docs(filter vulnerabilities): fix link (#1880 )

fixed link to helper functions
feat(template) Add misconfigurations to gitlab codequality report (#1756 )
2025-12-07 21:30:46 -08:00 · 2022-03-30 17:56:16 +03:00 · 2022-03-30 17:55:14 +03:00 · 2022-03-30 14:43:29 +03:00 · 2022-03-28 11:30:20 +03:00 · 2022-03-27 11:31:54 +03:00
364 changed files with 16674 additions and 136756 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,10 +1,15 @@
 version: 2
 updates:
- package-ecosystem: github-actions
-  directory: /
-  schedule:
-    interval: daily
- package-ecosystem: docker
-  directory: /
-  schedule:
-    interval: daily
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: monthly
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: monthly
+  - package-ecosystem: gomod
+    open-pull-requests-limit: 10
+    directory: /
+    schedule:
+      interval: monthly
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -0,0 +1,18 @@
+## Description
+
+## Related issues
+- Close #XXX
+
+## Related PRs
+- [ ] #XXX
+- [ ] #YYY
+
+Remove this section if you don't have related PRs.
+
+## Checklist
+- [ ] I've read the [guidelines for contributing](https://github.com/aquasecurity/trivy/blob/main/CONTRIBUTING.md) to this repository.
+- [ ] I've followed the [conventions](https://github.com/aquasecurity/trivy/blob/main/CONTRIBUTING.md#title) in the PR title.
+- [ ] I've added tests that prove my fix is effective or that my feature works.
+- [ ] I've updated the [documentation](https://github.com/aquasecurity/trivy/blob/main/docs) with the relevant information (if needed).
+- [ ] I've added usage information (if the PR introduces new options)
+- [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).
--- a/.github/workflows/mkdocs-dev.yaml
+++ b/.github/workflows/mkdocs-dev.yaml
@@ -16,7 +16,7 @@ jobs:
        with:
          fetch-depth: 0
          persist-credentials: true
-      - uses: actions/setup-python@v2
+      - uses: actions/setup-python@v3
        with:
          python-version: 3.x
      - name: Install dependencies
--- a/.github/workflows/mkdocs-latest.yaml
+++ b/.github/workflows/mkdocs-latest.yaml
@@ -18,7 +18,7 @@ jobs:
        with:
          fetch-depth: 0
          persist-credentials: true
-      - uses: actions/setup-python@v2
+      - uses: actions/setup-python@v3
        with:
          python-version: 3.x
      - name: Install dependencies
--- a/.github/workflows/publish-chart.yaml
+++ b/.github/workflows/publish-chart.yaml
@@ -1,45 +1,82 @@
-name: Publish Chart Helm
+
+name: Publish Helm chart
+
 on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'helm/trivy/**'
  push:
    branches: [main]
    paths:
      - 'helm/trivy/**'
-  workflow_dispatch:
 env:
  HELM_REP: helm-charts
  GH_OWNER: aquasecurity
  CHART_DIR: helm/trivy
+  KIND_VERSION: "v0.11.1"
+  KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"
 jobs:
-  release:
+  test-chart:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
        with:
          fetch-depth: 0
      - name: Install Helm
-        uses: azure/setup-helm@v1
+        uses: azure/setup-helm@18bc76811624f360dbd7f18c2d4ecb32c7b87bab #v1.1
        with:
          version: v3.5.0
+      - name: Set up python
+        uses: actions/setup-python@v3
+        with:
+          python-version: 3.7
+      - name: Setup Chart Linting
+        id: lint
+        uses: helm/chart-testing-action@6b64532d456fa490a3da177fbd181ac4c8192b58 #v2.1.0
+      - name: Setup Kubernetes cluster (KIND)
+        uses: helm/kind-action@94729529f85113b88f4f819c17ce61382e6d8478 #v1.2.0
+        with:
+          version: ${{ env.KIND_VERSION }}
+          image: ${{ env.KIND_IMAGE }}
+      - name: Run chart-testing
+        run: ct lint-and-install --validate-maintainers=false --charts helm/trivy
+      - name: Run chart-testing (Ingress enabled)
+        run: |
+          sed -i -e '117s,false,'true',g' ./helm/trivy/values.yaml
+          ct lint-and-install --validate-maintainers=false --charts helm/trivy
+
+  publish-chart:
+    if: github.event_name == 'push'
+    needs:
+      - test-chart
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
+        with:
+          fetch-depth: 0
      - name: Install chart-releaser
        run: |
-          wget https://github.com/helm/chart-releaser/releases/download/v1.1.1/chart-releaser_1.1.1_linux_amd64.tar.gz
-          tar xzvf chart-releaser_1.1.1_linux_amd64.tar.gz cr
+          wget https://github.com/helm/chart-releaser/releases/download/v1.3.0/chart-releaser_1.3.0_linux_amd64.tar.gz
+          echo "baed2315a9bb799efb71d512c5198a2a3b8dcd139d7f22f878777cffcd649a37  chart-releaser_1.3.0_linux_amd64.tar.gz" | sha256sum -c -
+          tar xzvf chart-releaser_1.3.0_linux_amd64.tar.gz cr
      - name: Package helm chart
        run: |
          ./cr package ${{ env.CHART_DIR }}
      - name: Upload helm chart
        # Failed with upload the same version: https://github.com/helm/chart-releaser/issues/101
        continue-on-error: true
-        ## Upload the tar in the Releases repository
        run: |
          ./cr upload -o ${{ env.GH_OWNER }} -r ${{ env.HELM_REP }} --token ${{ secrets.ORG_REPO_TOKEN }} -p .cr-release-packages
      - name: Index helm chart
        run: |
          ./cr index -o ${{ env.GH_OWNER }} -r ${{ env.HELM_REP }} -c https://${{ env.GH_OWNER }}.github.io/${{ env.HELM_REP }}/ -i index.yaml
-
      - name: Push index file
-        uses: dmnemec/copy_file_to_another_repo_action@v1.1.1
+        uses: dmnemec/copy_file_to_another_repo_action@c93037aa10fa8893de271f19978c980d0c1a9b37 #v1.1.1
        env:
          API_TOKEN_GITHUB: ${{ secrets.ORG_REPO_TOKEN }}
        with:
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -4,7 +4,7 @@ on:
    tags:
      - "v*"
 env:
-  GO_VERSION: "1.17"
+  GO_VERSION: "1.18"
  GH_USER: "aqua-bot"
 jobs:
  release:
@@ -12,11 +12,16 @@ jobs:
    runs-on: ubuntu-18.04 # 20.04 doesn't provide createrepo for now
    env:
      DOCKER_CLI_EXPERIMENTAL: "enabled"
+    permissions:
+      id-token: write # For cosign
+      packages: write # For GHCR
+      contents: read  # Not required for public repositories, but for clarity
    steps:
      - name: Install dependencies
        run: |
          sudo apt-get -y update
          sudo apt-get -y install rpm reprepro createrepo distro-info
+      - uses: sigstore/cosign-installer@51f8e5c6fce54e46006ae97d73b2b6315f518752 # pin@v2.0.0
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1
      - name: Set up Docker Buildx
@@ -57,15 +62,14 @@ jobs:
          username: ${{ secrets.ECR_ACCESS_KEY_ID }}
          password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
      - name: Generate SBOM
-        uses: CycloneDX/gh-gomod-generate-sbom@v0.3.0
+        uses: CycloneDX/gh-gomod-generate-sbom@v1
        with:
-          json: true
-          output: bom.json
-          version: ^v0
+          args: mod -licenses -json -output bom.json
+          version: ^v1
      - name: Release
        uses: goreleaser/goreleaser-action@v2
        with:
-          version: v0.164.0
+          version: v1.4.1
          args: release --rm-dist
        env:
          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -1,25 +1,23 @@
-name: Scan
-on: [push, pull_request]
+name: Scan vulnerabilities
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch:
+
 jobs:
  build:
    name: Scan Go vulnerabilities
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

-      - name: Run Trivy vulnerability scanner to scan for Critical Vulnerabilities
-        uses: aquasecurity/trivy-action@master
+      - name: Run Trivy vulnerability scanner and create GitHub issues
+        uses: knqyf263/trivy-issue-action@v0.0.3
        with:
-          scan-type: 'fs'
-          exit-code: '1'
-          severity: 'CRITICAL'
-          skip-dirs: integration
-
-      - name: Run Trivy vulnerability scanner to scan for Medium and High Vulnerabilities
-        uses: aquasecurity/trivy-action@master
-        with:
-          scan-type: 'fs'
-          exit-code: '0'
-          severity: 'HIGH,MEDIUM'
-          skip-dirs: integration
+          assignee: knqyf263
+          severity: CRITICAL
+          skip-dirs: integration,examples
+          label: vulnerability
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -10,7 +10,7 @@ on:
      - 'LICENSE'
  pull_request:
 env:
-  GO_VERSION: "1.17"
+  GO_VERSION: "1.18"
 jobs:
  test:
    name: Test
@@ -24,9 +24,9 @@ jobs:
          go-version: ${{ env.GO_VERSION }}

      - name: Lint
-        uses: golangci/golangci-lint-action@v2
+        uses: golangci/golangci-lint-action@v3.1.0
        with:
-          version: v1.41
+          version: v1.45
          args: --deadline=30m

      - name: Run unit tests
@@ -75,7 +75,7 @@ jobs:
    - name: Run GoReleaser
      uses: goreleaser/goreleaser-action@v2
      with:
-        version: v0.164.0
+        version: v1.4.1
        args: release --snapshot --rm-dist --skip-publish

  build-documents:
@@ -87,7 +87,7 @@ jobs:
      with:
        fetch-depth: 0
        persist-credentials: true
-    - uses: actions/setup-python@v2
+    - uses: actions/setup-python@v3
      with:
        python-version: 3.x
    - name: Install dependencies
--- a/.gitignore
+++ b/.gitignore
@@ -4,7 +4,7 @@
 *.dll
 *.so
 *.dylib
-trivy
+/trivy

 ## chart release
 .cr-release-packages
@@ -27,3 +27,6 @@ integration/testdata/fixtures/images

 # SBOMs generated during CI
 /bom.json
+
+# goreleaser output
+dist
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -9,7 +9,7 @@ linters-settings:
  revive:
    ignore-generated-header: true
  gocyclo:
-    min-complexity: 10
+    min-complexity: 20
  dupl:
    threshold: 100
  goconst:
@@ -19,6 +19,10 @@ linters-settings:
    locale: US
  goimports:
    local-prefixes: github.com/aquasecurity
+  gosec:
+    excludes:
+      - G204
+      - G402

 linters:
  disable-all: true
@@ -40,6 +44,7 @@ linters:
    - misspell

 run:
+  go: 1.18
  skip-files:
    - ".*._mock.go$"
    - ".*._test.go$"
@@ -53,9 +58,6 @@ issues:
    - linters:
        - gosec
      text: "Deferring unsafe method"
-    - linters:
-        - gosec
-      text: "G204: Subprocess launched with variable"
    - linters:
        - errcheck
      text: "Close` is not checked"
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -9,14 +9,89 @@ Thank you for taking interest in contributing to Trivy!
 ## Pull Requests

 1. Every Pull Request should have an associated bug or feature issue unless you are fixing a trivial documentation issue.
-1. Your PR is more likely to be accepted if it focuses on just one change.
-1. Describe what the PR does. There's no convention enforced, but please try to be concise and descriptive. Treat the PR description as a commit message. Titles that starts with "fix"/"add"/"improve"/"remove" are good examples.
-1. Please add the associated Issue in the PR description.
-1. There's no need to add or tag reviewers.
-1. If a reviewer commented on your code or asked for changes, please remember to mark the discussion as resolved after you address it. PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
-1. Please include a comment with the results before and after your change.
-1. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
-1. If your PR affects the user experience in some way, please update the Readme and the CLI help accordingly.
+4. Please add the associated Issue link in the PR description.
+2. Your PR is more likely to be accepted if it focuses on just one change.
+5. There's no need to add or tag reviewers.
+6. If a reviewer commented on your code or asked for changes, please remember to respond with comment. Do not mark discussion as resolved. It's up to reviewer to mark it resolved (in case if suggested fix addresses problem properly). PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
+7. Please include a comment with the results before and after your change.
+8. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
+9. If your PR affects the user experience in some way, please update the README.md and the CLI help accordingly.
+
+### Title
+It is not that strict, but we use the title conventions in this repository.
+Each commit message doesn't have to follow the conventions as long as it is clear and descriptive since it will be squashed and merged.
+
+#### Format of the title
+
+```
+<type>(<scope>): <subject>
+```
+
+The `type` and `scope` should always be lowercase as shown below.
+
+**Allowed `<type>` values:**
+  - **feat** for a new feature for the user, not a new feature for build script. Such commit will trigger a release bumping a MINOR version.
+  - **fix** for a bug fix for the user, not a fix to a build script. Such commit will trigger a release bumping a PATCH version.
+  - **perf** for performance improvements. Such commit will trigger a release bumping a PATCH version.
+  - **docs** for changes to the documentation.
+  - **style** for formatting changes, missing semicolons, etc.
+  - **refactor** for refactoring production code, e.g. renaming a variable.
+  - **test** for adding missing tests, refactoring tests; no production code change.
+  - **build** for updating build configuration, development tools or other changes irrelevant to the user.
+  - **chore** for updates that do not apply to the above, such as dependency updates.
+
+**Example `<scope>` values:**
+- alpine
+- redhat
+- ruby
+- python
+- terraform
+- report
+- etc.
+ 
+The `<scope>` can be empty (e.g. if the change is a global or difficult to assign to a single component), in which case the parentheses are omitted.
+
+#### Example titles
+
+```
+feat(alma): add support for AlmaLinux
+```
+
+```
+fix(oracle): handle advisories with ksplice versions
+```
+
+```
+docs(misconf): add comparison with Conftest and TFsec
+```
+
+```
+chore(deps): bump go.uber.org/zap from 1.19.1 to 1.20.0
+```
+
+**NOTE**: please do not use `chore(deps): update fanal` and something like that if you add new features or fix bugs in Trivy-related projects.
+The PR title should describe what the PR adds or fixes even though it just updates the dependency in Trivy.
+
+### Unit tests
+Your PR must pass all the unit tests. You can test it as below.
+
+```
+$ make test
+```
+
+### Integration tests
+Your PR must pass all the integration tests. You can test it as below.
+
+```
+$ make test-integration
+```
+
+### Documentation
+You can build the documents as below and view it at http://localhost:8000.
+
+```
+$ make mkdocs-serve
+```

 ## Understand where your pull request belongs

@@ -25,4 +100,5 @@ Trivy is composed of several different repositories that work together:
 - [Trivy](https://github.com/aquasecurity/trivy) is the client-side, user-facing, command line tool.
 - [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerabilities database, aggregated from different sources, and normalized for easy consumption. Think of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo** 
 - [vuln-list-update](https://github.com/aquasecurity/vuln-list-update) is the code that maintains the vuln-list database.
+- [trivy-db](https://github.com/aquasecurity/trivy-db) maintains the vulnerability database pulled by Trivy CLI.
 - [fanal](https://github.com/aquasecurity/fanal) is a library for extracting system information from containers. It is being used by Trivy to find testable subjects in the container image.
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-FROM alpine:3.14
+FROM alpine:3.15.0
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/
--- a/Dockerfile.protoc
+++ b/Dockerfile.protoc
@@ -0,0 +1,12 @@
+FROM golang:1.17
+
+# Install protoc (cf. http://google.github.io/proto-lens/installing-protoc.html)
+ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip
+RUN apt-get update && apt-get install -y unzip
+RUN curl --retry 5 -OL https://github.com/protocolbuffers/protobuf/releases/download/v3.19.4/$PROTOC_ZIP \
+    && unzip -o $PROTOC_ZIP -d /usr/local bin/protoc \
+    && unzip -o $PROTOC_ZIP -d /usr/local 'include/*' \ 
+    && rm -f $PROTOC_ZIP
+
+RUN go install github.com/twitchtv/twirp/protoc-gen-twirp@v8.1.0
+RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.27.1
--- a/8
+++ b/8
@@ -54,7 +54,13 @@ build:

 .PHONY: protoc
 protoc:
-	find ./rpc/ -name "*.proto" -type f -exec protoc --proto_path=$(GOSRC):. --twirp_out=. --twirp_opt=paths=source_relative --go_out=. --go_opt=paths=source_relative {} \;
+	docker build -t trivy-protoc - < Dockerfile.protoc
+	docker run --rm -it -v ${PWD}:/app -w /app trivy-protoc make _$@
+
+_protoc:
+	for path in `find ./rpc/ -name "*.proto" -type f`; do \
+		protoc --twirp_out=. --twirp_opt=paths=source_relative --go_out=. --go_opt=paths=source_relative $${path} || exit; \
+	done

 .PHONY: install
 install:
--- a/README.md
+++ b/README.md
@@ -165,7 +165,7 @@ Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
 # Features

 - Comprehensive vulnerability detection
-  - OS packages (Alpine Linux, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
+  - OS packages (Alpine Linux, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
  - **Language-specific packages** (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
 - Misconfiguration detection (IaC scanning) 
  - A wide variety of built-in policies are provided **out of the box**
@@ -185,6 +185,8 @@ Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
  - **Suitable for CI** such as GitHub Actions, Jenkins, GitLab CI, etc.
 - Support multiple targets
  - container image, local filesystem and remote git repository
+- Supply chain security (SBOM support)
+  - Support CycloneDX

 # Integrations
 - [GitHub Actions][action]
@@ -193,6 +195,12 @@ Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
 # Documentation
 The official documentation, which provides detailed installation, configuration, and quick start guides, is available at https://aquasecurity.github.io/trivy/.

+---
+
+Trivy is an [Aqua Security][aquasec] open source project.  
+Learn about our open source work and portfolio [here][oss].  
+Contact us about any matter by opening a GitHub Discussion [here][discussions]
+
 [test]: https://github.com/aquasecurity/trivy/actions/workflows/test.yaml
 [test-img]: https://github.com/aquasecurity/trivy/actions/workflows/test.yaml/badge.svg
 [go-report]: https://goreportcard.com/report/github.com/aquasecurity/trivy
@@ -207,3 +215,7 @@ The official documentation, which provides detailed installation, configuration,
 [alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
 [action]: https://github.com/aquasecurity/trivy-action
 [vscode]: https://github.com/aquasecurity/trivy-vscode-extension
+
+[aquasec]: https://aquasec.com
+[oss]: https://www.aquasec.com/products/open-source-projects/
+[discussions]: https://github.com/aquasecurity/trivy/discussions
--- a/ci/deploy-deb.sh
+++ b/ci/deploy-deb.sh
@@ -1,7 +1,7 @@
 #!/bin/bash

 DEBIAN_RELEASES=$(debian-distro-info --supported)
-UBUNTU_RELEASES=$(ubuntu-distro-info --supported-esm)
+UBUNTU_RELEASES=$(sort -u <(ubuntu-distro-info --supported-esm) <(ubuntu-distro-info --supported))

 cd trivy-repo/deb

@@ -9,12 +9,14 @@ for release in ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
  echo "Removing deb package of $release"
  reprepro -A i386 remove $release trivy
  reprepro -A amd64 remove $release trivy
+  reprepro -A arm64 remove $release trivy
 done

 for release in ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
  echo "Adding deb package to $release"
  reprepro includedeb $release ../../dist/*Linux-64bit.deb
  reprepro includedeb $release ../../dist/*Linux-32bit.deb
+  reprepro includedeb $release ../../dist/*Linux-ARM64.deb
 done

 git add .
--- a/contrib/asff.tpl
+++ b/contrib/asff.tpl
@@ -1,66 +1,68 @@
-[
-{{- $t_first := true -}}
-{{- range . -}}
-{{- $target := .Target -}}
-{{- range .Vulnerabilities -}}
-{{- if $t_first -}}
-  {{- $t_first = false -}}
-{{- else -}}
-  ,
-{{- end -}}
-{{- $severity := .Severity -}}
-{{- if eq $severity "UNKNOWN" -}}
-{{- $severity = "INFORMATIONAL" -}}
-{{- end -}}
-{{- $description := .Description -}}
-{{- if gt (len $description ) 1021 -}}
-    {{- $description = (substr 0 1021 $description) | printf "%v .." -}}
-{{- end}}
-    {
-        "SchemaVersion": "2018-10-08",
-        "Id": "{{ $target }}/{{ .VulnerabilityID }}",
-        "ProductArn": "arn:aws:securityhub:{{ getEnv "AWS_REGION" }}::product/aquasecurity/aquasecurity",
-        "GeneratorId": "Trivy",
-        "AwsAccountId": "{{ getEnv "AWS_ACCOUNT_ID" }}",
-        "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
-        "CreatedAt": "{{ getCurrentTime }}",
-        "UpdatedAt": "{{ getCurrentTime }}",
-        "Severity": {
-            "Label": "{{ $severity }}"
-        },
-        "Title": "Trivy found a vulnerability to {{ .VulnerabilityID }} in container {{ $target }}",
-        "Description": {{ escapeString $description | printf "%q" }},
-        "Remediation": {
-            "Recommendation": {
-                "Text": "More information on this vulnerability is provided in the hyperlink",
-                "Url": "{{ .PrimaryURL }}"
-            }
-        },
-        "ProductFields": { "Product Name": "Trivy" },
-        "Resources": [
-            {
-                "Type": "Container",
-                "Id": "{{ $target }}",
-                "Partition": "aws",
-                "Region": "{{ getEnv "AWS_REGION" }}",
-                "Details": {
-                    "Container": { "ImageName": "{{ $target }}" },
-                    "Other": {
-                        "CVE ID": "{{ .VulnerabilityID }}",
-                        "CVE Title": {{ .Title | printf "%q" }},
-                        "PkgName": "{{ .PkgName }}",
-                        "Installed Package": "{{ .InstalledVersion }}",
-                        "Patched Package": "{{ .FixedVersion }}",
-                        "NvdCvssScoreV3": "{{ (index .CVSS "nvd").V3Score }}",
-                        "NvdCvssVectorV3": "{{ (index .CVSS "nvd").V3Vector }}",
-                        "NvdCvssScoreV2": "{{ (index .CVSS "nvd").V2Score }}",
-                        "NvdCvssVectorV2": "{{ (index .CVSS "nvd").V2Vector }}"
+{
+    "Findings": [
+    {{- $t_first := true -}}
+    {{- range . -}}
+    {{- $target := .Target -}}
+    {{- range .Vulnerabilities -}}
+    {{- if $t_first -}}
+      {{- $t_first = false -}}
+    {{- else -}}
+      ,
+    {{- end -}}
+    {{- $severity := .Severity -}}
+    {{- if eq $severity "UNKNOWN" -}}
+    {{- $severity = "INFORMATIONAL" -}}
+    {{- end -}}
+    {{- $description := .Description -}}
+    {{- if gt (len $description ) 1021 -}}
+        {{- $description = (substr 0 1021 $description) | printf "%v .." -}}
+    {{- end}}
+        {
+            "SchemaVersion": "2018-10-08",
+            "Id": "{{ $target }}/{{ .VulnerabilityID }}",
+            "ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity",
+            "GeneratorId": "Trivy",
+            "AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
+            "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
+            "CreatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+            "UpdatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+            "Severity": {
+                "Label": "{{ $severity }}"
+            },
+            "Title": "Trivy found a vulnerability to {{ .VulnerabilityID }} in container {{ $target }}",
+            "Description": {{ escapeString $description | printf "%q" }},
+            "Remediation": {
+                "Recommendation": {
+                    "Text": "More information on this vulnerability is provided in the hyperlink",
+                    "Url": "{{ .PrimaryURL }}"
+                }
+            },
+            "ProductFields": { "Product Name": "Trivy" },
+            "Resources": [
+                {
+                    "Type": "Container",
+                    "Id": "{{ $target }}",
+                    "Partition": "aws",
+                    "Region": "{{ env "AWS_REGION" }}",
+                    "Details": {
+                        "Container": { "ImageName": "{{ $target }}" },
+                        "Other": {
+                            "CVE ID": "{{ .VulnerabilityID }}",
+                            "CVE Title": {{ .Title | printf "%q" }},
+                            "PkgName": "{{ .PkgName }}",
+                            "Installed Package": "{{ .InstalledVersion }}",
+                            "Patched Package": "{{ .FixedVersion }}",
+                            "NvdCvssScoreV3": "{{ (index .CVSS (sourceID "nvd")).V3Score }}",
+                            "NvdCvssVectorV3": "{{ (index .CVSS (sourceID "nvd")).V3Vector }}",
+                            "NvdCvssScoreV2": "{{ (index .CVSS (sourceID "nvd")).V2Score }}",
+                            "NvdCvssVectorV2": "{{ (index .CVSS (sourceID "nvd")).V2Vector }}"
+                        }
                    }
                }
-            }
-        ],
-        "RecordState": "ACTIVE"
-    }
-   {{- end -}}
-  {{- end }}
-]
+            ],
+            "RecordState": "ACTIVE"
+        }
+       {{- end -}}
+      {{- end }}
+    ]
+}
--- a/contrib/example_policy/advanced.rego
+++ b/contrib/example_policy/advanced.rego
@@ -5,30 +5,42 @@ import data.lib.trivy
 default ignore = false

 nvd_v3_vector = v {
-	v := input.CVSS.nvd.v3
+	v := input.CVSS.nvd.V3Vector
+}
+
+redhat_v3_vector = v {
+	v := input.CVSS.redhat.V3Vector
 }

 # Ignore a vulnerability which requires high privilege
 ignore {
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
-	cvss_vector.PrivilegesRequired == "High"
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector.PrivilegesRequired == "High"
+
+        # Check against RedHat scores as well as NVD
+	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
+	redhat_cvss_vector.PrivilegesRequired == "High"
 }

 # Ignore a vulnerability which requires user interaction
 ignore {
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
-	cvss_vector.UserInteraction == "Required"
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector.UserInteraction == "Required"
+
+        # Check against RedHat scores as well as NVD
+	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
+	redhat_cvss_vector.UserInteraction == "Required"
 }

 ignore {
 	input.PkgName == "openssl"

 	# Split CVSSv3 vector
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)

 	# Evaluate Attack Vector
 	ignore_attack_vectors := {"Physical", "Local"}
-	cvss_vector.AttackVector == ignore_attack_vectors[_]
+	nvd_cvss_vector.AttackVector == ignore_attack_vectors[_]
 }

 ignore {
@@ -50,11 +62,11 @@ ignore {
 	input.PkgName == "bash"

 	# Split CVSSv3 vector
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)

 	# Evaluate Attack Vector
 	ignore_attack_vectors := {"Physical", "Local", "Adjacent"}
-	cvss_vector.AttackVector == ignore_attack_vectors[_]
+	nvd_cvss_vector.AttackVector == ignore_attack_vectors[_]

 	# Evaluate severity
 	input.Severity == {"LOW", "MEDIUM", "HIGH"}[_]
@@ -64,11 +76,11 @@ ignore {
 	input.PkgName == "django"

 	# Split CVSSv3 vector
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)

 	# Evaluate Attack Vector
 	ignore_attack_vectors := {"Physical", "Local"}
-	cvss_vector.AttackVector == ignore_attack_vectors[_]
+	nvd_cvss_vector.AttackVector == ignore_attack_vectors[_]

 	# Evaluate severity
 	input.Severity == {"LOW", "MEDIUM"}[_]
@@ -86,7 +98,7 @@ ignore {
 	input.PkgName == "jquery"

 	# Split CVSSv3 vector
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)

 	# Evaluate CWE-ID
 	deny_cwe_ids := {"CWE-79"} # XSS
--- a/contrib/example_policy/basic.rego
+++ b/contrib/example_policy/basic.rego
@@ -9,7 +9,11 @@ ignore_pkgs := {"bash", "bind-license", "rpm", "vim", "vim-minimal"}
 ignore_severities := {"LOW", "MEDIUM"}

 nvd_v3_vector = v {
-	v := input.CVSS.nvd.v3
+	v := input.CVSS.nvd.V3Vector
+}
+
+redhat_v3_vector = v {
+	v := input.CVSS.redhat.V3Vector
 }

 ignore {
@@ -22,20 +26,29 @@ ignore {

 # Ignore a vulnerability which is not remotely exploitable
 ignore {
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
-	cvss_vector.AttackVector != "Network"
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector.AttackVector != "Network"
+
+	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
+	redhat_cvss_vector.AttackVector != "Network"
 }

 # Ignore a vulnerability which requires high privilege
 ignore {
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
-	cvss_vector.PrivilegesRequired == "High"
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector.PrivilegesRequired == "High"
+
+	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
+	redhat_cvss_vector.PrivilegesRequired == "High"
 }

