 3.7
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T11:15:00Z"
+      "config": {
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+          "SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt"
+        ]
      }
-    ]
-  }
-]
+    }
+  },
+  "Results": [
+    {
+      "Target": "testdata/fixtures/images/distroless-base.tar.gz (debian 9.9)",
+      "Class": "os-pkgs",
+      "Type": "debian",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2019-1563",
+          "PkgName": "libssl1.1",
+          "InstalledVersion": "1.1.0k-1~deb9u1",
+          "FixedVersion": "1.1.0l-1~deb9u1",
+          "Layer": {
+            "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
+          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
+          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-311"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
+              "V2Score": 4.3
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V3Score": 3.7
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
+            "https://seclists.org/bugtraq/2019/Sep/25",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://www.openssl.org/news/secadv/20190910.txt"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2019-09-12T11:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1563",
+          "PkgName": "openssl",
+          "InstalledVersion": "1.1.0k-1~deb9u1",
+          "FixedVersion": "1.1.0l-1~deb9u1",
+          "Layer": {
+            "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
+          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
+          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-311"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
+              "V2Score": 4.3
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V3Score": 3.7
+            }
+          },
+          "References": [
+            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
+            "https://seclists.org/bugtraq/2019/Sep/25",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://www.openssl.org/news/secadv/20190910.txt"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2019-09-12T11:15:00Z"
+        }
+      ]
+    }
+  ]
+}
--- a/integration/testdata/distroless-base.json.golden
+++ b/integration/testdata/distroless-base.json.golden
--- a/integration/testdata/distroless-python27.json.golden
+++ b/integration/testdata/distroless-python27.json.golden
--- a/integration/testdata/dockerfile-custom-policies.json.golden
+++ b/integration/testdata/dockerfile-custom-policies.json.golden
@@ -1,40 +1,51 @@
-[
-  {
-    "Target": "Dockerfile",
-    "Class": "config",
-    "Type": "dockerfile",
-    "MisconfSummary": {
-      "Successes": 0,
-      "Failures": 2,
-      "Exceptions": 0
-    },
-    "Misconfigurations": [
-      {
-        "Type": "N/A",
-        "ID": "N/A",
-        "Title": "N/A",
-        "Message": "something bad: bar",
-        "Namespace": "user.bar",
-        "Query": "data.user.bar.deny",
-        "Severity": "UNKNOWN",
-        "Status": "FAIL",
-        "Layer": {
-          "DiffID": "sha256:8dc85f0b450296556c427e94db1d76a25fdce31334a4fcedac370f1aa59c86dc"
-        }
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/fs/custom-policy",
+  "ArtifactType": "filesystem",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
      },
-      {
-        "Type": "N/A",
-        "ID": "N/A",
-        "Title": "N/A",
-        "Message": "something bad: foo",
-        "Namespace": "user.foo",
-        "Query": "data.user.foo.deny",
-        "Severity": "UNKNOWN",
-        "Status": "FAIL",
-        "Layer": {
-          "DiffID": "sha256:8dc85f0b450296556c427e94db1d76a25fdce31334a4fcedac370f1aa59c86dc"
+      "config": {}
+    }
+  },
+  "Results": [
+    {
+      "Target": "Dockerfile",
+      "Class": "config",
+      "Type": "dockerfile",
+      "MisconfSummary": {
+        "Successes": 0,
+        "Failures": 2,
+        "Exceptions": 0
+      },
+      "Misconfigurations": [
+        {
+          "Type": "N/A",
+          "ID": "N/A",
+          "Title": "N/A",
+          "Message": "something bad: bar",
+          "Namespace": "user.bar",
+          "Query": "data.user.bar.deny",
+          "Severity": "UNKNOWN",
+          "Status": "FAIL"
+        },
+        {
+          "Type": "N/A",
+          "ID": "N/A",
+          "Title": "N/A",
+          "Message": "something bad: foo",
+          "Namespace": "user.foo",
+          "Query": "data.user.foo.deny",
+          "Severity": "UNKNOWN",
+          "Status": "FAIL"
        }
-      }
-    ]
-  }
-]
+      ]
+    }
+  ]
+}
--- a/integration/testdata/dockerfile-namespace-exception.json.golden
+++ b/integration/testdata/dockerfile-namespace-exception.json.golden
@@ -1,12 +1,29 @@
-[
-  {
-    "Target": "Dockerfile",
-    "Class": "config",
-    "Type": "dockerfile",
-    "MisconfSummary": {
-      "Successes": 0,
-      "Failures": 0,
-      "Exceptions": 1
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/fs/namespace-exception",
+  "ArtifactType": "filesystem",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
    }
-  }
-]
+  },
+  "Results": [
+    {
+      "Target": "Dockerfile",
+      "Class": "config",
+      "Type": "dockerfile",
+      "MisconfSummary": {
+        "Successes": 0,
+        "Failures": 0,
+        "Exceptions": 1
+      }
+    }
+  ]
+}
--- a/integration/testdata/dockerfile-rule-exception.json.golden
+++ b/integration/testdata/dockerfile-rule-exception.json.golden
@@ -1,12 +1,29 @@
-[
-  {
-    "Target": "Dockerfile",
-    "Class": "config",
-    "Type": "dockerfile",
-    "MisconfSummary": {
-      "Successes": 0,
-      "Failures": 0,
-      "Exceptions": 1
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/fs/rule-exception",
+  "ArtifactType": "filesystem",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
    }
-  }
-]
+  },
+  "Results": [
+    {
+      "Target": "Dockerfile",
+      "Class": "config",
+      "Type": "dockerfile",
+      "MisconfSummary": {
+        "Successes": 0,
+        "Failures": 0,
+        "Exceptions": 1
+      }
+    }
+  ]
+}
--- a/integration/testdata/dockerfile.json.golden
+++ b/integration/testdata/dockerfile.json.golden
@@ -1,34 +1,48 @@
-[
-  {
-    "Target": "Dockerfile",
-    "Class": "config",
-    "Type": "dockerfile",
-    "MisconfSummary": {
-      "Successes": 0,
-      "Failures": 1,
-      "Exceptions": 0
-    },
-    "Misconfigurations": [
-      {
-        "Type": "Dockerfile Security Check",
-        "ID": "DS002",
-        "Title": "Image user should not be 'root'",
-        "Description": "It is a good practice to run the container as a non-root user.",
-        "Message": "Specify at least 1 USER command in Dockerfile",
-        "Namespace": "appshield.dockerfile.DS002",
-        "Query": "data.appshield.dockerfile.DS002.deny",
-        "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile",
-        "Severity": "HIGH",
-        "PrimaryURL": "https://avd.aquasec.com/appshield/ds002",
-        "References": [
-          "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
-          "https://avd.aquasec.com/appshield/ds002"
-        ],
-        "Status": "FAIL",
-        "Layer": {
-          "DiffID": "sha256:2f8334a38883ba260fc9cab989110b8eea18721ee15c319b83fa3eba8d5981ca"
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/fs/dockerfile",
+  "ArtifactType": "filesystem",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  },
+  "Results": [
+    {
+      "Target": "Dockerfile",
+      "Class": "config",
+      "Type": "dockerfile",
+      "MisconfSummary": {
+        "Successes": 0,
+        "Failures": 1,
+        "Exceptions": 0
+      },
+      "Misconfigurations": [
+        {
+          "Type": "Dockerfile Security Check",
+          "ID": "DS002",
+          "Title": "Image user should not be 'root'",
+          "Description": "It is a good practice to run the container as a non-root user.",
+          "Message": "Specify at least 1 USER command in Dockerfile",
+          "Namespace": "appshield.dockerfile.DS002",
+          "Query": "data.appshield.dockerfile.DS002.deny",
+          "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile",
+          "Severity": "HIGH",
+          "PrimaryURL": "https://avd.aquasec.com/appshield/ds002",
+          "References": [
+            "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
+            "https://avd.aquasec.com/appshield/ds002"
+          ],
+          "Status": "FAIL"
        }
-      }
-    ]
-  }
-]
+      ]
+    }
+  ]
+}
--- a/integration/testdata/fixtures/fs/pip/requirements.txt
+++ b/integration/testdata/fixtures/fs/pip/requirements.txt
@@ -0,0 +1,6 @@
+click==8.0.0
+Flask==2.0.0
+itsdangerous==2.0.0
+Jinja2==3.0.0
+MarkupSafe>2.0.0
+Werkzeug==0.11
--- a/integration/testdata/fluentd-multiple-lockfiles.json.golden
+++ b/integration/testdata/fluentd-multiple-lockfiles.json.golden
@@ -1,200 +1,326 @@
-[
-  {
-    "Target": "testdata/fixtures/images/fluentd-multiple-lockfiles.tar.gz (debian 10.2)",
-    "Class": "os-pkgs",
-    "Type": "debian",
-    "Vulnerabilities": [
-      {
-        "VulnerabilityID": "CVE-2019-5188",
-        "PkgName": "e2fsprogs",
-        "InstalledVersion": "1.44.5-1+deb10u2",
-        "FixedVersion": "1.44.5-1+deb10u3",
-        "Layer": {
-          "DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/fluentd-multiple-lockfiles.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "debian",
+      "Name": "10.2"
+    },
+    "ImageID": "sha256:5a992077baba51b97f27591a10d54d2f2723dc9c81a3fe419e261023f2554933",
+    "DiffIDs": [
+      "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f",
+      "sha256:02874b2b269dea8dde0f7edb4c9906904dfe38a09de1a214f20c650cfb15c60e",
+      "sha256:3752e1f6fd759c795c13aff2c93c081529366e27635ba6621e849b0f9cfc77f0",
+      "sha256:75e43d55939745950bc3f8fad56c5834617c4339f0f54755e69a0dd5372624e9",
+      "sha256:788c00e2cfc8f2a018ae4344ccf0b2c226ebd756d7effd1ce50eea1a4252cd89",
+      "sha256:25165eb51d15842f870f97873e0a58409d5e860e6108e3dd829bd10e484c0065"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "232f3fc7ddffd71dc3ff52c6c0c3a5feea2f51acffd9b53850a8fc6f1a15319a",
+      "created": "2020-03-04T13:59:39.161374106Z",
+      "docker_version": "19.03.4",
+      "history": [
+        {
+          "created": "2019-11-22T14:55:09.912242636Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:bc8179c87c8dbb3d962bed1801f99e7c860ff03797cde6ad19b107d43b973ada in / "
        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
-        "Title": "e2fsprogs: Out-of-bounds write in  e2fsck/rehash.c",
-        "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-787"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
-            "V2Score": 4.6
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
-            "V3Score": 7.5
-          }
+        {
+          "created": "2019-11-22T14:55:10.253859615Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"bash\"]",
+          "empty_layer": true
        },
-        "References": [
-          "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
-          "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
-          "https://usn.ubuntu.com/4249-1/",
-          "https://usn.ubuntu.com/usn/usn-4249-1"
-        ],
-        "PublishedDate": "2020-01-08T16:15:00Z",
-        "LastModifiedDate": "2020-01-28T06:15:00Z"
+        {
+          "created": "2020-03-04T13:58:17.973854594Z",
+          "created_by": "/bin/sh -c #(nop)  ARG DEBIAN_FRONTEND=noninteractive",
+          "empty_layer": true
+        },
+        {
+          "created": "2020-03-04T13:58:18.12120844Z",
+          "created_by": "/bin/sh -c #(nop) COPY file:4e7fdb1bc31a0f689d88f6af28d4f0352e89a2ac598c523e9637da3de75bfada in /tmp/install.sh "
+        },
+        {
+          "created": "2020-03-04T13:58:18.26894021Z",
+          "created_by": "/bin/sh -c #(nop) COPY file:c03560fcb4f0aff4cecd93039c348ba4992564740c77e3d6049a44fe79ca44ab in /Gemfile "
+        },
+        {
+          "created": "2020-03-04T13:59:37.96119583Z",
+          "created_by": "|1 DEBIAN_FRONTEND=noninteractive /bin/sh -c chmod +x /tmp/install.sh \u0026\u0026     /bin/bash -l -c /tmp/install.sh \u0026\u0026     rm /tmp/*"
+        },
+        {
+          "created": "2020-03-04T13:59:38.583719926Z",
+          "created_by": "/bin/sh -c #(nop) COPY file:f742fdea941d5baccbf9a9c45ccc9cd943377f3c3e07da787a8d8d9f92a8b3d3 in /etc/fluent/fluent.conf "
+        },
+        {
+          "created": "2020-03-04T13:59:38.72131564Z",
+          "created_by": "/bin/sh -c #(nop) COPY file:a9ce963551c165ec55bb4d982d96336caa97e8c70011eb4ca58927956bd08e2a in /run.sh "
+        },
+        {
+          "created": "2020-03-04T13:59:38.844116271Z",
+          "created_by": "/bin/sh -c #(nop)  EXPOSE 80",
+          "empty_layer": true
+        },
+        {
+          "created": "2020-03-04T13:59:38.99446051Z",
+          "created_by": "/bin/sh -c #(nop)  ENV LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2",
+          "empty_layer": true
+        },
+        {
+          "created": "2020-03-04T13:59:39.161374106Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/run.sh\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f",
+          "sha256:02874b2b269dea8dde0f7edb4c9906904dfe38a09de1a214f20c650cfb15c60e",
+          "sha256:3752e1f6fd759c795c13aff2c93c081529366e27635ba6621e849b0f9cfc77f0",
+          "sha256:75e43d55939745950bc3f8fad56c5834617c4339f0f54755e69a0dd5372624e9",
+          "sha256:788c00e2cfc8f2a018ae4344ccf0b2c226ebd756d7effd1ce50eea1a4252cd89",
+          "sha256:25165eb51d15842f870f97873e0a58409d5e860e6108e3dd829bd10e484c0065"
+        ]
      },
-      {
-        "VulnerabilityID": "CVE-2019-5188",
-        "PkgName": "libcom-err2",
-        "InstalledVersion": "1.44.5-1+deb10u2",
-        "FixedVersion": "1.44.5-1+deb10u3",
-        "Layer": {
-          "DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
-        "Title": "e2fsprogs: Out-of-bounds write in  e2fsck/rehash.c",
-        "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-787"
+      "config": {
+        "Cmd": [
+          "/run.sh"
        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
-            "V2Score": 4.6
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
-            "V3Score": 7.5
-          }
-        },
-        "References": [
-          "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
-          "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
-          "https://usn.ubuntu.com/4249-1/",
-          "https://usn.ubuntu.com/usn/usn-4249-1"
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+          "LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"
        ],
-        "PublishedDate": "2020-01-08T16:15:00Z",
-        "LastModifiedDate": "2020-01-28T06:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-5188",
-        "PkgName": "libext2fs2",
-        "InstalledVersion": "1.44.5-1+deb10u2",
-        "FixedVersion": "1.44.5-1+deb10u3",
-        "Layer": {
-          "DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
-        "Title": "e2fsprogs: Out-of-bounds write in  e2fsck/rehash.c",
-        "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-787"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
-            "V2Score": 4.6
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
-            "V3Score": 7.5
-          }
-        },
-        "References": [
-          "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
-          "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
-          "https://usn.ubuntu.com/4249-1/",
-          "https://usn.ubuntu.com/usn/usn-4249-1"
-        ],
-        "PublishedDate": "2020-01-08T16:15:00Z",
-        "LastModifiedDate": "2020-01-28T06:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-18224",
-        "PkgName": "libidn2-0",
-        "InstalledVersion": "2.0.5-1",
-        "FixedVersion": "2.0.5-1+deb10u1",
-        "Layer": {
-          "DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18224",
-        "Title": "libidn2: heap-based buffer overflow in idn2_to_ascii_4i in lib/lookup.c",
-        "Description": "idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.",
-        "Severity": "HIGH",
-        "CweIDs": [
-          "CWE-787"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
-            "V2Score": 7.5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
-            "V3Score": 5.6
-          }
-        },
-        "References": [
-          "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18224",
-          "https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c",
-          "https://github.com/libidn/libidn2/compare/libidn2-2.1.0...libidn2-2.1.1",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDQVQ2XPV5BTZUFINT7AFJSKNNBVURNJ/",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MINU5RKDFE6TKAFY5DRFN3WSFDS4DYVS/",
-          "https://usn.ubuntu.com/4168-1/",
-          "https://usn.ubuntu.com/usn/usn-4168-1"
-        ],
-        "PublishedDate": "2019-10-21T17:15:00Z",
-        "LastModifiedDate": "2019-10-29T19:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-5188",
-        "PkgName": "libss2",
-        "InstalledVersion": "1.44.5-1+deb10u2",
-        "FixedVersion": "1.44.5-1+deb10u3",
-        "Layer": {
-          "DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
-        "Title": "e2fsprogs: Out-of-bounds write in  e2fsck/rehash.c",
-        "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-787"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
-            "V2Score": 4.6
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
-            "V3Score": 7.5
-          }
-        },
-        "References": [
-          "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
-          "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
-          "https://usn.ubuntu.com/4249-1/",
-          "https://usn.ubuntu.com/usn/usn-4249-1"
-        ],
-        "PublishedDate": "2020-01-08T16:15:00Z",
-        "LastModifiedDate": "2020-01-28T06:15:00Z"
+        "Image": "sha256:2a538358cddc4824e9eff1531e0c63ae5e3cda85d2984c647df9b1c816b9b86b",
+        "ExposedPorts": {
+          "80/tcp": {}
+        }
      }
-    ]
-  }
-]
+    }
+  },
+  "Results": [
+    {
+      "Target": "testdata/fixtures/images/fluentd-multiple-lockfiles.tar.gz (debian 10.2)",
+      "Class": "os-pkgs",
+      "Type": "debian",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2019-5188",
+          "PkgName": "e2fsprogs",
+          "InstalledVersion": "1.44.5-1+deb10u2",
+          "FixedVersion": "1.44.5-1+deb10u3",
+          "Layer": {
+            "DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
+          "Title": "e2fsprogs: Out-of-bounds write in  e2fsck/rehash.c",
+          "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-787"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
+              "V2Score": 4.6
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
+              "V3Score": 7.5
+            }
+          },
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
+            "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
+            "https://usn.ubuntu.com/4249-1/",
+            "https://usn.ubuntu.com/usn/usn-4249-1"
+          ],
+          "PublishedDate": "2020-01-08T16:15:00Z",
+          "LastModifiedDate": "2020-01-28T06:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-5188",
+          "PkgName": "libcom-err2",
+          "InstalledVersion": "1.44.5-1+deb10u2",
+          "FixedVersion": "1.44.5-1+deb10u3",
+          "Layer": {
+            "DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
+          "Title": "e2fsprogs: Out-of-bounds write in  e2fsck/rehash.c",
+          "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-787"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
+              "V2Score": 4.6
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
+              "V3Score": 7.5
+            }
+          },
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
+            "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
+            "https://usn.ubuntu.com/4249-1/",
+            "https://usn.ubuntu.com/usn/usn-4249-1"
+          ],
+          "PublishedDate": "2020-01-08T16:15:00Z",
+          "LastModifiedDate": "2020-01-28T06:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-5188",
+          "PkgName": "libext2fs2",
+          "InstalledVersion": "1.44.5-1+deb10u2",
+          "FixedVersion": "1.44.5-1+deb10u3",
+          "Layer": {
+            "DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
+          "Title": "e2fsprogs: Out-of-bounds write in  e2fsck/rehash.c",
+          "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-787"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
+              "V2Score": 4.6
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
+              "V3Score": 7.5
+            }
+          },
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
+            "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
+            "https://usn.ubuntu.com/4249-1/",
+            "https://usn.ubuntu.com/usn/usn-4249-1"
+          ],
+          "PublishedDate": "2020-01-08T16:15:00Z",
+          "LastModifiedDate": "2020-01-28T06:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-18224",
+          "PkgName": "libidn2-0",
+          "InstalledVersion": "2.0.5-1",
+          "FixedVersion": "2.0.5-1+deb10u1",
+          "Layer": {
+            "DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18224",
+          "Title": "libidn2: heap-based buffer overflow in idn2_to_ascii_4i in lib/lookup.c",
+          "Description": "idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.",
+          "Severity": "HIGH",
+          "CweIDs": [
+            "CWE-787"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
+              "V2Score": 7.5
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
+              "V3Score": 5.6
+            }
+          },
+          "References": [
+            "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18224",
+            "https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c",
+            "https://github.com/libidn/libidn2/compare/libidn2-2.1.0...libidn2-2.1.1",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDQVQ2XPV5BTZUFINT7AFJSKNNBVURNJ/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MINU5RKDFE6TKAFY5DRFN3WSFDS4DYVS/",
+            "https://usn.ubuntu.com/4168-1/",
+            "https://usn.ubuntu.com/usn/usn-4168-1"
+          ],
+          "PublishedDate": "2019-10-21T17:15:00Z",
+          "LastModifiedDate": "2019-10-29T19:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-5188",
+          "PkgName": "libss2",
+          "InstalledVersion": "1.44.5-1+deb10u2",
+          "FixedVersion": "1.44.5-1+deb10u3",
+          "Layer": {
+            "DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
+          "Title": "e2fsprogs: Out-of-bounds write in  e2fsck/rehash.c",
+          "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-787"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
+              "V2Score": 4.6
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
+              "V3Score": 7.5
+            }
+          },
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
+            "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
+            "https://usn.ubuntu.com/4249-1/",
+            "https://usn.ubuntu.com/usn/usn-4249-1"
+          ],
+          "PublishedDate": "2020-01-08T16:15:00Z",
+          "LastModifiedDate": "2020-01-28T06:15:00Z"
+        }
+      ]
+    },
+    {
+      "Target": "Ruby",
+      "Class": "lang-pkgs",
+      "Type": "gemspec",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2020-8165",
+          "PkgName": "activesupport",
+          "PkgPath": "var/lib/gems/2.5.0/specifications/activesupport-6.0.2.1.gemspec",
+          "InstalledVersion": "6.0.2.1",
+          "FixedVersion": "~\u003e 5.2.4.3, \u003e= 6.0.3.1",
+          "Layer": {
+            "DiffID": "sha256:75e43d55939745950bc3f8fad56c5834617c4339f0f54755e69a0dd5372624e9"
+          },
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8165",
+          "Title": "Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore",