 # Ignore a vulnerability which requires user interaction
 ignore {
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
-	cvss_vector.UserInteraction == "Required"
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector.UserInteraction == "Required"
+
+	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
+	redhat_cvss_vector.UserInteraction == "Required"
 }

 # Ignore CSRF
--- a/contrib/gitlab-codequality.tpl
+++ b/contrib/gitlab-codequality.tpl
@@ -13,7 +13,8 @@
      "type": "issue",
      "check_name": "container_scanning",
      "categories": [ "Security" ],
-      "description": "{{ .VulnerabilityID }}: {{ .Title }}",
+      "description": {{ list .VulnerabilityID .PkgName .InstalledVersion .Title | join " - " | printf "%q" }},
+      "fingerprint": "{{ list .VulnerabilityID .PkgName .InstalledVersion $target | join "" | sha1sum }}",
      "content": {{ .Description | printf "%q" }},
      "severity": {{ if eq .Severity "LOW" -}}
                    "info"
@@ -27,12 +28,44 @@
                    "info"
                  {{- end }},
      "location": {
-        "path": "{{ .PkgName }}-{{ .InstalledVersion }}",
+        "path": "{{ $target }}",
        "lines": {
-          "begin": 1
+          "begin": 0
+        }
+      }
+    }
+    {{- end -}}
+    {{- range .Misconfigurations -}}
+    {{- if $t_first -}}
+      {{- $t_first = false -}}
+    {{ else -}}
+      ,
+    {{- end }}
+    {
+      "type": "issue",
+      "check_name": "container_scanning",
+      "categories": [ "Security" ],
+      "description": {{ list .ID .Title | join ": " | printf "%q" }},
+      "fingerprint": "{{ list .ID .Title $target | join "" | sha1sum }}",
+      "content": {{ .Description | printf "%q" }},
+      "severity": {{ if eq .Severity "LOW" -}}
+                    "info"
+                  {{- else if eq .Severity "MEDIUM" -}}
+                    "minor"
+                  {{- else if eq .Severity "HIGH" -}}
+                    "major"
+                  {{- else if eq .Severity "CRITICAL" -}}
+                    "critical"
+                  {{-  else -}}
+                    "info"
+                  {{- end }},
+      "location": {
+        "path": "{{ $target }}",
+        "lines": {
+          "begin": {{ .IacMetadata.StartLine }}
        }
      }
    }
    {{- end -}}
  {{- end }}
-]
+]
--- a/contrib/html.tpl
+++ b/contrib/html.tpl
@@ -52,7 +52,7 @@
      }
      a.toggle-more-links { cursor: pointer; }
    </style>
-    <title>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ getCurrentTime }}</title>
+    <title>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ now }} </title>
    <script>
      window.onload = function() {
        document.querySelectorAll('td.links').forEach(function(linkCell) {
@@ -82,7 +82,7 @@
    </script>
  </head>
  <body>
-    <h1>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ getCurrentTime }}</h1>
+    <h1>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ now }}</h1>
    <table>
    {{- range . }}
      <tr class="group-header"><th colspan="6">{{ escapeXML .Type }}</th></tr>
@@ -112,6 +112,31 @@
      </tr>
        {{- end }}
      {{- end }}
+      {{- if (eq (len .Misconfigurations ) 0) }}
+      <tr><th colspan="6">No Misconfigurations found</th></tr>
+      {{- else }}
+      <tr class="sub-header">
+        <th>Type</th>
+        <th>Misconf ID</th>
+        <th>Check</th>
+        <th>Severity</th>
+        <th>Message</th>
+      </tr>
+        {{- range .Misconfigurations }}
+      <tr class="severity-{{ escapeXML .Severity }}">
+        <td class="misconf-type">{{ escapeXML .Type }}</td>
+        <td>{{ escapeXML .ID }}</td>
+        <td class="misconf-check">{{ escapeXML .Title }}</td>
+        <td class="severity">{{ escapeXML .Severity }}</td>
+        <td class="link" data-more-links="off"  style="white-space:normal;"">
+          {{ escapeXML .Message }}
+          <br>
+            <a href={{ escapeXML .PrimaryURL | printf "%q" }}>{{ escapeXML .PrimaryURL }}</a>
+          </br>
+        </td>
+      </tr>
+        {{- end }}
+      {{- end }}
    {{- end }}
    </table>
 {{- else }}
--- a/contrib/install.sh
+++ b/contrib/install.sh
@@ -182,11 +182,11 @@ log_tag() {
 }
 log_debug() {
  log_priority 7 || return 0
-  echoerr "$(log_prefix)" "$(log_tag 7)" "$@"
+  echo "$(log_prefix)" "$(log_tag 7)" "$@"
 }
 log_info() {
  log_priority 6 || return 0
-  echoerr "$(log_prefix)" "$(log_tag 6)" "$@"
+  echo "$(log_prefix)" "$(log_tag 6)" "$@"
 }
 log_err() {
  log_priority 3 || return 0
--- a/contrib/junit.tpl
+++ b/contrib/junit.tpl
@@ -14,5 +14,18 @@
        </testcase>
    {{- end }}
    </testsuite>
+{{- $failures := len .Misconfigurations }}
+    <testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{  .Target }}" errors="0" skipped="0" time="">
+    {{- if not (eq .Type "") }}
+        <properties>
+            <property name="type" value="{{ .Type }}"></property>
+        </properties>
+        {{- end -}}
+        {{ range .Misconfigurations }}
+        <testcase classname="{{ .Type }}" name="[{{ .Severity }}] {{ .ID }}" time="">
+            <failure message="{{ escapeXML .Title }}" type="description">{{ escapeXML .Description }}</failure>
+        </testcase>
+    {{- end }}
+    </testsuite>
 {{- end }}
 </testsuites>
--- a/contrib/sarif.tpl
+++ b/contrib/sarif.tpl
@@ -1,95 +0,0 @@
-{
-  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
-  "version": "2.1.0",
-  "runs": [
-    {
-      "tool": {
-        "driver": {
-          "name": "Trivy",
-          "informationUri": "https://github.com/aquasecurity/trivy",
-          "fullName": "Trivy Vulnerability Scanner",
-          "version": "0.15.0",
-          "rules": [
-        {{- $t_first := true }}
-        {{- range $result := . }}
-            {{- $vulnerabilityType := .Type }}
-            {{- range .Vulnerabilities -}}
-              {{- if $t_first -}}
-                {{- $t_first = false -}}
-              {{ else -}}
-                ,
-              {{- end }}
-            {
-              "id": {{ printf "%s: %s-%s %s" $result.Target .PkgName .InstalledVersion .VulnerabilityID | toJson }},
-              "name": "{{ toSarifRuleName $vulnerabilityType }}",
-              "shortDescription": {
-                "text": {{ printf "%v Package: %v" .VulnerabilityID .PkgName | printf "%q" }}
-              },
-              "fullDescription": {
-                "text": {{ endWithPeriod (escapeString .Title) | printf "%q" }}
-              },
-              "defaultConfiguration": {
-                "level": "{{ toSarifErrorLevel .Vulnerability.Severity }}"
-              }
-              {{- with $help_uri := .PrimaryURL -}}
-              ,
-              {{ $help_uri | printf "\"helpUri\": %q," -}}
-              {{- else -}}
-              ,
-              {{- end }}
-              "help": {
-                "text": {{ printf "Vulnerability %v\nSeverity: %v\nPackage: %v\nInstalled Version: %v\nFixed Version: %v\nLink: [%v](%v)" .VulnerabilityID .Vulnerability.Severity .PkgName .InstalledVersion .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}},
-                "markdown": {{ printf "**Vulnerability %v**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|%v|%v|%v|%v|[%v](%v)|\n" .VulnerabilityID .Vulnerability.Severity .PkgName .InstalledVersion .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}}
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "{{ .Vulnerability.Severity }}",
-                  {{ .PkgName | printf "%q" }}
-                ],
-                "precision": "very-high"
-              }
-            }
-            {{- end -}}
-         {{- end -}}
-          ]
-        }
-      },
-      "results": [
-    {{- $t_first := true }}
-    {{- range $result := . }}
-        {{- $filePath := .Target }}
-        {{- range $index, $vulnerability := .Vulnerabilities -}}
-          {{- if $t_first -}}
-            {{- $t_first = false -}}
-          {{ else -}}
-            ,
-          {{- end }}
-        {
-          "ruleId": {{ printf "%s: %s-%s %s" $result.Target .PkgName .InstalledVersion .VulnerabilityID | toJson }},
-          "ruleIndex": {{ $index }},
-          "level": "{{ toSarifErrorLevel $vulnerability.Vulnerability.Severity }}",
-          "message": {
-            "text": {{ endWithPeriod (escapeString $vulnerability.Description) | printf "%q" }}
-          },
-          "locations": [{
-            "physicalLocation": {
-              "artifactLocation": {
-                "uri": "{{ toPathUri $filePath }}",
-                "uriBaseId": "ROOTPATH"
-              }
-            }
-          }]
-        }
-        {{- end -}}
-      {{- end -}}
-      ],
-      "columnKind": "utf16CodeUnits",
-      "originalUriBaseIds": {
-        "ROOTPATH": {
-          "uri": "/"
-        }
-      }
-    }
-  ]
-}
--- a/docs/advanced/air-gap.md
+++ b/docs/advanced/air-gap.md
@@ -1,24 +1,27 @@
 # Air-Gapped Environment

-Trivy can be used in air-gapped environments.
+Trivy can be used in air-gapped environments. Note that an allowlist is [here][allowlist].

-## Download the vulnerability database
+## Air-Gapped Environment for vulnerabilities
+
+### Download the vulnerability database
 At first, you need to download the vulnerability database for use in air-gapped environments.
-Go to [trivy-db][trivy-db] and download `trivy-offline.db.tgz` in the latest release.
-If you download `trivy-light-offline.db.tgz`, you have to run Trivy with `--light` option.
+Please follow [oras installation instruction][oras].
+
+Download `db.tar.gz`:

 ```
-$ wget https://github.com/aquasecurity/trivy-db/releases/latest/download/trivy-offline.db.tgz
+$ oras pull ghcr.io/aquasecurity/trivy-db:2 -a
 ```

-## Transfer the DB file into the air-gapped environment
+### Transfer the DB file into the air-gapped environment
 The way of transfer depends on the environment.

 ```
-$ rsync -av -e ssh /path/to/trivy-offline.db.tgz [user]@[host]:dst
+$ rsync -av -e ssh /path/to/db.tar.gz [user]@[host]:dst
 ```

-## Put the DB file in Trivy's cache directory
+### Put the DB file in Trivy's cache directory
 You have to know where to put the DB file. The following command shows the default cache directory.

 ```
@@ -32,26 +35,79 @@ Put the DB file in the cache directory + `/db`.
 ```
 $ mkdir -p /home/myuser/.cache/trivy/db
 $ cd /home/myuser/.cache/trivy/db
-$ mv /path/to/trivy-offline.db.tgz .
-```
-
-Then, decompress it.
-`trivy-offline.db.tgz` file includes two files, `trivy.db` and `metadata.json`.
-
-```
-$ tar xvf trivy-offline.db.tgz
+$ tar xvf /path/to/db.tar.gz -C /home/myuser/.cache/trivy/db
 x trivy.db
 x metadata.json
-$ rm trivy-offline.db.tgz
+$ rm /path/to/db.tar.gz
 ```

 In an air-gapped environment it is your responsibility to update the Trivy database on a regular basis, so that the scanner can detect recently-identified vulnerabilities. 

-## Run Trivy with --skip-update option
+### Run Trivy with --skip-update and --offline-scan option
 In an air-gapped environment, specify `--skip-update` so that Trivy doesn't attempt to download the latest database file.
+In addition, if you want to scan Java dependencies such as JAR and pom.xml, you need to specify `--offline-scan` since Trivy tries to issue API requests for scanning Java applications by default.

 ```
-$ trivy image --skip-update alpine:3.12
+$ trivy image --skip-update --offline-scan alpine:3.12
 ```

-[trivy-db]: https://github.com/aquasecurity/trivy-db/releases
+## Air-Gapped Environment for misconfigurations
+
+### Download misconfiguration policies
+At first, you need to download misconfiguration policies for use in air-gapped environments.
+Please follow [oras installation instruction][oras].
+
+Download `bundle.tar.gz`:
+
+```
+$ oras pull ghcr.io/aquasecurity/appshield:latest -a
+```
+
+### Transfer misconfiguration policies into the air-gapped environment
+The way of transfer depends on the environment.
+
+```
+$ rsync -av -e ssh /path/to/bundle.tar.gz [user]@[host]:dst
+```
+
+### Put the misconfiguration policies in Trivy's cache directory
+You have to know where to put the misconfiguration policies file. The following command shows the default cache directory.
+
+```
+$ ssh user@host
+$ trivy -h | grep cache
+   --cache-dir value  cache directory (default: "/home/myuser/.cache/trivy") [$TRIVY_CACHE_DIR]
+```
+
+Put the misconfiguration policies file in the cache directory + `/policy/content`.
+
+```
+$ mkdir -p /home/myuser/.cache/trivy/policy/content
+$ cd /home/myuser/.cache/trivy/policy/content
+$ mv /path/to/bundle.tar.gz .
+```
+
+Then, decompress it.
+`bundle.tar.gz ` file includes two folders: `docker`, `kubernetes` and file: `.manifest`.
+
+```
+$ tar xvf bundle.tar.gz 
+x ./docker/
+...
+x ./kubernetes/
+...
+x ./.manifest
+$ rm bundle.tar.gz
+```
+
+In an air-gapped environment it is your responsibility to update policies on a regular basis, so that the scanner can detect recently-identified misconfigurations. 
+
+### Run Trivy with --skip-policy-update option
+In an air-gapped environment, specify `--skip-policy-update` so that Trivy doesn't attempt to download the latest misconfiguration policies.
+
+```
+$ trivy conf --skip-policy-update /path/to/conf
+```
+
+[allowlist]: ../getting-started/troubleshooting.md
+[oras]: https://oras.land/cli/
--- a/docs/advanced/community/references.md
+++ b/docs/advanced/community/references.md
@@ -0,0 +1,19 @@
+# External References
+There are external blogs and evaluations.
+
+## Blogs
+- [the vulnerability remediation lifecycle of Alpine containers][alpine]
+- [Continuous Container Vulnerability Testing with Trivy][semaphore]
+- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy][round-up]
+- [Docker Image Security: Static Analysis Tool Comparison – Anchore Engine vs Clair vs Trivy][tool-comparison]
+
+## Links
+- [Research Spike: evaluate Trivy for scanning running containers][gitlab]
+- [Istio evaluates scanners][istio]
+
+[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
+[semaphore]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy
+[round-up]: https://boxboat.com/2020/04/24/image-scanning-tech-compared/
+[tool-comparison]: https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/
+[gitlab]: https://gitlab.com/gitlab-org/gitlab/-/issues/270888
+[istio]: https://github.com/istio/release-builder/pull/687#issuecomment-874938417
--- a/docs/advanced/community/tools.md
+++ b/docs/advanced/community/tools.md
@@ -0,0 +1,37 @@
+# Community Tools
+The open source community has been hard at work developing new tools for Trivy. You can check out some of them here.
+
+Have you created a tool that’s not listed? Add the name and description of your integration and open a pull request in the GitHub repository to get your change merged.
+
+## GitHub Actions
+
+| Actions                                    | Description                                                                      |
+| ------------------------------------------ | -------------------------------------------------------------------------------- |
+| [gitrivy][gitrivy]                         | GitHub Issue + Trivy                                                             |
+| [trivy-github-issues][trivy-github-issues] | GitHub Actions for creating GitHub Issues according to the Trivy scanning result |
+
+## Semaphore
+
+| Name                                                   | Description                               |
+| -------------------------------------------------------| ----------------------------------------- |
+| [Continuous Vulnerability Testing with Trivy][semaphore-tutorial] | Tutorial on scanning code, containers, infrastructure, and Kubernetes with Semaphore CI/CD. |
+
+
+## CircleCI
+
+| Orb                                      | Description                               |
+| -----------------------------------------| ----------------------------------------- |
+| [fifteen5/trivy-orb][fifteen5/trivy-orb] | Orb for running Trivy, a security scanner |
+
+## Others
+
+| Name                                     | Description                               |
+| -----------------------------------------| ----------------------------------------- |
+| [Trivy Vulnerability Explorer][explorer] | Explore trivy vulnerability reports in your browser and create .trivyignore files interactively. Can be integrated in your CI/CD tooling with deep links.   |
+
+
+[trivy-github-issues]: https://github.com/marketplace/actions/trivy-github-issues
+[fifteen5/trivy-orb]: https://circleci.com/developer/orbs/orb/fifteen5/trivy-orb
+[gitrivy]: https://github.com/marketplace/actions/trivy-action
+[explorer]: https://dbsystel.github.io/trivy-vulnerability-explorer/
+[semaphore-tutorial]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy
--- a/docs/advanced/container/unpacked-filesystem.md
+++ b/docs/advanced/container/unpacked-filesystem.md
@@ -1,6 +1,6 @@
 # Unpacked Filesystem

-Scan aan unpacked container image filesystem.
+Scan an unpacked container image filesystem.

 In this case, Trivy works the same way when scanning containers

--- a/docs/advanced/integrations/bitbucket.md
+++ b/docs/advanced/integrations/bitbucket.md
@@ -0,0 +1,5 @@
+# Bitbucket Pipelines
+
+See [trivy-pipe][trivy-pipe] for the details.
+
+[trivy-pipe]: https://github.com/aquasecurity/trivy-pipe
--- a/docs/advanced/integrations/circleci.md
+++ b/docs/advanced/integrations/circleci.md
@@ -19,7 +19,7 @@ jobs:
            curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
      - run:
          name: Scan the local image with trivy
-          command: trivy --exit-code 0 --no-progress trivy-ci-test:${CIRCLE_SHA1}
+          command: trivy image --exit-code 0 --no-progress trivy-ci-test:${CIRCLE_SHA1}
 workflows:
  version: 2
  release:
--- a/docs/advanced/integrations/gitlab-ci.md
+++ b/docs/advanced/integrations/gitlab-ci.md
@@ -23,6 +23,8 @@ trivy:
    # See https://github.com/docker-library/docker/pull/166
    DOCKER_TLS_CERTDIR: ""
    IMAGE: trivy-ci-test:$CI_COMMIT_SHA
+    TRIVY_NO_PROGRESS: "true"
+    TRIVY_CACHE_DIR: ".trivycache/"
  before_script:
    - export TRIVY_VERSION=$(wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - echo $TRIVY_VERSION
@@ -32,11 +34,11 @@ trivy:
    # Build image
    - docker build -t $IMAGE .
    # Build report
-    - ./trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@contrib/gitlab.tpl" -o gl-container-scanning-report.json $IMAGE
+    - ./trivy image --exit-code 0 --format template --template "@contrib/gitlab.tpl" -o gl-container-scanning-report.json $IMAGE
    # Print report
-    - ./trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --severity HIGH $IMAGE
+    - ./trivy image --exit-code 0 --severity HIGH $IMAGE
    # Fail on severe vulnerabilities
-    - ./trivy --exit-code 1 --cache-dir .trivycache/ --severity CRITICAL --no-progress $IMAGE
+    - ./trivy image --exit-code 1 --severity CRITICAL $IMAGE
  cache:
    paths:
      - .trivycache/
@@ -71,20 +73,22 @@ container_scanning:
    TRIVY_USERNAME: "$CI_REGISTRY_USER"
    TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
    TRIVY_AUTH_URL: "$CI_REGISTRY"
+    TRIVY_NO_PROGRESS: "true"
+    TRIVY_CACHE_DIR: ".trivycache/"
    FULL_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
  script:
    - trivy --version
    # cache cleanup is needed when scanning images with the same tags, it does not remove the database
    - time trivy image --clear-cache
    # update vulnerabilities db
-    - time trivy --download-db-only --no-progress --cache-dir .trivycache/
+    - time trivy image --download-db-only
    # Builds report and puts it in the default workdir $CI_PROJECT_DIR, so `artifacts:` can take it from there
-    - time trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@/contrib/gitlab.tpl"
+    - time trivy image --exit-code 0 --format template --template "@/contrib/gitlab.tpl"
        --output "$CI_PROJECT_DIR/gl-container-scanning-report.json" "$FULL_IMAGE_NAME"
    # Prints full report
-    - time trivy --exit-code 0 --cache-dir .trivycache/ --no-progress "$FULL_IMAGE_NAME"
+    - time trivy image --exit-code 0 "$FULL_IMAGE_NAME"
    # Fail on critical vulnerabilities
-    - time trivy --exit-code 1 --cache-dir .trivycache/ --severity CRITICAL --no-progress "$FULL_IMAGE_NAME"
+    - time trivy image --exit-code 1 --severity CRITICAL "$FULL_IMAGE_NAME"
  cache:
    paths:
      - .trivycache/
@@ -126,6 +130,8 @@ trivy:
    # See https://github.com/docker-library/docker/pull/166
    DOCKER_TLS_CERTDIR: ""
    IMAGE: trivy-ci-test:$CI_COMMIT_SHA
+    TRIVY_NO_PROGRESS: "true"
+    TRIVY_CACHE_DIR: ".trivycache/"
  before_script:
    - export TRIVY_VERSION=$(wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - echo $TRIVY_VERSION
@@ -134,15 +140,20 @@ trivy:
  script:
    # Build image
    - docker build -t $IMAGE .
-    # Build report
-    - ./trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@contrib/gitlab-codeclimate.tpl" -o gl-codeclimate.json $IMAGE
+    # Image report
+    - ./trivy image --exit-code 0 --format template --template "@contrib/gitlab-codequality.tpl" -o gl-codeclimate-image.json $IMAGE
+    # Filesystem report
+    - ./trivy filesystem --security-checks config,vuln --exit-code 0 --format template --template "@contrib/gitlab-codequality.tpl" -o gl-codeclimate-fs.json .
+    # Combine report
+    - apk update && apk add jq
+    - jq -s 'add' gl-codeclimate-image.json gl-codeclimate-fs.json > gl-codeclimate.json
  cache:
    paths:
      - .trivycache/
  # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)
  artifacts:
    paths:
-      gl-codeclimate.json
+      - gl-codeclimate.json
    reports:
      codequality: gl-codeclimate.json
 ```
@@ -155,3 +166,11 @@ already have a code quality report in your pipeline, you can use
 be necessary to rename the artifact if you want to reuse the name. To then
 combine the previous artifact with the output of trivy, the following `jq`
 command can be used, `jq -s 'add' prev-codeclimate.json trivy-codeclimate.json > gl-codeclimate.json`.
+
+### Gitlab CI alternative template example report
+
+You'll be able to see a full report in the Gitlab pipeline code quality UI, where filesystem vulnerabilities and misconfigurations include links to the flagged files and image vulnerabilities report the image/os or runtime/library that the vulnerability originates from instead.
+
+<p align="left">
+  <img src="../../../imgs/gitlab-codequality.png" width="900">
+</p>
--- a/docs/advanced/integrations/index.md
+++ b/docs/advanced/integrations/index.md
@@ -1,4 +1,2 @@
 # Integrations
 Scan your image automatically as part of your CI workflow, failing the workflow if a vulnerability is found. When you don't want to fail the test, specify `--exit-code 0`.
-
-Since in automated scenarios such as CI/CD you are only interested in the end result, and not the full report, use the `--light` flag to optimize for this scenario and get fast results.
--- a/docs/advanced/integrations/travis-ci.md
+++ b/docs/advanced/integrations/travis-ci.md
@@ -15,8 +15,8 @@ before_install:
  - wget https://github.com/aquasecurity/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz
  - tar zxvf trivy_${VERSION}_Linux-64bit.tar.gz
 script:
-  - ./trivy --exit-code 0 --severity HIGH --no-progress trivy-ci-test:${COMMIT}
-  - ./trivy --exit-code 1 --severity CRITICAL --no-progress trivy-ci-test:${COMMIT}
+  - ./trivy image --exit-code 0 --severity HIGH --no-progress trivy-ci-test:${COMMIT}
+  - ./trivy image --exit-code 1 --severity CRITICAL --no-progress trivy-ci-test:${COMMIT}
 cache:
  directories:
    - $HOME/.cache/trivy
--- a/docs/advanced/private-registries/acr.md
+++ b/docs/advanced/private-registries/acr.md
@@ -0,0 +1,27 @@
+# Requirements
+None, Trivy uses Azure SDK for Go. You don't need to install `az` command.
+
+# Privileges
+Service principal must have the `AcrPull` permissions.
+
+## Creation of a service principal
+```bash
+export SP_DATA=$(az ad sp create-for-rbac --name TrivyTest --role AcrPull --scope "/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.ContainerRegistry/registries/<registry_name>")
+```
+
+# Usage
+```bash
+# must set TRIVY_USERNAME empty char
+export AZURE_CLIENT_ID$(echo $SP_DATA | jq -r .appId)
+export AZURE_CLIENT_SECRET$(echo $SP_DATA | jq -r .password)
+export AZURE_TENANT_ID$(echo $SP_DATA | jq -r .tenant)
+```
+
+# Testing
+You can test credentials in the following manner.
+
+```bash
+docker run -it --rm -v /tmp:/tmp\
+  -e AZURE_CLIENT_ID=${AZURE_CLIENT_ID} -e AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET} \
+  -e AZURE_TENANT_ID=${AZURE_TENANT_ID} aquasec/trivy image your_special_project.azurecr.io/your_special_image:your_special_tag
+```
--- a/docs/advanced/private-registries/gcr.md
+++ b/docs/advanced/private-registries/gcr.md
@@ -1,7 +1,40 @@
-Trivy uses Google Cloud SDK. You don't need to install `gcloud` command.
+# Requirements
+None, Trivy uses Google Cloud SDK. You don't need to install `gcloud` command.