+          "Description": "There is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when\nuntrusted user input is written to the cache store using the `raw: true` parameter, re-reading the result\nfrom the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like:\n\n```\ndata = cache.fetch(\"demo\", raw: true) { untrusted_string }\n```\n\nVersions Affected:  rails \u003c 5.2.5, rails \u003c 6.0.4\nNot affected:       Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the `raw` option when storing untrusted user input.\nFixed Versions:     rails \u003e= 5.2.4.3, rails \u003e= 6.0.3.1\n\nImpact\n------\n\nUnmarshalling of untrusted user input can have impact up to and including RCE. At a minimum,\nthis vulnerability allows an attacker to inject untrusted Ruby objects into a web application.\n\nIn addition to upgrading to the latest versions of Rails, developers should ensure that whenever\nthey are calling `Rails.cache.fetch` they are using consistent values of the `raw` parameter for both\nreading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes,\ndetect if data was serialized using the raw option upon deserialization.\n\nWorkarounds\n-----------\n\nIt is recommended that application developers apply the suggested patch or upgrade to the latest release as\nsoon as possible. If this is not possible, we recommend ensuring that all user-provided strings cached using\nthe `raw` argument should be double-checked to ensure that they conform to the expected format.\n",
+          "Severity": "UNKNOWN",
+          "References": [
+            "https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c"
+          ]
+        }
+      ]
+    }
+  ]
+}
--- a/integration/testdata/nodejs.json.golden
+++ b/integration/testdata/nodejs.json.golden
@@ -1,227 +1,229 @@
-[
-  {
-    "Target": "package-lock.json",
-    "Class": "lang-pkgs",
-    "Type": "npm",
-    "Vulnerabilities": [
-      {
-        "VulnerabilityID": "CVE-2019-11358",
-        "PkgName": "jquery",
-        "InstalledVersion": "3.3.9",
-        "FixedVersion": "3.4.0",
-        "Layer": {
-          "DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c"
-        },
-        "SeveritySource": "nodejs-security-wg",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-11358",
-        "Title": "js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection",
-        "Description": "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-79"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
-            "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
-            "V2Score": 4.3,
-            "V3Score": 6.1
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
-            "V3Score": 5.6
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html",
-          "http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html",
-          "http://seclists.org/fulldisclosure/2019/May/10",
-          "http://seclists.org/fulldisclosure/2019/May/11",
-          "http://seclists.org/fulldisclosure/2019/May/13",
-          "http://www.openwall.com/lists/oss-security/2019/06/03/2",
-          "http://www.securityfocus.com/bid/108023",
-          "https://access.redhat.com/errata/RHSA-2019:1456",
-          "https://backdropcms.org/security/backdrop-sa-core-2019-009",
-          "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358",
-          "https://github.com/DanielRuf/snyk-js-jquery-174006?files=1",
-          "https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b",
-          "https://github.com/jquery/jquery/pull/4333",
-          "https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#434",
-          "https://hackerone.com/reports/454365",
-          "https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc@%3Ccommits.airflow.apache.org%3E",
-          "https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844@%3Ccommits.airflow.apache.org%3E",
-          "https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f@%3Ccommits.airflow.apache.org%3E",
-          "https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7@%3Ccommits.airflow.apache.org%3E",
-          "https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205@%3Ccommits.airflow.apache.org%3E",
-          "https://lists.debian.org/debian-lts-announce/2019/05/msg00006.html",
-          "https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA/",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI/",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO/",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP/",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F/",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5/",
-          "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
-          "https://seclists.org/bugtraq/2019/Apr/32",
-          "https://seclists.org/bugtraq/2019/Jun/12",
-          "https://seclists.org/bugtraq/2019/May/18",
-          "https://snyk.io/vuln/SNYK-JS-JQUERY-174006",
-          "https://www.debian.org/security/2019/dsa-4434",
-          "https://www.debian.org/security/2019/dsa-4460",
-          "https://www.drupal.org/sa-core-2019-006"
-        ],
-        "PublishedDate": "2019-04-20T00:29:00Z",
-        "LastModifiedDate": "2019-06-12T17:29:00Z"
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/fs/nodejs",
+  "ArtifactType": "filesystem",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
      },
-      {
-        "VulnerabilityID": "CVE-2019-10744",
-        "PkgName": "lodash",
-        "InstalledVersion": "4.17.4",
-        "FixedVersion": "4.17.12",
-        "Layer": {
-          "DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-10744",
-        "Title": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties",
-        "Description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.",
-        "Severity": "CRITICAL",
-        "CweIDs": [
-          "CWE-20"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
-            "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
-            "V2Score": 7.5,
-            "V3Score": 9.8
+      "config": {}
+    }
+  },
+  "Results": [
+    {
+      "Target": "package-lock.json",
+      "Class": "lang-pkgs",
+      "Type": "npm",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2019-11358",
+          "PkgName": "jquery",
+          "InstalledVersion": "3.3.9",
+          "FixedVersion": ">=3.4.0",
+          "SeveritySource": "nodejs-security-wg",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-11358",
+          "Title": "js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection",
+          "Description": "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-79"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
+              "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
+              "V2Score": 4.3,
+              "V3Score": 6.1
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
+              "V3Score": 5.6
+            }
          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
-            "V3Score": 9.1
-          }
+          "References": [
+            "http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html",
+            "http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html",
+            "http://seclists.org/fulldisclosure/2019/May/10",
+            "http://seclists.org/fulldisclosure/2019/May/11",
+            "http://seclists.org/fulldisclosure/2019/May/13",
+            "http://www.openwall.com/lists/oss-security/2019/06/03/2",
+            "http://www.securityfocus.com/bid/108023",
+            "https://access.redhat.com/errata/RHSA-2019:1456",
+            "https://backdropcms.org/security/backdrop-sa-core-2019-009",
+            "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358",
+            "https://github.com/DanielRuf/snyk-js-jquery-174006?files=1",
+            "https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b",
+            "https://github.com/jquery/jquery/pull/4333",
+            "https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#434",
+            "https://hackerone.com/reports/454365",
+            "https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc@%3Ccommits.airflow.apache.org%3E",
+            "https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844@%3Ccommits.airflow.apache.org%3E",
+            "https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f@%3Ccommits.airflow.apache.org%3E",
+            "https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7@%3Ccommits.airflow.apache.org%3E",
+            "https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205@%3Ccommits.airflow.apache.org%3E",
+            "https://lists.debian.org/debian-lts-announce/2019/05/msg00006.html",
+            "https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5/",
+            "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
+            "https://seclists.org/bugtraq/2019/Apr/32",
+            "https://seclists.org/bugtraq/2019/Jun/12",
+            "https://seclists.org/bugtraq/2019/May/18",
+            "https://snyk.io/vuln/SNYK-JS-JQUERY-174006",
+            "https://www.debian.org/security/2019/dsa-4434",
+            "https://www.debian.org/security/2019/dsa-4460",
+            "https://www.drupal.org/sa-core-2019-006"
+          ],
+          "PublishedDate": "2019-04-20T00:29:00Z",
+          "LastModifiedDate": "2019-06-12T17:29:00Z"
        },
-        "References": [
-          "https://access.redhat.com/errata/RHSA-2019:3024",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10744",
-          "https://github.com/lodash/lodash/issues/4348",
-          "https://github.com/lodash/lodash/pull/4336",
-          "https://nvd.nist.gov/vuln/detail/CVE-2019-10744",
-          "https://security.netapp.com/advisory/ntap-20191004-0005/",
-          "https://snyk.io/vuln/SNYK-JS-LODASH-450202"
-        ],
-        "PublishedDate": "2019-07-26T00:15:00Z",
-        "LastModifiedDate": "2019-10-04T09:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2018-16487",
-        "PkgName": "lodash",
-        "InstalledVersion": "4.17.4",
-        "FixedVersion": "4.17.11",
-        "Layer": {
-          "DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c"
-        },
-        "SeveritySource": "nodejs-security-wg",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-16487",
-        "Title": "lodash: Prototype pollution in utilities function",
-        "Description": "A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.",
-        "Severity": "HIGH",
-        "CweIDs": [
-          "CWE-254"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
-            "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
-            "V2Score": 7.5,
-            "V3Score": 9.8
+        {
+          "VulnerabilityID": "CVE-2019-10744",
+          "PkgName": "lodash",
+          "InstalledVersion": "4.17.4",
+          "FixedVersion": "4.17.12",
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-10744",
+          "Title": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties",
+          "Description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.",
+          "Severity": "CRITICAL",
+          "CweIDs": [
+            "CWE-20"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
+              "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+              "V2Score": 7.5,
+              "V3Score": 9.8
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
+              "V3Score": 9.1
+            }
          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
-            "V3Score": 5.6
-          }
+          "References": [
+            "https://access.redhat.com/errata/RHSA-2019:3024",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10744",
+            "https://github.com/lodash/lodash/issues/4348",
+            "https://github.com/lodash/lodash/pull/4336",
+            "https://nvd.nist.gov/vuln/detail/CVE-2019-10744",
+            "https://security.netapp.com/advisory/ntap-20191004-0005/",
+            "https://snyk.io/vuln/SNYK-JS-LODASH-450202"
+          ],
+          "PublishedDate": "2019-07-26T00:15:00Z",
+          "LastModifiedDate": "2019-10-04T09:15:00Z"
        },
-        "References": [
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16487",
-          "https://hackerone.com/reports/380873",
-          "https://nvd.nist.gov/vuln/detail/CVE-2018-16487",
-          "https://security.netapp.com/advisory/ntap-20190919-0004/",
-          "https://www.npmjs.com/advisories/782"
-        ],
-        "PublishedDate": "2019-02-01T18:29:00Z",
-        "LastModifiedDate": "2019-09-19T17:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1010266",
-        "PkgName": "lodash",
-        "InstalledVersion": "4.17.4",
-        "FixedVersion": "4.17.11",
-        "Layer": {
-          "DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010266",
-        "Title": "Moderate severity vulnerability that affects lodash",
-        "Description": "lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-400"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
-            "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
-            "V2Score": 4,
-            "V3Score": 6.5
-          }
-        },
-        "References": [
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266",
-          "https://github.com/lodash/lodash/issues/3359",
-          "https://github.com/lodash/lodash/wiki/Changelog",
-          "https://nvd.nist.gov/vuln/detail/CVE-2019-1010266",
-          "https://security.netapp.com/advisory/ntap-20190919-0004/",
-          "https://snyk.io/vuln/SNYK-JS-LODASH-73639"
-        ],
-        "PublishedDate": "2019-07-17T21:15:00Z",
-        "LastModifiedDate": "2019-09-19T17:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2018-3721",
-        "PkgName": "lodash",
-        "InstalledVersion": "4.17.4",
-        "FixedVersion": "4.17.5",
-        "Layer": {
-          "DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c"
-        },
-        "SeveritySource": "nodejs-security-wg",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-3721",
-        "Title": "lodash: Prototype pollution in utilities function",
-        "Description": "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects.",
-        "Severity": "LOW",
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
-            "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
-            "V2Score": 4,
-            "V3Score": 6.5
+        {
+          "VulnerabilityID": "CVE-2018-16487",
+          "PkgName": "lodash",
+          "InstalledVersion": "4.17.4",
+          "FixedVersion": ">=4.17.11",
+          "SeveritySource": "nodejs-security-wg",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-16487",
+          "Title": "lodash: Prototype pollution in utilities function",
+          "Description": "A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.",
+          "Severity": "HIGH",
+          "CweIDs": [
+            "CWE-254"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
+              "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+              "V2Score": 7.5,
+              "V3Score": 9.8
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
+              "V3Score": 5.6
+            }
          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
-            "V3Score": 2.9
-          }
+          "References": [
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16487",
+            "https://hackerone.com/reports/380873",
+            "https://nvd.nist.gov/vuln/detail/CVE-2018-16487",
+            "https://security.netapp.com/advisory/ntap-20190919-0004/",
+            "https://www.npmjs.com/advisories/782"
+          ],
+          "PublishedDate": "2019-02-01T18:29:00Z",
+          "LastModifiedDate": "2019-09-19T17:15:00Z"
        },
-        "References": [
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3721",
-          "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a",
-          "https://hackerone.com/reports/310443",
-          "https://nvd.nist.gov/vuln/detail/CVE-2018-3721",
-          "https://security.netapp.com/advisory/ntap-20190919-0004/"
-        ],
-        "PublishedDate": "2018-06-07T02:29:00Z",
-        "LastModifiedDate": "2019-10-03T00:03:00Z"
-      }
-    ]
-  }
-]
+        {
+          "VulnerabilityID": "CVE-2019-1010266",
+          "PkgName": "lodash",
+          "InstalledVersion": "4.17.4",
+          "FixedVersion": "4.17.11",
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010266",
+          "Title": "Moderate severity vulnerability that affects lodash",
+          "Description": "lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-400"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
+              "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
+              "V2Score": 4,
+              "V3Score": 6.5
+            }
+          },
+          "References": [
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266",
+            "https://github.com/lodash/lodash/issues/3359",
+            "https://github.com/lodash/lodash/wiki/Changelog",
+            "https://nvd.nist.gov/vuln/detail/CVE-2019-1010266",
+            "https://security.netapp.com/advisory/ntap-20190919-0004/",
+            "https://snyk.io/vuln/SNYK-JS-LODASH-73639"
+          ],
+          "PublishedDate": "2019-07-17T21:15:00Z",
+          "LastModifiedDate": "2019-09-19T17:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2018-3721",
+          "PkgName": "lodash",
+          "InstalledVersion": "4.17.4",
+          "FixedVersion": ">=4.17.5",
+          "SeveritySource": "nodejs-security-wg",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-3721",
+          "Title": "lodash: Prototype pollution in utilities function",
+          "Description": "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects.",
+          "Severity": "LOW",
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
+              "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
+              "V2Score": 4,
+              "V3Score": 6.5
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
+              "V3Score": 2.9
+            }
+          },
+          "References": [
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3721",
+            "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a",
+            "https://hackerone.com/reports/310443",
+            "https://nvd.nist.gov/vuln/detail/CVE-2018-3721",
+            "https://security.netapp.com/advisory/ntap-20190919-0004/"
+          ],
+          "PublishedDate": "2018-06-07T02:29:00Z",
+          "LastModifiedDate": "2019-10-03T00:03:00Z"
+        }
+      ]
+    }
+  ]
+}
--- a/integration/testdata/opensuse-leap-151.json.golden
+++ b/integration/testdata/opensuse-leap-151.json.golden
@@ -1,297 +1,354 @@
-[
-  {
-    "Target": "testdata/fixtures/images/opensuse-leap-151.tar.gz (opensuse.leap 15.1)",
-    "Class": "os-pkgs",
-    "Type": "opensuse.leap",
-    "Vulnerabilities": [
-      {
-        "VulnerabilityID": "openSUSE-SU-2019:2596-1",
-        "PkgName": "cpio",
-        "InstalledVersion": "2.12-lp151.2.68",
-        "FixedVersion": "2.12-lp151.3.3.1",
-        "Layer": {
-          "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
-        },
-        "Title": "Security update for cpio",
-        "Description": "This update for cpio fixes the following issues:\n\n- CVE-2019-14866: Fixed an improper validation of the values written \n  in the header of a TAR file through the to_oct() function which could \n  have led to unexpected TAR generation (bsc#1155199).\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
-        "Severity": "MEDIUM",
-        "References": [
-          "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00076.html",
-          "https://www.suse.com/support/security/rating/"
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/opensuse-leap-151.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "opensuse.leap",
+      "Name": "15.1",
+      "EOSL": true
+    },
+    "ImageID": "sha256:fef5ad254f6378f08071cfa2daaf05a1ce9857141c944b67a40742e63e65cecc",
+    "DiffIDs": [
+      "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "author": "Fabian Vogt \u003cfvogt@suse.com\u003e",
+      "created": "2019-11-05T15:54:41Z",
+      "history": [
+        {
+          "created": "2019-11-05T15:54:41Z",
+          "created_by": "KIWI 9.17.16"
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
        ]
      },
-      {
-        "VulnerabilityID": "openSUSE-SU-2020:0166-1",
-        "PkgName": "libcom_err2",
-        "InstalledVersion": "1.43.8-lp151.5.6.1",
-        "FixedVersion": "1.43.8-lp151.5.12.1",
-        "Layer": {
-          "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
-        },
-        "Title": "Security update for e2fsprogs",
-        "Description": "This update for e2fsprogs fixes the following issues:\n\n- CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
-        "Severity": "MEDIUM",
-        "References": [
-          "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
-          "https://www.suse.com/support/security/rating/"
-        ]
-      },
-      {
-        "VulnerabilityID": "openSUSE-SU-2020:0022-1",
-        "PkgName": "libgcrypt20",
-        "InstalledVersion": "1.8.2-lp151.9.4.1",
-        "FixedVersion": "1.8.2-lp151.9.7.1",
-        "Layer": {
-          "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
-        },
-        "Title": "Security update for libgcrypt",
-        "Description": "This update for libgcrypt fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987).\n\nBug fixes:\n\n- Added CMAC AES self test (bsc#1155339).\n- Added CMAC TDES self test missing (bsc#1155338).\n- Fix test dsa-rfc6979 in FIPS mode.\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
-        "Severity": "MEDIUM",
-        "References": [
-          "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00018.html",
-          "https://www.suse.com/support/security/rating/"
-        ]
-      },
-      {
-        "VulnerabilityID": "openSUSE-SU-2019:2611-1",
-        "PkgName": "libidn2-0",
-        "InstalledVersion": "2.0.4-lp151.2.3",
-        "FixedVersion": "2.2.0-lp151.3.3.1",
-        "Layer": {
-          "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
-        },
-        "Title": "Security update for libidn2",
-        "Description": "This update for libidn2 to version 2.2.0 fixes the following issues:\n\n- CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).\n- CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
-        "Severity": "MEDIUM",
-        "References": [
-          "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00009.html",
-          "https://www.suse.com/support/security/rating/"
-        ]
-      },
-      {
-        "VulnerabilityID": "openSUSE-SU-2019:2551-1",
-        "PkgName": "libncurses6",
-        "InstalledVersion": "6.1-lp151.5.41",
-        "FixedVersion": "6.1-lp151.6.3.1",
-        "Layer": {
-          "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
-        },
-        "Title": "Security update for ncurses",
-        "Description": "This update for ncurses fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).\n- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).\n\nNon-security issue fixed:\n\n- Removed screen.xterm from terminfo database (bsc#1103320).\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
-        "Severity": "MEDIUM",
-        "References": [
-          "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
-          "https://www.suse.com/support/security/rating/"
-        ]
-      },
-      {
-        "VulnerabilityID": "openSUSE-SU-2020:0062-1",
-        "PkgName": "libopenssl1_1",
-        "InstalledVersion": "1.1.0i-lp151.8.3.1",
-        "FixedVersion": "1.1.0i-lp151.8.6.1",
-        "Layer": {
-          "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
-        },
-        "Title": "Security update for openssl-1_1",
-        "Description": "This update for openssl-1_1 fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).                             \n\nVarious FIPS related improvements were done:\n\n- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).\n- Port FIPS patches from SLE-12 (bsc#1158101).\n- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
-        "Severity": "MEDIUM",
-        "References": [
-          "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
-          "https://www.suse.com/support/security/rating/"
-        ]
-      },
-      {
-        "VulnerabilityID": "openSUSE-SU-2020:0255-1",
-        "PkgName": "libsolv-tools",
-        "InstalledVersion": "0.7.6-lp151.2.3.2",
-        "FixedVersion": "0.7.10-lp151.2.10.1",
-        "Layer": {
-          "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
-        },
-        "Title": "Security update for libsolv, libzypp, zypper",
-        "Description": "This update for libsolv, libzypp, zypper fixes the following issues:\n\n\nSecurity issue fixed:\n\n- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).\n\nBug fixes\n\n- Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819).\n- Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198).\n- Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678).                                            \n- Load only target resolvables for zypper rm (bsc#1157377).\n- Fix broken search by filelist (bsc#1135114).\n- Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158).\n- Do not sort out requested locales which are not available (bsc#1155678).\n- Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805).                                                              \n- XML add patch issue-date and issue-list (bsc#1154805).\n- Fix zypper lp --cve/bugzilla/issue options (bsc#1155298).\n- Always execute commit when adding/removing locales (fixes bsc#1155205).\n- Fix description of --table-style,-s in man page (bsc#1154804).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
-        "Severity": "MEDIUM",
-        "References": [
-          "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00036.html",
-          "https://www.suse.com/support/security/rating/"
-        ]
-      },
-      {
-        "VulnerabilityID": "openSUSE-SU-2019:2689-1",
-        "PkgName": "libssh4",
-        "InstalledVersion": "0.8.7-lp151.2.3.1",
-        "FixedVersion": "0.8.7-lp151.2.6.1",
-        "Layer": {
-          "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
-        },
-        "Title": "Security update for libssh",
-        "Description": "This update for libssh fixes the following issues:\n\n- CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
-        "Severity": "HIGH",
-        "References": [
-          "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00033.html",
-          "https://www.suse.com/support/security/rating/"
-        ]
-      },
-      {
-        "VulnerabilityID": "openSUSE-SU-2020:0102-1",
-        "PkgName": "libssh4",
-        "InstalledVersion": "0.8.7-lp151.2.3.1",
-        "FixedVersion": "0.8.7-lp151.2.9.1",
-        "Layer": {
-          "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
-        },
-        "Title": "Security update for libssh",
-        "Description": "This update for libssh fixes the following issues:\n\n- CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
-        "Severity": "HIGH",
-        "References": [
-          "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00047.html",
-          "https://www.suse.com/support/security/rating/"
-        ]
-      },
-      {
-        "VulnerabilityID": "openSUSE-SU-2020:0208-1",
-        "PkgName": "libsystemd0",
-        "InstalledVersion": "234-lp151.26.4.1",
-        "FixedVersion": "234-lp151.26.7.1",
-        "Layer": {
-          "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
-        },
-        "Title": "Security update for systemd",
-        "Description": "This update for systemd fixes the following issues:\n\n- CVE-2020-1712 (bsc#bsc#1162108)\n  Fix a heap use-after-free vulnerability, when asynchronous\n  Polkit queries were performed while handling Dbus messages. A local\n  unprivileged attacker could have abused this flaw to crash systemd services or\n  potentially execute code and elevate their privileges, by sending specially\n  crafted Dbus messages.\n\n- Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683)\n\n- libblkid: open device in nonblock mode. (bsc#1084671)\n- udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)\n- bus_open leak sd_event_source when udevadm trigger。 (bsc#1161436 CVE-2019-20386)\n- fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814)\n- fileio: initialize errno to zero before we do fread()\n- fileio: try to read one byte too much in read_full_stream()\n- logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485)\n- logind: never elect a session that is stopping as display\n\n- journal: include kmsg lines from the systemd process which exec()d us (#8078)\n- udevd: don't use monitor after manager_exit()\n- udevd: capitalize log messages in on_sigchld()\n- udevd: merge conditions to decrease indentation\n- Revert 'udevd: fix crash when workers time out after exit is signal caught'\n- core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482)\n- udevd: fix crash when workers time out after exit is signal caught\n- udevd: wait for workers to finish when exiting (bsc#1106383)\n\n- Improve bash completion support (bsc#1155207)\n  * shell-completion: systemctl: do not list template units in {re,}start\n  * shell-completion: systemctl: pass current word to all list_unit*\n  * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207)\n  * bash-completion: systemctl: use systemctl --no-pager\n  * bash-completion: also suggest template unit files\n  * bash-completion: systemctl: add missing options and verbs\n  * bash-completion: use the first argument instead of the global variable (#6457)\n\n- networkd: VXLan Make group and remote variable separate (bsc#1156213)\n- networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213)\n- fs-util: let's avoid unnecessary strerror()\n- fs-util: introduce inotify_add_watch_and_warn() helper\n- ask-password: improve log message when inotify limit is reached (bsc#1155574)\n- shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377)\n- man: alias names can't be used with enable command (bsc#1151377)\n\n- Add boot option to not use swap at system start (jsc#SLE-7689)\n\n- Allow YaST to select Iranian (Persian, Farsi) keyboard layout\n  (bsc#1092920)\n  \nThis update was imported from the SUSE:SLE-15:Update update project.",
-        "Severity": "HIGH",
-        "References": [
-          "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00014.html",
-          "https://www.suse.com/support/security/rating/"
-        ]
-      },
-      {
-        "VulnerabilityID": "openSUSE-SU-2020:0208-1",
-        "PkgName": "libudev1",
-        "InstalledVersion": "234-lp151.26.4.1",
-        "FixedVersion": "234-lp151.26.7.1",
-        "Layer": {
-          "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
-        },
-        "Title": "Security update for systemd",
-        "Description": "This update for systemd fixes the following issues:\n\n- CVE-2020-1712 (bsc#bsc#1162108)\n  Fix a heap use-after-free vulnerability, when asynchronous\n  Polkit queries were performed while handling Dbus messages. A local\n  unprivileged attacker could have abused this flaw to crash systemd services or\n  potentially execute code and elevate their privileges, by sending specially\n  crafted Dbus messages.\n\n- Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683)\n\n- libblkid: open device in nonblock mode. (bsc#1084671)\n- udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)\n- bus_open leak sd_event_source when udevadm trigger。 (bsc#1161436 CVE-2019-20386)\n- fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814)\n- fileio: initialize errno to zero before we do fread()\n- fileio: try to read one byte too much in read_full_stream()\n- logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485)\n- logind: never elect a session that is stopping as display\n\n- journal: include kmsg lines from the systemd process which exec()d us (#8078)\n- udevd: don't use monitor after manager_exit()\n- udevd: capitalize log messages in on_sigchld()\n- udevd: merge conditions to decrease indentation\n- Revert 'udevd: fix crash when workers time out after exit is signal caught'\n- core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482)\n- udevd: fix crash when workers time out after exit is signal caught\n- udevd: wait for workers to finish when exiting (bsc#1106383)\n\n- Improve bash completion support (bsc#1155207)\n  * shell-completion: systemctl: do not list template units in {re,}start\n  * shell-completion: systemctl: pass current word to all list_unit*\n  * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207)\n  * bash-completion: systemctl: use systemctl --no-pager\n  * bash-completion: also suggest template unit files\n  * bash-completion: systemctl: add missing options and verbs\n  * bash-completion: use the first argument instead of the global variable (#6457)\n\n- networkd: VXLan Make group and remote variable separate (bsc#1156213)\n- networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213)\n- fs-util: let's avoid unnecessary strerror()\n- fs-util: introduce inotify_add_watch_and_warn() helper\n- ask-password: improve log message when inotify limit is reached (bsc#1155574)\n- shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377)\n- man: alias names can't be used with enable command (bsc#1151377)\n\n- Add boot option to not use swap at system start (jsc#SLE-7689)\n\n- Allow YaST to select Iranian (Persian, Farsi) keyboard layout\n  (bsc#1092920)\n  \nThis update was imported from the SUSE:SLE-15:Update update project.",
-        "Severity": "HIGH",
-        "References": [
-          "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00014.html",
-          "https://www.suse.com/support/security/rating/"
-        ]
-      },
-      {
-        "VulnerabilityID": "openSUSE-SU-2019:2612-1",
-        "PkgName": "libxml2-2",
-        "InstalledVersion": "2.9.7-lp151.5.3.1",
-        "FixedVersion": "2.9.7-lp151.5.6.1",
-        "Layer": {
-          "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
-        },
-        "Title": "Security update for libxml2",
-        "Description": "This update for libxml2 doesn't fix any additional security issues, but correct its rpm changelog to reflect\nall CVEs that have been fixed over the past.\nThis update was imported from the SUSE:SLE-15:Update update project.",
-        "Severity": "UNKNOWN",
-        "References": [
-          "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00010.html",
-          "https://www.suse.com/support/security/rating/"
-        ]
-      },
-      {
-        "VulnerabilityID": "openSUSE-SU-2020:0255-1",
-        "PkgName": "libzypp",
-        "InstalledVersion": "17.15.0-lp151.2.3.2",
-        "FixedVersion": "17.19.0-lp151.2.10.1",
-        "Layer": {
-          "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
-        },
-        "Title": "Security update for libsolv, libzypp, zypper",
-        "Description": "This update for libsolv, libzypp, zypper fixes the following issues:\n\n\nSecurity issue fixed:\n\n- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).\n\nBug fixes\n\n- Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819).\n- Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198).\n- Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678).                                            \n- Load only target resolvables for zypper rm (bsc#1157377).\n- Fix broken search by filelist (bsc#1135114).\n- Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158).\n- Do not sort out requested locales which are not available (bsc#1155678).\n- Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805).                                                              \n- XML add patch issue-date and issue-list (bsc#1154805).\n- Fix zypper lp --cve/bugzilla/issue options (bsc#1155298).\n- Always execute commit when adding/removing locales (fixes bsc#1155205).\n- Fix description of --table-style,-s in man page (bsc#1154804).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
-        "Severity": "MEDIUM",
-        "References": [
-          "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00036.html",
-          "https://www.suse.com/support/security/rating/"
-        ]
-      },
-      {
-        "VulnerabilityID": "openSUSE-SU-2019:2551-1",
-        "PkgName": "ncurses-utils",
-        "InstalledVersion": "6.1-lp151.5.41",
-        "FixedVersion": "6.1-lp151.6.3.1",
-        "Layer": {
-          "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
-        },
-        "Title": "Security update for ncurses",
-        "Description": "This update for ncurses fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).\n- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).\n\nNon-security issue fixed:\n\n- Removed screen.xterm from terminfo database (bsc#1103320).\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
-        "Severity": "MEDIUM",
-        "References": [
-          "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
-          "https://www.suse.com/support/security/rating/"
-        ]
-      },
-      {
-        "VulnerabilityID": "openSUSE-SU-2020:0062-1",
-        "PkgName": "openssl-1_1",
-        "InstalledVersion": "1.1.0i-lp151.8.3.1",
-        "FixedVersion": "1.1.0i-lp151.8.6.1",
-        "Layer": {
-          "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
-        },
-        "Title": "Security update for openssl-1_1",
-        "Description": "This update for openssl-1_1 fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).                             \n\nVarious FIPS related improvements were done:\n\n- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).\n- Port FIPS patches from SLE-12 (bsc#1158101).\n- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
-        "Severity": "MEDIUM",
-        "References": [
-          "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
-          "https://www.suse.com/support/security/rating/"
-        ]
-      },
-      {
-        "VulnerabilityID": "openSUSE-SU-2019:2672-1",
-        "PkgName": "permissions",
-        "InstalledVersion": "20181116-lp151.4.6.1",
-        "FixedVersion": "20181116-lp151.4.9.1",
-        "Layer": {
-          "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
-        },
-        "Title": "Security update for permissions",
-        "Description": "This update for permissions fixes the following issues:\n\n- CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid\n  which could have allowed a squid user to gain persistence by changing the \n  binary (bsc#1093414).\n- CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic \n  links (bsc#1150734).\n- Fixed a regression which caused sagmentation fault (bsc#1157198).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
-        "Severity": "MEDIUM",
-        "References": [
-          "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00024.html",
-          "https://www.suse.com/support/security/rating/"
-        ]
-      },
-      {
-        "VulnerabilityID": "openSUSE-SU-2019:2551-1",
-        "PkgName": "terminfo-base",
-        "InstalledVersion": "6.1-lp151.5.41",
-        "FixedVersion": "6.1-lp151.6.3.1",
-        "Layer": {
-          "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
-        },
-        "Title": "Security update for ncurses",
-        "Description": "This update for ncurses fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).\n- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).\n\nNon-security issue fixed:\n\n- Removed screen.xterm from terminfo database (bsc#1103320).\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
-        "Severity": "MEDIUM",
-        "References": [
-          "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
-          "https://www.suse.com/support/security/rating/"
-        ]
-      },
-      {
-        "VulnerabilityID": "openSUSE-SU-2020:0255-1",
-        "PkgName": "zypper",
-        "InstalledVersion": "1.14.30-lp151.2.3.1",
-        "FixedVersion": "1.14.33-lp151.2.10.1",
-        "Layer": {
-          "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
-        },
-        "Title": "Security update for libsolv, libzypp, zypper",
-        "Description": "This update for libsolv, libzypp, zypper fixes the following issues:\n\n\nSecurity issue fixed:\n\n- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).\n\nBug fixes\n\n- Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819).\n- Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198).\n- Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678).                                            \n- Load only target resolvables for zypper rm (bsc#1157377).\n- Fix broken search by filelist (bsc#1135114).\n- Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158).\n- Do not sort out requested locales which are not available (bsc#1155678).\n- Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805).                                                              \n- XML add patch issue-date and issue-list (bsc#1154805).\n- Fix zypper lp --cve/bugzilla/issue options (bsc#1155298).\n- Always execute commit when adding/removing locales (fixes bsc#1155205).\n- Fix description of --table-style,-s in man page (bsc#1154804).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
-        "Severity": "MEDIUM",
-        "References": [
-          "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00036.html",
-          "https://www.suse.com/support/security/rating/"
-        ]
+      "config": {
+        "Cmd": [
+          "/bin/bash"
+        ],
+        "Labels": {
+          "org.openbuildservice.disturl": "obs://build.opensuse.org/openSUSE:Leap:15.1:Images/images/740264e3294afe7ca32a3ea9deb863d2-opensuse-leap-image:docker",
+          "org.opencontainers.image.created": "2019-11-05T15:54:10.571514200Z",
+          "org.opencontainers.image.description": "Image containing a minimal environment for containers based on openSUSE Leap 15.1.",
+          "org.opencontainers.image.title": "openSUSE Leap 15.1 Base Container",
+          "org.opencontainers.image.url": "https://www.opensuse.org/",
+          "org.opencontainers.image.vendor": "openSUSE Project",
+          "org.opencontainers.image.version": "15.1.3.67",
+          "org.opensuse.base.created": "2019-11-05T15:54:10.571514200Z",
+          "org.opensuse.base.description": "Image containing a minimal environment for containers based on openSUSE Leap 15.1.",
+          "org.opensuse.base.disturl": "obs://build.opensuse.org/openSUSE:Leap:15.1:Images/images/740264e3294afe7ca32a3ea9deb863d2-opensuse-leap-image:docker",
+          "org.opensuse.base.reference": "registry.opensuse.org/opensuse/leap:15.1.3.67",
+          "org.opensuse.base.title": "openSUSE Leap 15.1 Base Container",
+          "org.opensuse.base.url": "https://www.opensuse.org/",
+          "org.opensuse.base.vendor": "openSUSE Project",
+          "org.opensuse.base.version": "15.1.3.67",
+          "org.opensuse.reference": "registry.opensuse.org/opensuse/leap:15.1.3.67"
+        }
      }
-    ]
-  }
-]
+    }
+  },
+  "Results": [
+    {
+      "Target": "testdata/fixtures/images/opensuse-leap-151.tar.gz (opensuse.leap 15.1)",
+      "Class": "os-pkgs",
+      "Type": "opensuse.leap",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "openSUSE-SU-2019:2596-1",
+          "PkgName": "cpio",
+          "InstalledVersion": "2.12-lp151.2.68",
+          "FixedVersion": "2.12-lp151.3.3.1",
+          "Layer": {
+            "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
+          },
+          "Title": "Security update for cpio",
+          "Description": "This update for cpio fixes the following issues:\n\n- CVE-2019-14866: Fixed an improper validation of the values written \n  in the header of a TAR file through the to_oct() function which could \n  have led to unexpected TAR generation (bsc#1155199).\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
+          "Severity": "MEDIUM",
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00076.html",
+            "https://www.suse.com/support/security/rating/"
+          ]
+        },
+        {
+          "VulnerabilityID": "openSUSE-SU-2020:0166-1",
+          "PkgName": "libcom_err2",
+          "InstalledVersion": "1.43.8-lp151.5.6.1",
+          "FixedVersion": "1.43.8-lp151.5.12.1",
+          "Layer": {
+            "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
+          },
+          "Title": "Security update for e2fsprogs",
+          "Description": "This update for e2fsprogs fixes the following issues:\n\n- CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
+          "Severity": "MEDIUM",
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
+            "https://www.suse.com/support/security/rating/"
+          ]
+        },
+        {
+          "VulnerabilityID": "openSUSE-SU-2020:0022-1",
+          "PkgName": "libgcrypt20",
+          "InstalledVersion": "1.8.2-lp151.9.4.1",
+          "FixedVersion": "1.8.2-lp151.9.7.1",
+          "Layer": {
+            "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
+          },
+          "Title": "Security update for libgcrypt",
+          "Description": "This update for libgcrypt fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987).\n\nBug fixes:\n\n- Added CMAC AES self test (bsc#1155339).\n- Added CMAC TDES self test missing (bsc#1155338).\n- Fix test dsa-rfc6979 in FIPS mode.\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
+          "Severity": "MEDIUM",
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00018.html",
+            "https://www.suse.com/support/security/rating/"
+          ]
+        },
+        {
+          "VulnerabilityID": "openSUSE-SU-2019:2611-1",
+          "PkgName": "libidn2-0",
+          "InstalledVersion": "2.0.4-lp151.2.3",
+          "FixedVersion": "2.2.0-lp151.3.3.1",
+          "Layer": {
+            "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
+          },
+          "Title": "Security update for libidn2",
+          "Description": "This update for libidn2 to version 2.2.0 fixes the following issues:\n\n- CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).\n- CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
+          "Severity": "MEDIUM",
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00009.html",
+            "https://www.suse.com/support/security/rating/"
+          ]
+        },
+        {
+          "VulnerabilityID": "openSUSE-SU-2019:2551-1",
+          "PkgName": "libncurses6",
+          "InstalledVersion": "6.1-lp151.5.41",
+          "FixedVersion": "6.1-lp151.6.3.1",
+          "Layer": {
+            "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
+          },
+          "Title": "Security update for ncurses",
+          "Description": "This update for ncurses fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).\n- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).\n\nNon-security issue fixed:\n\n- Removed screen.xterm from terminfo database (bsc#1103320).\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
+          "Severity": "MEDIUM",
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
+            "https://www.suse.com/support/security/rating/"
+          ]
+        },
+        {
+          "VulnerabilityID": "openSUSE-SU-2020:0062-1",
+          "PkgName": "libopenssl1_1",
+          "InstalledVersion": "1.1.0i-lp151.8.3.1",
+          "FixedVersion": "1.1.0i-lp151.8.6.1",
+          "Layer": {
+            "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
+          },
+          "Title": "Security update for openssl-1_1",
+          "Description": "This update for openssl-1_1 fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).                             \n\nVarious FIPS related improvements were done:\n\n- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).\n- Port FIPS patches from SLE-12 (bsc#1158101).\n- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
+          "Severity": "MEDIUM",
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
+            "https://www.suse.com/support/security/rating/"
+          ]
+        },
+        {
+          "VulnerabilityID": "openSUSE-SU-2020:0255-1",
+          "PkgName": "libsolv-tools",
+          "InstalledVersion": "0.7.6-lp151.2.3.2",
+          "FixedVersion": "0.7.10-lp151.2.10.1",
+          "Layer": {
+            "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
+          },
+          "Title": "Security update for libsolv, libzypp, zypper",
+          "Description": "This update for libsolv, libzypp, zypper fixes the following issues:\n\n\nSecurity issue fixed:\n\n- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).\n\nBug fixes\n\n- Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819).\n- Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198).\n- Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678).                                            \n- Load only target resolvables for zypper rm (bsc#1157377).\n- Fix broken search by filelist (bsc#1135114).\n- Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158).\n- Do not sort out requested locales which are not available (bsc#1155678).\n- Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805).                                                              \n- XML add patch issue-date and issue-list (bsc#1154805).\n- Fix zypper lp --cve/bugzilla/issue options (bsc#1155298).\n- Always execute commit when adding/removing locales (fixes bsc#1155205).\n- Fix description of --table-style,-s in man page (bsc#1154804).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
+          "Severity": "MEDIUM",
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00036.html",
+            "https://www.suse.com/support/security/rating/"
+          ]
+        },
+        {
+          "VulnerabilityID": "openSUSE-SU-2019:2689-1",
+          "PkgName": "libssh4",
+          "InstalledVersion": "0.8.7-lp151.2.3.1",
+          "FixedVersion": "0.8.7-lp151.2.6.1",
+          "Layer": {
+            "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
+          },
+          "Title": "Security update for libssh",