-If you want to use target project's repository, you can settle via `GOOGLE_APPLICATION_CREDENTIAL`.
+# Privileges
+Credential file must have the `roles/storage.objectViewer` permissions.
+More information can be found in [Google's documentation](https://cloud.google.com/container-registry/docs/access-control)
+
+## JSON File Format
+The JSON file specified should have the following format provided by google's service account mechanisms:
+
+```json
+{
+  "type": "service_account",
+  "project_id": "your_special_project",
+  "private_key_id": "XXXXXXXXXXXXXXXXXXXXxx",
+  "private_key": "-----BEGIN PRIVATE KEY-----\nNONONONO\n-----END PRIVATE KEY-----\n",
+  "client_email": "somedude@your_special_project.iam.gserviceaccount.com",
+  "client_id": "1234567890",
+  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+  "token_uri": "https://oauth2.googleapis.com/token",
+  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/somedude%40your_special_project.iam.gserviceaccount.com"
+}
+```
+
+# Usage
+If you want to use target project's repository, you can set them via `GOOGLE_APPLICATION_CREDENTIALS`.
 ```bash
 # must set TRIVY_USERNAME empty char
 export GOOGLE_APPLICATION_CREDENTIALS=/path/to/credential.json
 ```
+
+# Testing
+You can test credentials in the following manner (assuming they are in `/tmp` on host machine).
+
+```bash
+docker run -it --rm -v /tmp:/tmp\
+  -e GOOGLE_APPLICATION_CREDENTIALS=/tmp/service_account.json\
+  aquasec/trivy image gcr.io/your_special_project/your_special_image:your_special_tag
+```
--- a/docs/advanced/sbom/cyclonedx.md
+++ b/docs/advanced/sbom/cyclonedx.md
@@ -0,0 +1,233 @@
+# CycloneDX
+
+Trivy generates JSON reports in the [CycloneDX][cyclonedx] format.
+Note that XML format is not supported at the moment.
+
+You can use the regular subcommands (like `image`, `fs` and `rootfs`) and specify `cyclonedx` with the `--format` option.
+
+```
+$ trivy image --format cyclonedx --output result.json alpine:3.15
+```
+
+<details>
+<summary>Result</summary>
+
+```
+$ cat result.json | jq .
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.4",
+  "serialNumber": "urn:uuid:2be5773d-7cd3-4b4b-90a5-e165474ddace",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2022-02-22T15:11:40.270597Z",
+    "tools": [
+      {
+        "vendor": "aquasecurity",
+        "name": "trivy",
+        "version": "dev"
+      }
+    ],
+    "component": {
+      "bom-ref": "pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64",
+      "type": "container",
+      "name": "alpine:3.15",
+      "version": "",
+      "purl": "pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:SchemaVersion",
+          "value": "2"
+        },
+        {
+          "name": "aquasecurity:trivy:ImageID",
+          "value": "sha256:c059bfaa849c4d8e4aecaeb3a10c2d9b3d85f5165c66ad3a4d937758128c4d18"
+        },
+        {
+          "name": "aquasecurity:trivy:RepoDigest",
+          "value": "alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300"
+        },
+        {
+          "name": "aquasecurity:trivy:DiffID",
+          "value": "sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759"
+        },
+        {
+          "name": "aquasecurity:trivy:RepoTag",
+          "value": "alpine:3.15"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "bom-ref": "pkg:apk/alpine/alpine-baselayout@3.2.0-r18?distro=3.15.0",
+      "type": "library",
+      "name": "alpine-baselayout",
+      "version": "3.2.0-r18",
+      "licenses": [
+        {
+          "expression": "GPL-2.0-only"
+        }
+      ],
+      "purl": "pkg:apk/alpine/alpine-baselayout@3.2.0-r18?distro=3.15.0",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:SrcName",
+          "value": "alpine-baselayout"
+        },
+        {
+          "name": "aquasecurity:trivy:SrcVersion",
+          "value": "3.2.0-r18"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDigest",
+          "value": "sha256:59bf1c3509f33515622619af21ed55bbe26d24913cedbca106468a5fb37a50c3"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDiffID",
+          "value": "sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759"
+        }
+      ]
+    },
+    ...(snip)...
+    {
+      "bom-ref": "pkg:apk/alpine/zlib@1.2.11-r3?distro=3.15.0",
+      "type": "library",
+      "name": "zlib",
+      "version": "1.2.11-r3",
+      "licenses": [
+        {
+          "expression": "Zlib"
+        }
+      ],
+      "purl": "pkg:apk/alpine/zlib@1.2.11-r3?distro=3.15.0",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:SrcName",
+          "value": "zlib"
+        },
+        {
+          "name": "aquasecurity:trivy:SrcVersion",
+          "value": "1.2.11-r3"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDigest",
+          "value": "sha256:59bf1c3509f33515622619af21ed55bbe26d24913cedbca106468a5fb37a50c3"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDiffID",
+          "value": "sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759"
+        }
+      ]
+    },
+    {
+      "bom-ref": "3da6a469-964d-4b4e-b67d-e94ec7c88d37",
+      "type": "operating-system",
+      "name": "alpine",
+      "version": "3.15.0",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:Type",
+          "value": "alpine"
+        },
+        {
+          "name": "aquasecurity:trivy:Class",
+          "value": "os-pkgs"
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "3da6a469-964d-4b4e-b67d-e94ec7c88d37",
+      "dependsOn": [
+        "pkg:apk/alpine/alpine-baselayout@3.2.0-r18?distro=3.15.0",
+        "pkg:apk/alpine/alpine-keys@2.4-r1?distro=3.15.0",
+        "pkg:apk/alpine/apk-tools@2.12.7-r3?distro=3.15.0",
+        "pkg:apk/alpine/busybox@1.34.1-r3?distro=3.15.0",
+        "pkg:apk/alpine/ca-certificates-bundle@20191127-r7?distro=3.15.0",
+        "pkg:apk/alpine/libc-utils@0.7.2-r3?distro=3.15.0",
+        "pkg:apk/alpine/libcrypto1.1@1.1.1l-r7?distro=3.15.0",
+        "pkg:apk/alpine/libretls@3.3.4-r2?distro=3.15.0",
+        "pkg:apk/alpine/libssl1.1@1.1.1l-r7?distro=3.15.0",
+        "pkg:apk/alpine/musl@1.2.2-r7?distro=3.15.0",
+        "pkg:apk/alpine/musl-utils@1.2.2-r7?distro=3.15.0",
+        "pkg:apk/alpine/scanelf@1.3.3-r0?distro=3.15.0",
+        "pkg:apk/alpine/ssl_client@1.34.1-r3?distro=3.15.0",
+        "pkg:apk/alpine/zlib@1.2.11-r3?distro=3.15.0"
+      ]
+    },
+    {
+      "ref": "pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64",
+      "dependsOn": [
+        "3da6a469-964d-4b4e-b67d-e94ec7c88d37"
+      ]
+    }
+  ],
+  "vulnerabilities": [
+    {
+      "id": "CVE-2021-42386",
+      "source": {
+        "name": "alpine",
+        "url": "https://secdb.alpinelinux.org/"
+      },
+      "ratings": [
+        {
+          "source": {
+            "name": "nvd"
+          },
+          "score": 7.2,
+          "severity": "high",
+          "method": "CVSSv31",
+          "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+        },
+        {
+          "source": {
+            "name": "nvd"
+          },
+          "score": 6.5,
+          "severity": "medium",
+          "method": "CVSSv2",
+          "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"
+        },
+        {
+          "source": {
+            "name": "redhat"
+          },
+          "score": 6.6,
+          "severity": "medium",
+          "method": "CVSSv31",
+          "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"
+        }
+      ],
+      "cwes": [
+        416
+      ],
+      "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function",
+      "advisories": [
+        {
+          "url": "https://access.redhat.com/security/cve/CVE-2021-42386"
+        },
+        {
+          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42386"
+        }
+      ],
+      "published": "2021-11-15 21:15:00 +0000 UTC",
+      "updated": "2022-01-04 17:14:00 +0000 UTC",
+      "affects": [
+        {
+          "ref": "pkg:apk/alpine/busybox@1.33.1-r3?distro=3.14.2"
+        },
+        {
+          "ref": "pkg:apk/alpine/ssl_client@1.33.1-r3?distro=3.14.2"
+        }
+      ]
+    }
+  ]
+}
+
+```
+
+</details>
+
+[cyclonedx]: https://cyclonedx.org/
--- a/docs/advanced/sbom/index.md
+++ b/docs/advanced/sbom/index.md
@@ -0,0 +1,191 @@
+# SBOM
+Trivy currently supports the following SBOM formats.
+
+- [CycloneDX][cyclonedx]
+
+To generate SBOM, you can use the `--format` option for each subcommand such as `image` and `fs`.
+
+```
+$ trivy image --format cyclonedx --output result.json alpine:3.15
+```
+
+In addition, you can use the `trivy sbom` subcommand.
+
+```
+$ trivy sbom alpine:3.15
+```
+
+<details>
+<summary>Result</summary>
+
+```
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.3",
+  "serialNumber": "urn:uuid:2be5773d-7cd3-4b4b-90a5-e165474ddace",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2022-02-22T15:11:40.270597Z",
+    "tools": [
+      {
+        "vendor": "aquasecurity",
+        "name": "trivy",
+        "version": "dev"
+      }
+    ],
+    "component": {
+      "bom-ref": "pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64",
+      "type": "container",
+      "name": "alpine:3.15",
+      "version": "",
+      "purl": "pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:SchemaVersion",
+          "value": "2"
+        },
+        {
+          "name": "aquasecurity:trivy:ImageID",
+          "value": "sha256:c059bfaa849c4d8e4aecaeb3a10c2d9b3d85f5165c66ad3a4d937758128c4d18"
+        },
+        {
+          "name": "aquasecurity:trivy:RepoDigest",
+          "value": "alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300"
+        },
+        {
+          "name": "aquasecurity:trivy:DiffID",
+          "value": "sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759"
+        },
+        {
+          "name": "aquasecurity:trivy:RepoTag",
+          "value": "alpine:3.15"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "bom-ref": "pkg:apk/alpine/alpine-baselayout@3.2.0-r18?distro=3.15.0",
+      "type": "library",
+      "name": "alpine-baselayout",
+      "version": "3.2.0-r18",
+      "licenses": [
+        {
+          "expression": "GPL-2.0-only"
+        }
+      ],
+      "purl": "pkg:apk/alpine/alpine-baselayout@3.2.0-r18?distro=3.15.0",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:SrcName",
+          "value": "alpine-baselayout"
+        },
+        {
+          "name": "aquasecurity:trivy:SrcVersion",
+          "value": "3.2.0-r18"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDigest",
+          "value": "sha256:59bf1c3509f33515622619af21ed55bbe26d24913cedbca106468a5fb37a50c3"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDiffID",
+          "value": "sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759"
+        }
+      ]
+    },
+    ...(snip)...
+    {
+      "bom-ref": "pkg:apk/alpine/zlib@1.2.11-r3?distro=3.15.0",
+      "type": "library",
+      "name": "zlib",
+      "version": "1.2.11-r3",
+      "licenses": [
+        {
+          "expression": "Zlib"
+        }
+      ],
+      "purl": "pkg:apk/alpine/zlib@1.2.11-r3?distro=3.15.0",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:SrcName",
+          "value": "zlib"
+        },
+        {
+          "name": "aquasecurity:trivy:SrcVersion",
+          "value": "1.2.11-r3"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDigest",
+          "value": "sha256:59bf1c3509f33515622619af21ed55bbe26d24913cedbca106468a5fb37a50c3"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDiffID",
+          "value": "sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759"
+        }
+      ]
+    },
+    {
+      "bom-ref": "3da6a469-964d-4b4e-b67d-e94ec7c88d37",
+      "type": "operating-system",
+      "name": "alpine",
+      "version": "3.15.0",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:Type",
+          "value": "alpine"
+        },
+        {
+          "name": "aquasecurity:trivy:Class",
+          "value": "os-pkgs"
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "3da6a469-964d-4b4e-b67d-e94ec7c88d37",
+      "dependsOn": [
+        "pkg:apk/alpine/alpine-baselayout@3.2.0-r18?distro=3.15.0",
+        "pkg:apk/alpine/alpine-keys@2.4-r1?distro=3.15.0",
+        "pkg:apk/alpine/apk-tools@2.12.7-r3?distro=3.15.0",
+        "pkg:apk/alpine/busybox@1.34.1-r3?distro=3.15.0",
+        "pkg:apk/alpine/ca-certificates-bundle@20191127-r7?distro=3.15.0",
+        "pkg:apk/alpine/libc-utils@0.7.2-r3?distro=3.15.0",
+        "pkg:apk/alpine/libcrypto1.1@1.1.1l-r7?distro=3.15.0",
+        "pkg:apk/alpine/libretls@3.3.4-r2?distro=3.15.0",
+        "pkg:apk/alpine/libssl1.1@1.1.1l-r7?distro=3.15.0",
+        "pkg:apk/alpine/musl@1.2.2-r7?distro=3.15.0",
+        "pkg:apk/alpine/musl-utils@1.2.2-r7?distro=3.15.0",
+        "pkg:apk/alpine/scanelf@1.3.3-r0?distro=3.15.0",
+        "pkg:apk/alpine/ssl_client@1.34.1-r3?distro=3.15.0",
+        "pkg:apk/alpine/zlib@1.2.11-r3?distro=3.15.0"
+      ]
+    },
+    {
+      "ref": "pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64",
+      "dependsOn": [
+        "3da6a469-964d-4b4e-b67d-e94ec7c88d37"
+      ]
+    }
+  ]
+}
+
+```
+
+</details>
+
+`fs`, `repo` and `archive` also work with `sbom` subcommand.
+
+```
+# filesystem
+$ trivy sbom --artifact-type fs /path/to/project
+
+# repository
+$ trivy sbom --artifact-type repo github.com/aquasecurity/trivy-ci-test
+
+# container image archive
+$ trivy sbom --artifact-type archive alpine.tar
+```
+
+[cyclonedx]: cyclonedx.md
--- a/docs/getting-started/cli/client.md
+++ b/docs/getting-started/cli/client.md
@@ -9,7 +9,7 @@ USAGE:

 OPTIONS:
   --template value, -t value  output template [$TRIVY_TEMPLATE]
-   --format value, -f value    format (table, json, template) (default: "table") [$TRIVY_FORMAT]
+   --format value, -f value    format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
   --input value, -i value     input file path instead of image name [$TRIVY_INPUT]
   --severity value, -s value  severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
   --output value, -o value    output file name [$TRIVY_OUTPUT]
@@ -22,6 +22,7 @@ OPTIONS:
   --timeout value             timeout (default: 5m0s) [$TRIVY_TIMEOUT]
   --ignore-policy value       specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
   --list-all-pkgs             enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
+   --offline-scan              do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
   --token value               for authentication [$TRIVY_TOKEN]
   --token-header value        specify a header name for token (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
   --remote value              server address (default: "http://localhost:4954") [$TRIVY_REMOTE]
--- a/docs/getting-started/cli/config.md
+++ b/docs/getting-started/cli/config.md
@@ -9,7 +9,7 @@ USAGE:

 OPTIONS:
   --template value, -t value                     output template [$TRIVY_TEMPLATE]
-   --format value, -f value                       format (table, json, template) (default: "table") [$TRIVY_FORMAT]
+   --format value, -f value                       format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
   --severity value, -s value                     severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
   --output value, -o value                       output file name [$TRIVY_OUTPUT]
   --exit-code value                              Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
--- a/docs/getting-started/cli/fs.md
+++ b/docs/getting-started/cli/fs.md
@@ -9,7 +9,7 @@ USAGE:

 OPTIONS:
   --template value, -t value                     output template [$TRIVY_TEMPLATE]
-   --format value, -f value                       format (table, json, template) (default: "table") [$TRIVY_FORMAT]
+   --format value, -f value                       format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
   --severity value, -s value                     severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
   --output value, -o value                       output file name [$TRIVY_OUTPUT]
   --exit-code value                              Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
@@ -25,10 +25,15 @@ OPTIONS:
   --no-progress                                  suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
   --ignore-policy value                          specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
   --list-all-pkgs                                enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
+   --offline-scan                                 do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
   --skip-files value                             specify the file paths to skip traversal [$TRIVY_SKIP_FILES]
   --skip-dirs value                              specify the directories where the traversal is skipped [$TRIVY_SKIP_DIRS]
   --config-policy value                          specify paths to the Rego policy files directory, applying config files [$TRIVY_CONFIG_POLICY]
   --config-data value                            specify paths from which data for the Rego policies will be recursively loaded [$TRIVY_CONFIG_DATA]
   --policy-namespaces value, --namespaces value  Rego namespaces (default: "users") [$TRIVY_POLICY_NAMESPACES]
+   --server value                                 server address [$TRIVY_SERVER]
+   --token value                                  for authentication [$TRIVY_TOKEN]
+   --token-header value                           specify a header name for token (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
+   --custom-headers value                         custom headers [$TRIVY_CUSTOM_HEADERS]
   --help, -h                                     show help (default: false)
 ```
--- a/docs/getting-started/cli/image.md
+++ b/docs/getting-started/cli/image.md
@@ -9,7 +9,7 @@ USAGE:

 OPTIONS:
   --template value, -t value  output template [$TRIVY_TEMPLATE]
-   --format value, -f value    format (table, json, template) (default: "table") [$TRIVY_FORMAT]
+   --format value, -f value    format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
   --input value, -i value     input file path instead of image name [$TRIVY_INPUT]
   --severity value, -s value  severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
   --output value, -o value    output file name [$TRIVY_OUTPUT]
@@ -24,9 +24,9 @@ OPTIONS:
   --vuln-type value           comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
   --ignorefile value          specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
   --timeout value             timeout (default: 5m0s) [$TRIVY_TIMEOUT]
-   --light                     light mode: it's faster, but vulnerability descriptions and references are not displayed (default: false) [$TRIVY_LIGHT]
   --ignore-policy value       specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
   --list-all-pkgs             enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
+   --offline-scan              do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
   --skip-files value          specify the file path to skip traversal [$TRIVY_SKIP_FILES]
   --skip-dirs value           specify the directory where the traversal is skipped [$TRIVY_SKIP_DIRS]
   --cache-backend value       cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
--- a/docs/getting-started/cli/index.md
+++ b/docs/getting-started/cli/index.md
@@ -18,6 +18,7 @@ COMMANDS:
   server, s         server mode
   config, conf      scan config files
   plugin, p         manage plugins
+   version           print the version
   help, h           Shows a list of commands or help for one command

 GLOBAL OPTIONS:
--- a/docs/getting-started/cli/repo.md
+++ b/docs/getting-started/cli/repo.md
@@ -9,7 +9,7 @@ USAGE:

 OPTIONS:
   --template value, -t value  output template [$TRIVY_TEMPLATE]
-   --format value, -f value    format (table, json, template) (default: "table") [$TRIVY_FORMAT]
+   --format value, -f value    format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
   --input value, -i value     input file path instead of image name [$TRIVY_INPUT]
   --severity value, -s value  severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
   --output value, -o value    output file name [$TRIVY_OUTPUT]
@@ -23,8 +23,10 @@ OPTIONS:
   --cache-backend value       cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
   --timeout value             timeout (default: 5m0s) [$TRIVY_TIMEOUT]
   --no-progress               suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
+   --quiet, -q                      suppress progress bar and log output (default: false) [$TRIVY_QUIET]
   --ignore-policy value       specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
   --list-all-pkgs             enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
+   --offline-scan              do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
   --skip-files value          specify the file path to skip traversal [$TRIVY_SKIP_FILES]
   --skip-dirs value           specify the directory where the traversal is skipped [$TRIVY_SKIP_DIRS]
   --help, -h                  show help (default: false)
--- a/docs/getting-started/cli/rootfs.md
+++ b/docs/getting-started/cli/rootfs.md
@@ -9,7 +9,7 @@ USAGE:

 OPTIONS:
   --template value, -t value                     output template [$TRIVY_TEMPLATE]
-   --format value, -f value                       format (table, json, template) (default: "table") [$TRIVY_FORMAT]
+   --format value, -f value                       format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
   --severity value, -s value                     severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
   --output value, -o value                       output file name [$TRIVY_OUTPUT]
   --exit-code value                              Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
@@ -25,6 +25,7 @@ OPTIONS:
   --no-progress                                  suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
   --ignore-policy value                          specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
   --list-all-pkgs                                enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
+   --offline-scan                                 do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
   --skip-files value                             specify the file paths to skip traversal [$TRIVY_SKIP_FILES]
   --skip-dirs value                              specify the directories where the traversal is skipped [$TRIVY_SKIP_DIRS]
   --config-policy value                          specify paths to the Rego policy files directory, applying config files [$TRIVY_CONFIG_POLICY]
--- a/docs/getting-started/cli/sbom.md
+++ b/docs/getting-started/cli/sbom.md
@@ -0,0 +1,19 @@
+# SBOM
+
+```bash
+NAME:
+   trivy sbom - generate SBOM for an artifact
+
+USAGE:
+   trivy sbom [command options] ARTIFACT
+
+OPTIONS:
+   --output value, -o value             output file name [$TRIVY_OUTPUT]
+   --clear-cache, -c                    clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
+   --ignorefile value                   specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
+   --timeout value                      timeout (default: 5m0s) [$TRIVY_TIMEOUT]
+   --severity value, -s value           severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
+   --artifact-type value, --type value  input artifact type (image, fs, repo, archive) (default: "image") [$TRIVY_ARTIFACT_TYPE]
+   --sbom-format value, --format value  SBOM format (cyclonedx) (default: "cyclonedx") [$TRIVY_SBOM_FORMAT]
+   --help, -h                           show help (default: false)
+```
--- a/docs/getting-started/further.md
+++ b/docs/getting-started/further.md
@@ -18,13 +18,6 @@
 - [Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action][actions2]
 - [Using Trivy to Discover Vulnerabilities in VS Code Projects][vscode]

-## External Blogs/Links
- [the vulnerability remediation lifecycle of Alpine containers][alpine]
- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy][round-up]
- [Docker Image Security: Static Analysis Tool Comparison – Anchore Engine vs Clair vs Trivy][tool-comparison]
- [Research Spike: evaluate Trivy for scanning running containers][gitlab]
- [Istio evaluates scanners][istio]
-
 [intro]: https://www.youtube.com/watch?v=AzOBGm7XxOA
 [cncf]: https://www.youtube.com/watch?v=XnYxX9uueoQ
 [server]: https://www.youtube.com/watch?v=tNQ-VlahtYM
@@ -37,9 +30,3 @@
 [actions]: https://blog.aquasec.com/devsecops-with-trivy-github-actions
 [actions2]: https://blog.aquasec.com/github-vulnerability-scanner-trivy
 [vscode]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-vs-code
-
-[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
-[round-up]: https://boxboat.com/2020/04/24/image-scanning-tech-compared/
-[tool-comparison]: https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/
-[gitlab]: https://gitlab.com/gitlab-org/gitlab/-/issues/270888
-[istio]: https://github.com/istio/release-builder/pull/687#issuecomment-874938417
--- a/docs/getting-started/installation.md
+++ b/docs/getting-started/installation.md
@@ -118,14 +118,13 @@ Example:
 === "Linux"

    ``` bash
-    docker run --rm -v [YOUR_CACHE_DIR]:/root/.cache/ aquasec/trivy:{{ git.tag[1:] }} [YOUR_IMAGE_NAME]
+    docker run --rm -v [YOUR_CACHE_DIR]:/root/.cache/ aquasec/trivy:{{ git.tag[1:] }} image [YOUR_IMAGE_NAME]
    ```

 === "macOS"

    ``` bash
-    yay -Sy trivy-bin
-    docker run --rm -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:{{ git.tag[1:] }} python:3.4-alpine
+    docker run --rm -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:{{ git.tag[1:] }} image [YOUR_IMAGE_NAME
    ```

 If you would like to scan the image on your host machine, you need to mount `docker.sock`.
--- a/docs/getting-started/overview.md
+++ b/docs/getting-started/overview.md
@@ -22,7 +22,7 @@ See [Integrations][integrations] for details.
 ## Features

 - Comprehensive vulnerability detection
-    - [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
+    - [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
    - [**Language-specific packages**][lang] (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
 - Detect IaC misconfigurations
    - A wide variety of [built-in policies][builtin] are provided **out of the box**:
@@ -55,12 +55,11 @@ See [Integrations][integrations] for details.
        - An image directory compliant with [OCI Image Format][oci]
    - local filesystem and rootfs
    - remote git repository
+- SBOM (Software Bill of Materials) support
+    - CycloneDX 

 Please see [LICENSE][license] for Trivy licensing information.

-!!! note
-    Trivy uses vulnerability information from a variety of sources, some of which are licensed for non-commercial use only.
-
 [vuln]: ../vulnerability/scanning/index.md
 [misconf]: ../misconfiguration/index.md
 [container]: ../vulnerability/scanning/image.md
@@ -80,4 +79,4 @@ Please see [LICENSE][license] for Trivy licensing information.
 [podman]: ../advanced/container/podman.md

 [oci]: https://github.com/opencontainers/image-spec
-[license]:  https://github.com/aquasecurity/trivy/blob/main/LICENSE
+[license]:  https://github.com/aquasecurity/trivy/blob/main/LICENSE
--- a/docs/getting-started/troubleshooting.md
+++ b/docs/getting-started/troubleshooting.md
@@ -39,6 +39,22 @@ https://developer.github.com/v3/#rate-limiting
 $ GITHUB_TOKEN=XXXXXXXXXX trivy alpine:3.10
 ```

+### Maven rate limiting
+
+!!! error
+    ``` bash
+    $ trivy image ...
+    ...
+    status 403 Forbidden from http://search.maven.org/solrsearch/select
+    ```
+
+Trivy calls Maven API for better detection of JAR files, but many requests may exceed rate limiting.
+If it happens frequently, try the `--offline-scan` option to stop Trivy from making API requests.
+This option affects only vulnerability scanning. The vulnerability database and builtin policies are downloaded as usual.
+If you want to skip them as well, you can try `--skip-update` and `--skip-policy-update`.
+
+Note that a number of vulnerabilities might be fewer than without the `--offline-scan` option.
+
 ### Running in parallel takes same time as series run
 When running trivy on multiple images simultaneously, it will take same time as running trivy in series.  
 This is because of a limitation of boltdb.
@@ -53,11 +69,17 @@ Reference : [boltdb: Opening a database][boltdb].
 !!! error
    FATAL failed to download vulnerability DB

-If trivy is running behind corporate firewall try to whitelist urls below:
+If trivy is running behind corporate firewall, you have to add the following urls to your allowlist.

- api.github.com
- github.com
- github-releases.githubusercontent.com
+- ghcr.io
+- pkg-containers.githubusercontent.com
+
+### Old DB schema
+
+!!! error
+    --skip-update cannot be specified with the old DB schema.
+
+Trivy v0.23.0 or later requires Trivy DB v2. Please update your local database or follow [the instruction of air-gapped environment][air-gapped].

 ## Homebrew
 ### Scope error
@@ -107,3 +129,5 @@ Try again with `--reset` option:
 ```
 $ trivy image --reset
 ```
+
+[air-gapped]: ../advanced/air-gap.md
--- a/docs/imgs/gitlab-codequality.png
+++ b/docs/imgs/gitlab-codequality.png
--- a/docs/index.md
+++ b/docs/index.md
@@ -32,8 +32,18 @@ All you need to do for scanning is to specify a target such as an image name of
  <figcaption>Demo: Misconfiguration Detection</figcaption>
 </figure>

+---
+
+Trivy is an [Aqua Security][aquasec] open source project.  
+Learn about our open source work and portfolio [here][oss].  
+Contact us about any matter by opening a GitHub Discussion [here][discussions]
+
 [vulnerability]: vulnerability/scanning/index.md
 [misconf]: misconfiguration/index.md
 [os]: vulnerability/detection/os.md
 [lang]: vulnerability/detection/language.md
-[iac]: misconfiguration/iac.md
+[iac]: misconfiguration/iac.md
+
+[aquasec]: https://aquasec.com
+[oss]: https://www.aquasec.com/products/open-source-projects/
+[discussions]: https://github.com/aquasecurity/trivy/discussions
--- a/docs/misconfiguration/comparison/cfsec.md
+++ b/docs/misconfiguration/comparison/cfsec.md
@@ -0,0 +1,25 @@
+# vs cfsec
+[cfsec][cfsec] uses static analysis of your CloudFormation templates to spot potential security issues.
+Trivy uses cfsec internally to scan both JSON and YAML configuration files, but Trivy doesn't support some features provided by cfsec.
+This section describes the differences between Trivy and cfsec.
+
+| Feature                     | Trivy                                   | cfsec                |
+| --------------------------- | --------------------------------------- | -------------------- |
+| Built-in Policies           | :material-check:                        | :material-check:     |
+| Custom Policies             | Rego[^1]                                | :material-close:     |
+| Policy Metadata[^2]         | :material-check:                        | :material-check:     |
+| Show Successes              | :material-check:                        | :material-check:     |
+| Disable Policies            | :material-check:                        | :material-check:     |
+| Show Issue Lines            | :material-close:                        | :material-check:     |
+| View Statistics             | :material-close:                        | :material-check:     |
+| Filtering by Severity       | :material-check:                        | :material-close:     |
+| Supported Formats           | Dockerfile, JSON, YAML, Terraform, etc. | CloudFormation JSON and YAML       |
+
+[^1]: CloudFormation files are not supported
+[^2]: To enrich the results such as ID, Title, Description, Severity, etc.
+
+cfsec is designed for CloudFormation.
+People who use only want to scan their CloudFormation templates should use cfsec.
+People who want to scan a wide range of configuration files should use Trivy.
+
+[cfsec]: https://github.com/aquasecurity/cfsec
--- a/docs/misconfiguration/comparison/tfsec.md
+++ b/docs/misconfiguration/comparison/tfsec.md
@@ -23,4 +23,4 @@ tfsec is designed for Terraform.
 People who use only Terraform should use tfsec.
 People who want to scan a wide range of configuration files should use Trivy.

-[tfsec]: https://github.com/tfsec/tfsec
+[tfsec]: https://github.com/aquasecurity/tfsec
--- a/docs/misconfiguration/iac.md
+++ b/docs/misconfiguration/iac.md
@@ -2,7 +2,7 @@

 ## Quick start

-Simply specify a directory containing IaC files such as Terraform and Dockerfile.
+Simply specify a directory containing IaC files such as Terraform, CloudFormation and Dockerfile.

 ``` bash
 $ trivy config [YOUR_IaC_DIRECTORY]
@@ -37,12 +37,12 @@ Trivy will automatically fetch the managed policies and will keep them up-to-dat
 The specified directory can contain mixed types of IaC files.
 Trivy automatically detects config types and applies relevant policies.

-For example, the following example holds IaC files for Terraform, Kubernetes, and Dockerfile in the same directory.
+For example, the following example holds IaC files for Terraform, CloudFormation, Kubernetes, and Dockerfile in the same directory.