+          "Description": "This update for libssh fixes the following issues:\n\n- CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
+          "Severity": "HIGH",
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00033.html",
+            "https://www.suse.com/support/security/rating/"
+          ]
+        },
+        {
+          "VulnerabilityID": "openSUSE-SU-2020:0102-1",
+          "PkgName": "libssh4",
+          "InstalledVersion": "0.8.7-lp151.2.3.1",
+          "FixedVersion": "0.8.7-lp151.2.9.1",
+          "Layer": {
+            "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
+          },
+          "Title": "Security update for libssh",
+          "Description": "This update for libssh fixes the following issues:\n\n- CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
+          "Severity": "HIGH",
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00047.html",
+            "https://www.suse.com/support/security/rating/"
+          ]
+        },
+        {
+          "VulnerabilityID": "openSUSE-SU-2020:0208-1",
+          "PkgName": "libsystemd0",
+          "InstalledVersion": "234-lp151.26.4.1",
+          "FixedVersion": "234-lp151.26.7.1",
+          "Layer": {
+            "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
+          },
+          "Title": "Security update for systemd",
+          "Description": "This update for systemd fixes the following issues:\n\n- CVE-2020-1712 (bsc#bsc#1162108)\n  Fix a heap use-after-free vulnerability, when asynchronous\n  Polkit queries were performed while handling Dbus messages. A local\n  unprivileged attacker could have abused this flaw to crash systemd services or\n  potentially execute code and elevate their privileges, by sending specially\n  crafted Dbus messages.\n\n- Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683)\n\n- libblkid: open device in nonblock mode. (bsc#1084671)\n- udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)\n- bus_open leak sd_event_source when udevadm trigger。 (bsc#1161436 CVE-2019-20386)\n- fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814)\n- fileio: initialize errno to zero before we do fread()\n- fileio: try to read one byte too much in read_full_stream()\n- logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485)\n- logind: never elect a session that is stopping as display\n\n- journal: include kmsg lines from the systemd process which exec()d us (#8078)\n- udevd: don't use monitor after manager_exit()\n- udevd: capitalize log messages in on_sigchld()\n- udevd: merge conditions to decrease indentation\n- Revert 'udevd: fix crash when workers time out after exit is signal caught'\n- core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482)\n- udevd: fix crash when workers time out after exit is signal caught\n- udevd: wait for workers to finish when exiting (bsc#1106383)\n\n- Improve bash completion support (bsc#1155207)\n  * shell-completion: systemctl: do not list template units in {re,}start\n  * shell-completion: systemctl: pass current word to all list_unit*\n  * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207)\n  * bash-completion: systemctl: use systemctl --no-pager\n  * bash-completion: also suggest template unit files\n  * bash-completion: systemctl: add missing options and verbs\n  * bash-completion: use the first argument instead of the global variable (#6457)\n\n- networkd: VXLan Make group and remote variable separate (bsc#1156213)\n- networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213)\n- fs-util: let's avoid unnecessary strerror()\n- fs-util: introduce inotify_add_watch_and_warn() helper\n- ask-password: improve log message when inotify limit is reached (bsc#1155574)\n- shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377)\n- man: alias names can't be used with enable command (bsc#1151377)\n\n- Add boot option to not use swap at system start (jsc#SLE-7689)\n\n- Allow YaST to select Iranian (Persian, Farsi) keyboard layout\n  (bsc#1092920)\n  \nThis update was imported from the SUSE:SLE-15:Update update project.",
+          "Severity": "HIGH",
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00014.html",
+            "https://www.suse.com/support/security/rating/"
+          ]
+        },
+        {
+          "VulnerabilityID": "openSUSE-SU-2020:0208-1",
+          "PkgName": "libudev1",
+          "InstalledVersion": "234-lp151.26.4.1",
+          "FixedVersion": "234-lp151.26.7.1",
+          "Layer": {
+            "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
+          },
+          "Title": "Security update for systemd",
+          "Description": "This update for systemd fixes the following issues:\n\n- CVE-2020-1712 (bsc#bsc#1162108)\n  Fix a heap use-after-free vulnerability, when asynchronous\n  Polkit queries were performed while handling Dbus messages. A local\n  unprivileged attacker could have abused this flaw to crash systemd services or\n  potentially execute code and elevate their privileges, by sending specially\n  crafted Dbus messages.\n\n- Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683)\n\n- libblkid: open device in nonblock mode. (bsc#1084671)\n- udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)\n- bus_open leak sd_event_source when udevadm trigger。 (bsc#1161436 CVE-2019-20386)\n- fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814)\n- fileio: initialize errno to zero before we do fread()\n- fileio: try to read one byte too much in read_full_stream()\n- logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485)\n- logind: never elect a session that is stopping as display\n\n- journal: include kmsg lines from the systemd process which exec()d us (#8078)\n- udevd: don't use monitor after manager_exit()\n- udevd: capitalize log messages in on_sigchld()\n- udevd: merge conditions to decrease indentation\n- Revert 'udevd: fix crash when workers time out after exit is signal caught'\n- core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482)\n- udevd: fix crash when workers time out after exit is signal caught\n- udevd: wait for workers to finish when exiting (bsc#1106383)\n\n- Improve bash completion support (bsc#1155207)\n  * shell-completion: systemctl: do not list template units in {re,}start\n  * shell-completion: systemctl: pass current word to all list_unit*\n  * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207)\n  * bash-completion: systemctl: use systemctl --no-pager\n  * bash-completion: also suggest template unit files\n  * bash-completion: systemctl: add missing options and verbs\n  * bash-completion: use the first argument instead of the global variable (#6457)\n\n- networkd: VXLan Make group and remote variable separate (bsc#1156213)\n- networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213)\n- fs-util: let's avoid unnecessary strerror()\n- fs-util: introduce inotify_add_watch_and_warn() helper\n- ask-password: improve log message when inotify limit is reached (bsc#1155574)\n- shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377)\n- man: alias names can't be used with enable command (bsc#1151377)\n\n- Add boot option to not use swap at system start (jsc#SLE-7689)\n\n- Allow YaST to select Iranian (Persian, Farsi) keyboard layout\n  (bsc#1092920)\n  \nThis update was imported from the SUSE:SLE-15:Update update project.",
+          "Severity": "HIGH",
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00014.html",
+            "https://www.suse.com/support/security/rating/"
+          ]
+        },
+        {
+          "VulnerabilityID": "openSUSE-SU-2019:2612-1",
+          "PkgName": "libxml2-2",
+          "InstalledVersion": "2.9.7-lp151.5.3.1",
+          "FixedVersion": "2.9.7-lp151.5.6.1",
+          "Layer": {
+            "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
+          },
+          "Title": "Security update for libxml2",
+          "Description": "This update for libxml2 doesn't fix any additional security issues, but correct its rpm changelog to reflect\nall CVEs that have been fixed over the past.\nThis update was imported from the SUSE:SLE-15:Update update project.",
+          "Severity": "UNKNOWN",
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00010.html",
+            "https://www.suse.com/support/security/rating/"
+          ]
+        },
+        {
+          "VulnerabilityID": "openSUSE-SU-2020:0255-1",
+          "PkgName": "libzypp",
+          "InstalledVersion": "17.15.0-lp151.2.3.2",
+          "FixedVersion": "17.19.0-lp151.2.10.1",
+          "Layer": {
+            "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
+          },
+          "Title": "Security update for libsolv, libzypp, zypper",
+          "Description": "This update for libsolv, libzypp, zypper fixes the following issues:\n\n\nSecurity issue fixed:\n\n- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).\n\nBug fixes\n\n- Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819).\n- Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198).\n- Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678).                                            \n- Load only target resolvables for zypper rm (bsc#1157377).\n- Fix broken search by filelist (bsc#1135114).\n- Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158).\n- Do not sort out requested locales which are not available (bsc#1155678).\n- Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805).                                                              \n- XML add patch issue-date and issue-list (bsc#1154805).\n- Fix zypper lp --cve/bugzilla/issue options (bsc#1155298).\n- Always execute commit when adding/removing locales (fixes bsc#1155205).\n- Fix description of --table-style,-s in man page (bsc#1154804).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
+          "Severity": "MEDIUM",
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00036.html",
+            "https://www.suse.com/support/security/rating/"
+          ]
+        },
+        {
+          "VulnerabilityID": "openSUSE-SU-2019:2551-1",
+          "PkgName": "ncurses-utils",
+          "InstalledVersion": "6.1-lp151.5.41",
+          "FixedVersion": "6.1-lp151.6.3.1",
+          "Layer": {
+            "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
+          },
+          "Title": "Security update for ncurses",
+          "Description": "This update for ncurses fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).\n- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).\n\nNon-security issue fixed:\n\n- Removed screen.xterm from terminfo database (bsc#1103320).\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
+          "Severity": "MEDIUM",
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
+            "https://www.suse.com/support/security/rating/"
+          ]
+        },
+        {
+          "VulnerabilityID": "openSUSE-SU-2020:0062-1",
+          "PkgName": "openssl-1_1",
+          "InstalledVersion": "1.1.0i-lp151.8.3.1",
+          "FixedVersion": "1.1.0i-lp151.8.6.1",
+          "Layer": {
+            "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
+          },
+          "Title": "Security update for openssl-1_1",
+          "Description": "This update for openssl-1_1 fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).                             \n\nVarious FIPS related improvements were done:\n\n- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).\n- Port FIPS patches from SLE-12 (bsc#1158101).\n- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
+          "Severity": "MEDIUM",
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
+            "https://www.suse.com/support/security/rating/"
+          ]
+        },
+        {
+          "VulnerabilityID": "openSUSE-SU-2019:2672-1",
+          "PkgName": "permissions",
+          "InstalledVersion": "20181116-lp151.4.6.1",
+          "FixedVersion": "20181116-lp151.4.9.1",
+          "Layer": {
+            "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
+          },
+          "Title": "Security update for permissions",
+          "Description": "This update for permissions fixes the following issues:\n\n- CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid\n  which could have allowed a squid user to gain persistence by changing the \n  binary (bsc#1093414).\n- CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic \n  links (bsc#1150734).\n- Fixed a regression which caused sagmentation fault (bsc#1157198).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
+          "Severity": "MEDIUM",
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00024.html",
+            "https://www.suse.com/support/security/rating/"
+          ]
+        },
+        {
+          "VulnerabilityID": "openSUSE-SU-2019:2551-1",
+          "PkgName": "terminfo-base",
+          "InstalledVersion": "6.1-lp151.5.41",
+          "FixedVersion": "6.1-lp151.6.3.1",
+          "Layer": {
+            "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
+          },
+          "Title": "Security update for ncurses",
+          "Description": "This update for ncurses fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).\n- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).\n\nNon-security issue fixed:\n\n- Removed screen.xterm from terminfo database (bsc#1103320).\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
+          "Severity": "MEDIUM",
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
+            "https://www.suse.com/support/security/rating/"
+          ]
+        },
+        {
+          "VulnerabilityID": "openSUSE-SU-2020:0255-1",
+          "PkgName": "zypper",
+          "InstalledVersion": "1.14.30-lp151.2.3.1",
+          "FixedVersion": "1.14.33-lp151.2.10.1",
+          "Layer": {
+            "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
+          },
+          "Title": "Security update for libsolv, libzypp, zypper",
+          "Description": "This update for libsolv, libzypp, zypper fixes the following issues:\n\n\nSecurity issue fixed:\n\n- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).\n\nBug fixes\n\n- Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819).\n- Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198).\n- Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678).                                            \n- Load only target resolvables for zypper rm (bsc#1157377).\n- Fix broken search by filelist (bsc#1135114).\n- Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158).\n- Do not sort out requested locales which are not available (bsc#1155678).\n- Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805).                                                              \n- XML add patch issue-date and issue-list (bsc#1154805).\n- Fix zypper lp --cve/bugzilla/issue options (bsc#1155298).\n- Always execute commit when adding/removing locales (fixes bsc#1155205).\n- Fix description of --table-style,-s in man page (bsc#1154804).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
+          "Severity": "MEDIUM",
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00036.html",
+            "https://www.suse.com/support/security/rating/"
+          ]
+        }
+      ]
+    }
+  ]
+}
--- a/integration/testdata/opensuse-leap-423.json.golden
+++ b/integration/testdata/opensuse-leap-423.json.golden
@@ -1,7 +1,55 @@
-[
-  {
-    "Target": "testdata/fixtures/images/opensuse-leap-423.tar.gz (opensuse.leap 42.3)",
-    "Class": "os-pkgs",
-    "Type": "opensuse.leap"
-  }
-]
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/opensuse-leap-423.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "opensuse.leap",
+      "Name": "42.3",
+      "EOSL": true
+    },
+    "ImageID": "sha256:8e098189cc8dcb9cf52438dded1403b802a5822acb22e44db027705a146fef7a",
+    "DiffIDs": [
+      "sha256:55e4cf12579297bd6b98a41e0f22e56241508b5f697dcc43ab9a3d7c546acb3c"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "author": "SUSE Containers Team \u003ccontainers@suse.com\u003e",
+      "created": "2019-08-13T08:49:10Z",
+      "history": [
+        {
+          "created": "2019-08-13T08:48:40.372298552Z",
+          "created_by": "umoci config"
+        },
+        {
+          "author": "SUSE Containers Team \u003ccontainers@suse.com\u003e",
+          "created": "2019-08-13T08:49:10.375196393Z",
+          "created_by": "umoci config",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:55e4cf12579297bd6b98a41e0f22e56241508b5f697dcc43ab9a3d7c546acb3c"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/bash"
+        ],
+        "Labels": {
+          "org.openbuildservice.disturl": "'obs://build.opensuse.org/Virtualization:containers:images:openSUSE-Leap-42.3/containers/e855437d458198eb2a8cf9d551fc66c3-openSUSE-Leap-42.3-container-image:docker'"
+        }
+      }
+    }
+  },
+  "Results": [
+    {
+      "Target": "testdata/fixtures/images/opensuse-leap-423.tar.gz (opensuse.leap 42.3)",
+      "Class": "os-pkgs",
+      "Type": "opensuse.leap"
+    }
+  ]
+}
--- a/integration/testdata/oraclelinux-6-slim.json.golden
+++ b/integration/testdata/oraclelinux-6-slim.json.golden
--- a/integration/testdata/oraclelinux-7-slim.json.golden
+++ b/integration/testdata/oraclelinux-7-slim.json.golden
--- a/integration/testdata/oraclelinux-8-slim.json.golden
+++ b/integration/testdata/oraclelinux-8-slim.json.golden
--- a/integration/testdata/photon-10.json.golden
+++ b/integration/testdata/photon-10.json.golden
--- a/integration/testdata/photon-20.json.golden
+++ b/integration/testdata/photon-20.json.golden
--- a/integration/testdata/photon-30.json.golden
+++ b/integration/testdata/photon-30.json.golden
--- a/integration/testdata/pip.json.golden
+++ b/integration/testdata/pip.json.golden
@@ -0,0 +1,123 @@
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/fs/pip",
+  "ArtifactType": "filesystem",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  },
+  "Results": [
+    {
+      "Target": "requirements.txt",
+      "Class": "lang-pkgs",
+      "Type": "pip",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2019-14806",
+          "PkgName": "Werkzeug",
+          "InstalledVersion": "0.11",
+          "FixedVersion": "0.15.3",
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14806",
+          "Title": "python-werkzeug: insufficient debugger PIN randomness vulnerability",
+          "Description": "Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.",
+          "Severity": "HIGH",
+          "CweIDs": [
+            "CWE-331"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 7.5
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+              "V3Score": 7.5
+            }
+          },
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00034.html",
+            "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00047.html",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14806",
+            "https://github.com/pallets/werkzeug/blob/7fef41b120327d3912fbe12fb64f1951496fcf3e/src/werkzeug/debug/__init__.py#L168",
+            "https://github.com/pallets/werkzeug/commit/00bc43b1672e662e5e3b8cecd79e67fc968fa246",
+            "https://nvd.nist.gov/vuln/detail/CVE-2019-14806",
+            "https://palletsprojects.com/blog/werkzeug-0-15-3-released/"
+          ],
+          "PublishedDate": "2019-08-09T15:15:00Z",
+          "LastModifiedDate": "2019-09-11T00:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2016-10516",
+          "PkgName": "Werkzeug",
+          "InstalledVersion": "0.11",
+          "FixedVersion": "0.11.11",
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-10516",
+          "Title": "python-werkzeug: Cross-site scripting in render_full function in debug/tbtools.py",
+          "Description": "Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 (as used in Pallets Flask and other products) allows remote attackers to inject arbitrary web script or HTML via a field that contains an exception message.",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-79"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
+              "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
+              "V2Score": 4.3,
+              "V3Score": 6.1
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
+              "V3Score": 7.1
+            }
+          },
+          "References": [
+            "http://blog.neargle.com/2016/09/21/flask-src-review-get-a-xss-from-debuger/",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10516",
+            "https://github.com/pallets/werkzeug/pull/1001",
+            "https://lists.debian.org/debian-lts-announce/2017/11/msg00037.html",
+            "https://usn.ubuntu.com/usn/usn-3463-1"
+          ],
+          "PublishedDate": "2017-10-23T16:29:00Z",
+          "LastModifiedDate": "2018-02-04T02:29:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2020-28724",
+          "PkgName": "Werkzeug",
+          "InstalledVersion": "0.11",
+          "FixedVersion": "0.11.6",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28724",
+          "Title": "Werkzeug before 0.11.6 includes an open redirect vulnerability via a double slash in the URL. See CVE-2020-28724.",
+          "Severity": "UNKNOWN"
+        },
+        {
+          "VulnerabilityID": "pyup.io-26435",
+          "PkgName": "Werkzeug",
+          "InstalledVersion": "0.11",
+          "FixedVersion": "0.12",
+          "Title": "The defaults of ``generate_password_hash`` in werkzeug 0.12 have been changed to more secure ones, see pull request ``#753``.",
+          "Severity": "UNKNOWN"
+        },
+        {
+          "VulnerabilityID": "pyup.io-36967",
+          "PkgName": "Werkzeug",
+          "InstalledVersion": "0.11",
+          "FixedVersion": "0.15.0",
+          "Title": "Werkzeug 0.15.0 refactors class:`~middleware.proxy_fix.ProxyFix` to support more headers, multiple values, and a more secure configuration.",
+          "Severity": "UNKNOWN"
+        }
+      ]
+    }
+  ]
+}
--- a/integration/testdata/ubi-7.json.golden
+++ b/integration/testdata/ubi-7.json.golden
--- a/integration/testdata/ubuntu-1604.json.golden
+++ b/integration/testdata/ubuntu-1604.json.golden
--- a/integration/testdata/ubuntu-1804-ignore-unfixed.json.golden
+++ b/integration/testdata/ubuntu-1804-ignore-unfixed.json.golden
--- a/integration/testdata/ubuntu-1804.json.golden
+++ b/integration/testdata/ubuntu-1804.json.golden
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -21,6 +21,7 @@ nav:
              - Image: getting-started/cli/image.md
              - Config: getting-started/cli/config.md
              - Filesystem: getting-started/cli/fs.md
+              - Rootfs: getting-started/cli/rootfs.md
              - Repository: getting-started/cli/repo.md
              - Client: getting-started/cli/client.md
              - Server: getting-started/cli/server.md
@@ -29,6 +30,7 @@ nav:
          - Overview: vulnerability/scanning/index.md
          - Container Image: vulnerability/scanning/image.md
          - Filesystem: vulnerability/scanning/filesystem.md
+          - Rootfs: vulnerability/scanning/rootfs.md
          - Git Repository: vulnerability/scanning/git-repository.md
      - Detection:
          - OS Packages: vulnerability/detection/os.md
@@ -64,6 +66,7 @@ nav:
      - Comparison:
          - vs Conftest: misconfiguration/comparison/conftest.md
          - vs tfsec: misconfiguration/comparison/tfsec.md
+          - vs cfsec: misconfiguration/comparison/cfsec.md
  - Advanced:
      - Overview: advanced/index.md
      - Plugins: advanced/plugins.md
@@ -74,6 +77,7 @@ nav:
          - CircleCI: advanced/integrations/circleci.md
          - Travis CI: advanced/integrations/travis-ci.md
          - GitLab CI: advanced/integrations/gitlab-ci.md
+          - Bitbucket Pipelines: advanced/integrations/bitbucket.md
          - AWS CodePipeline: advanced/integrations/aws-codepipeline.md
          - AWS Security Hub: advanced/integrations/aws-security-hub.md
      - Container Image:
@@ -90,6 +94,9 @@ nav:
      - Modes:
          - Standalone: advanced/modes/standalone.md
          - Client/Server: advanced/modes/client-server.md
+      - Community:
+          - Tools: advanced/community/tools.md
+          - References: advanced/community/references.md
      - Maintainer:
          - Help Wanted: advanced/contrib/help-wanted.md
          - Triage: advanced/contrib/triage.md
--- a/pkg/commands/app.go
+++ b/pkg/commands/app.go
@@ -312,25 +312,6 @@ var (
 		stringSliceFlag(skipFiles),
 		stringSliceFlag(skipDirs),
 	}
-
-	// deprecated options
-	deprecatedFlags = []cli.Flag{
-		&cli.StringFlag{
-			Name:    "only-update",
-			Usage:   "deprecated",
-			EnvVars: []string{"TRIVY_ONLY_UPDATE"},
-		},
-		&cli.BoolFlag{
-			Name:    "refresh",
-			Usage:   "deprecated",
-			EnvVars: []string{"TRIVY_REFRESH"},
-		},
-		&cli.BoolFlag{
-			Name:    "auto-refresh",
-			Usage:   "deprecated",
-			EnvVars: []string{"TRIVY_AUTO_REFRESH"},
-		},
-	}
 )

 // NewApp is the factory method to return Trivy CLI
@@ -346,13 +327,13 @@ func NewApp(version string) *cli.App {
 	app.Usage = "A simple and comprehensive vulnerability scanner for containers"
 	app.EnableBashCompletion = true

-	flags := append(globalFlags, setHidden(deprecatedFlags, true)...)
-	flags = append(flags, setHidden(imageFlags, true)...)
+	flags := append(globalFlags, setHidden(imageFlags, true)...)

 	app.Flags = flags
 	app.Commands = []*cli.Command{
 		NewImageCommand(),
 		NewFilesystemCommand(),
+		NewRootfsCommand(),
 		NewRepositoryCommand(),
 		NewClientCommand(),
 		NewServerCommand(),
@@ -429,9 +410,9 @@ func showVersion(cacheDir, outputFormat, version string, outputWriter io.Writer)
 		if dbMeta != nil {
 			var dbType string
 			switch dbMeta.Type {
-			case 0:
+			case db.TypeFull:
 				dbType = "Full"
-			case 1:
+			case db.TypeLight:
 				dbType = "Light"
 			}
 			output += fmt.Sprintf(`Vulnerability DB:
@@ -464,12 +445,11 @@ func NewFilesystemCommand() *cli.Command {
 		Name:      "filesystem",
 		Aliases:   []string{"fs"},
 		ArgsUsage: "dir",
-		Usage:     "scan local filesystem",
+		Usage:     "scan local filesystem for language-specific dependencies and config files",
 		Action:    artifact.FilesystemRun,
 		Flags: []cli.Flag{
 			&templateFlag,
 			&formatFlag,
-			&inputFlag,
 			&severityFlag,
 			&outputFlag,
 			&exitCodeFlag,
@@ -477,7 +457,40 @@ func NewFilesystemCommand() *cli.Command {
 			&skipPolicyUpdateFlag,
 			&clearCacheFlag,
 			&ignoreUnfixedFlag,
-			&removedPkgsFlag,
+			&vulnTypeFlag,
+			&securityChecksFlag,
+			&ignoreFileFlag,
+			&cacheBackendFlag,
+			&timeoutFlag,
+			&noProgressFlag,
+			&ignorePolicy,
+			&listAllPackages,
+			stringSliceFlag(skipFiles),
+			stringSliceFlag(skipDirs),
+			stringSliceFlag(configPolicy),
+			stringSliceFlag(configData),
+			stringSliceFlag(policyNamespaces),
+		},
+	}
+}
+
+// NewRootfsCommand is the factory method to add filesystem command
+func NewRootfsCommand() *cli.Command {
+	return &cli.Command{
+		Name:      "rootfs",
+		ArgsUsage: "dir",
+		Usage:     "scan rootfs",
+		Action:    artifact.RootfsRun,
+		Flags: []cli.Flag{
+			&templateFlag,
+			&formatFlag,
+			&severityFlag,
+			&outputFlag,
+			&exitCodeFlag,
+			&skipDBUpdateFlag,
+			&skipPolicyUpdateFlag,
+			&clearCacheFlag,
+			&ignoreUnfixedFlag,
 			&vulnTypeFlag,
 			&securityChecksFlag,
 			&ignoreFileFlag,
@@ -552,6 +565,8 @@ func NewClientCommand() *cli.Command {
 			&ignoreFileFlag,
 			&timeoutFlag,
 			&ignorePolicy,
+			stringSliceFlag(skipFiles),
+			stringSliceFlag(skipDirs),
 			stringSliceFlag(configPolicy),
 			&listAllPackages,