 ``` bash
 $ ls iac/
 Dockerfile  deployment.yaml  main.tf
-$ trivy conf --severith HIGH,CRITICAL ./iac
+$ trivy conf --severity HIGH,CRITICAL ./iac
 ```

 <details>
@@ -111,7 +111,7 @@ Failures: 9 (HIGH: 6, CRITICAL: 1)
 +                                          +            +                                          +          +--------------------------------------------------------+
 |                                          |            |                                          |          | Resource                                               |
 |                                          |            |                                          |          | 'aws_api_gateway_domain_name.missing_security_policy'  |
-|                                          |            |                                          |          | should include security_policy (defauls to outdated    |
+|                                          |            |                                          |          | should include security_policy (defaults to outdated   |
 |                                          |            |                                          |          | SSL/TLS policy). -->tfsec.dev/docs/aws/AWS025/         |
 +                                          +            +                                          +          +--------------------------------------------------------+
 |                                          |            |                                          |          | Resource                                               |
@@ -149,8 +149,14 @@ You can see the config type next to each file name.
    ===================
    Tests: 23 (SUCCESSES: 14, FAILURES: 9, EXCEPTIONS: 0)
    Failures: 9 (HIGH: 6, CRITICAL: 1)
-    
+
    ...
+
+    bucket.yaml (cloudformation)
+    ============================
+    Tests: 9 (SUCCESSES: 3, FAILURES: 6, EXCEPTIONS: 0)
+    Failures: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 4, CRITICAL: 0)
+
    ```

 ## Example
--- a/docs/misconfiguration/options/filter.md
+++ b/docs/misconfiguration/options/filter.md
@@ -72,7 +72,7 @@ Failures: 8 (HIGH: 6, CRITICAL: 1)
 +                                          +            +                                          +          +--------------------------------------------------------+
 |                                          |            |                                          |          | Resource                                               |
 |                                          |            |                                          |          | 'aws_api_gateway_domain_name.missing_security_policy'  |
-|                                          |            |                                          |          | should include security_policy (defauls to outdated    |
+|                                          |            |                                          |          | should include security_policy (defaults to outdated   |
 |                                          |            |                                          |          | SSL/TLS policy). -->tfsec.dev/docs/aws/AWS025/         |
 +                                          +            +                                          +          +--------------------------------------------------------+
 |                                          |            |                                          |          | Resource                                               |
--- a/docs/misconfiguration/options/report.md
+++ b/docs/misconfiguration/options/report.md
@@ -3,4 +3,4 @@
 See [Reports Formats](../../vulnerability/examples/report.md) in Vulnerability section.

 !!! caution
-    Misconfiguration scanning doesn't support default templates such as XML and SARIF for now.
+    Misconfiguration scanning doesn't support default templates such as XML for now.
--- a/docs/misconfiguration/policy/builtin.md
+++ b/docs/misconfiguration/policy/builtin.md
@@ -4,22 +4,23 @@

 Built-in policies are mainly written in [Rego][rego].
 Those policies are managed under [AppShield repository][appshield].
-Only Terraform's policies are currently powered by [tfsec][tfsec].
+Terraform policies are currently powered by [tfsec][tfsec] and CloudFormation policies are powered by [cfsec][cfsec].

 | Config type    | Source                        |
 | ---------------| ----------------------------- |
 | Kubernetes     | [AppShield][kubernetes]       |
 | Dockerfile     | [AppShield][docker]           |
 | Terraform      | [tfsec][tfsec-checks]         |
+| CloudFormation | [cfsec][cfsec-checks]         |

-For suggestions or issues regarding policy content, please open an issue under [AppShield][appshield] or [tfsec][tfsec] repository.
+For suggestions or issues regarding policy content, please open an issue under [AppShield][appshield], [tfsec][tfsec] or [cfsec][cfsec] repository.

-CloudFormation and Ansible are coming soon.
+Ansible are coming soon.

 ## Policy Distribution
-AppShield policies are destributed as OPA bundle on [GitHub Container Registry][ghcr] (GHCR).
-When misconfiguration detection is enabled, Trivy pulls OPA bundle from GHCR as OCI artifact and stores it in the cache.
-Then, those policies are loaded into Trivy OPA engine and used for detecting misconfigurations.
+AppShield policies are distributed as an OPA bundle on [GitHub Container Registry][ghcr] (GHCR).
+When misconfiguration detection is enabled, Trivy pulls the OPA bundle from GHCR as an OCI artifact and stores it in the cache.
+Those policies are then loaded into Trivy OPA engine and used for detecting misconfigurations.

 ## Update Interval
 Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if there are any updates.
@@ -28,11 +29,13 @@ Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if th
 [appshield]: https://github.com/aquasecurity/appshield
 [kubernetes]: https://github.com/aquasecurity/appshield/tree/master/kubernetes
 [docker]: https://github.com/aquasecurity/appshield/tree/master/docker
-[tfsec-checks]: https://tfsec.dev/docs/aws/home/
-[tfsec]: https://github.com/tfsec/tfsec
+[tfsec-checks]: https://tfsec.dev/
+[tfsec]: https://github.com/aquasecurity/tfsec
+[cfsec-checks]: https://cfsec.dev/
+[cfsec]: https://github.com/aquasecurity/cfsec
 [ghcr]: https://github.com/aquasecurity/appshield/pkgs/container/appshield

 [dockerfile-bestpractice]: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
 [pss]: https://kubernetes.io/docs/concepts/security/pod-security-standards/
 [azure]: https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
-[kics]: https://github.com/Checkmarx/kics/
+[kics]: https://github.com/Checkmarx/kics/
--- a/docs/vulnerability/detection/data-source.md
+++ b/docs/vulnerability/detection/data-source.md
@@ -11,28 +11,31 @@
 | Ubuntu         | [Ubuntu CVE Tracker][ubuntu]             |
 | RHEL/CentOS    | [OVAL][rhel-oval]                        |
 |                | [Security Data][rhel-api]                |
+| AlmaLinux      | [AlmaLinux Product Errata][alma]         |
+| Rocky Linux    | [Rocky Linux UpdateInfo][rocky]          |
 | Oracle Linux   | [OVAL][oracle]                           |
+| CBL-Mariner    | [OVAL][mariner]                          |
 | OpenSUSE/SLES	 | [CVRF][suse]                             |
 | Photon OS      | [Photon Security Advisory][photon]       |

 # Programming Language

-| Language                     | Source                                           | Commercial Use  | Delay[^1]|
-| ---------------------------- | -------------------------------------------------|:---------------:|:--------:|
-| PHP                          | [PHP Security Advisories Database][php]          | ✅              | -        |
-|                              | [GitHub Advisory Database (Composer)][php-ghsa]  | ✅              | -        |
-| Python                       | [Safety DB][python]                              | ❌              | 1 month  |
-|                              | [GitHub Advisory Database (pip)][python-ghsa]    | ✅              | -        |
-| Ruby                         | [Ruby Advisory Database][ruby]                   | ✅              | -        |
-|                              | [GitHub Advisory Database (RubyGems)][ruby-ghsa] | ✅              | -        |
-| Node.js                      | [Ecosystem Security Working Group][nodejs]       | ✅              | -        |
-|                              | [GitHub Advisory Database (npm)][nodejs-ghsa]    | ✅              | -        |
-| Java                         | [GitLab Advisories Community][gitlab]            | ✅              | 1 month  |
-|                              | [GitHub Advisory Database (Maven)][java-ghsa]    | ✅              | -        |
-| Go                           | [GitLab Advisories Community][gitlab]            | ✅              | 1 month  |
-|                              | [The Go Vulnerability Database][go]              | ✅              | -        |
-| Rust                         | [RustSec Advisory Database][rust]                | ✅              | -        |
-| .NET                         | [GitHub Advisory Database (NuGet)][dotnet-ghsa]  | ✅              | -        |
+| Language                     | Source                                              | Commercial Use  | Delay[^1]|
+| ---------------------------- | ----------------------------------------------------|:---------------:|:--------:|
+| PHP                          | [PHP Security Advisories Database][php]             | ✅              | -        |
+|                              | [GitHub Advisory Database (Composer)][php-ghsa]     | ✅              | -        |
+| Python                       | [GitHub Advisory Database (pip)][python-ghsa]       | ✅              | -        |
+|                              | [Open Source Vulnerabilities (PyPI)][python-osv]    | ✅              | -        |
+| Ruby                         | [Ruby Advisory Database][ruby]                      | ✅              | -        |
+|                              | [GitHub Advisory Database (RubyGems)][ruby-ghsa]    | ✅              | -        |
+| Node.js                      | [Ecosystem Security Working Group][nodejs]          | ✅              | -        |
+|                              | [GitHub Advisory Database (npm)][nodejs-ghsa]       | ✅              | -        |
+| Java                         | [GitLab Advisories Community][gitlab]               | ✅              | 1 month  |
+|                              | [GitHub Advisory Database (Maven)][java-ghsa]       | ✅              | -        |
+| Go                           | [GitLab Advisories Community][gitlab]               | ✅              | 1 month  |
+|                              | [The Go Vulnerability Database][go]                 | ✅              | -        |
+| Rust                         | [Open Source Vulnerabilities (crates.io)][rust-osv] | ✅              | -        |
+| .NET                         | [GitHub Advisory Database (NuGet)][dotnet-ghsa]     | ✅              | -        |

 [^1]: Intentional delay between vulnerability disclosure and registration in the DB

@@ -51,9 +54,12 @@
 [ubuntu]: https://ubuntu.com/security/cve
 [rhel-oval]: https://www.redhat.com/security/data/oval/v2/
 [rhel-api]: https://www.redhat.com/security/data/metrics/
+[alma]: https://errata.almalinux.org/
+[rocky]: https://download.rockylinux.org/pub/rocky/
 [oracle]: https://linux.oracle.com/security/oval/
 [suse]: http://ftp.suse.com/pub/projects/security/cvrf/
 [photon]: https://packages.vmware.com/photon/photon_cve_metadata/
+[mariner]: https://github.com/microsoft/CBL-MarinerVulnerabilityData/

 [php-ghsa]: https://github.com/advisories?query=ecosystem%3Acomposer
 [python-ghsa]: https://github.com/advisories?query=ecosystem%3Apip
@@ -63,11 +69,12 @@
 [dotnet-ghsa]: https://github.com/advisories?query=ecosystem%3Anuget

 [php]: https://github.com/FriendsOfPHP/security-advisories
-[python]: https://github.com/pyupio/safety-db
 [ruby]: https://github.com/rubysec/ruby-advisory-db
 [nodejs]: https://github.com/nodejs/security-wg
 [gitlab]: https://gitlab.com/gitlab-org/advisories-community
 [go]: https://github.com/golang/vulndb
-[rust]: (https://github.com/RustSec/advisory-db)
+
+[python-osv]: https://osv.dev/list?q=&ecosystem=PyPI
+[rust-osv]: https://osv.dev/list?q=&ecosystem=crates.io

 [nvd]: https://nvd.nist.gov/
--- a/docs/vulnerability/detection/language.md
+++ b/docs/vulnerability/detection/language.md
@@ -2,23 +2,26 @@

 `Trivy` automatically detects the following files in the container and scans vulnerabilities in the application dependencies.

-| Language | File                     | Image[^6] | Rootfs[^7] | Filesysetm[^8] |  Repository[^9] |Dev dependencies |
-|----------|--------------------------|:---------:|:----------:|:--------------:|:---------------:|-----------------|
-| Ruby     | Gemfile.lock             | -         | -          | ✅             | ✅              | included        |
-|          | gemspec                  | ✅        | ✅         | -              | -               | included        |
-| Python   | Pipfile.lock             | -         | -          | ✅             | ✅              | excluded        |
-|          | poetry.lock              | -         | -          | ✅             | ✅              | included        |
-|          | requirements.txt         | -         | -          | ✅             | ✅              | included        |
-|          | egg package[^1]          | ✅        | ✅         | -              | -               | excluded        |
-|          | wheel package[^2]        | ✅        | ✅         | -              | -               | excluded        |
-| PHP      | composer.lock            | ✅        | ✅         | ✅             | ✅              | excluded        |
-| Node.js  | package-lock.json        | -         | -          | ✅             | ✅              | excluded        |
-|          | yarn.lock                | -         | -          | ✅             | ✅              | included        |
-|          | package.json             | ✅        | ✅         | -              | -               | excluded        |
-| .NET     | packages.lock.json       | ✅        | ✅         | ✅             | ✅              | included        |
-| Java     | JAR/WAR/EAR[^3][^4]      | ✅        | ✅         | ✅             | ✅              | included        |
-| Go       | Binaries built by Go[^5] | ✅        | ✅         | -              | -               | excluded        |
-|          | go.sum                   | -         | -          | ✅             | ✅              | included        |
+| Language | File                     | Image[^7] | Rootfs[^8] | Filesystem[^9] | Repository[^10] |Dev dependencies |
+|----------|--------------------------|:---------:|:----------:|:--------------:|:--------------:|-----------------|
+| Ruby     | Gemfile.lock             | -         | -          |       ✅        |       ✅        | included        |
+|          | gemspec                  | ✅        | ✅         |       -        |       -        | included        |
+| Python   | Pipfile.lock             | -         | -          |       ✅        |       ✅        | excluded        |
+|          | poetry.lock              | -         | -          |       ✅        |       ✅        | included        |
+|          | requirements.txt         | -         | -          |       ✅        |       ✅        | included        |
+|          | egg package[^1]          | ✅        | ✅         |       -        |       -        | excluded        |
+|          | wheel package[^2]        | ✅        | ✅         |       -        |       -        | excluded        |
+| PHP      | composer.lock            | ✅        | ✅         |       ✅        |       ✅        | excluded        |
+| Node.js  | package-lock.json        | -         | -          |       ✅        |       ✅        | excluded        |
+|          | yarn.lock                | -         | -          |       ✅        |       ✅        | included        |
+|          | package.json             | ✅        | ✅         |       -        |       -        | excluded        |
+| .NET     | packages.lock.json       | ✅        | ✅         |       ✅        |       ✅        | included        |
+|          | packages.config          | ✅        | ✅         |       ✅        |       ✅        | excluded        |
+| Java     | JAR/WAR/PAR/EAR[^3][^4]  | ✅        | ✅         |       -        |       -        | included        |
+|          | pom.xml[^5]              | -         | -          |       ✅        |       ✅        | excluded        |
+| Go       | Binaries built by Go[^6] | ✅        | ✅         |       -        |       -        | excluded        |
+|          | go.sum                   | -         | -          |       ✅        |       ✅        | included        |
+| Rust     | Cargo.lock               | ✅        | ✅         |       ✅        |       ✅        | included        |

 The path of these files does not matter.

@@ -26,10 +29,11 @@ Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Do

 [^1]: `*.egg-info`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO`
 [^2]: `.dist-info/META-DATA`
-[^3]: `*.jar`, `*.war`, and `*.ear`
-[^4]: It requires the Internet access
-[^5]: UPX-compressed binaries don't work
-[^6]: ✅ means "enabled" and `-` means "disabled" in the image scanning
-[^7]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
-[^8]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
-[^9]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
+[^3]: `*.jar`, `*.war`, `*.par` and `*.ear`
+[^4]: It requires Internet access
+[^5]: It requires Internet access when the POM doesn't exist in your local repository
+[^6]: UPX-compressed binaries don't work
+[^7]: ✅ means "enabled" and `-` means "disabled" in the image scanning
+[^8]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
+[^9]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
+[^10]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
--- a/docs/vulnerability/detection/os.md
+++ b/docs/vulnerability/detection/os.md
@@ -4,16 +4,19 @@ The unfixed/unfixable vulnerabilities mean that the patch has not yet been provi

 | OS                               | Supported Versions                       | Target Packages               | Detection of unfixed vulnerabilities |
 | -------------------------------- | ---------------------------------------- | ----------------------------- | :----------------------------------: |
-| Alpine Linux                     | 2.2 - 2.7, 3.0 - 3.13                    | Installed by apk              |                  NO                  |
+| Alpine Linux                     | 2.2 - 2.7, 3.0 - 3.15                    | Installed by apk              |                  NO                  |
 | Red Hat Universal Base Image[^1] | 7, 8                                     | Installed by yum/rpm          |                 YES                  |
 | Red Hat Enterprise Linux         | 6, 7, 8                                  | Installed by yum/rpm          |                 YES                  |
-| CentOS                           | 6, 7                                     | Installed by yum/rpm          |                 YES                  |
+| CentOS                           | 6, 7, 8                                  | Installed by yum/rpm          |                 YES                  |
+| AlmaLinux                        | 8                                        | Installed by yum/rpm          |                  NO                  |
+| Rocky Linux                      | 8                                        | Installed by yum/rpm          |                  NO                  |
 | Oracle Linux                     | 5, 6, 7, 8                               | Installed by yum/rpm          |                  NO                  |
+| CBL-Mariner                      | 1.0, 2.0                                 | Installed by yum/rpm          |                 YES                  |
 | Amazon Linux                     | 1, 2                                     | Installed by yum/rpm          |                  NO                  |
 | openSUSE Leap                    | 42, 15                                   | Installed by zypper/rpm       |                  NO                  |
 | SUSE Enterprise Linux            | 11, 12, 15                               | Installed by zypper/rpm       |                  NO                  |
-| Photon OS                        | 1.0, 2.0, 3.0                            | Installed by tdnf/yum/rpm     |                  NO                  |
-| Debian GNU/Linux                 | wheezy, jessie, stretch, buster          | Installed by apt/apt-get/dpkg |                 YES                  |
+| Photon OS                        | 1.0, 2.0, 3.0, 4.0                       | Installed by tdnf/yum/rpm     |                  NO                  |
+| Debian GNU/Linux                 | wheezy, jessie, stretch, buster, bullseye| Installed by apt/apt-get/dpkg |                 YES                  |
 | Ubuntu                           | All versions supported by Canonical      | Installed by apt/apt-get/dpkg |                 YES                  |
 | Distroless[^2]                   | Any                                      | Installed by apt/apt-get/dpkg |                 YES                  |

--- a/docs/vulnerability/examples/cache.md
+++ b/docs/vulnerability/examples/cache.md
@@ -41,3 +41,14 @@ Two options:
 ```
 $ trivy server --cache-backend redis://localhost:6379
 ```
+
+Trivy also support for connecting to Redis using TLS, you only need to specify `--redis-ca` , `--redis-cert` , and `--redis-key` option.
+
+```
+$ trivy server --cache-backend redis://localhost:6379 \
+  --redis-ca /path/to/ca-cert.pem \
+  --redis-cert /path/to/cert.pem \
+  --redis-key /path/to/key.pem
+```
+
+TLS option for redis is hidden from Trivy command-line flag, but you still can use it.
--- a/docs/vulnerability/examples/db.md
+++ b/docs/vulnerability/examples/db.md
@@ -36,39 +36,3 @@ This is useful to initialize workers in Continuous Integration systems.
 ```
 $ trivy image --download-db-only
 ```
-
-## Lightweight DB
-The lightweight DB doesn't contain vulnerability detail such as descriptions and references. Because of that, the size of the DB is smaller and the download is faster.
-
-This option is useful when you don't need vulnerability details and is suitable for CI/CD.
-To find the additional information, you can search vulnerability details on the NVD website.
-https://nvd.nist.gov/vuln/search
-
-```
-$ trivy image --light alpine:3.10
-```
-
-`--light` option doesn't display titles like the following example.
-
-<details>
-<summary>Result</summary>
-
-```
-2019-11-14T10:21:01.553+0200    INFO    Reopening vulnerability DB
-2019-11-14T10:21:02.574+0200    INFO    Detecting Alpine vulnerabilities...
-
-alpine:3.10 (alpine 3.10.2)
-===========================
-Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
-
-+---------+------------------+----------+-------------------+---------------+
-| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |
-+---------+------------------+----------+-------------------+---------------+
-| openssl | CVE-2019-1549    | MEDIUM   | 1.1.1c-r0         | 1.1.1d-r0     |
-+         +------------------+          +                   +               +
-|         | CVE-2019-1563    |          |                   |               |
-+         +------------------+----------+                   +               +
-|         | CVE-2019-1547    | LOW      |                   |               |
-+---------+------------------+----------+-------------------+---------------+
-```
-</details>
--- a/docs/vulnerability/examples/filter.md
+++ b/docs/vulnerability/examples/filter.md
@@ -294,28 +294,63 @@ There is a built-in Rego library with helper functions that you can import into
 To get started, see the [example policy][policy].

 ```bash
-$ trivy image --ignore-policy contrib/example_filter/basic.rego centos:7
+$ trivy image --ignore-policy contrib/example_policy/basic.rego centos:7
 ```

 <details>
 <summary>Result</summary>

 ```bash
-centos:7 (centos 7.8.2003)
+centos:7 (centos 7.9.2009)
 ==========================
-Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+Total: 9 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 4, CRITICAL: 5)

-+---------+------------------+----------+-------------------+---------------+--------------------------------+
-| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
-+---------+------------------+----------+-------------------+---------------+--------------------------------+
-| glib2   | CVE-2016-3191    | HIGH     | 2.56.1-5.el7      |               | pcre: workspace overflow       |
-|         |                  |          |                   |               | for (*ACCEPT) with deeply      |
-|         |                  |          |                   |               | nested parentheses (8.39/13,   |
-|         |                  |          |                   |               | 10.22/12)                      |
-+---------+------------------+----------+-------------------+---------------+--------------------------------+
+--------------+------------------+----------+-------------------+-------------------+-----------------------------------------+
+|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |   FIXED VERSION   |                  TITLE                  |
+--------------+------------------+----------+-------------------+-------------------+-----------------------------------------+
+| glib2        | CVE-2015-8385    | HIGH     | 2.56.1-7.el7      |                   | pcre: buffer overflow caused            |
+|              |                  |          |                   |                   | by named forward reference              |
+|              |                  |          |                   |                   | to duplicate group number...            |
+|              |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2015-8385    |
+              +------------------+          +                   +-------------------+-----------------------------------------+
+|              | CVE-2016-3191    |          |                   |                   | pcre: workspace overflow for            |
+|              |                  |          |                   |                   | (*ACCEPT) with deeply nested            |
+|              |                  |          |                   |                   | parentheses (8.39/13, 10.22/12)         |
+|              |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2016-3191    |
+              +------------------+          +                   +-------------------+-----------------------------------------+
+|              | CVE-2021-27219   |          |                   | 2.56.1-9.el7_9    | glib: integer overflow in               |
+|              |                  |          |                   |                   | g_bytes_new function on                 |
+|              |                  |          |                   |                   | 64-bit platforms due to an...           |
+|              |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2021-27219   |
+--------------+------------------+----------+-------------------+-------------------+-----------------------------------------+
+| glibc        | CVE-2019-1010022 | CRITICAL | 2.17-317.el7      |                   | glibc: stack guard protection bypass    |
+|              |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2019-1010022 |
+--------------+                  +          +                   +-------------------+                                         +
+| glibc-common |                  |          |                   |                   |                                         |
+|              |                  |          |                   |                   |                                         |
+--------------+------------------+          +-------------------+-------------------+-----------------------------------------+
+| nss          | CVE-2021-43527   |          | 3.53.1-3.el7_9    | 3.67.0-4.el7_9    | nss: Memory corruption in               |
+|              |                  |          |                   |                   | decodeECorDsaSignature with             |
+|              |                  |          |                   |                   | DSA signatures (and RSA-PSS)            |
+|              |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2021-43527   |
+--------------+                  +          +                   +                   +                                         +
+| nss-sysinit  |                  |          |                   |                   |                                         |
+|              |                  |          |                   |                   |                                         |
+|              |                  |          |                   |                   |                                         |
+|              |                  |          |                   |                   |                                         |
+--------------+                  +          +                   +                   +                                         +
+| nss-tools    |                  |          |                   |                   |                                         |
+|              |                  |          |                   |                   |                                         |
+|              |                  |          |                   |                   |                                         |
+|              |                  |          |                   |                   |                                         |
+--------------+------------------+----------+-------------------+-------------------+-----------------------------------------+
+| openssl-libs | CVE-2020-1971    | HIGH     | 1:1.0.2k-19.el7   | 1:1.0.2k-21.el7_9 | openssl: EDIPARTYNAME                   |
+|              |                  |          |                   |                   | NULL pointer de-reference               |
+|              |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2020-1971    |
+--------------+------------------+----------+-------------------+-------------------+-----------------------------------------+
 ```

 </details>

-[helper]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/vulnerability/module.go
+[helper]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go
 [policy]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/contrib/example_policy
--- a/docs/vulnerability/examples/report.md
+++ b/docs/vulnerability/examples/report.md
@@ -136,6 +136,15 @@ $ trivy image -f json -o results.json golang:1.12-alpine

 `VulnerabilityID`, `PkgName`, `InstalledVersion`, and `Severity` in `Vulnerabilities` are always filled with values, but other fields might be empty.

+## SARIF
+[Sarif][sarif] can be generated with the `--format sarif` option.
+
+```
+$ trivy image --format sarif -o report.sarif  golang:1.12-alpine
+```
+
+This SARIF file can be uploaded to GitHub code scanning results, and there is a [Trivy GitHub Action][action] for automating this process.
+
 ## Template

 ### Custom Template
@@ -183,19 +192,16 @@ $ trivy image --format template --template "@/path/to/template" golang:1.12-alpi
 ```

 ### Default Templates
+
+If Trivy is installed using rpm then default templates can be found at `/usr/local/share/trivy/templates`.
+
 #### XML
 In the following example using the template `junit.tpl` XML can be generated.
 ```
 $ trivy image --format template --template "@contrib/junit.tpl" -o junit-report.xml  golang:1.12-alpine
 ```

-#### SARIF
-In the following example using the template `sarif.tpl` [Sarif][sarif] can be generated.
-```
-$ trivy image --format template --template "@contrib/sarif.tpl" -o report.sarif  golang:1.12-alpine
-```
-This SARIF format can be uploaded to GitHub code scanning results, and there is a [Trivy GitHub Action][action] for automating this process.
-
+#### ASFF
 Trivy also supports an [ASFF template for reporting findings to AWS Security Hub][asff]

 #### HTML
@@ -204,8 +210,15 @@ Trivy also supports an [ASFF template for reporting findings to AWS Security Hub
 $ trivy image --format template --template "@contrib/html.tpl" -o report.html golang:1.12-alpine
 ```

+The following example shows use of default HTML template when Trivy is installed using rpm.
+
+```
+$ trivy image --format template --template "@/usr/local/share/trivy/templates/html.tpl" -o report.html golang:1.12-alpine
+```
+
+
 [new-json]: https://github.com/aquasecurity/trivy/discussions/1050
 [action]: https://github.com/aquasecurity/trivy-action
-[asff]: https://github.com/aquasecurity/trivy/blob/main/docs/integrations/aws-security-hub.md
+[asff]: https://github.com/aquasecurity/trivy/blob/main/docs/advanced/integrations/aws-security-hub.md
 [sarif]: https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-results-from-code-scanning
 [sprig]: http://masterminds.github.io/sprig/
--- a/docs/vulnerability/scanning/filesystem.md
+++ b/docs/vulnerability/scanning/filesystem.md
@@ -6,7 +6,8 @@ Scan a local project including language-specific files.
 $ trivy fs /path/to/project
 ```

-## Local Project
+## Standalone mode
+### Local Project
 Trivy will look for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json.

 ```
@@ -47,3 +48,56 @@ Total: 10 (UNKNOWN: 2, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)
 ```

 </details>
+
+### Single file
+It's also possible to scan a single file.
+
+```
+$ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test/Pipfile.lock
+```
+
+## Client/Server mode
+You must launch Trivy server in advance. 
+
+```sh
+$ trivy server
+```
+
+Then, Trivy works as a client if you specify the `--server` option.
+
+```sh
+$ trivy fs --server http://localhost:4954 --severity CRITICAL ./integration/testdata/fixtures/fs/pom/
+```
+
+<details>
+<summary>Result</summary>
+
+```
+pom.xml (pom)
+=============
+Total: 4 (CRITICAL: 4)
+
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
+|                   LIBRARY                   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |         FIXED VERSION          |                 TITLE                 |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
+| com.fasterxml.jackson.core:jackson-databind | CVE-2017-17485   | CRITICAL | 2.9.1             | 2.8.11, 2.9.4                  | jackson-databind: Unsafe              |
+|                                             |                  |          |                   |                                | deserialization due to                |
+|                                             |                  |          |                   |                                | incomplete black list (incomplete     |
+|                                             |                  |          |                   |                                | fix for CVE-2017-15095)...            |
+|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2017-17485 |
+                                             +------------------+          +                   +--------------------------------+---------------------------------------+
+|                                             | CVE-2020-9546    |          |                   | 2.7.9.7, 2.8.11.6, 2.9.10.4    | jackson-databind: Serialization       |
+|                                             |                  |          |                   |                                | gadgets in shaded-hikari-config       |
+|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-9546  |
+                                             +------------------+          +                   +                                +---------------------------------------+
+|                                             | CVE-2020-9547    |          |                   |                                | jackson-databind: Serialization       |
+|                                             |                  |          |                   |                                | gadgets in ibatis-sqlmap              |
+|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-9547  |
+                                             +------------------+          +                   +                                +---------------------------------------+
+|                                             | CVE-2020-9548    |          |                   |                                | jackson-databind: Serialization       |
+|                                             |                  |          |                   |                                | gadgets in anteros-core               |
+|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-9548  |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
+```
+</details>
+
--- a/docs/vulnerability/scanning/git-repository.md
+++ b/docs/vulnerability/scanning/git-repository.md
@@ -6,8 +6,6 @@ Scan your remote git repository
 $ trivy repo https://github.com/knqyf263/trivy-ci-test
 ```

-Only public repositories are supported.
-
 <details>
 <summary>Result</summary>

@@ -148,3 +146,20 @@ Total: 20 (UNKNOWN: 3, LOW: 0, MEDIUM: 7, HIGH: 5, CRITICAL: 5)
 ```

 </details>
+
+## Scanning Private Repositories
+
+In order to scan private GitHub or GitLab repositories, the environment variable `GITHUB_TOKEN` or `GITLAB_TOKEN` must be set, respectively, with a valid token that has access to the private repository being scanned.
+
+The `GITHUB_TOKEN` environment variable will take precedence over `GITLAB_TOKEN`, so if a private GitLab repository will be scanned, then `GITHUB_TOKEN` must be unset.
+
+For example:
+
+```
+$ export GITHUB_TOKEN="your_private_github_token"
+$ trivy repo <your private GitHub repo URL>
+$
+$ # or
+$ export GITLAB_TOKEN="your_private_gitlab_token"
+$ trivy repo <your private GitLab repo URL>
+```
--- a/docs/vulnerability/scanning/image.md
+++ b/docs/vulnerability/scanning/image.md
@@ -38,49 +38,52 @@ Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
 ## Tar Files

 ```
-$ docker save ruby:2.3.0-alpine3.9 -o ruby-2.3.0.tar
-$ trivy image --input ruby-2.3.0.tar
+$ docker pull ruby:3.1-alpine3.15
+$ docker save ruby:3.1-alpine3.15 -o ruby-3.1.tar
+$ trivy image --input ruby-3.1.tar
 ```

 <details>
 <summary>Result</summary>

 ```
-2019-05-16T12:45:57.332+0900    INFO    Updating vulnerability database...
-2019-05-16T12:45:59.119+0900    INFO    Detecting Debian vulnerabilities...
+2022-02-03T10:08:19.127Z        INFO    Detected OS: alpine
+2022-02-03T10:08:19.127Z        WARN    This OS version is not on the EOL list: alpine 3.15
+2022-02-03T10:08:19.127Z        INFO    Detecting Alpine vulnerabilities...
+2022-02-03T10:08:19.127Z        INFO    Number of language-specific files: 2
+2022-02-03T10:08:19.127Z        INFO    Detecting gemspec vulnerabilities...
+2022-02-03T10:08:19.128Z        INFO    Detecting node-pkg vulnerabilities...
+2022-02-03T10:08:19.128Z        WARN    This OS version is no longer supported by the distribution: alpine 3.15.0
+2022-02-03T10:08:19.128Z        WARN    The vulnerability detection may be insufficient because security updates are not provided

-ruby-2.3.0.tar (debian 8.4)
-===========================
-Total: 7447 (UNKNOWN: 5, LOW: 326, MEDIUM: 5695, HIGH: 1316, CRITICAL: 105)
+ruby-3.1.tar (alpine 3.15.0)
+============================
+Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 0)