--- a/pkg/commands/app_test.go
+++ b/pkg/commands/app_test.go
@@ -3,7 +3,6 @@ package commands
 import (
 	"bytes"
 	"encoding/json"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"testing"
@@ -36,7 +35,7 @@ func Test_showVersion(t *testing.T) {
 			},
 			expectedOutput: `Version: v1.2.3
 Vulnerability DB:
-  Type: Light
+  Type: Full
  Version: 42
  UpdatedAt: 2020-03-16 23:40:20 +0000 UTC
  NextUpdate: 2020-03-16 23:57:00 +0000 UTC
@@ -81,7 +80,7 @@ Vulnerability DB:
 			case tt.args.cacheDir != "":
 				cacheDir = tt.args.cacheDir
 			default:
-				cacheDir, _ = ioutil.TempDir("", "Test_showVersion-*")
+				cacheDir, _ = os.MkdirTemp("", "Test_showVersion-*")
 				defer os.RemoveAll(cacheDir)
 			}

--- a/pkg/commands/artifact/config.go
+++ b/pkg/commands/artifact/config.go
@@ -4,20 +4,19 @@ import (
 	"github.com/urfave/cli/v2"
 	"golang.org/x/xerrors"

+	"github.com/aquasecurity/fanal/analyzer"
 	"github.com/aquasecurity/trivy/pkg/types"
 )

 // ConfigRun runs scan on config files
 func ConfigRun(ctx *cli.Context) error {
-	opt, err := NewOption(ctx)
+	opt, err := initOption(ctx)
 	if err != nil {
 		return xerrors.Errorf("option error: %w", err)
 	}

-	// initialize options
-	if err = opt.Init(); err != nil {
-		return xerrors.Errorf("failed to initialize options: %w", err)
-	}
+	// Disable OS and language analyzers
+	opt.DisabledAnalyzers = append(analyzer.TypeOSes, analyzer.TypeLanguages...)