-+------------------------------+---------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+
-|           LIBRARY            |  VULNERABILITY ID   | SEVERITY |     INSTALLED VERSION      |          FIXED VERSION           |                        TITLE                        |
-+------------------------------+---------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+
-| apt                          | CVE-2019-3462       | CRITICAL | 1.0.9.8.3                  | 1.0.9.8.5                        | Incorrect sanitation of the                         |
-|                              |                     |          |                            |                                  | 302 redirect field in HTTP                          |
-|                              |                     |          |                            |                                  | transport method of...                              |
-+                              +---------------------+----------+                            +----------------------------------+-----------------------------------------------------+
-|                              | CVE-2016-1252       | MEDIUM   |                            | 1.0.9.8.4                        | The apt package in Debian                           |
-|                              |                     |          |                            |                                  | jessie before 1.0.9.8.4, in                         |
-|                              |                     |          |                            |                                  | Debian unstable before...                           |
-+                              +---------------------+----------+                            +----------------------------------+-----------------------------------------------------+
-|                              | CVE-2011-3374       | LOW      |                            |                                  |                                                     |
-+------------------------------+---------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+
-| bash                         | CVE-2016-7543       | HIGH     | 4.3-11                     | 4.3-11+deb8u1                    | bash: Specially crafted                             |
-|                              |                     |          |                            |                                  | SHELLOPTS+PS4 variables allows                      |
-|                              |                     |          |                            |                                  | command substitution                                |
-+                              +---------------------+          +                            +----------------------------------+-----------------------------------------------------+
-|                              | CVE-2019-9924       |          |                            | 4.3-11+deb8u2                    | bash: BASH_CMD is writable in                       |
-|                              |                     |          |                            |                                  | restricted bash shells                              |
-+                              +---------------------+----------+                            +----------------------------------+-----------------------------------------------------+
-|                              | CVE-2016-0634       | MEDIUM   |                            | 4.3-11+deb8u1                    | bash: Arbitrary code execution                      |
-|                              |                     |          |                            |                                  | via malicious hostname                              |
-+                              +---------------------+----------+                            +----------------------------------+-----------------------------------------------------+
-|                              | CVE-2016-9401       | LOW      |                            | 4.3-11+deb8u2                    | bash: popd controlled free                          |
-+                              +---------------------+          +                            +----------------------------------+-----------------------------------------------------+
-|                              | TEMP-0841856-B18BAF |          |                            |                                  |                                                     |
-+------------------------------+---------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------
-...
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
+| LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
+| gmp      | CVE-2021-43618   | HIGH     | 6.2.1-r0          | 6.2.1-r1      | gmp: Integer overflow and resultant   |
+|          |                  |          |                   |               | buffer overflow via crafted input     |
+|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-43618 |
+----------+                  +          +                   +               +                                       +
+| gmp-dev  |                  |          |                   |               |                                       |
+|          |                  |          |                   |               |                                       |
+|          |                  |          |                   |               |                                       |
+----------+                  +          +                   +               +                                       +
+| libgmpxx |                  |          |                   |               |                                       |
+|          |                  |          |                   |               |                                       |
+|          |                  |          |                   |               |                                       |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
+
+Node.js (node-pkg)
+==================
+Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
+
+
+Ruby (gemspec)
+==============
+Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
 ```

 </details>
--- a/examples/misconf/custom-policy/hcl/policy/full_open.rego
+++ b/examples/misconf/custom-policy/hcl/policy/full_open.rego
@@ -11,6 +11,6 @@ __rego_input__ := {"selector": [{"type": "hcl"}]}

 deny[msg] {
 	input.environment == "dev"
-	contains(input.service.http[name].listen_addr, "0.0.0.0")
+	contains(input.service.http[name][_].listen_addr, "0.0.0.0")
 	msg = sprintf("'%s' listens on 0.0.0.0 in dev environment", [name])
 }
--- a/examples/misconf/custom-policy/hcl/policy/full_open_test.rego
+++ b/examples/misconf/custom-policy/hcl/policy/full_open_test.rego
@@ -1,39 +1,43 @@
 package user.hcl.ID004

 test_denied {
-	msg := "'web_proxy' listens on 0.0.0.0 in dev environment"
 	deny[msg] with input as {
-	    "environment": "dev",
-	    "service": {
-	        "http": {
-	            "web_proxy": {
-	                "listen_addr": "0.0.0.0:8080",
-	                "process": {
-	                    "main": {
-	                        "command": ["/usr/local/bin/awesome-app", "server"],
-	                    },
-	                },
-	            },
-	        },
-	    },
+		"environment": "dev",
+		"service": {"http": {"web_proxy": [{
+			"listen_addr": "0.0.0.0:8080",
+			"process": {
+				"main": [{"command": [
+					"/usr/local/bin/awesome-app",
+					"server",
+				]}],
+				"mgmt": [{"command": [
+					"/usr/local/bin/awesome-app",
+					"mgmt",
+				]}],
+			},
+		}]}},
 	}
+
+	msg == "'web_proxy' listens on 0.0.0.0 in dev environment"
 }

 test_allowed {
 	r := deny with input as {
-	    "environment": "dev",
-	    "service": {
-	        "http": {
-	            "web_proxy": {
-	                "listen_addr": "127.0.0.1:8080",
-	                "process": {
-	                    "main": {
-	                        "command": ["/usr/local/bin/awesome-app", "server"],
-	                    },
-	                },
-	            },
-	        },
-	    },
+		"environment": "dev",
+		"service": {"http": {"web_proxy": [{
+			"listen_addr": "127.0.0.1:8080",
+			"process": {
+				"main": [{"command": [
+					"/usr/local/bin/awesome-app",
+					"server",
+				]}],
+				"mgmt": [{"command": [
+					"/usr/local/bin/awesome-app",
+					"mgmt",
+				]}],
+			},
+		}]}},
 	}
+
 	count(r) == 0
 }
--- a/examples/misconf/mixed/README.md
+++ b/examples/misconf/mixed/README.md
@@ -67,7 +67,7 @@ Failures: 8 (HIGH: 6, CRITICAL: 1)
 +                                          +            +                                          +          +--------------------------------------------------------+
 |                                          |            |                                          |          | Resource                                               |
 |                                          |            |                                          |          | 'aws_api_gateway_domain_name.missing_security_policy'  |
-|                                          |            |                                          |          | should include security_policy (defauls to outdated    |
+|                                          |            |                                          |          | should include security_policy (defaults to outdated   |
 |                                          |            |                                          |          | SSL/TLS policy). -->tfsec.dev/docs/aws/AWS025/         |
 +                                          +            +                                          +          +--------------------------------------------------------+
 |                                          |            |                                          |          | Resource                                               |
--- a/examples/misconf/mixed/configs/bucket.yaml
+++ b/examples/misconf/mixed/configs/bucket.yaml
@@ -0,0 +1,24 @@
+---
+AWSTemplateFormatVersion: "2010-09-09"
+Description: An example Stack for a bucket
+Parameters:
+  BucketName: 
+    Type: String
+    Default: naughty-bucket
+  EncryptBucket:
+    Type: Boolean
+    Default: false
+Resources:
+  S3Bucket:
+    Type: 'AWS::S3::Bucket'
+    Properties:
+      BucketName:
+        Ref: BucketName
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: false
+        BlockPublicPolicy: false
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: false
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+        - BucketKeyEnabled: !Ref EncryptBucket
--- a/go.mod
+++ b/go.mod
@@ -1,53 +1,201 @@
 module github.com/aquasecurity/trivy

-go 1.16
+go 1.18

 require (
-	github.com/Masterminds/goutils v1.1.1 // indirect
-	github.com/Masterminds/sprig v2.22.0+incompatible
+	github.com/CycloneDX/cyclonedx-go v0.5.0
+	github.com/Masterminds/sprig/v3 v3.2.2
 	github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/fanal v0.0.0-20211005172059-69527b46560c
-	github.com/aquasecurity/go-dep-parser v0.0.0-20210919151457-76db061b9305
+	github.com/aquasecurity/fanal v0.0.0-20220324154234-b2df5b98f8cd
+	github.com/aquasecurity/go-dep-parser v0.0.0-20220302151315-ff6d77c26988
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
 	github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492
-	github.com/aquasecurity/trivy-db v0.0.0-20210916043317-726b7b72a47b
-	github.com/caarlos0/env/v6 v6.0.0
+	github.com/aquasecurity/trivy-db v0.0.0-20220327074450-74195d9604b2
+	github.com/caarlos0/env/v6 v6.9.1
 	github.com/cenkalti/backoff v2.2.1+incompatible
-	github.com/cheggaaa/pb/v3 v3.0.3
-	github.com/containerd/containerd v1.5.4 // indirect
-	github.com/docker/docker v20.10.8+incompatible
+	github.com/cheggaaa/pb/v3 v3.0.8
+	github.com/docker/docker v20.10.12+incompatible
 	github.com/docker/go-connections v0.4.0
-	github.com/fatih/color v1.10.0
-	github.com/go-redis/redis/v8 v8.11.3
-	github.com/goccy/go-yaml v1.8.2 // indirect
+	github.com/fatih/color v1.13.0
+	github.com/go-redis/redis/v8 v8.11.4
 	github.com/golang/protobuf v1.5.2
-	github.com/google/go-containerregistry v0.6.0
-	github.com/google/go-github/v33 v33.0.0
-	github.com/google/wire v0.4.0
-	github.com/hashicorp/go-getter v1.5.2
-	github.com/huandu/xstrings v1.3.2 // indirect
+	github.com/google/go-containerregistry v0.7.1-0.20211214010025-a65b7844a475
+	github.com/google/uuid v1.3.0
+	github.com/google/wire v0.5.0
+	github.com/hashicorp/go-getter v1.5.11
 	github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
 	github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
 	github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936
-	github.com/kylelemons/godebug v1.1.0
 	github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08
-	github.com/mitchellh/copystructure v1.1.1 // indirect
 	github.com/olekukonko/tablewriter v0.0.5
-	github.com/open-policy-agent/opa v0.32.0
-	github.com/spf13/afero v1.6.0
-	github.com/stretchr/objx v0.3.0 // indirect
+	github.com/open-policy-agent/opa v0.37.2
+	github.com/owenrumney/go-sarif/v2 v2.1.1
+	github.com/package-url/packageurl-go v0.1.1-0.20220203205134-d70459300c8a
+	github.com/spf13/afero v1.8.1 // indirect
 	github.com/stretchr/testify v1.7.0
-	github.com/testcontainers/testcontainers-go v0.11.1
-	github.com/twitchtv/twirp v8.1.0+incompatible
+	github.com/testcontainers/testcontainers-go v0.12.0
+	github.com/twitchtv/twirp v8.1.1+incompatible
 	github.com/urfave/cli/v2 v2.3.0
-	go.uber.org/zap v1.19.1
-	golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c
+	go.uber.org/zap v1.21.0
+	golang.org/x/exp v0.0.0-20220321124402-2d6d886f8a82
+	golang.org/x/sys v0.0.0-20220204135822-1c1b9b1eba6a // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1
 	google.golang.org/protobuf v1.27.1
-	gopkg.in/go-playground/validator.v9 v9.31.0 // indirect
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
 	k8s.io/utils v0.0.0-20201110183641-67b214c5f920
 )
+
+require (
+	cloud.google.com/go v0.99.0 // indirect
+	cloud.google.com/go/storage v1.14.0 // indirect
+	github.com/Azure/azure-sdk-for-go v61.4.0+incompatible // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect
+	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
+	github.com/Azure/go-autorest/autorest v0.11.24 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.18 // indirect
+	github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 // indirect
+	github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 // indirect
+	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
+	github.com/Azure/go-autorest/logger v0.2.1 // indirect
+	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
+	github.com/BurntSushi/toml v1.0.0 // indirect
+	github.com/GoogleCloudPlatform/docker-credential-gcr v1.5.0 // indirect
+	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/Masterminds/semver/v3 v3.1.1 // indirect
+	github.com/Microsoft/go-winio v0.5.1 // indirect
+	github.com/Microsoft/hcsshim v0.9.2 // indirect
+	github.com/OneOfOne/xxhash v1.2.8 // indirect
+	github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7 // indirect
+	github.com/VividCortex/ewma v1.1.1 // indirect
+	github.com/acomagu/bufpipe v1.0.3 // indirect
+	github.com/agext/levenshtein v1.2.3 // indirect
+	github.com/apparentlymart/go-cidr v1.1.0 // indirect
+	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
+	github.com/aquasecurity/defsec v0.17.1 // indirect
+	github.com/aquasecurity/tfsec v1.8.0 // indirect
+	github.com/aws/aws-sdk-go v1.43.8 // indirect
+	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
+	github.com/bmatcuk/doublestar v1.3.4 // indirect
+	github.com/briandowns/spinner v1.12.0 // indirect
+	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/containerd/cgroups v1.0.3 // indirect
+	github.com/containerd/containerd v1.5.9 // indirect
+	github.com/containerd/continuity v0.2.2 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.10.1 // indirect
+	github.com/containerd/typeurl v1.0.2 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.1 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
+	github.com/dimchansky/utfbom v1.1.1 // indirect
+	github.com/docker/cli v20.10.11+incompatible // indirect
+	github.com/docker/distribution v2.7.1+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.6.4 // indirect
+	github.com/docker/go-units v0.4.0 // indirect
+	github.com/emirpasic/gods v1.12.0 // indirect
+	github.com/ghodss/yaml v1.0.0 // indirect
+	github.com/go-git/gcfg v1.5.0 // indirect
+	github.com/go-git/go-billy/v5 v5.3.1 // indirect
+	github.com/go-git/go-git/v5 v5.4.2 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
+	github.com/goccy/go-yaml v1.8.2 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt/v4 v4.2.0 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/googleapis/gax-go/v2 v2.1.1 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.0 // indirect
+	github.com/hashicorp/go-safetemp v1.0.0 // indirect
+	github.com/hashicorp/go-uuid v1.0.2 // indirect
+	github.com/hashicorp/go-version v1.4.0 // indirect
+	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/hashicorp/hcl/v2 v2.11.1 // indirect
+	github.com/huandu/xstrings v1.3.1 // indirect
+	github.com/imdario/mergo v0.3.12 // indirect
+	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
+	github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 // indirect
+	github.com/klauspost/compress v1.14.2 // indirect
+	github.com/knqyf263/go-rpmdb v0.0.0-20220209103220-0f7a6d951a6d // indirect
+	github.com/knqyf263/nested v0.0.1 // indirect
+	github.com/liamg/iamgo v0.0.6 // indirect
+	github.com/liamg/jfather v0.0.7 // indirect
+	github.com/magiconair/properties v1.8.5 // indirect
+	github.com/mattn/go-colorable v0.1.12 // indirect
+	github.com/mattn/go-isatty v0.0.14 // indirect
+	github.com/mattn/go-runewidth v0.0.12 // indirect
+	github.com/mitchellh/copystructure v1.0.0 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/go-testing-interface v1.0.0 // indirect
+	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/mitchellh/mapstructure v1.4.3 // indirect
+	github.com/mitchellh/reflectwalk v1.0.0 // indirect
+	github.com/moby/buildkit v0.9.3 // indirect
+	github.com/moby/sys/mount v0.2.0 // indirect
+	github.com/moby/sys/mountinfo v0.6.0 // indirect
+	github.com/moby/term v0.0.0-20201216013528-df9cb8a40635 // indirect
+	github.com/morikuni/aec v1.0.0 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.0.2 // indirect
+	github.com/opencontainers/runc v1.1.0 // indirect
+	github.com/owenrumney/squealer v0.3.1 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
+	github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0 // indirect
+	github.com/rivo/uniseg v0.2.0 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/saracen/walker v0.0.0-20191201085201-324a081bae7e // indirect
+	github.com/sergi/go-diff v1.1.0 // indirect
+	github.com/shopspring/decimal v1.2.0 // indirect
+	github.com/sirupsen/logrus v1.8.1 // indirect
+	github.com/spf13/cast v1.4.1 // indirect
+	github.com/stretchr/objx v0.3.0 // indirect
+	github.com/tmccombs/hcl2json v0.3.4 // indirect
+	github.com/ulikunitz/xz v0.5.8 // indirect
+	github.com/vbatts/tar-split v0.11.2 // indirect
+	github.com/xanzy/ssh-agent v0.3.0 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	github.com/yashtewari/glob-intersection v0.0.0-20180916065949-5c77d914dd0b // indirect
+	github.com/zclconf/go-cty v1.10.0 // indirect
+	github.com/zclconf/go-cty-yaml v1.0.2 // indirect
+	go.etcd.io/bbolt v1.3.6 // indirect
+	go.opencensus.io v0.23.0 // indirect
+	go.uber.org/atomic v1.7.0 // indirect
+	go.uber.org/multierr v1.6.0 // indirect
+	golang.org/x/crypto v0.0.0-20220208233918-bba287dce954 // indirect
+	golang.org/x/mod v0.6.0-dev.0.20211013180041-c96bc1413d57 // indirect
+	golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd // indirect
+	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
+	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
+	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/tools v0.1.8 // indirect
+	google.golang.org/api v0.62.0 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/genproto v0.0.0-20220204002441-d6cc3cc0770e // indirect
+	google.golang.org/grpc v1.44.0 // indirect
+	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
+	gopkg.in/go-playground/validator.v9 v9.31.0 // indirect
+	gopkg.in/warnings.v0 v0.1.2 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	lukechampine.com/uint128 v1.1.1 // indirect
+	modernc.org/cc/v3 v3.35.22 // indirect
+	modernc.org/ccgo/v3 v3.15.1 // indirect
+	modernc.org/libc v1.14.1 // indirect
+	modernc.org/mathutil v1.4.1 // indirect
+	modernc.org/memory v1.0.5 // indirect
+	modernc.org/opt v0.1.1 // indirect
+	modernc.org/sqlite v1.14.5 // indirect
+	modernc.org/strutil v1.1.1 // indirect
+	modernc.org/token v1.0.0 // indirect
+	sigs.k8s.io/yaml v1.3.0 // indirect
+)
+
+// To resolve CVE-2021-3538. Note that it is used only for testing.
+replace github.com/satori/go.uuid v1.2.0 => github.com/satori/go.uuid v1.2.1-0.20181016170032-d91630c85102
--- a/go.sum
+++ b/go.sum
--- a/goreleaser.yml
+++ b/goreleaser.yml
@@ -13,18 +13,22 @@ builds:
      - darwin
      - linux
      - freebsd
-      - openbsd
    goarch:
      - amd64
      - 386
      - arm
      - arm64
-      - ppc64le
+      - s390x
    goarm:
      - 7
    ignore:
      - goos: darwin
        goarch: 386
+      # modernc.org/sqlite doesn't support the following pairs
+      - goos: freebsd
+        goarch: arm
+      - goos: freebsd
+        goarch: arm64

 release:
    extra_files:
@@ -86,9 +90,9 @@ brews:
      owner: aquasecurity
      name: homebrew-trivy
    homepage: "https://github.com/aquasecurity/trivy"
-    description: ""
+    description: "Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues"
    test: |
-      system "#{bin}/trivy --version"
+      system "#{bin}/trivy", "--version"

 dockers:
  - image_templates:
@@ -98,20 +102,21 @@ dockers:
      - "ghcr.io/aquasecurity/trivy:latest-amd64"
      - "public.ecr.aws/aquasecurity/trivy:latest-amd64"
      - "public.ecr.aws/aquasecurity/trivy:{{ .Version }}-amd64"
-    use_buildx: true
+    use: buildx
    goos: linux
    goarch: amd64
    ids:
      - trivy
    build_flag_templates:
-      - "--label=org.label-schema.schema-version=1.0"
-      - "--label=org.label-schema.name={{ .ProjectName }}"
-      - "--label=org.label-schema.description=A Fast Vulnerability Scanner for Containers"
-      - "--label=org.label-schema.vendor=Aqua Security"
-      - "--label=org.label-schema.version={{ .Version }}"
-      - "--label=org.label-schema.build-date={{ .Date }}"
-      - "--label=org.label-schema.vcs=https://github.com/aquasecurity/trivy"
-      - "--label=org.label-schema.vcs-ref={{ .FullCommit }}"
+      - "--label=org.opencontainers.image.title={{ .ProjectName }}"
+      - "--label=org.opencontainers.image.description=A Fast Vulnerability Scanner for Containers"
+      - "--label=org.opencontainers.image.vendor=Aqua Security"
+      - "--label=org.opencontainers.image.version={{ .Version }}"
+      - "--label=org.opencontainers.image.created={{ .Date }}"
+      - "--label=org.opencontainers.image.source=https://github.com/aquasecurity/trivy"
+      - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+      - "--label=org.opencontainers.image.url=https://www.aquasec.com/products/trivy/"
+      - "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/trivy/v{{ .Version }}/"
      - "--platform=linux/amd64"
    extra_files:
    - contrib/
@@ -122,46 +127,88 @@ dockers:
      - "ghcr.io/aquasecurity/trivy:latest-arm64"
      - "public.ecr.aws/aquasecurity/trivy:latest-arm64"
      - "public.ecr.aws/aquasecurity/trivy:{{ .Version }}-arm64"
-    use_buildx: true
+    use: buildx
    goos: linux
    goarch: arm64
    ids:
      - trivy
    build_flag_templates:
-      - "--label=org.label-schema.schema-version=1.0"
-      - "--label=org.label-schema.name={{ .ProjectName }}"
-      - "--label=org.label-schema.description=A Fast Vulnerability Scanner for Containers"
-      - "--label=org.label-schema.vendor=Aqua Security"
-      - "--label=org.label-schema.version={{ .Version }}"
-      - "--label=org.label-schema.build-date={{ .Date }}"
-      - "--label=org.label-schema.vcs=https://github.com/aquasecurity/trivy"
-      - "--label=org.label-schema.vcs-ref={{ .FullCommit }}"
+      - "--label=org.opencontainers.image.title={{ .ProjectName }}"
+      - "--label=org.opencontainers.image.description=A Fast Vulnerability Scanner for Containers"
+      - "--label=org.opencontainers.image.vendor=Aqua Security"
+      - "--label=org.opencontainers.image.version={{ .Version }}"
+      - "--label=org.opencontainers.image.created={{ .Date }}"
+      - "--label=org.opencontainers.image.source=https://github.com/aquasecurity/trivy"
+      - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+      - "--label=org.opencontainers.image.url=https://www.aquasec.com/products/trivy/"
+      - "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/trivy/v{{ .Version }}/"
      - "--platform=linux/arm64"
    extra_files:
    - contrib/
+  - image_templates:
+      - "docker.io/aquasec/trivy:{{ .Version }}-s390x"
+      - "docker.io/aquasec/trivy:latest-s390x"
+      - "ghcr.io/aquasecurity/trivy:{{ .Version }}-s390x"
+      - "ghcr.io/aquasecurity/trivy:latest-s390x"
+      - "public.ecr.aws/aquasecurity/trivy:latest-s390x"
+      - "public.ecr.aws/aquasecurity/trivy:{{ .Version }}-s390x"
+    use: buildx
+    goos: linux
+    goarch: s390x
+    ids:
+      - trivy
+    build_flag_templates:
+      - "--label=org.opencontainers.image.title={{ .ProjectName }}"
+      - "--label=org.opencontainers.image.description=A Fast Vulnerability Scanner for Containers"
+      - "--label=org.opencontainers.image.vendor=Aqua Security"
+      - "--label=org.opencontainers.image.version={{ .Version }}"
+      - "--label=org.opencontainers.image.created={{ .Date }}"
+      - "--label=org.opencontainers.image.source=https://github.com/aquasecurity/trivy"
+      - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+      - "--label=org.opencontainers.image.url=https://www.aquasec.com/products/trivy/"
+      - "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/trivy/v{{ .Version }}/"
+      - "--platform=linux/s390x"
+    extra_files:
+    - contrib/

 docker_manifests:
  - name_template: 'aquasec/trivy:{{ .Version }}'
    image_templates:
    - 'aquasec/trivy:{{ .Version }}-amd64'
    - 'aquasec/trivy:{{ .Version }}-arm64'
+    - 'aquasec/trivy:{{ .Version }}-s390x'
  - name_template: 'ghcr.io/aquasecurity/trivy:{{ .Version }}'
    image_templates:
    - 'ghcr.io/aquasecurity/trivy:{{ .Version }}-amd64'
    - 'ghcr.io/aquasecurity/trivy:{{ .Version }}-arm64'
+    - 'ghcr.io/aquasecurity/trivy:{{ .Version }}-s390x'
  - name_template: 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}'
    image_templates:
    - 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-amd64'
    - 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-arm64'
+    - 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-s390x'
  - name_template: 'aquasec/trivy:latest'
    image_templates:
    - 'aquasec/trivy:{{ .Version }}-amd64'
    - 'aquasec/trivy:{{ .Version }}-arm64'
+    - 'aquasec/trivy:{{ .Version }}-s390x'
  - name_template: 'ghcr.io/aquasecurity/trivy:latest'
    image_templates:
    - 'ghcr.io/aquasecurity/trivy:{{ .Version }}-amd64'
    - 'ghcr.io/aquasecurity/trivy:{{ .Version }}-arm64'
+    - 'ghcr.io/aquasecurity/trivy:{{ .Version }}-s390x'
  - name_template: 'public.ecr.aws/aquasecurity/trivy:latest'
-    image_templates: 
+    image_templates:
    - 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-amd64'
    - 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-arm64'
+    - 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-s390x'
+
+docker_signs:
+- cmd: cosign
+  env:
+  - COSIGN_EXPERIMENTAL=1
+  artifacts: manifests
+  output: true
+  args:
+  - 'sign'
+  - '${artifact}'
--- a/helm/trivy/Chart.yaml
+++ b/helm/trivy/Chart.yaml
@@ -1,11 +1,11 @@
 apiVersion: v2
 name: trivy
-version: 0.4.4
-appVersion: "0.18.3"
+version: 0.4.12
+appVersion: 0.24.0
 description: Trivy helm chart
 keywords:
  - scanner
  - trivy
  - vulnerability
 sources:
- https://github.com/aquasecurity/trivy
+  - https://github.com/aquasecurity/trivy
--- a/helm/trivy/README.md
+++ b/helm/trivy/README.md
@@ -62,19 +62,25 @@ The following table lists the configurable parameters of the Trivy chart and the
 | `image.pullPolicy`                    | Image pull policy                                                       | `IfNotPresent` |
 | `image.pullSecret`                    | The name of an imagePullSecret used to pull trivy image from e.g. Docker Hub or a private registry  | |
 | `replicaCount`                        | Number of Trivy Pods to run                                   | `1`            |
-| `trivy.debugMode`             | The flag to enable or disable Trivy debug mode                          | `false` |
-| `trivy.gitHubToken`           | The GitHub access token to download Trivy DB. More info: https://github.com/aquasecurity/trivy#github-rate-limiting                          |      |
-| `trivy.skipUpdate`            | The flag to enable or disable Trivy DB downloads from GitHub            | `false`        |
+| `trivy.debugMode`                     | The flag to enable or disable Trivy debug mode                          | `false` |
+| `trivy.gitHubToken`                   | The GitHub access token to download Trivy DB. More info: https://github.com/aquasecurity/trivy#github-rate-limiting                          |      |
+| `trivy.registryUsername`              | The username used to log in at dockerhub. More info: https://aquasecurity.github.io/trivy/dev/advanced/private-registries/docker-hub/ |      |
+| `trivy.registryPassword`              | The password used to log in at dockerhub. More info: https://aquasecurity.github.io/trivy/dev/advanced/private-registries/docker-hub/ |      |
+| `trivy.registryCredentialsExistingSecret` | Name of Secret containing dockerhub credentials. Alternative to the 2 parameters above, has precedence if set.                    |      |
+| `trivy.serviceAccount.annotations`        | Additional annotations to add to the Kubernetes service account resource |     |
+| `trivy.skipUpdate`                    | The flag to enable or disable Trivy DB downloads from GitHub            | `false`        |
 | `trivy.cache.redis.enabled`           | Enable Redis as caching backend                                         | `false` |
 | `trivy.cache.redis.url`               | Specify redis connection url, e.g. redis://redis.redis.svc:6379         | `` |
+| `trivy.serverToken`                   | The token to authenticate Trivy client with Trivy server                | `` |
+| `service.name`                        | If specified, the name used for the Trivy service                       |     |
 | `service.type`                        | Kubernetes service type                                                 | `ClusterIP` |
 | `service.port`                        | Kubernetes service port                                                 | `4954`      |
 | `httpProxy`                           | The URL of the HTTP proxy server                                        |     |
 | `httpsProxy`                          | The URL of the HTTPS proxy server                                       |     |
 | `noProxy`                             | The URLs that the proxy settings do not apply to                        |     |
 | `nodeSelector`                        | Node labels for pod assignment                                              |     |
-| `affinity`                        | Affinity settings for pod assignment                                              |     |
-| `tolerations`                        | Tolerations for pod assignment                                              |     |
+| `affinity`                            | Affinity settings for pod assignment                                              |     |
+| `tolerations`                         | Tolerations for pod assignment                                              |     |

 The above parameters map to the env variables defined in [trivy](https://github.com/aquasecurity/trivy#configuration).

--- a/helm/trivy/templates/_helpers.tpl
+++ b/helm/trivy/templates/_helpers.tpl
@@ -50,6 +50,6 @@ Return the proper imageRef as used by the container template spec.
 {{- define "trivy.imageRef" -}}
 {{- $registryName := .Values.image.registry -}}
 {{- $repositoryName := .Values.image.repository -}}
-{{- $tag := .Values.image.tag | toString -}}
+{{- $tag := .Values.image.tag | default .Chart.AppVersion | toString -}}
 {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
 {{- end -}}
--- a/helm/trivy/templates/configmap.yaml
+++ b/helm/trivy/templates/configmap.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "trivy.fullname" . }}
+  labels:
+{{ include "trivy.labels" . | indent 4 }}
+data:
+  TRIVY_LISTEN: "0.0.0.0:{{ .Values.service.port }}"
+  TRIVY_CACHE_DIR: "/home/scanner/.cache/trivy"
+{{- if .Values.trivy.cache.redis.enabled }}
+  TRIVY_CACHE_BACKEND: {{ .Values.trivy.cache.redis.url | quote }}
+{{- end }}
+  TRIVY_DEBUG: {{ .Values.trivy.debugMode | quote }}
+  TRIVY_SKIP_UPDATE: {{ .Values.trivy.skipUpdate | quote }}
+{{- if .Values.httpProxy }}
+  HTTP_PROXY: {{ .Values.httpProxy | quote }}
+{{- end }}
+{{- if .Values.httpsProxy }}
+  HTTPS_PROXY: {{ .Values.httpsProxy | quote }}
+{{- end }}
+{{- if .Values.noProxy }}
+  NO_PROXY: {{ .Values.noProxy | quote }}
+{{- end }}
--- a/helm/trivy/templates/ingress.yaml
+++ b/helm/trivy/templates/ingress.yaml
@@ -1,6 +1,12 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "trivy.fullname" . -}}
+{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+apiVersion: networking.k8s.io/v1
+{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }}
 apiVersion: networking.k8s.io/v1beta1
+{{- else }}
+apiVersion: extensions/v1beta1
+{{- end }}
 kind: Ingress
 metadata:
  name: {{ include "trivy.fullname" . }}
@@ -12,6 +18,9 @@ metadata:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 spec:
+{{- if and (.Values.ingress.ingressClassName) (semverCompare ">= v1.18.0" .Capabilities.KubeVersion.Version) }}
+  ingressClassName: {{ .Values.ingress.ingressClassName }}
+{{- end }}
 {{- if .Values.ingress.tls }}
  tls:
  {{- range .Values.ingress.tls }}
@@ -28,8 +37,17 @@ spec:
      http:
        paths:
          - path: {{ $.Values.ingress.path }}
+        {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+            pathType: {{ $.Values.ingress.pathType }}
+            backend:
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $.Values.service.port -}}
+          {{- else }}