 	// Scan only config files
 	opt.VulnType = nil
--- a/pkg/commands/artifact/fs.go
+++ b/pkg/commands/artifact/fs.go
@@ -9,30 +9,42 @@ import (

 	"github.com/aquasecurity/fanal/analyzer"
 	"github.com/aquasecurity/fanal/analyzer/config"
+	"github.com/aquasecurity/fanal/artifact"
 	"github.com/aquasecurity/fanal/cache"
 	"github.com/aquasecurity/trivy/pkg/scanner"
 )

 func filesystemScanner(ctx context.Context, dir string, ac cache.ArtifactCache, lac cache.LocalArtifactCache,
-	_ time.Duration, disabled []analyzer.Type, opt config.ScannerOption) (scanner.Scanner, func(), error) {
-	s, cleanup, err := initializeFilesystemScanner(ctx, dir, ac, lac, disabled, opt)
+	_ time.Duration, artifactOpt artifact.Option, scannerOpt config.ScannerOption) (scanner.Scanner, func(), error) {
+	s, cleanup, err := initializeFilesystemScanner(ctx, dir, ac, lac, artifactOpt, scannerOpt)
 	if err != nil {
 		return scanner.Scanner{}, func() {}, xerrors.Errorf("unable to initialize a filesystem scanner: %w", err)
 	}
 	return s, cleanup, nil
 }

-// FilesystemRun runs scan on filesystem
+// FilesystemRun runs scan on filesystem for language-specific dependencies and config files
 func FilesystemRun(ctx *cli.Context) error {
-	opt, err := NewOption(ctx)
+	opt, err := initOption(ctx)
 	if err != nil {
 		return xerrors.Errorf("option error: %w", err)
 	}

-	// initialize options
-	if err = opt.Init(); err != nil {
-		return xerrors.Errorf("failed to initialize options: %w", err)
-	}
+	// Disable the individual package scanning
+	opt.DisabledAnalyzers = analyzer.TypeIndividualPkgs
+
+	return Run(ctx.Context, opt, filesystemScanner, initFSCache)
+}
+
+// RootfsRun runs scan on rootfs.
+func RootfsRun(ctx *cli.Context) error {
+	opt, err := initOption(ctx)
+	if err != nil {
+		return xerrors.Errorf("option error: %w", err)
+	}
+
+	// Disable the lock file scanning
+	opt.DisabledAnalyzers = analyzer.TypeLockfiles

 	return Run(ctx.Context, opt, filesystemScanner, initFSCache)
 }
--- a/pkg/commands/artifact/image.go
+++ b/pkg/commands/artifact/image.go
@@ -9,13 +9,14 @@ import (

 	"github.com/aquasecurity/fanal/analyzer"
 	"github.com/aquasecurity/fanal/analyzer/config"
+	"github.com/aquasecurity/fanal/artifact"
 	"github.com/aquasecurity/fanal/cache"
 	"github.com/aquasecurity/trivy/pkg/scanner"
 )

 func archiveScanner(ctx context.Context, input string, ac cache.ArtifactCache, lac cache.LocalArtifactCache,
-	timeout time.Duration, disabled []analyzer.Type, opt config.ScannerOption) (scanner.Scanner, func(), error) {
-	s, err := initializeArchiveScanner(ctx, input, ac, lac, timeout, disabled, opt)
+	timeout time.Duration, artifactOpt artifact.Option, scannerOpt config.ScannerOption) (scanner.Scanner, func(), error) {
+	s, err := initializeArchiveScanner(ctx, input, ac, lac, timeout, artifactOpt, scannerOpt)
 	if err != nil {
 		return scanner.Scanner{}, func() {}, xerrors.Errorf("unable to initialize the archive scanner: %w", err)
 	}
@@ -23,8 +24,8 @@ func archiveScanner(ctx context.Context, input string, ac cache.ArtifactCache, l
 }

 func dockerScanner(ctx context.Context, imageName string, ac cache.ArtifactCache, lac cache.LocalArtifactCache,
-	timeout time.Duration, disabled []analyzer.Type, opt config.ScannerOption) (scanner.Scanner, func(), error) {
-	s, cleanup, err := initializeDockerScanner(ctx, imageName, ac, lac, timeout, disabled, opt)
+	timeout time.Duration, artifactOpt artifact.Option, scannerOpt config.ScannerOption) (scanner.Scanner, func(), error) {
+	s, cleanup, err := initializeDockerScanner(ctx, imageName, ac, lac, timeout, artifactOpt, scannerOpt)
 	if err != nil {
 		return scanner.Scanner{}, func() {}, xerrors.Errorf("unable to initialize a docker scanner: %w", err)
 	}
@@ -33,15 +34,13 @@ func dockerScanner(ctx context.Context, imageName string, ac cache.ArtifactCache

 // ImageRun runs scan on docker image
 func ImageRun(ctx *cli.Context) error {
-	opt, err := NewOption(ctx)
+	opt, err := initOption(ctx)
 	if err != nil {
 		return xerrors.Errorf("option error: %w", err)
 	}

-	// initialize options
-	if err = opt.Init(); err != nil {
-		return xerrors.Errorf("option initialize error: %w", err)
-	}
+	// Disable the lock file scanning
+	opt.DisabledAnalyzers = analyzer.TypeLockfiles

 	if opt.Input != "" {
 		// scan tar file
--- a/pkg/commands/artifact/inject.go
+++ b/pkg/commands/artifact/inject.go
@@ -1,3 +1,4 @@
+//go:build wireinject
 // +build wireinject

 package artifact
@@ -8,37 +9,37 @@ import (

 	"github.com/google/wire"

-	"github.com/aquasecurity/fanal/analyzer"
 	"github.com/aquasecurity/fanal/analyzer/config"
+	"github.com/aquasecurity/fanal/artifact"
 	"github.com/aquasecurity/fanal/cache"
 	"github.com/aquasecurity/trivy/pkg/result"
 	"github.com/aquasecurity/trivy/pkg/scanner"
 )

 func initializeDockerScanner(ctx context.Context, imageName string, artifactCache cache.ArtifactCache,
-	localArtifactCache cache.LocalArtifactCache, timeout time.Duration, disableAnalyzers []analyzer.Type,
+	localArtifactCache cache.LocalArtifactCache, timeout time.Duration, artifactOption artifact.Option,
 	configScannerOption config.ScannerOption) (scanner.Scanner, func(), error) {
 	wire.Build(scanner.StandaloneDockerSet)
 	return scanner.Scanner{}, nil, nil
 }

 func initializeArchiveScanner(ctx context.Context, filePath string, artifactCache cache.ArtifactCache,
-	localArtifactCache cache.LocalArtifactCache, timeout time.Duration, disableAnalyzers []analyzer.Type,
+	localArtifactCache cache.LocalArtifactCache, timeout time.Duration, artifactOption artifact.Option,
 	configScannerOption config.ScannerOption) (scanner.Scanner, error) {
 	wire.Build(scanner.StandaloneArchiveSet)
 	return scanner.Scanner{}, nil
 }

 func initializeFilesystemScanner(ctx context.Context, dir string, artifactCache cache.ArtifactCache,
-	localArtifactCache cache.LocalArtifactCache, disableAnalyzers []analyzer.Type, configScannerOption config.ScannerOption) (
-	scanner.Scanner, func(), error) {
+	localArtifactCache cache.LocalArtifactCache, artifactOption artifact.Option,
+	configScannerOption config.ScannerOption) (scanner.Scanner, func(), error) {
 	wire.Build(scanner.StandaloneFilesystemSet)
 	return scanner.Scanner{}, nil, nil
 }

 func initializeRepositoryScanner(ctx context.Context, url string, artifactCache cache.ArtifactCache,
-	localArtifactCache cache.LocalArtifactCache, disableAnalyzers []analyzer.Type, configScannerOption config.ScannerOption) (
-	scanner.Scanner, func(), error) {
+	localArtifactCache cache.LocalArtifactCache, artifactOption artifact.Option,
+	configScannerOption config.ScannerOption) (scanner.Scanner, func(), error) {
 	wire.Build(scanner.StandaloneRepositorySet)
 	return scanner.Scanner{}, nil, nil
 }
--- a/pkg/commands/artifact/option.go
+++ b/pkg/commands/artifact/option.go
@@ -4,6 +4,7 @@ import (
 	"github.com/urfave/cli/v2"
 	"golang.org/x/xerrors"

+	"github.com/aquasecurity/fanal/analyzer"
 	"github.com/aquasecurity/trivy/pkg/commands/option"
 )

@@ -17,12 +18,9 @@ type Option struct {
 	option.CacheOption
 	option.ConfigOption

-	// deprecated
-	onlyUpdate string
-	// deprecated
-	refresh bool
-	// deprecated
-	autoRefresh bool
+	// We don't want to allow disabled analyzers to be passed by users,
+	// but it differs depending on scanning modes.
+	DisabledAnalyzers []analyzer.Type
 }

 // NewOption is the factory method to return options
@@ -40,19 +38,11 @@ func NewOption(c *cli.Context) (Option, error) {
 		ReportOption:   option.NewReportOption(c),
 		CacheOption:    option.NewCacheOption(c),
 		ConfigOption:   option.NewConfigOption(c),
-
-		onlyUpdate:  c.String("only-update"),
-		refresh:     c.Bool("refresh"),
-		autoRefresh: c.Bool("auto-refresh"),
 	}, nil
 }

 // Init initializes the artifact options
 func (c *Option) Init() error {
-	if c.onlyUpdate != "" || c.refresh || c.autoRefresh {
-		c.Logger.Warn("--only-update, --refresh and --auto-refresh are unnecessary and ignored now. These commands will be removed in the next version.")
-	}
-
 	if err := c.initPreScanOptions(); err != nil {
 		return err
 	}
--- a/pkg/commands/artifact/option_test.go
+++ b/pkg/commands/artifact/option_test.go
@@ -93,25 +93,6 @@ func TestOption_Init(t *testing.T) {
 				},
 			},
 		},
-		{
-			name: "deprecated options",
-			args: []string{"--only-update", "alpine", "--severity", "LOW", "debian:buster"},
-			logs: []string{
-				"--only-update, --refresh and --auto-refresh are unnecessary and ignored now. These commands will be removed in the next version.",
-			},
-			want: Option{
-				ReportOption: option.ReportOption{
-					Severities:     []dbTypes.Severity{dbTypes.SeverityLow},
-					Output:         os.Stdout,
-					VulnType:       []string{types.VulnTypeOS, types.VulnTypeLibrary},
-					SecurityChecks: []string{types.SecurityCheckVulnerability},
-				},
-				ArtifactOption: option.ArtifactOption{
-					Target: "debian:buster",
-				},
-				onlyUpdate: "alpine",
-			},
-		},
 		{
 			name: "invalid option combination: --template enabled without --format",
 			args: []string{"--template", "@contrib/gitlab.tpl", "gitlab/gitlab-ce:12.7.2-ce.0"},
@@ -196,11 +177,9 @@ func TestOption_Init(t *testing.T) {
 			set.Bool("reset", false, "")
 			set.Bool("skip-db-update", false, "")
 			set.Bool("download-db-only", false, "")
-			set.Bool("auto-refresh", false, "")
 			set.String("severity", "CRITICAL", "")
 			set.String("vuln-type", "os,library", "")
 			set.String("security-checks", "vuln", "")
-			set.String("only-update", "", "")
 			set.String("template", "", "")
 			set.String("format", "", "")