            backend:
              serviceName: {{ $fullName }}
              servicePort: {{ $.Values.service.port -}}
+          {{- end }}
  {{- end }}
-{{- end }}
+{{- end }}
--- a/helm/trivy/templates/podsecuritypolicy.yaml
+++ b/helm/trivy/templates/podsecuritypolicy.yaml
@@ -1,4 +1,5 @@
 {{- if .Values.rbac.pspEnabled }}
+  {{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
@@ -35,4 +36,5 @@ spec:
  readOnlyRootFilesystem: true
  requiredDropCapabilities:
    - ALL
-{{- end }}
+  {{- end }}
+{{- end }}
--- a/helm/trivy/templates/role.yaml
+++ b/helm/trivy/templates/role.yaml
@@ -7,10 +7,12 @@ metadata:
 {{ include "trivy.labels" . | indent 4 }}
  namespace: {{ .Release.Namespace }}
 {{- if .Values.rbac.pspEnabled }}
+  {{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
 rules:
 - apiGroups:      ['policy']
  resources:      ['podsecuritypolicies']
  verbs:          ['use']
  resourceNames:  [{{ include "trivy.fullname" . }}]
+  {{- end }}
+{{- end }}
 {{- end }}
-{{- end }}
--- a/helm/trivy/templates/secret.yaml
+++ b/helm/trivy/templates/secret.yaml
@@ -6,4 +6,9 @@ metadata:
 {{ include "trivy.labels" . | indent 4 }}
 type: Opaque
 data:
-  gitHubToken: {{ .Values.trivy.gitHubToken | default "" | b64enc | quote }}
+  GITHUB_TOKEN: {{ .Values.trivy.gitHubToken | default "" | b64enc | quote }}
+  TRIVY_TOKEN: {{ .Values.trivy.serverToken | default "" | b64enc | quote }}
+{{- if not .Values.trivy.registryCredentialsExistingSecret }}
+  TRIVY_USERNAME: {{ .Values.trivy.registryUsername | default "" | b64enc | quote }}
+  TRIVY_PASSWORD: {{ .Values.trivy.registryPassword | default "" | b64enc | quote }}
+{{- end -}}
--- a/helm/trivy/templates/service.yaml
+++ b/helm/trivy/templates/service.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ include "trivy.fullname" . }}
+  name: {{ .Values.service.name | default (include "trivy.fullname" .) }}
  labels:
 {{ include "trivy.labels" . | indent 4 }}
 spec:
--- a/helm/trivy/templates/serviceaccount.yaml
+++ b/helm/trivy/templates/serviceaccount.yaml
@@ -4,4 +4,8 @@ metadata:
  name: {{ include "trivy.fullname" . }}
  labels:
 {{ include "trivy.labels" . | indent 4 }}
+{{- if (.Values.trivy.serviceAccount).annotations }}
+  annotations:
+{{ toYaml .Values.trivy.serviceAccount.annotations | indent 4 }}
+{{- end }}
  namespace: {{ .Release.Namespace }}
--- a/helm/trivy/templates/statefulset.yaml
+++ b/helm/trivy/templates/statefulset.yaml
@@ -4,6 +4,9 @@ metadata:
  name: {{ include "trivy.fullname" . }}
  labels:
 {{ include "trivy.labels" . | indent 4 }}
+    {{- with .Values.trivy.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 spec:
  podManagementPolicy: "Parallel"
  serviceName: {{ include "trivy.fullname" . }}
@@ -29,6 +32,9 @@ spec:
      labels:
        app.kubernetes.io/name: {{ include "trivy.name" . }}
        app.kubernetes.io/instance: {{ .Release.Name }}
+        {{- with .Values.trivy.labels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
    spec:
      serviceAccountName: {{ include "trivy.fullname" . }}
      automountServiceAccountToken: false
@@ -62,30 +68,24 @@ spec:
          {{- end }}
          args:
            - server
+          {{- if .Values.trivy.registryCredentialsExistingSecret }}
          env:
-            - name: "TRIVY_LISTEN"
-              value: "0.0.0.0:{{ .Values.service.port | default 4954 }}"
-            - name: "TRIVY_CACHE_DIR"
-              value: "/home/scanner/.cache/trivy"
-            {{- if .Values.trivy.cache.redis.enabled }}
-            - name: "TRIVY_CACHE_BACKEND"
-              value: {{ .Values.trivy.cache.redis.url | quote }}
-            {{- end }}
-            - name: "TRIVY_DEBUG"
-              value: {{ .Values.trivy.debugMode | default false | quote }}
-            - name: "TRIVY_SKIP_UPDATE"
-              value: {{ .Values.trivy.skipUpdate | default false | quote }}
-            - name: "GITHUB_TOKEN"
+            - name: TRIVY_USERNAME
              valueFrom:
                secretKeyRef:
-                  name: {{ include "trivy.fullname" . }}
-                  key: gitHubToken
-            - name: "HTTP_PROXY"
-              value: {{ .Values.httpProxy | quote }}
-            - name: "HTTPS_PROXY"
-              value: {{ .Values.httpsProxy | quote }}
-            - name: "NO_PROXY"
-              value: {{ .Values.noProxy | quote }}
+                  name: {{ .Values.trivy.registryCredentialsExistingSecret }}
+                  key: TRIVY_USERNAME
+            - name: TRIVY_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.trivy.registryCredentialsExistingSecret }}
+                  key: TRIVY_PASSWORD
+          {{- end }}
+          envFrom:
+            - configMapRef:
+                name: {{ include "trivy.fullname" . }}
+            - secretRef:
+                name: {{ include "trivy.fullname" . }}
          ports:
            - name: trivy-http
              containerPort: {{ .Values.service.port }}
--- a/helm/trivy/values.yaml
+++ b/helm/trivy/values.yaml
@@ -4,7 +4,9 @@ fullnameOverride: ""
 image:
  registry: docker.io
  repository: aquasec/trivy
-  tag: 0.18.3
+  # tag is an override of the image tag, which is by default set by the
+  # appVersion field in Chart.yaml.
+  tag: ""
  pullPolicy: IfNotPresent
  pullSecret: ""

@@ -68,6 +70,24 @@ trivy:
  # You can create a GitHub token by following the instructions in
  # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
  gitHubToken: ""
+  # Docker registry credentials
+  # See also: https://aquasecurity.github.io/trivy/dev/advanced/private-registries/docker-hub/
+  #
+  # Either
+  # Directly in this file
+  #
+  # TRIVY_USERNAME
+  registryUsername: ""
+  # TRIVY_PASSWORD
+  registryPassword: ""
+  #
+  # Or
+  # From an existing secret
+  #
+  # The secret must be Opaque and just contain "TRIVY_USERNAME: your_user" and "TRIVY_PASSWORD: your_password" as k/v pairs.
+  # NOTE: When this is set the previous parameters are ignored.
+  #
+  # registryCredentialsExistingSecret: name-of-existing-secret
  # skipUpdate the flag to enable or disable Trivy DB downloads from GitHub
  #
  # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
@@ -85,9 +105,18 @@ trivy:
  cache:
    redis:
      enabled: false
-      url: "" # e.g. redis://redis.redis.svc:6379
+      url: ""  # e.g. redis://redis.redis.svc:6379
+  serviceAccount:
+    annotations: {}
+      # eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME
+  # If you want to add custom labels to your statefulset and podTemplate
+  labels: {}
+  # serverToken is the token to authenticate Trivy client with Trivy server.
+  serverToken: ""

 service:
+  # If specified, the name used for the Trivy service.
+  name:
  # type Kubernetes service type
  type: ClusterIP
  # port Kubernetes service port
@@ -95,11 +124,15 @@ service:

 ingress:
  enabled: false
+  # From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation.
+  ingressClassName:
  annotations: {}
    # kubernetes.io/ingress.class: nginx
  hosts:
    - host: trivy.example.com
  path: "/"
+  # type is only needed for networking.k8s.io/v1 in k8s 1.19+
+  pathType: Prefix
  tls: []
  #  - secretName: trivy-example-tls
  #    hosts:
--- a/integration/client_server_test.go
+++ b/integration/client_server_test.go
@@ -5,6 +5,7 @@ package integration

 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"io"
 	"os"
@@ -13,6 +14,7 @@ import (
 	"testing"
 	"time"

+	cdx "github.com/CycloneDX/cyclonedx-go"
 	"github.com/docker/go-connections/nat"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -24,6 +26,8 @@ import (
 )

 type csArgs struct {
+	Command           string
+	RemoteAddrOption  string
 	Format            string
 	TemplatePath      string
 	IgnoreUnfixed     bool
@@ -32,6 +36,8 @@ type csArgs struct {
 	Input             string
 	ClientToken       string
 	ClientTokenHeader string
+	ListAllPackages   bool
+	Target            string
 }

 func TestClientServer(t *testing.T) {
@@ -42,54 +48,46 @@ func TestClientServer(t *testing.T) {
 		wantErr string
 	}{
 		{
-			name: "alpine 3.10 integration",
-			args: csArgs{
-				Input: "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310.json.golden",
-		},
-		{
-			name: "alpine 3.10 integration with --ignore-unfixed option",
-			args: csArgs{
-				IgnoreUnfixed: true,
-				Input:         "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310-ignore-unfixed.json.golden",
-		},
-		{
-			name: "alpine 3.10 integration with medium and high severity",
-			args: csArgs{
-				IgnoreUnfixed: true,
-				Severity:      []string{"MEDIUM", "HIGH"},
-				Input:         "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310-medium-high.json.golden",
-		},
-		{
-			name: "alpine 3.10 integration with .trivyignore",
-			args: csArgs{
-				IgnoreUnfixed: false,
-				IgnoreIDs:     []string{"CVE-2019-1549", "CVE-2019-1563"},
-				Input:         "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310-ignore-cveids.json.golden",
-		},
-		{
-			name: "alpine 3.9 integration",
+			name: "alpine 3.9",
 			args: csArgs{
 				Input: "testdata/fixtures/images/alpine-39.tar.gz",
 			},
 			golden: "testdata/alpine-39.json.golden",
 		},
 		{
-			name: "debian buster integration",
+			name: "alpine 3.9 with high and critical severity",
+			args: csArgs{
+				IgnoreUnfixed: true,
+				Severity:      []string{"HIGH", "CRITICAL"},
+				Input:         "testdata/fixtures/images/alpine-39.tar.gz",
+			},
+			golden: "testdata/alpine-39-high-critical.json.golden",
+		},
+		{
+			name: "alpine 3.9 with .trivyignore",
+			args: csArgs{
+				IgnoreUnfixed: false,
+				IgnoreIDs:     []string{"CVE-2019-1549", "CVE-2019-14697"},
+				Input:         "testdata/fixtures/images/alpine-39.tar.gz",
+			},
+			golden: "testdata/alpine-39-ignore-cveids.json.golden",
+		},
+		{
+			name: "alpine 3.10",
+			args: csArgs{
+				Input: "testdata/fixtures/images/alpine-310.tar.gz",
+			},
+			golden: "testdata/alpine-310.json.golden",
+		},
+		{
+			name: "debian buster/10",
 			args: csArgs{
 				Input: "testdata/fixtures/images/debian-buster.tar.gz",
 			},
 			golden: "testdata/debian-buster.json.golden",
 		},
 		{
-			name: "debian buster integration with --ignore-unfixed option",
+			name: "debian buster/10 with --ignore-unfixed option",
 			args: csArgs{
 				IgnoreUnfixed: true,
 				Input:         "testdata/fixtures/images/debian-buster.tar.gz",
@@ -97,43 +95,28 @@ func TestClientServer(t *testing.T) {
 			golden: "testdata/debian-buster-ignore-unfixed.json.golden",
 		},
 		{
-			name: "debian stretch integration",
+			name: "debian stretch/9",
 			args: csArgs{
 				Input: "testdata/fixtures/images/debian-stretch.tar.gz",
 			},
 			golden: "testdata/debian-stretch.json.golden",
 		},
 		{
-			name: "ubuntu 18.04 integration",
+			name: "ubuntu 18.04",
 			args: csArgs{
 				Input: "testdata/fixtures/images/ubuntu-1804.tar.gz",
 			},
 			golden: "testdata/ubuntu-1804.json.golden",
 		},
 		{
-			name: "ubuntu 18.04 integration with --ignore-unfixed option",
-			args: csArgs{
-				IgnoreUnfixed: true,
-				Input:         "testdata/fixtures/images/ubuntu-1804.tar.gz",
-			},
-			golden: "testdata/ubuntu-1804-ignore-unfixed.json.golden",
-		},
-		{
-			name: "ubuntu 16.04 integration",
-			args: csArgs{
-				Input: "testdata/fixtures/images/ubuntu-1604.tar.gz",
-			},
-			golden: "testdata/ubuntu-1604.json.golden",
-		},
-		{
-			name: "centos 7 integration",
+			name: "centos 7",
 			args: csArgs{
 				Input: "testdata/fixtures/images/centos-7.tar.gz",
 			},
 			golden: "testdata/centos-7.json.golden",
 		},
 		{
-			name: "centos 7 integration with --ignore-unfixed option",
+			name: "centos 7 with --ignore-unfixed option",
 			args: csArgs{
 				IgnoreUnfixed: true,
 				Input:         "testdata/fixtures/images/centos-7.tar.gz",
@@ -141,127 +124,114 @@ func TestClientServer(t *testing.T) {
 			golden: "testdata/centos-7-ignore-unfixed.json.golden",
 		},
 		{
-			name: "centos 7 integration with low and high severity",
+			name: "centos 7 with medium severity",
 			args: csArgs{
 				IgnoreUnfixed: true,
-				Severity:      []string{"LOW", "HIGH"},
+				Severity:      []string{"MEDIUM"},
 				Input:         "testdata/fixtures/images/centos-7.tar.gz",
 			},
-			golden: "testdata/centos-7-low-high.json.golden",
+			golden: "testdata/centos-7-medium.json.golden",
 		},
 		{
-			name: "centos 6 integration",
+			name: "centos 6",
 			args: csArgs{
 				Input: "testdata/fixtures/images/centos-6.tar.gz",
 			},
 			golden: "testdata/centos-6.json.golden",
 		},
 		{
-			name: "ubi 7 integration",
+			name: "ubi 7",
 			args: csArgs{
 				Input: "testdata/fixtures/images/ubi-7.tar.gz",
 			},
 			golden: "testdata/ubi-7.json.golden",
 		},
 		{
-			name: "distroless base integration",
+			name: "almalinux 8",
+			args: csArgs{
+				Input: "testdata/fixtures/images/almalinux-8.tar.gz",
+			},
+			golden: "testdata/almalinux-8.json.golden",
+		},
+		{
+			name: "rocky linux 8",
+			args: csArgs{
+				Input: "testdata/fixtures/images/rockylinux-8.tar.gz",
+			},
+			golden: "testdata/rockylinux-8.json.golden",
+		},
+		{
+			name: "distroless base",
 			args: csArgs{
 				Input: "testdata/fixtures/images/distroless-base.tar.gz",
 			},
 			golden: "testdata/distroless-base.json.golden",
 		},
 		{
-			name: "distroless base integration with --ignore-unfixed option",
-			args: csArgs{
-				IgnoreUnfixed: true,
-				Input:         "testdata/fixtures/images/distroless-base.tar.gz",
-			},
-			golden: "testdata/distroless-base-ignore-unfixed.json.golden",
-		},
-		{
-			name: "distroless python27 integration",
+			name: "distroless python27",
 			args: csArgs{
 				Input: "testdata/fixtures/images/distroless-python27.tar.gz",
 			},
 			golden: "testdata/distroless-python27.json.golden",
 		},
 		{
-			name: "amazon 1 integration",
+			name: "amazon 1",
 			args: csArgs{
 				Input: "testdata/fixtures/images/amazon-1.tar.gz",
 			},
 			golden: "testdata/amazon-1.json.golden",
 		},
 		{
-			name: "amazon 2 integration",
+			name: "amazon 2",
 			args: csArgs{
 				Input: "testdata/fixtures/images/amazon-2.tar.gz",
 			},
 			golden: "testdata/amazon-2.json.golden",
 		},
 		{
-			name: "oracle 6 integration",
-			args: csArgs{
-				Input: "testdata/fixtures/images/oraclelinux-6-slim.tar.gz",
-			},
-			golden: "testdata/oraclelinux-6-slim.json.golden",
-		},
-		{
-			name: "oracle 7 integration",
-			args: csArgs{
-				Input: "testdata/fixtures/images/oraclelinux-7-slim.tar.gz",
-			},
-			golden: "testdata/oraclelinux-7-slim.json.golden",
-		},
-		{
-			name: "oracle 8 integration",
+			name: "oracle 8",
 			args: csArgs{
 				Input: "testdata/fixtures/images/oraclelinux-8-slim.tar.gz",
 			},
 			golden: "testdata/oraclelinux-8-slim.json.golden",
 		},
 		{
-			name: "opensuse leap 15.1 integration",
+			name: "opensuse leap 15.1",
 			args: csArgs{
 				Input: "testdata/fixtures/images/opensuse-leap-151.tar.gz",
 			},
 			golden: "testdata/opensuse-leap-151.json.golden",
 		},
 		{
-			name: "opensuse leap 42.3 integration",
-			args: csArgs{
-				Input: "testdata/fixtures/images/opensuse-leap-423.tar.gz",
-			},
-			golden: "testdata/opensuse-leap-423.json.golden",
-		},
-		{
-			name: "photon 1.0 integration",
-			args: csArgs{
-				Input: "testdata/fixtures/images/photon-10.tar.gz",
-			},
-			golden: "testdata/photon-10.json.golden",
-		},
-		{
-			name: "photon 2.0 integration",
-			args: csArgs{
-				Input: "testdata/fixtures/images/photon-20.tar.gz",
-			},
-			golden: "testdata/photon-20.json.golden",
-		},
-		{
-			name: "photon 3.0 integration",
+			name: "photon 3.0",
 			args: csArgs{
 				Input: "testdata/fixtures/images/photon-30.tar.gz",
 			},
 			golden: "testdata/photon-30.json.golden",
 		},
 		{
-			name: "buxybox with Cargo.lock integration",
+			name: "CBL-Mariner 1.0",
+			args: csArgs{
+				Input: "testdata/fixtures/images/mariner-1.0.tar.gz",
+			},
+			golden: "testdata/mariner-1.0.json.golden",
+		},
+		{
+			name: "buxybox with Cargo.lock",
 			args: csArgs{
 				Input: "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
 			},
 			golden: "testdata/busybox-with-lockfile.json.golden",
 		},
+		{
+			name: "scan pox.xml with fs command in client/server mode",
+			args: csArgs{
+				Command:          "fs",
+				RemoteAddrOption: "--server",
+				Target:           "testdata/fixtures/fs/pom/",
+			},
+			golden: "testdata/pom.json.golden",
+		},
 	}

 	app, addr, cacheDir := setup(t, setupOptions{})
@@ -286,7 +256,7 @@ func TestClientServerWithTemplate(t *testing.T) {
 		golden string
 	}{
 		{
-			name: "alpine 3.10 integration with gitlab template",
+			name: "alpine 3.10 with gitlab template",
 			args: csArgs{
 				Format:       "template",
 				TemplatePath: "@../contrib/gitlab.tpl",
@@ -295,7 +265,7 @@ func TestClientServerWithTemplate(t *testing.T) {
 			golden: "testdata/alpine-310.gitlab.golden",
 		},
 		{
-			name: "alpine 3.10 integration with gitlab-codequality template",
+			name: "alpine 3.10 with gitlab-codequality template",
 			args: csArgs{
 				Format:       "template",
 				TemplatePath: "@../contrib/gitlab-codequality.tpl",
@@ -304,16 +274,15 @@ func TestClientServerWithTemplate(t *testing.T) {
 			golden: "testdata/alpine-310.gitlab-codequality.golden",
 		},
 		{
-			name: "alpine 3.10 integration with sarif template",
+			name: "alpine 3.10 with sarif format",
 			args: csArgs{
-				Format:       "template",
-				TemplatePath: "@../contrib/sarif.tpl",
-				Input:        "testdata/fixtures/images/alpine-310.tar.gz",
+				Format: "sarif",
+				Input:  "testdata/fixtures/images/alpine-310.tar.gz",
 			},
 			golden: "testdata/alpine-310.sarif.golden",
 		},
 		{
-			name: "alpine 3.10 integration with ASFF template",
+			name: "alpine 3.10 with ASFF template",
 			args: csArgs{
 				Format:       "template",
 				TemplatePath: "@../contrib/asff.tpl",
@@ -322,7 +291,7 @@ func TestClientServerWithTemplate(t *testing.T) {
 			golden: "testdata/alpine-310.asff.golden",
 		},
 		{
-			name: "alpine 3.10 integration with html template",
+			name: "alpine 3.10 with html template",
 			args: csArgs{
 				Format:       "template",
 				TemplatePath: "@../contrib/html.tpl",
@@ -332,13 +301,23 @@ func TestClientServerWithTemplate(t *testing.T) {
 		},
 	}

+	report.CustomTemplateFuncMap = map[string]interface{}{
+		"now": func() time.Time {
+			return time.Date(2020, 8, 10, 7, 28, 17, 958601, time.UTC)
+		},
+		"date": func(format string, t time.Time) string {
+			return t.Format(format)
+		},
+	}
+
+	t.Cleanup(func() {
+		report.CustomTemplateFuncMap = map[string]interface{}{}
+	})
+
 	app, addr, cacheDir := setup(t, setupOptions{})

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			report.Now = func() time.Time {
-				return time.Date(2020, 8, 10, 7, 28, 17, 958601, time.UTC)
-			}
 			t.Setenv("AWS_REGION", "test-region")
 			t.Setenv("AWS_ACCOUNT_ID", "123456789012")
 			osArgs, outputFile := setupClient(t, tt.args, addr, cacheDir, tt.golden)
@@ -358,6 +337,55 @@ func TestClientServerWithTemplate(t *testing.T) {
 	}
 }

+func TestClientServerWithCycloneDX(t *testing.T) {
+	tests := []struct {
+		name                  string
+		args                  csArgs
+		wantComponentsCount   int
+		wantDependenciesCount int
+		wantDependsOnCount    []int
+	}{
+		{
+			name: "fluentd with RubyGems with CycloneDX format",
+			args: csArgs{
+				Format: "cyclonedx",
+				Input:  "testdata/fixtures/images/fluentd-multiple-lockfiles.tar.gz",
+			},
+			wantComponentsCount:   161,
+			wantDependenciesCount: 2,
+			wantDependsOnCount: []int{
+				105,
+				56,
+			},
+		},
+	}
+
+	app, addr, cacheDir := setup(t, setupOptions{})
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			osArgs, outputFile := setupClient(t, tt.args, addr, cacheDir, "")
+
+			// Run Trivy client
+			err := app.Run(osArgs)
+			require.NoError(t, err)
+
+			f, err := os.Open(outputFile)
+			require.NoError(t, err)
+			defer f.Close()
+
+			var got cdx.BOM
+			err = json.NewDecoder(f).Decode(&got)
+			require.NoError(t, err)
+
+			assert.EqualValues(t, tt.wantComponentsCount, len(*got.Components))
+			assert.EqualValues(t, tt.wantDependenciesCount, len(*got.Dependencies))
+			for i, dep := range *got.Dependencies {
+				assert.EqualValues(t, tt.wantDependsOnCount[i], len(*dep.Dependencies))
+			}
+		})
+	}
+}
+
 func TestClientServerWithToken(t *testing.T) {
 	cases := []struct {
 		name    string
@@ -366,13 +394,13 @@ func TestClientServerWithToken(t *testing.T) {
 		wantErr string
 	}{
 		{
-			name: "alpine 3.10 integration with token",
+			name: "alpine 3.9 with token",
 			args: csArgs{
-				Input:             "testdata/fixtures/images/alpine-310.tar.gz",
+				Input:             "testdata/fixtures/images/alpine-39.tar.gz",
 				ClientToken:       "token",
 				ClientTokenHeader: "Trivy-Token",
 			},
-			golden: "testdata/alpine-310.json.golden",
+			golden: "testdata/alpine-39.json.golden",
 		},
 		{
 			name: "invalid token",
@@ -387,8 +415,8 @@ func TestClientServerWithToken(t *testing.T) {
 			name: "invalid token header",
 			args: csArgs{
 				Input:             "testdata/fixtures/images/distroless-base.tar.gz",
-				ClientToken:       "valid-token",
-				ClientTokenHeader: "Trivy-Token",
+				ClientToken:       "token",
+				ClientTokenHeader: "Unknown-Header",
 			},
 			wantErr: "twirp error unauthenticated: invalid token",
 		},
@@ -428,15 +456,15 @@ func TestClientServerWithRedis(t *testing.T) {

 	// Set up Trivy server
 	app, addr, cacheDir := setup(t, setupOptions{cacheBackend: addr})
-	defer os.RemoveAll(cacheDir)
+	t.Cleanup(func() { os.RemoveAll(cacheDir) })

 	// Test parameters
 	testArgs := csArgs{
-		Input: "testdata/fixtures/images/centos-7.tar.gz",
+		Input: "testdata/fixtures/images/alpine-39.tar.gz",
 	}
-	golden := "testdata/centos-7.json.golden"
+	golden := "testdata/alpine-39.json.golden"

-	t.Run("centos 7", func(t *testing.T) {
+	t.Run("alpine 3.9", func(t *testing.T) {
 		osArgs, outputFile := setupClient(t, testArgs, addr, cacheDir, golden)

 		// Run Trivy client
@@ -470,7 +498,7 @@ func setup(t *testing.T, options setupOptions) (*cli.App, string, string) {
 	version := "dev"

 	// Set up testing DB
-	cacheDir := gunzipDB(t)
+	cacheDir := initDB(t)

 	port, err := getFreePort()
 	assert.NoError(t, err)
@@ -509,8 +537,14 @@ func setupServer(addr, token, tokenHeader, cacheDir, cacheBackend string) []stri
 }

 func setupClient(t *testing.T, c csArgs, addr string, cacheDir string, golden string) ([]string, string) {
+	if c.Command == "" {
+		c.Command = "client"
+	}
+	if c.RemoteAddrOption == "" {
+		c.RemoteAddrOption = "--remote"
+	}
 	t.Helper()
-	osArgs := []string{"trivy", "--cache-dir", cacheDir, "client", "--remote", "http://" + addr}
+	osArgs := []string{"trivy", "--cache-dir", cacheDir, c.Command, c.RemoteAddrOption, "http://" + addr}

 	if c.Format != "" {
 		osArgs = append(osArgs, "--format", c.Format)
@@ -526,7 +560,7 @@ func setupClient(t *testing.T, c csArgs, addr string, cacheDir string, golden st
 	}
 	if len(c.Severity) != 0 {
 		osArgs = append(osArgs,
-			[]string{"--severity", strings.Join(c.Severity, ",")}...,
+			"--severity", strings.Join(c.Severity, ","),
 		)
 	}

@@ -534,22 +568,26 @@ func setupClient(t *testing.T, c csArgs, addr string, cacheDir string, golden st
 		trivyIgnore := filepath.Join(t.TempDir(), ".trivyignore")
 		err := os.WriteFile(trivyIgnore, []byte(strings.Join(c.IgnoreIDs, "\n")), 0444)
 		require.NoError(t, err, "failed to write .trivyignore")
-		osArgs = append(osArgs, []string{"--ignorefile", trivyIgnore}...)
+		osArgs = append(osArgs, "--ignorefile", trivyIgnore)
 	}
 	if c.ClientToken != "" {
-		osArgs = append(osArgs, []string{"--token", c.ClientToken, "--token-header", c.ClientTokenHeader}...)
+		osArgs = append(osArgs, "--token", c.ClientToken, "--token-header", c.ClientTokenHeader)
 	}
 	if c.Input != "" {
-		osArgs = append(osArgs, []string{"--input", c.Input}...)
+		osArgs = append(osArgs, "--input", c.Input)
 	}

-	// Setup the output file
+	// Set up the output file
 	outputFile := filepath.Join(t.TempDir(), "output.json")
 	if *update {
 		outputFile = golden
 	}

-	osArgs = append(osArgs, []string{"--output", outputFile}...)
+	osArgs = append(osArgs, "--output", outputFile)
+
+	if c.Target != "" {
+		osArgs = append(osArgs, c.Target)
+	}

 	return osArgs, outputFile
 }
--- a/integration/docker/docker.go
+++ b/integration/docker/docker.go
@@ -1,116 +0,0 @@
-package docker
-
-import (
-	"context"
-	"encoding/base64"
-	"encoding/json"
-	"fmt"
-	"io"
-	"net/url"
-	"os"
-
-	"github.com/docker/docker/client"
-
-	"github.com/docker/docker/api/types"
-)
-
-// RegistryConfig holds the config for docker registry
-type RegistryConfig struct {
-	URL      *url.URL
-	Username string
-	Password string
-}
-
-// GetAuthConfig returns the docker registry authConfig
-func (c RegistryConfig) GetAuthConfig() types.AuthConfig {
-	return types.AuthConfig{
-		Username:      c.Username,
-		Password:      c.Password,
-		ServerAddress: c.URL.Host,
-	}
-}
-
-// GetRegistryAuth returns the json encoded docker registry auth
-func (c RegistryConfig) GetRegistryAuth() (string, error) {
-	authConfig := types.AuthConfig{
-		Username: c.Username,
-		Password: c.Password,
-	}
-	encodedJSON, err := json.Marshal(authConfig)
-	if err != nil {
-		return "", err
-	}
-	return base64.URLEncoding.EncodeToString(encodedJSON), nil
-}
-
-// Docker returns docker client
-type Docker struct {
-	cli *client.Client
-}
-
-// New is the factory method to return docker client
-func New() (Docker, error) {
-	cli, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
-	if err != nil {
-		return Docker{}, err
-	}
-	return Docker{
-		cli: cli,
-	}, nil
-}
-
-// ReplicateImage tags the given imagePath and pushes it to the given dest registry.
-func (d Docker) ReplicateImage(ctx context.Context, imageRef, imagePath string, dest RegistryConfig) error {
-	// remove existing Image if any
-	_, _ = d.cli.ImageRemove(ctx, imageRef, types.ImageRemoveOptions{
-		Force:         true,
-		PruneChildren: true,
-	})
-
-	testfile, err := os.Open(imagePath)
-	if err != nil {
-		return err
-	}
-
-	// load image into docker engine
-	resp, err := d.cli.ImageLoad(ctx, testfile, true)
-	if err != nil {
-		return err
-	}
-	if _, err = io.Copy(io.Discard, resp.Body); err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-
-	targetImageRef := fmt.Sprintf("%s/%s", dest.URL.Host, imageRef)
-
-	if err = d.cli.ImageTag(ctx, imageRef, targetImageRef); err != nil {
-		return err
-	}
-	defer func() {
-		_, _ = d.cli.ImageRemove(ctx, imageRef, types.ImageRemoveOptions{
-			Force:         true,
-			PruneChildren: true,
-		})
-		_, _ = d.cli.ImageRemove(ctx, targetImageRef, types.ImageRemoveOptions{
-			Force:         true,
-			PruneChildren: true,
-		})
-	}()
-
-	auth, err := dest.GetRegistryAuth()
-	if err != nil {
-		return err
-	}
-
-	pushOut, err := d.cli.ImagePush(ctx, targetImageRef, types.ImagePushOptions{RegistryAuth: auth})
-	if err != nil {
-		return err
-	}
-	defer pushOut.Close()
-
-	if _, err = io.Copy(io.Discard, pushOut); err != nil {
-		return err
-	}
-	return nil
-}
--- a/integration/docker_engine_test.go
+++ b/integration/docker_engine_test.go
@@ -19,235 +19,185 @@ import (
 	"github.com/aquasecurity/trivy/pkg/commands"
 )

-func TestRun_WithDockerEngine(t *testing.T) {
-	testCases := []struct {
-		name                string
-		withImageSubcommand bool
-		imageTag            string
-		invalidImage        bool
-		ignoreUnfixed       bool
-		severity            []string
-		ignoreIDs           []string
-		testfile            string
-		wantOutputFile      string
-		wantError           string
+func TestDockerEngine(t *testing.T) {
+	tests := []struct {
+		name          string
+		imageTag      string
+		invalidImage  bool
+		ignoreUnfixed bool
+		severity      []string
+		ignoreIDs     []string
+		input         string
+		golden        string
+		wantErr       string
 	}{
-		// All of these cases should pass for either
-		// $ trivy <args>
-		// $ trivy image <args>
 		{
-			name:           "happy path, valid image path, alpine:3.10",
-			imageTag:       "alpine:3.10",
-			wantOutputFile: "testdata/alpine-310.json.golden",
-			testfile:       "testdata/fixtures/images/alpine-310.tar.gz",
+			name:     "alpine:3.9",
+			imageTag: "alpine:3.9",
+			input:    "testdata/fixtures/images/alpine-39.tar.gz",
+			golden:   "testdata/alpine-39.json.golden",
 		},
 		{
-			name:                "happy path, valid image path, with image subcommand, alpine:3.10",
-			withImageSubcommand: true,
-			imageTag:            "alpine:3.10",
-			wantOutputFile:      "testdata/alpine-310.json.golden",
-			testfile:            "testdata/fixtures/images/alpine-310.tar.gz",
+			name:     "alpine:3.9, with high and critical severity",
+			severity: []string{"HIGH", "CRITICAL"},
+			imageTag: "alpine:3.9",
+			input:    "testdata/fixtures/images/alpine-39.tar.gz",
+			golden:   "testdata/alpine-39-high-critical.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, alpine:3.10, ignore unfixed",
-			ignoreUnfixed:  true,
-			imageTag:       "alpine:3.10",
-			wantOutputFile: "testdata/alpine-310-ignore-unfixed.json.golden",
-			testfile:       "testdata/fixtures/images/alpine-310.tar.gz",
+			name:      "alpine:3.9, with .trivyignore",
+			imageTag:  "alpine:3.9",
+			ignoreIDs: []string{"CVE-2019-1549", "CVE-2019-14697"},
+			input:     "testdata/fixtures/images/alpine-39.tar.gz",
+			golden:    "testdata/alpine-39-ignore-cveids.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, alpine:3.10, ignore unfixed, with medium and high severity",
-			ignoreUnfixed:  true,
-			severity:       []string{"MEDIUM", "HIGH"},
-			imageTag:       "alpine:3.10",
-			wantOutputFile: "testdata/alpine-310-medium-high.json.golden",
-			testfile:       "testdata/fixtures/images/alpine-310.tar.gz",
+			name:     "alpine:3.10",
+			imageTag: "alpine:3.10",
+			input:    "testdata/fixtures/images/alpine-310.tar.gz",
+			golden:   "testdata/alpine-310.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, alpine:3.10, with .trivyignore",
-			imageTag:       "alpine:3.10",
-			ignoreIDs:      []string{"CVE-2019-1549", "CVE-2019-1563"},
-			wantOutputFile: "testdata/alpine-310-ignore-cveids.json.golden",
-			testfile:       "testdata/fixtures/images/alpine-310.tar.gz",
+			name:     "amazonlinux:1",
+			imageTag: "amazonlinux:1",
+			input:    "testdata/fixtures/images/amazon-1.tar.gz",
+			golden:   "testdata/amazon-1.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, alpine:3.9",
-			imageTag:       "alpine:3.9",
-			wantOutputFile: "testdata/alpine-39.json.golden",
-			testfile:       "testdata/fixtures/images/alpine-39.tar.gz",
+			name:     "amazonlinux:2",
+			imageTag: "amazonlinux:2",
+			input:    "testdata/fixtures/images/amazon-2.tar.gz",
+			golden:   "testdata/amazon-2.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, amazonlinux:1",
-			imageTag:       "amazonlinux:1",
-			wantOutputFile: "testdata/amazon-1.json.golden",
-			testfile:       "testdata/fixtures/images/amazon-1.tar.gz",
+			name:     "almalinux 8",
+			imageTag: "almalinux:8",
+			input:    "testdata/fixtures/images/almalinux-8.tar.gz",
+			golden:   "testdata/almalinux-8.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, amazonlinux:2",
-			imageTag:       "amazonlinux:2",
-			wantOutputFile: "testdata/amazon-2.json.golden",
-			testfile:       "testdata/fixtures/images/amazon-2.tar.gz",
+			name:     "rocky linux 8",
+			imageTag: "rockylinux:8",
+			input:    "testdata/fixtures/images/rockylinux-8.tar.gz",
+			golden:   "testdata/rockylinux-8.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, centos:6",
-			imageTag:       "centos:6",
-			wantOutputFile: "testdata/centos-6.json.golden",
-			testfile:       "testdata/fixtures/images/centos-6.tar.gz",
+			name:     "centos 6",
+			imageTag: "centos:6",
+			input:    "testdata/fixtures/images/centos-6.tar.gz",
+			golden:   "testdata/centos-6.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, centos:7",
-			imageTag:       "centos:7",
-			wantOutputFile: "testdata/centos-7.json.golden",
-			testfile:       "testdata/fixtures/images/centos-7.tar.gz",
+			name:     "centos 7",
+			imageTag: "centos:7",
+			input:    "testdata/fixtures/images/centos-7.tar.gz",
+			golden:   "testdata/centos-7.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, centos:7, with --ignore-unfixed option",
-			imageTag:       "centos:7",
-			ignoreUnfixed:  true,
-			wantOutputFile: "testdata/centos-7-ignore-unfixed.json.golden",
-			testfile:       "testdata/fixtures/images/centos-7.tar.gz",
+			name:          "centos 7, with --ignore-unfixed option",
+			imageTag:      "centos:7",
+			ignoreUnfixed: true,
+			input:         "testdata/fixtures/images/centos-7.tar.gz",
+			golden:        "testdata/centos-7-ignore-unfixed.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, centos:7, with --ignore-unfixed option, with low and high severity",
-			imageTag:       "centos:7",
-			ignoreUnfixed:  true,
-			severity:       []string{"LOW", "HIGH"},
-			wantOutputFile: "testdata/centos-7-low-high.json.golden",
-			testfile:       "testdata/fixtures/images/centos-7.tar.gz",
+			name:          "centos 7, with --ignore-unfixed option, with medium severity",
+			imageTag:      "centos:7",
+			ignoreUnfixed: true,
+			severity:      []string{"MEDIUM"},
+			input:         "testdata/fixtures/images/centos-7.tar.gz",
+			golden:        "testdata/centos-7-medium.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, debian:buster",
-			imageTag:       "debian:buster",
-			wantOutputFile: "testdata/debian-buster.json.golden",
-			testfile:       "testdata/fixtures/images/debian-buster.tar.gz",
+			name:     "registry.redhat.io/ubi7",
+			imageTag: "registry.redhat.io/ubi7",
+			input:    "testdata/fixtures/images/ubi-7.tar.gz",
+			golden:   "testdata/ubi-7.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, debian:buster, with --ignore-unfixed option",
-			ignoreUnfixed:  true,
-			imageTag:       "debian:buster",
-			wantOutputFile: "testdata/debian-buster-ignore-unfixed.json.golden",
-			testfile:       "testdata/fixtures/images/debian-buster.tar.gz",
+			name:     "debian buster/10",
+			imageTag: "debian:buster",
+			input:    "testdata/fixtures/images/debian-buster.tar.gz",
+			golden:   "testdata/debian-buster.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, debian:stretch",
-			imageTag:       "debian:stretch",
-			wantOutputFile: "testdata/debian-stretch.json.golden",
-			testfile:       "testdata/fixtures/images/debian-stretch.tar.gz",
+			name:          "debian buster/10, with --ignore-unfixed option",
+			ignoreUnfixed: true,
+			imageTag:      "debian:buster",
+			input:         "testdata/fixtures/images/debian-buster.tar.gz",
+			golden:        "testdata/debian-buster-ignore-unfixed.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, distroless:base",