--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
nobletrout	7beed30170	docs: provide more information on scanning Google's GCR (#1426 ) Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>	2021-12-07 03:28:46 +02:00
DmitriyLewen	f50e1f42a1	docs(misconfiguration): added instruction for misconfiguration detection (#1428 ) Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>	2021-12-06 13:56:41 +02:00
Guilherme Macedo	3ae4de5869	Update git-repository.md (#1430 ) Update instructions on how to scan private git repositories, as according to https://github.com/aquasecurity/fanal/pull/253 .	2021-12-06 13:04:03 +02:00
AndreyLevchenko	6e35b8f53c	fix(hooks): exclude unrelated lib types from system files filtering (#1431 )	2021-12-06 10:53:34 +02:00
afdesk	beb60b05f3	chore: run `go fmt` (#1429 )	2021-12-02 17:52:57 +09:00
afdesk	582e7fd1ba	fix(sarif): change `help` field in the sarif template. (#1423 )	2021-12-02 14:23:26 +09:00
Owen Rumney	11bc290111	Update fanal with cfsec version update (#1425 ) - new version of cfsec brought in with latest fanal - fixes issue where cfsec treats files as CloudFormation when they arent - fixes issuee where invalid content errors are surfaced to Trivy - Gets addition of service and provider on the IaC results - this is not visible to others	2021-12-01 04:15:26 +02:00
Nilushan Costa	392f68926c	Replace deprecated option in goreleaser (#1406 ) * Replace deprecated docker.use_buildx with docker.use * Bump goreleaser GitHub action to v0.183.0	2021-11-29 05:31:16 +02:00
Huang Huang	101d576025	feat(alpine): support 3.15 (#1422 )	2021-11-29 05:30:44 +02:00
Carol Valencia	bd3ba68cce	chore: test the helm chart in the PR and used the commit hash (#1414 ) Co-authored-by: carolina valencia <krol3@users.noreply.github.com>	2021-11-29 05:29:01 +02:00
dependabot[bot]	3860d6e4e9	chore(deps): bump alpine from 3.14 to 3.15.0 (#1417 ) Bumps alpine from 3.14 to 3.15.0. --- updated-dependencies: - dependency-name: alpine dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2021-11-28 09:48:31 +02:00
afdesk	4f82673a61	chore(release): add ubuntu older versions to deploy script (#1416 ) * chore(release): add ubuntu older versions to deploy script `ubuntu-distro-info --supported` returns only versions: `bionic`, `focal`, `hirsute`, `impish` and `jammy`. `ubuntu-distro-info --supported-esm` returns another versions: `trusty`, `xenial`, `bionic`, `focal` and `jammy`. for the release script we should use the union of these sets. Fixes #1194 * change `uniq` command to `-u` parameter	2021-11-28 09:43:07 +02:00
Teppei Fukuda	b9a51de862	chore(mod): tidy (#1415 )	2021-11-26 06:36:55 +02:00
AndreyLevchenko	7f248341cc	fix(rpc): fix nil layer transmit (#1410 ) * fix(rpc): fix nil layer transmit Closes #1400 * added tests	2021-11-24 10:29:13 +02:00
Naimuddin Shaik	af3eaefdb2	Lang advisory order (#1409 ) * chore(advisory reorder) Reorder language advisory. * fixed integration tests.	2021-11-24 10:27:12 +02:00
Raul Cabello Martin	07c9200eb7	chore: add support for s390x arch (#1304 )	2021-11-21 11:38:47 +02:00
Carol Valencia	8bc8a4ad60	fix(chart): ingress helm manifest-update trivy image (#1323 ) * fix: ingress helm manifest-update trivy image * chore: helm ingress Capabilities.apiVersion * feat: helm chart test gh Co-authored-by: carolina valencia <krol3@users.noreply.github.com>	2021-11-21 09:57:30 +02:00
Owen Rumney	9076a49b0f	docs: Add comparison for cfsec (#1388 ) * Add cfsec comparison * Add to mkdocs.yml	2021-11-17 16:42:17 +02:00
naoyukis	bb316d93ca	remove: delete unused functions in utils package (#1379 )	2021-11-16 14:12:18 +02:00
AndreyLevchenko	efdb29d0d4	fix(sarif): fix validation errors (#1376 )	2021-11-15 16:36:51 +02:00
Teppei Fukuda	9bcf9e72f5	docs: add Bitbucket Pipelines (#1374 )	2021-11-14 11:31:21 +02:00
Teppei Fukuda	3147097daf	docs: add community integrations (#1361 ) Co-authored-by: Carsten Hoffmann <choffmann87@googlemail.com>	2021-11-14 10:28:26 +02:00
Simon Engledew	33f74b3acb	Use a stable SARIF identifier (#1230 )	2021-11-11 20:02:40 +02:00
rahul2393	5915ffb42b	fix(python): fix parsing of requirements.txt with hash checking mode available in pip since version 8.0	2021-11-11 13:18:31 +02:00
Owen Rumney	ae4c42b975	feat(iac): Add line information (#1366 ) * feat(iac): Adding resource and Line data - adding line in file information to the misconfiguration result - updating tfsec and cfsec versions to provide this additional info * Add usage of IaC metadata * update the fanal version	2021-11-11 08:00:13 +02:00
Owen Rumney	19747d0535	feat(cloudformation): Adding support for cfsec IaC scanning (#1360 )	2021-11-09 17:42:44 +02:00
Jamie	da45061f4d	chore: send debug and info logs to stdout in install.sh, not stderr. (#1264 ) The current install.sh script logs all messages to stderr via ```echoerr()``` function. Since godownloader is no longer maintained, it seems reasonable to update install.sh here.	2021-11-09 16:54:42 +02:00
tspearconquest	cb1a4ed3a1	Update containerd to v1.5.7 and docker-cli to v20.10.9 (#1356 ) Signed-off-by: Thomas Spear <tspear@conquestcyber.com>	2021-11-09 16:00:41 +02:00
Vinod Anandan	69dae54aa1	chore: update SBOM generation (#1349 )	2021-11-01 16:44:14 +02:00
Simar	5dc8cfe55d	docs: update builtin.md (#1335 )	2021-10-25 21:22:13 +03:00
psibre	798b564ee3	chore: fix issues with Homebrew formula (#1329 )	2021-10-25 20:34:32 +03:00
psibre	21bf5e58f7	chore: bump GoReleaser to v0.183.0 (#1328 )	2021-10-25 20:33:35 +03:00
Simar	e0f4ebd7cb	docs: update iac.md for a typo (#1326 )	2021-10-25 19:40:47 +03:00
Rory McCune	23a9a5e319	docs: typo fix (#1308 ) Just fixing a typo in the docs "Filesysetm" --> "Filesystem	2021-10-25 19:39:34 +03:00
Christian Zunker	1f5d17fe13	Add new networking API features to Ingress (#1262 ) * Add new networking API features to Ingress This PR adds `v1` of the networking API introduced with k8s 1.19. It also adds the new field `ingressClassName` introduced with k8s 1.18. Fixes #1261 * Also query for the Kind in the capabilities Signed-off-by: Christian Zunker <christian.zunker@codecentric.cloud>	2021-10-20 18:59:12 +03:00
Teppei Fukuda	bcfa0287b9	chore(release): bump up GoReleaser to v0.182.1 (#1299 )	2021-10-16 06:48:44 +03:00
Teppei Fukuda	681ab1b889	fix(yarn): support quoted version (#1298 )	2021-10-15 08:22:40 +03:00
Ankush K	46051d5ec8	feat(custom-forward): Forward the extended advisory data (#1247 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2021-10-14 21:57:30 +03:00
santhosh1729	d8d692b8ba	feat(javascript) : Initialize npm driver for javascript packages (#1289 )	2021-10-10 08:37:15 +03:00
besdollma	cc344dfbe3	fix(cli): fix incorrect comparision of DB metadata type. (#1286 ) -- Incorrect Db metadata type comparision resulted in wrong print in show version. This fixes #1275. Signed-off-by: Bes Dollma <besi7dollma@gmail.com>	2021-10-08 19:16:46 +03:00
Itay Shakury	0dec17fc3f	docs: add footer to readme (#1281 ) Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>	2021-10-07 10:18:38 +03:00
Teppei Fukuda	f12446d3ba	feat(report): add package path (#1274 )	2021-10-06 10:28:48 +03:00
Teppei Fukuda	1c9ccb5e03	feat(command): add rootfs command (#1271 )	2021-10-04 21:03:34 +03:00
Huang Huang	a463e794ce	fix: update fanal (#1272 ) Fixes #1251 Fixes #1183 Fixes #1172	2021-10-04 17:47:00 +03:00
Teppei Fukuda	e0ca5eff38	feat(commands): remove deprecated options (#1270 )	2021-10-04 15:49:04 +03:00
Masahiro331	1ebb3296ee	Aggregate jar result for table (#1269 ) Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>	2021-10-04 11:30:12 +03:00
Teppei Fukuda	b37f682ee2	BREAKING(report): migrate to new json schema (#1265 )	2021-10-04 10:22:24 +03:00
Teppei Fukuda	da905108b4	feat: improve --skip-dirs and --skip-files (#1249 )	2021-10-03 13:08:09 +03:00
Teppei Fukuda	bd57b4f9b5	fix(gobinary): skip large files (#1259 )	2021-10-01 19:54:47 +03:00
Fabian Windheuser	9027dc3252	Disable library analyzer for OS only scan type (#1191 )	2021-09-29 11:54:46 +03:00
fnishe	5750cc2e1a	chore: update trivy version (#1252 )	2021-09-29 10:56:44 +03:00
Eng Zer Jun	bbcce9f7b7	refactor: move from io/ioutil to io and os package (#1245 ) The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>	2021-09-29 10:17:02 +03:00
Minchao	6bcb4af10f	fix: brew test command (#1253 )	2021-09-27 07:25:30 +03:00
Naimuddin Shaik	8d13234554	fix:added layer info in packages (#1248 ) * added layer info in packages * fixed unit cases	2021-09-22 17:17:16 +03:00
Teppei Fukuda	982f35b424	fix(go/binary): improve debug messages (#1244 )	2021-09-20 10:28:02 +03:00
洋仔	2e170cd15a	Update db.go (#1199 ) fix args name error	2021-09-19 20:38:22 +03:00
AndreyLevchenko	cc6c67d81c	fix(deps): fix CVE-2021-32760 for github.com/containerd/containerd (#1243 ) Closes #1226	2021-09-19 09:49:15 +03:00
Teppei Fukuda	669fd1fd1d	feat(debian): support the versions that reached EOL (#1237 ) * refactor(debian): aggregate oval and json api into salsa * fix(vulnerability): use package-specific severity * chore(mod): update trivy-db	2021-09-17 13:59:46 +03:00
Teppei Fukuda	8cd7de276e	feat(alpine): support unfixed vulnerabilities (#1235 )	2021-09-16 22:20:59 +03:00
Teppei Fukuda	3bf3a46cd4	feat(report): add image config (#1231 ) * feat(report): add image config * chore(mod): update fanal * test(scanner): fix type	2021-09-15 22:19:37 +03:00
Ankush K	8edcc62a8d	feat(nodejs): support package.json (#1225 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2021-09-15 14:23:35 +03:00
Teppei Fukuda	31c45ffc52	refactor: use testing DB instead of mock (#1234 )	2021-09-15 10:06:01 +03:00
Ankush K	d8cc8b550b	feat(ruby): support gemspec (#1224 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2021-09-14 23:16:19 +03:00
Ankush K	dbc7a83e8c	feat(python): add packaging detector and respective hook (#1223 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2021-09-13 20:59:11 +03:00
Ankush K	19c0b70d26	feat(license): Added support to new License field of go-dep-parser's library (#1167 )	2021-09-09 14:32:50 +03:00
afdesk	9d617777d5	fix(oracle): handle advisories contain ksplice versions (#1209 ) * fix(oracle): handle advisories contain ksplice versions Improve a handling of advisories contain ksplice versions: * when one of them doesn't have ksplice, we'll also skip it * extract kspliceX and compare it with kspliceY in advisories * if kspliceX and kspliceY are different, we will skip the advisory. Fixes #1205 * fix(oracle): handle advisories contain ksplice versions simplify code and remove duplicated tests Fixes #1205 * run go fmt	2021-09-05 11:29:13 +03:00
afdesk	5d57deaa4f	fix(docs): remove OSVDB advisories (#1215 ) Trivy no longer depends on OSVDB and can use "Ruby Advisory Database" for commercial usage. Fixes #1208	2021-09-05 08:39:10 +03:00
Guilherme Macedo	b5955597a4	docs: fix typos in CONTRIBUTING.md (#1181 ) * Fix typos in CONTRIBUTING.md Fix small typos in CONTRIBUTING.md * Fix typos in CONTRIBUTING.md Fix small typos in CONTRIBUTING.md	2021-09-02 14:51:57 +03:00
Huang Huang	b1410b27b8	Update EOL of Debian 11 (#1180 ) https://bits.debian.org/2021/08/bullseye-released.html	2021-09-02 14:32:47 +03:00
afdesk	0e777d386e	fix(plugin): resolve a closure (#1207 ) There is a closure inside a function for Action field: variable p always refers on the last plugin. solution: redefine variable inside the for loop. Fixes #1086	2021-09-02 14:29:54 +03:00
Pascal Borreli	b6d9c30eea	docs: fix typo (#1206 )	2021-09-01 18:03:14 +03:00
afdesk	5160a2eb53	fix(detector): change an argument for trivy-db getter (#1203 ) use a package name instead of SrcName for getting of advisories about Oracle packages. Fixes #1170	2021-09-01 14:27:14 +03:00
Teppei Fukuda	40ed227c23	chore(mod): update fanal (#1179 ) * chore(mod): update fanal * test(integration): fix error message * test(integration): skip reaper	2021-08-15 15:19:22 +03:00
santhosh1729	2a4400c147	Add license info to package data (#1176 )	2021-08-15 13:05:37 +03:00
Tauseef	82eb630be7	feat(nuget): support packages.config (#1095 ) Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>	2021-08-12 15:27:13 +03:00
AndreyLevchenko	4a8db20a9a	feat(python): add support for requirements.txt (#1169 )	2021-08-11 11:14:37 +03:00
thiago-gitlab	8db9b6a2a6	GitLab CI integration documentation (#1168 ) Recommend the native GitLab integration.	2021-08-08 14:10:16 +03:00
AndreyLevchenko	c159501d0d	chore(gorelease) change goreleaser config to include template examples (#1138 ) Closes #1123	2021-07-28 11:05:14 +03:00
dependabot[bot]	76e63d1124	chore(deps): bump dmnemec/copy_file_to_another_repo_action (#1153 ) Bumps [dmnemec/copy_file_to_another_repo_action](https://github.com/dmnemec/copy_file_to_another_repo_action) from 1.0.4 to 1.1.1. - [Release notes](https://github.com/dmnemec/copy_file_to_another_repo_action/releases) - [Commits](https://github.com/dmnemec/copy_file_to_another_repo_action/compare/v1.0.4...v1.1.1) --- updated-dependencies: - dependency-name: dmnemec/copy_file_to_another_repo_action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2021-07-28 10:57:32 +03:00
dependabot[bot]	79b6684840	chore(deps): bump actions/stale from 3 to 4 (#1152 ) Bumps [actions/stale](https://github.com/actions/stale) from 3 to 4. - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/stale/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/stale dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2021-07-28 10:56:09 +03:00
AndreyLevchenko	214fe82c7e	feat(report): add end of service life flag to OS metadata (#1142 ) Co-authored-by: knqyf263 <knqyf263@gmail.com>	2021-07-27 17:08:57 +03:00
Matthieu MOREL	c489e31f5d	chore: set up Dependabot for github-actions and docker (#1128 )	2021-07-27 16:03:43 +03:00
MaineK00n	efd812cb1a	docs: fix typo (#1149 )	2021-07-27 16:00:54 +03:00
Teppei Fukuda	3a920dc401	docs: add some external links (#1147 )	2021-07-27 15:39:55 +03:00
AndreyLevchenko	7cb1598991	chore (release): add ubuntu esm versions to deploy script (#1151 )	2021-07-26 12:49:42 +03:00
AndreyLevchenko	6a8800286e	docs(troubleshooting) add urls which are required to download vuls db (#1137 )	2021-07-21 11:07:57 +03:00