-			imageTag:       "gcr.io/distroless/base:latest",
-			wantOutputFile: "testdata/distroless-base.json.golden",
-			testfile:       "testdata/fixtures/images/distroless-base.tar.gz",
+			name:     "debian stretch/9",
+			imageTag: "debian:stretch",
+			input:    "testdata/fixtures/images/debian-stretch.tar.gz",
+			golden:   "testdata/debian-stretch.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, distroless:base",
-			imageTag:       "gcr.io/distroless/base:latest",
-			wantOutputFile: "testdata/distroless-base.json.golden",
-			testfile:       "testdata/fixtures/images/distroless-base.tar.gz",
+			name:     "distroless base",
+			imageTag: "gcr.io/distroless/base:latest",
+			input:    "testdata/fixtures/images/distroless-base.tar.gz",
+			golden:   "testdata/distroless-base.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, distroless:base, with --ignore-unfixed option",
-			imageTag:       "gcr.io/distroless/base:latest",
-			ignoreUnfixed:  true,
-			wantOutputFile: "testdata/distroless-base-ignore-unfixed.json.golden",
-			testfile:       "testdata/fixtures/images/distroless-base.tar.gz",
+			name:     "distroless python2.7",
+			imageTag: "gcr.io/distroless/python2.7:latest",
+			input:    "testdata/fixtures/images/distroless-python27.tar.gz",
+			golden:   "testdata/distroless-python27.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, distroless:python2.7",
-			imageTag:       "gcr.io/distroless/python2.7:latest",
-			wantOutputFile: "testdata/distroless-python27.json.golden",
-			testfile:       "testdata/fixtures/images/distroless-python27.tar.gz",
+			name:     "oracle linux 8",
+			imageTag: "oraclelinux:8-slim",
+			input:    "testdata/fixtures/images/oraclelinux-8-slim.tar.gz",
+			golden:   "testdata/oraclelinux-8-slim.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, oraclelinux:6-slim",
-			imageTag:       "oraclelinux:6-slim",
-			wantOutputFile: "testdata/oraclelinux-6-slim.json.golden",
-			testfile:       "testdata/fixtures/images/oraclelinux-6-slim.tar.gz",
+			name:     "ubuntu 18.04",
+			imageTag: "ubuntu:18.04",
+			input:    "testdata/fixtures/images/ubuntu-1804.tar.gz",
+			golden:   "testdata/ubuntu-1804.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, oraclelinux:7-slim",
-			imageTag:       "oraclelinux:7-slim",
-			wantOutputFile: "testdata/oraclelinux-7-slim.json.golden",
-			testfile:       "testdata/fixtures/images/oraclelinux-7-slim.tar.gz",
+			name:          "ubuntu 18.04, with --ignore-unfixed option",
+			imageTag:      "ubuntu:18.04",
+			ignoreUnfixed: true,
+			input:         "testdata/fixtures/images/ubuntu-1804.tar.gz",
+			golden:        "testdata/ubuntu-1804-ignore-unfixed.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, oraclelinux:8-slim",
-			imageTag:       "oraclelinux:8-slim",
-			wantOutputFile: "testdata/oraclelinux-8-slim.json.golden",
-			testfile:       "testdata/fixtures/images/oraclelinux-8-slim.tar.gz",
+			name:     "opensuse leap 15.1",
+			imageTag: "opensuse/leap:latest",
+			input:    "testdata/fixtures/images/opensuse-leap-151.tar.gz",
+			golden:   "testdata/opensuse-leap-151.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, ubuntu:16.04",
-			imageTag:       "ubuntu:16.04",
-			wantOutputFile: "testdata/ubuntu-1604.json.golden",
-			testfile:       "testdata/fixtures/images/ubuntu-1604.tar.gz",
+			name:     "photon 3.0",
+			imageTag: "photon:3.0-20190823",
+			input:    "testdata/fixtures/images/photon-30.tar.gz",
+			golden:   "testdata/photon-30.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, ubuntu:18.04",
-			imageTag:       "ubuntu:18.04",
-			wantOutputFile: "testdata/ubuntu-1804.json.golden",
-			testfile:       "testdata/fixtures/images/ubuntu-1804.tar.gz",
+			name:     "CBL-Mariner 1.0",
+			imageTag: "cblmariner.azurecr.io/base/core:1.0",
+			input:    "testdata/fixtures/images/mariner-1.0.tar.gz",
+			golden:   "testdata/mariner-1.0.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, ubuntu:18.04, with --ignore-unfixed option",
-			imageTag:       "ubuntu:18.04",
-			ignoreUnfixed:  true,
-			wantOutputFile: "testdata/ubuntu-1804-ignore-unfixed.json.golden",
-			testfile:       "testdata/fixtures/images/ubuntu-1804.tar.gz",
-		},
-		{
-			name:           "happy path, valid image path, registry.redhat.io/ubi7",
-			imageTag:       "registry.redhat.io/ubi7",
-			wantOutputFile: "testdata/ubi-7.json.golden",
-			testfile:       "testdata/fixtures/images/ubi-7.tar.gz",
-		},
-		{
-			name:           "happy path, valid image path, opensuse leap 15.1",
-			imageTag:       "opensuse/leap:latest",
-			wantOutputFile: "testdata/opensuse-leap-151.json.golden",
-			testfile:       "testdata/fixtures/images/opensuse-leap-151.tar.gz",
-		},
-		{
-			name:           "happy path, valid image path, opensuse leap 42.3",
-			imageTag:       "opensuse/leap:42.3",
-			wantOutputFile: "testdata/opensuse-leap-423.json.golden",
-			testfile:       "testdata/fixtures/images/opensuse-leap-423.tar.gz",
-		},
-		{
-			name:           "happy path, valid image path, photon 1.0",
-			imageTag:       "photon:1.0-20190823",
-			wantOutputFile: "testdata/photon-10.json.golden",
-			testfile:       "testdata/fixtures/images/photon-10.tar.gz",
-		},
-		{
-			name:           "happy path, valid image path, photon 2.0",
-			imageTag:       "photon:2.0-20190726",
-			wantOutputFile: "testdata/photon-20.json.golden",
-			testfile:       "testdata/fixtures/images/photon-20.tar.gz",
-		},
-		{
-			name:           "happy path, valid image path, photon 3.0",
-			imageTag:       "photon:3.0-20190823",
-			wantOutputFile: "testdata/photon-30.json.golden",
-			testfile:       "testdata/fixtures/images/photon-30.tar.gz",
-		},
-		{
-			name:           "buxybox with Cargo.lock integration",
-			imageTag:       "busy-cargo:latest",
-			wantOutputFile: "testdata/busybox-with-lockfile.json.golden",
-			testfile:       "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
+			name:     "busybox with Cargo.lock",
+			imageTag: "busy-cargo:latest",
+			input:    "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
+			golden:   "testdata/busybox-with-lockfile.json.golden",
 		},
 		{
 			name:         "sad path, invalid image",
 			invalidImage: true,
-			testfile:     "badimage:latest",
-			wantError:    "unable to inspect the image (index.docker.io/library/badimage:latest)",
+			input:        "badimage:latest",
+			wantErr:      "unable to inspect the image (badimage:latest)",
 		},
 	}

 	// Set up testing DB
-	cacheDir := gunzipDB(t)
+	cacheDir := initDB(t)

 	ctx := context.Background()
 	defer ctx.Done()
@@ -255,26 +205,26 @@ func TestRun_WithDockerEngine(t *testing.T) {
 	cli, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
 	require.NoError(t, err)

-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			if !tc.invalidImage {
-				testfile, err := os.Open(tc.testfile)
-				require.NoError(t, err, tc.name)
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if !tt.invalidImage {
+				testfile, err := os.Open(tt.input)
+				require.NoError(t, err, tt.name)

 				// ensure image doesnt already exists
-				_, _ = cli.ImageRemove(ctx, tc.testfile, types.ImageRemoveOptions{
+				_, _ = cli.ImageRemove(ctx, tt.input, types.ImageRemoveOptions{
 					Force:         true,
 					PruneChildren: true,
 				})

 				// load image into docker engine
 				res, err := cli.ImageLoad(ctx, testfile, true)
-				require.NoError(t, err, tc.name)
+				require.NoError(t, err, tt.name)
 				io.Copy(io.Discard, res.Body)

 				// tag our image to something unique
-				err = cli.ImageTag(ctx, tc.imageTag, tc.testfile)
-				require.NoError(t, err, tc.name)
+				err = cli.ImageTag(ctx, tt.imageTag, tt.input)
+				require.NoError(t, err, tt.name)
 			}

 			tmpDir := t.TempDir()
@@ -282,55 +232,47 @@ func TestRun_WithDockerEngine(t *testing.T) {

 			// run trivy
 			app := commands.NewApp("dev")
-			trivyArgs := []string{"trivy"}
-			trivyArgs = append(trivyArgs, "--cache-dir", cacheDir)
-			if tc.withImageSubcommand {
-				trivyArgs = append(trivyArgs, "image")
-			}
+			trivyArgs := []string{"trivy", "--cache-dir", cacheDir, "image",
+				"--skip-update", "--format=json", "--output", output}

-			trivyArgs = append(trivyArgs, []string{"--skip-update", "--format=json", "--output", output}...)
-
-			if tc.ignoreUnfixed {
+			if tt.ignoreUnfixed {
 				trivyArgs = append(trivyArgs, "--ignore-unfixed")
 			}
-			if len(tc.severity) != 0 {
+			if len(tt.severity) != 0 {
 				trivyArgs = append(trivyArgs,
-					[]string{"--severity", strings.Join(tc.severity, ",")}...,
+					[]string{"--severity", strings.Join(tt.severity, ",")}...,
 				)
 			}
-			if len(tc.ignoreIDs) != 0 {
+			if len(tt.ignoreIDs) != 0 {
 				trivyIgnore := ".trivyignore"
-				err := os.WriteFile(trivyIgnore, []byte(strings.Join(tc.ignoreIDs, "\n")), 0444)
+				err = os.WriteFile(trivyIgnore, []byte(strings.Join(tt.ignoreIDs, "\n")), 0444)
 				assert.NoError(t, err, "failed to write .trivyignore")
 				defer os.Remove(trivyIgnore)
 			}
-			trivyArgs = append(trivyArgs, tc.testfile)
+			trivyArgs = append(trivyArgs, tt.input)

 			err = app.Run(trivyArgs)
-			switch {
-			case tc.wantError != "":
+			if tt.wantErr != "" {
 				require.NotNil(t, err)
-				assert.Contains(t, err.Error(), tc.wantError, tc.name)
+				assert.Contains(t, err.Error(), tt.wantErr, tt.name)
 				return
-			default:
-				assert.NoError(t, err, tc.name)
 			}

+			assert.NoError(t, err, tt.name)
+
 			// check for vulnerability output info
-			got := readReport(t, output)
-			want := readReport(t, tc.wantOutputFile)
-			assert.Equal(t, want, got)
+			compareReports(t, tt.golden, output)

 			// cleanup
-			_, err = cli.ImageRemove(ctx, tc.testfile, types.ImageRemoveOptions{
+			_, err = cli.ImageRemove(ctx, tt.input, types.ImageRemoveOptions{
 				Force:         true,
 				PruneChildren: true,
 			})
-			_, err = cli.ImageRemove(ctx, tc.imageTag, types.ImageRemoveOptions{
+			_, err = cli.ImageRemove(ctx, tt.imageTag, types.ImageRemoveOptions{
 				Force:         true,
 				PruneChildren: true,
 			})
-			assert.NoError(t, err, tc.name)
+			assert.NoError(t, err, tt.name)
 		})
 	}
 }
--- a/integration/fs_test.go
+++ b/integration/fs_test.go
@@ -22,6 +22,7 @@ func TestFilesystem(t *testing.T) {
 		ignoreIDs      []string
 		policyPaths    []string
 		namespaces     []string
+		listAllPkgs    bool
 		input          string
 	}
 	tests := []struct {
@@ -41,10 +42,19 @@ func TestFilesystem(t *testing.T) {
 			name: "pip",
 			args: args{
 				securityChecks: "vuln",
+				listAllPkgs:    true,
 				input:          "testdata/fixtures/fs/pip",
 			},
 			golden: "testdata/pip.json.golden",
 		},
+		{
+			name: "pom",
+			args: args{
+				securityChecks: "vuln",
+				input:          "testdata/fixtures/fs/pom",
+			},
+			golden: "testdata/pom.json.golden",
+		},
 		{
 			name: "dockerfile",
 			args: args{
@@ -85,12 +95,12 @@ func TestFilesystem(t *testing.T) {
 	}

 	// Set up testing DB
-	cacheDir := gunzipDB(t)
+	cacheDir := initDB(t)

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			osArgs := []string{"trivy", "--cache-dir", cacheDir, "fs", "--skip-db-update", "--skip-policy-update",
-				"--format", "json", "--security-checks", tt.args.securityChecks}
+				"--format", "json", "--offline-scan", "--security-checks", tt.args.securityChecks}

 			if len(tt.args.policyPaths) != 0 {
 				for _, policyPath := range tt.args.policyPaths {
@@ -105,9 +115,7 @@ func TestFilesystem(t *testing.T) {
 			}

 			if len(tt.args.severity) != 0 {
-				osArgs = append(osArgs,
-					[]string{"--severity", strings.Join(tt.args.severity, ",")}...,
-				)
+				osArgs = append(osArgs, "--severity", strings.Join(tt.args.severity, ","))
 			}

 			if len(tt.args.ignoreIDs) != 0 {
@@ -123,6 +131,10 @@ func TestFilesystem(t *testing.T) {
 				outputFile = tt.golden
 			}

+			if tt.args.listAllPkgs {
+				osArgs = append(osArgs, "--list-all-pkgs")
+			}
+
 			osArgs = append(osArgs, "--output", outputFile)
 			osArgs = append(osArgs, tt.args.input)

@@ -134,10 +146,7 @@ func TestFilesystem(t *testing.T) {
 			assert.Nil(t, app.Run(osArgs))

 			// Compare want and got
-			want := readReport(t, tt.golden)
-			got := readReport(t, outputFile)
-
-			assert.Equal(t, want, got)
+			compareReports(t, tt.golden, outputFile)
 		})
 	}
 }
--- a/integration/integration_test.go
+++ b/integration/integration_test.go
@@ -4,11 +4,9 @@
 package integration

 import (
-	"compress/gzip"
 	"context"
 	"encoding/json"
 	"flag"
-	"io"
 	"net"
 	"os"
 	"path/filepath"
@@ -19,44 +17,43 @@ import (
 	"github.com/stretchr/testify/require"

 	"github.com/aquasecurity/trivy-db/pkg/db"
-	"github.com/aquasecurity/trivy/pkg/report"
+	"github.com/aquasecurity/trivy-db/pkg/metadata"
+	"github.com/aquasecurity/trivy/pkg/dbtest"
+	"github.com/aquasecurity/trivy/pkg/types"
 )

 var update = flag.Bool("update", false, "update golden files")

-func gunzipDB(t *testing.T) string {
-	gz, err := os.Open("testdata/trivy.db.gz")
+func initDB(t *testing.T) string {
+	fixtureDir := filepath.Join("testdata", "fixtures", "db")
+	entries, err := os.ReadDir(fixtureDir)
 	require.NoError(t, err)

-	zr, err := gzip.NewReader(gz)
-	require.NoError(t, err)
+	var fixtures []string
+	for _, entry := range entries {
+		if entry.IsDir() {
+			continue
+		}
+		fixtures = append(fixtures, filepath.Join(fixtureDir, entry.Name()))
+	}

-	tmpDir := t.TempDir()
-	dbPath := db.Path(tmpDir)
-	dbDir := filepath.Dir(dbPath)
-	err = os.MkdirAll(dbDir, 0700)
-	require.NoError(t, err)
+	cacheDir := dbtest.InitDB(t, fixtures)
+	defer db.Close()

-	file, err := os.Create(dbPath)
-	require.NoError(t, err)
-	defer file.Close()
-
-	_, err = io.Copy(file, zr)
-	require.NoError(t, err)
+	dbDir := filepath.Dir(db.Path(cacheDir))

 	metadataFile := filepath.Join(dbDir, "metadata.json")
-	b, err := json.Marshal(db.Metadata{
-		Version:    1,
-		Type:       1,
-		NextUpdate: time.Time{},
-		UpdatedAt:  time.Time{},
+	f, err := os.Create(metadataFile)
+	require.NoError(t, err)
+
+	err = json.NewEncoder(f).Encode(metadata.Metadata{
+		Version:    db.SchemaVersion,
+		NextUpdate: time.Now().Add(24 * time.Hour),
+		UpdatedAt:  time.Now(),
 	})
 	require.NoError(t, err)

-	err = os.WriteFile(metadataFile, b, 0600)
-	require.NoError(t, err)
-
-	return tmpDir
+	return cacheDir
 }

 func getFreePort() (int, error) {
@@ -88,14 +85,14 @@ func waitPort(ctx context.Context, addr string) error {
 	}
 }

-func readReport(t *testing.T, filePath string) report.Report {
+func readReport(t *testing.T, filePath string) types.Report {
 	t.Helper()

 	f, err := os.Open(filePath)
 	require.NoError(t, err, filePath)
 	defer f.Close()

-	var res report.Report
+	var res types.Report
 	err = json.NewDecoder(f).Decode(&res)
 	require.NoError(t, err, filePath)

@@ -105,6 +102,8 @@ func readReport(t *testing.T, filePath string) report.Report {
 	// We don't compare repo tags because the archive doesn't support it
 	res.Metadata.RepoTags = nil

+	res.Metadata.RepoDigests = nil
+
 	return res
 }

--- a/integration/registry_test.go
+++ b/integration/registry_test.go
@@ -4,6 +4,8 @@
 package integration

 import (
+	"bytes"
+	"compress/gzip"
 	"context"
 	"crypto/tls"
 	"crypto/x509"
@@ -17,19 +19,20 @@ import (
 	"testing"

 	"github.com/docker/go-connections/nat"
+	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+	"github.com/google/go-containerregistry/pkg/v1/tarball"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	testcontainers "github.com/testcontainers/testcontainers-go"
 	"github.com/testcontainers/testcontainers-go/wait"

-	_ "github.com/aquasecurity/fanal/analyzer"
-	testdocker "github.com/aquasecurity/trivy/integration/docker"
 	"github.com/aquasecurity/trivy/pkg/commands"
 )

 const (
-	registryImage = "registry:2"
+	registryImage = "registry:2.7.0"
 	registryPort  = "5443/tcp"

 	authImage    = "cesanta/docker_auth:1"
@@ -52,9 +55,10 @@ func setupRegistry(ctx context.Context, baseDir string, authURL *url.URL) (testc
 			"REGISTRY_AUTH_TOKEN_SERVICE":        "registry.docker.io",
 			"REGISTRY_AUTH_TOKEN_ISSUER":         "Trivy auth server",
 			"REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE": "/certs/cert.pem",
+			"REGISTRY_AUTH_TOKEN_AUTOREDIRECT":   "false",
 		},
 		BindMounts: map[string]string{
-			filepath.Join(baseDir, "data", "certs"): "/certs",
+			"/certs": filepath.Join(baseDir, "data", "certs"),
 		},
 		SkipReaper: true,
 		AutoRemove: true,
@@ -74,8 +78,8 @@ func setupAuthServer(ctx context.Context, baseDir string) (testcontainers.Contai
 		Image:        authImage,
 		ExposedPorts: []string{authPort},
 		BindMounts: map[string]string{
-			filepath.Join(baseDir, "data", "auth_config"): "/config",
-			filepath.Join(baseDir, "data", "certs"):       "/certs",
+			"/config": filepath.Join(baseDir, "data", "auth_config"),
+			"/certs":  filepath.Join(baseDir, "data", "certs"),
 		},
 		SkipReaper: true,
 		AutoRemove: true,
@@ -133,13 +137,12 @@ func TestRegistry(t *testing.T) {
 	registryURL, err := getURL(ctx, registryC, registryPort)
 	require.NoError(t, err)

-	config := testdocker.RegistryConfig{
-		URL:      registryURL,
+	auth := &authn.Basic{
 		Username: authUsername,
 		Password: authPassword,
 	}

-	testCases := []struct {
+	tests := []struct {
 		name      string
 		imageName string
 		imageFile string
@@ -178,29 +181,25 @@ func TestRegistry(t *testing.T) {
 		},
 	}

-	for _, tc := range testCases {
+	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
-			d, err := testdocker.New()
-			require.NoError(t, err)
-
 			s := fmt.Sprintf("%s/%s", registryURL.Host, tc.imageName)
 			imageRef, err := name.ParseReference(s)
 			require.NoError(t, err)

 			// 1. Load a test image from the tar file, tag it and push to the test registry.
-			err = d.ReplicateImage(ctx, tc.imageName, tc.imageFile, config)
+			err = replicateImage(imageRef, tc.imageFile, auth)
 			require.NoError(t, err)

 			// 2. Scan it
 			resultFile, err := scan(t, imageRef, baseDir, tc.golden, tc.option)

 			if tc.wantErr != "" {
-				require.NotNil(t, err)
+				require.Error(t, err)
 				require.Contains(t, err.Error(), tc.wantErr, err)
 				return
-			} else {
-				require.NoError(t, err)
 			}
+			require.NoError(t, err)

 			// 3. Read want and got
 			want := readReport(t, tc.golden)
@@ -211,9 +210,6 @@ func TestRegistry(t *testing.T) {
 			for i := range want.Results {
 				want.Results[i].Target = fmt.Sprintf("%s (alpine 3.10.2)", s)
 			}
-			want.Metadata.RepoDigests = []string{
-				fmt.Sprintf("%s/alpine@sha256:acd3ca9941a85e8ed16515bfc5328e4e2f8c128caa72959a58a127b7801ee01f", registryURL.Host),
-			}

 			// 5. Compare want and got
 			assert.Equal(t, want, got)
@@ -223,7 +219,7 @@ func TestRegistry(t *testing.T) {

 func scan(t *testing.T, imageRef name.Reference, baseDir, goldenFile string, opt registryOption) (string, error) {
 	// Set up testing DB
-	cacheDir := gunzipDB(t)
+	cacheDir := initDB(t)

 	// Setup the output file
 	outputFile := filepath.Join(t.TempDir(), "output.json")
@@ -240,7 +236,8 @@ func scan(t *testing.T, imageRef name.Reference, baseDir, goldenFile string, opt
 	app := commands.NewApp("dev")
 	app.Writer = io.Discard

-	osArgs := []string{"trivy", "--cache-dir", cacheDir, "--format", "json", "--skip-update", "--output", outputFile, imageRef.Name()}
+	osArgs := []string{"trivy", "--cache-dir", cacheDir, "image", "--format", "json", "--skip-update",
+		"--output", outputFile, imageRef.Name()}

 	// Run Trivy
 	if err := app.Run(osArgs); err != nil {
@@ -316,3 +313,32 @@ func requestRegistryToken(imageRef name.Reference, baseDir string, opt registryO

 	return r.AccessToken, nil
 }
+
+// ReplicateImage tags the given imagePath and pushes it to the given dest registry.
+func replicateImage(imageRef name.Reference, imagePath string, auth authn.Authenticator) error {
+	img, err := tarball.Image(func() (io.ReadCloser, error) {
+		b, err := os.ReadFile(imagePath)
+		if err != nil {
+			return nil, err
+		}
+		gr, err := gzip.NewReader(bytes.NewReader(b))
+		if err != nil {
+			return nil, err
+		}
+		return io.NopCloser(gr), nil
+	}, nil)
+	if err != nil {
+		return err
+	}
+
+	t := &http.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	}
+
+	err = remote.Write(imageRef, img, remote.WithAuth(auth), remote.WithTransport(t))
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
--- a/integration/standalone_tar_test.go
+++ b/integration/standalone_tar_test.go
@@ -15,105 +15,84 @@ import (
 	"github.com/aquasecurity/trivy/pkg/commands"
 )

-func TestRun_WithTar(t *testing.T) {
+func TestTar(t *testing.T) {
 	type args struct {
-		Version             string
-		WithImageSubcommand bool
-		SkipUpdate          bool
-		IgnoreUnfixed       bool
-		Severity            []string
-		IgnoreIDs           []string
-		Format              string
-		Input               string
-		SkipDirs            []string
-		SkipFiles           []string
+		IgnoreUnfixed bool
+		Severity      []string
+		IgnoreIDs     []string
+		Format        string
+		Input         string
+		SkipDirs      []string
+		SkipFiles     []string
 	}
-	cases := []struct {
+	tests := []struct {
 		name     string
 		testArgs args
 		golden   string
 	}{
 		{
-			name: "alpine 3.10 integration",
+			name: "alpine 3.9",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310.json.golden",
-		},
-		{
-			name: "alpine 3.10 integration with image subcommand",
-			testArgs: args{
-				Version:             "dev",
-				WithImageSubcommand: true,
-				SkipUpdate:          true,
-				Format:              "json",
-				Input:               "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310.json.golden",
-		},
-		{
-			name: "alpine 3.10 integration with --ignore-unfixed option",
-			testArgs: args{
-				Version:       "dev",
-				SkipUpdate:    true,
-				IgnoreUnfixed: true,
-				Format:        "json",
-				Input:         "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310-ignore-unfixed.json.golden",
-		},
-		{
-			name: "alpine 3.10 integration with medium and high severity",
-			testArgs: args{
-				Version:       "dev",
-				SkipUpdate:    true,
-				IgnoreUnfixed: true,
-				Severity:      []string{"MEDIUM", "HIGH"},
-				Format:        "json",
-				Input:         "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310-medium-high.json.golden",
-		},
-		{
-			name: "alpine 3.10 integration with .trivyignore",
-			testArgs: args{
-				Version:       "dev",
-				SkipUpdate:    true,
-				IgnoreUnfixed: false,
-				IgnoreIDs:     []string{"CVE-2019-1549", "CVE-2019-1563"},
-				Format:        "json",
-				Input:         "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310-ignore-cveids.json.golden",
-		},
-		{
-			name: "alpine 3.9 integration",
-			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/alpine-39.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/alpine-39.tar.gz",
 			},
 			golden: "testdata/alpine-39.json.golden",
 		},
 		{
-			name: "debian buster integration",
+			name: "alpine 3.9 with high and critical severity",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/debian-buster.tar.gz",
+				IgnoreUnfixed: true,
+				Severity:      []string{"HIGH", "CRITICAL"},
+				Format:        "json",
+				Input:         "testdata/fixtures/images/alpine-39.tar.gz",
+			},
+			golden: "testdata/alpine-39-high-critical.json.golden",
+		},
+		{
+			name: "alpine 3.9 with .trivyignore",
+			testArgs: args{
+				IgnoreUnfixed: false,
+				IgnoreIDs:     []string{"CVE-2019-1549", "CVE-2019-14697"},
+				Format:        "json",
+				Input:         "testdata/fixtures/images/alpine-39.tar.gz",
+			},
+			golden: "testdata/alpine-39-ignore-cveids.json.golden",
+		},
+		{
+			name: "alpine 3.10",
+			testArgs: args{
+				Format: "json",
+				Input:  "testdata/fixtures/images/alpine-310.tar.gz",
+			},
+			golden: "testdata/alpine-310.json.golden",
+		},
+		{
+			name: "amazon linux 1",
+			testArgs: args{
+				Format: "json",
+				Input:  "testdata/fixtures/images/amazon-1.tar.gz",
+			},
+			golden: "testdata/amazon-1.json.golden",
+		},
+		{
+			name: "amazon linux 2",
+			testArgs: args{
+				Format: "json",
+				Input:  "testdata/fixtures/images/amazon-2.tar.gz",
+			},
+			golden: "testdata/amazon-2.json.golden",
+		},
+		{
+			name: "debian buster/10",
+			testArgs: args{
+				Format: "json",
+				Input:  "testdata/fixtures/images/debian-buster.tar.gz",
 			},
 			golden: "testdata/debian-buster.json.golden",
 		},
 		{
-			name: "debian buster integration with --ignore-unfixed option",
+			name: "debian buster/10 with --ignore-unfixed option",
 			testArgs: args{
-				Version:       "dev",
-				SkipUpdate:    true,
 				IgnoreUnfixed: true,
 				Format:        "json",
 				Input:         "testdata/fixtures/images/debian-buster.tar.gz",
@@ -121,30 +100,24 @@ func TestRun_WithTar(t *testing.T) {
 			golden: "testdata/debian-buster-ignore-unfixed.json.golden",
 		},
 		{
-			name: "debian stretch integration",
+			name: "debian stretch/9",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/debian-stretch.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/debian-stretch.tar.gz",
 			},
 			golden: "testdata/debian-stretch.json.golden",
 		},
 		{
-			name: "ubuntu 18.04 integration",
+			name: "ubuntu 18.04",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/ubuntu-1804.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/ubuntu-1804.tar.gz",
 			},
 			golden: "testdata/ubuntu-1804.json.golden",
 		},
 		{
-			name: "ubuntu 18.04 integration with --ignore-unfixed option",
+			name: "ubuntu 18.04 with --ignore-unfixed option",
 			testArgs: args{
-				Version:       "dev",
-				SkipUpdate:    true,
 				IgnoreUnfixed: true,
 				Format:        "json",
 				Input:         "testdata/fixtures/images/ubuntu-1804.tar.gz",
@@ -152,30 +125,16 @@ func TestRun_WithTar(t *testing.T) {
 			golden: "testdata/ubuntu-1804-ignore-unfixed.json.golden",
 		},
 		{
-			name: "ubuntu 16.04 integration",
+			name: "centos 7",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/ubuntu-1604.tar.gz",
-			},
-			golden: "testdata/ubuntu-1604.json.golden",
-		},
-		{
-			name: "centos 7 integration",
-			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/centos-7.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/centos-7.tar.gz",
 			},
 			golden: "testdata/centos-7.json.golden",
 		},
 		{
-			name: "centos 7 integration with --ignore-unfixed option",
+			name: "centos 7with --ignore-unfixed option",
 			testArgs: args{
-				Version:       "dev",
-				SkipUpdate:    true,
 				IgnoreUnfixed: true,
 				Format:        "json",
 				Input:         "testdata/fixtures/images/centos-7.tar.gz",
@@ -183,249 +142,158 @@ func TestRun_WithTar(t *testing.T) {
 			golden: "testdata/centos-7-ignore-unfixed.json.golden",
 		},
 		{
-			name: "centos 7 integration with low and high severity",
+			name: "centos 7 with medium severity",
 			testArgs: args{
-				Version:       "dev",
-				SkipUpdate:    true,
 				IgnoreUnfixed: true,
-				Severity:      []string{"LOW", "HIGH"},
+				Severity:      []string{"MEDIUM"},
 				Format:        "json",
 				Input:         "testdata/fixtures/images/centos-7.tar.gz",
 			},
-			golden: "testdata/centos-7-low-high.json.golden",
+			golden: "testdata/centos-7-medium.json.golden",
 		},
 		{
-			name: "centos 6 integration",
+			name: "centos 6",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/centos-6.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/centos-6.tar.gz",
 			},
 			golden: "testdata/centos-6.json.golden",
 		},
 		{
-			name: "ubi 7 integration",
+			name: "ubi 7",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/ubi-7.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/ubi-7.tar.gz",
 			},
 			golden: "testdata/ubi-7.json.golden",
 		},
 		{
-			name: "distroless base integration",
+			name: "almalinux 8",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/distroless-base.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/almalinux-8.tar.gz",
+			},
+			golden: "testdata/almalinux-8.json.golden",
+		},
+		{
+			name: "rocky linux 8",
+			testArgs: args{
+				Format: "json",
+				Input:  "testdata/fixtures/images/rockylinux-8.tar.gz",
+			},
+			golden: "testdata/rockylinux-8.json.golden",
+		},
+		{
+			name: "distroless base",
+			testArgs: args{
+				Format: "json",
+				Input:  "testdata/fixtures/images/distroless-base.tar.gz",
 			},
 			golden: "testdata/distroless-base.json.golden",
 		},
 		{
-			name: "distroless base integration with --ignore-unfixed option",
+			name: "distroless python27",
 			testArgs: args{
-				Version:       "dev",
-				SkipUpdate:    true,
-				IgnoreUnfixed: true,
-				Format:        "json",
-				Input:         "testdata/fixtures/images/distroless-base.tar.gz",
-			},
-			golden: "testdata/distroless-base-ignore-unfixed.json.golden",
-		},
-		{
-			name: "distroless python27 integration",
-			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/distroless-python27.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/distroless-python27.tar.gz",
 			},
 			golden: "testdata/distroless-python27.json.golden",
 		},
 		{
-			name: "amazon 1 integration",
+			name: "oracle linux 8",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/amazon-1.tar.gz",
-			},
-			golden: "testdata/amazon-1.json.golden",
-		},
-		{
-			name: "amazon 2 integration",
-			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/amazon-2.tar.gz",
-			},
-			golden: "testdata/amazon-2.json.golden",
-		},
-		{
-			name: "oracle 6 integration",
-			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/oraclelinux-6-slim.tar.gz",
-			},
-			golden: "testdata/oraclelinux-6-slim.json.golden",
-		},
-		{
-			name: "oracle 7 integration",
-			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/oraclelinux-7-slim.tar.gz",
-			},
-			golden: "testdata/oraclelinux-7-slim.json.golden",
-		},
-		{
-			name: "oracle 8 integration",
-			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/oraclelinux-8-slim.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/oraclelinux-8-slim.tar.gz",
 			},
 			golden: "testdata/oraclelinux-8-slim.json.golden",
 		},
 		{
-			name: "opensuse leap 15.1 integration",
+			name: "opensuse leap 15.1",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/opensuse-leap-151.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/opensuse-leap-151.tar.gz",
 			},
 			golden: "testdata/opensuse-leap-151.json.golden",
 		},
 		{
-			name: "opensuse leap 42.3 integration",
+			name: "photon 3.0",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/opensuse-leap-423.tar.gz",
-			},
-			golden: "testdata/opensuse-leap-423.json.golden",
-		},
-		{
-			name: "photon 1.0 integration",
-			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/photon-10.tar.gz",
-			},
-			golden: "testdata/photon-10.json.golden",
-		},
-		{
-			name: "photon 2.0 integration",
-			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/photon-20.tar.gz",
-			},
-			golden: "testdata/photon-20.json.golden",
-		},
-		{
-			name: "photon 3.0 integration",
-			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/photon-30.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/photon-30.tar.gz",
 			},
 			golden: "testdata/photon-30.json.golden",
 		},
+		{
+			name: "CBL-Mariner 1.0",
+			testArgs: args{
+				Format: "json",
+				Input:  "testdata/fixtures/images/mariner-1.0.tar.gz",
+			},
+			golden: "testdata/mariner-1.0.json.golden",
+		},
 		{
 			name: "buxybox with Cargo.lock integration",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
 			},
 			golden: "testdata/busybox-with-lockfile.json.golden",
 		},
 		{
-			name: "fluentd with multiple lock files",
+			name: "fluentd with RubyGems",
 			testArgs: args{
-				Version:       "dev",
-				SkipUpdate:    true,
 				IgnoreUnfixed: true,
 				Format:        "json",
 				Input:         "testdata/fixtures/images/fluentd-multiple-lockfiles.tar.gz",
-				SkipFiles:     []string{"/Gemfile.lock"},
-				SkipDirs: []string{
-					"/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0",
-					"/var/lib/gems/2.5.0/gems/fluent-plugin-detect-exceptions-0.0.13",
-				},
 			},
-			golden: "testdata/fluentd-multiple-lockfiles.json.golden",
+			golden: "testdata/fluentd-gems.json.golden",
 		},
 	}

 	// Set up testing DB
-	cacheDir := gunzipDB(t)
+	cacheDir := initDB(t)

 	// Setup CLI App
 	app := commands.NewApp("dev")
 	app.Writer = io.Discard

-	for _, c := range cases {
-		t.Run(c.name, func(t *testing.T) {
-			osArgs := []string{"trivy"}
-			osArgs = append(osArgs, "--cache-dir", cacheDir)
-			if c.testArgs.WithImageSubcommand {
-				osArgs = append(osArgs, "image")
-			}
-			osArgs = append(osArgs, "--format", c.testArgs.Format)
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			osArgs := []string{"trivy", "--cache-dir", cacheDir, "image", "--format", tt.testArgs.Format, "--skip-update"}

-			if c.testArgs.SkipUpdate {
-				osArgs = append(osArgs, "--skip-update")
-			}
-			if c.testArgs.IgnoreUnfixed {
+			if tt.testArgs.IgnoreUnfixed {
 				osArgs = append(osArgs, "--ignore-unfixed")
 			}
-			if len(c.testArgs.Severity) != 0 {
-				osArgs = append(osArgs,
-					[]string{"--severity", strings.Join(c.testArgs.Severity, ",")}...,
-				)
+			if len(tt.testArgs.Severity) != 0 {
+				osArgs = append(osArgs, "--severity", strings.Join(tt.testArgs.Severity, ","))
 			}
-			if len(c.testArgs.IgnoreIDs) != 0 {
+			if len(tt.testArgs.IgnoreIDs) != 0 {
 				trivyIgnore := ".trivyignore"
-				err := os.WriteFile(trivyIgnore, []byte(strings.Join(c.testArgs.IgnoreIDs, "\n")), 0444)
+				err := os.WriteFile(trivyIgnore, []byte(strings.Join(tt.testArgs.IgnoreIDs, "\n")), 0444)
 				assert.NoError(t, err, "failed to write .trivyignore")
 				defer os.Remove(trivyIgnore)
 			}
-			if c.testArgs.Input != "" {
-				osArgs = append(osArgs, "--input", c.testArgs.Input)
+			if tt.testArgs.Input != "" {
+				osArgs = append(osArgs, "--input", tt.testArgs.Input)
 			}

-			if len(c.testArgs.SkipFiles) != 0 {
-				for _, skipFile := range c.testArgs.SkipFiles {
+			// TODO: test skip files/dirs
+			if len(tt.testArgs.SkipFiles) != 0 {
+				for _, skipFile := range tt.testArgs.SkipFiles {
 					osArgs = append(osArgs, "--skip-files", skipFile)
 				}
 			}

-			if len(c.testArgs.SkipDirs) != 0 {
-				for _, skipDir := range c.testArgs.SkipDirs {
+			if len(tt.testArgs.SkipDirs) != 0 {
+				for _, skipDir := range tt.testArgs.SkipDirs {
 					osArgs = append(osArgs, "--skip-dirs", skipDir)
 				}
 			}

-			// Setup the output file
+			// Set up the output file
 			outputFile := filepath.Join(t.TempDir(), "output.json")
 			if *update {
-				outputFile = c.golden
+				outputFile = tt.golden
 			}

 			osArgs = append(osArgs, []string{"--output", outputFile}...)
@@ -434,7 +302,7 @@ func TestRun_WithTar(t *testing.T) {
 			assert.Nil(t, app.Run(osArgs))

 			// Compare want and got
-			compareReports(t, c.golden, outputFile)
+			compareReports(t, tt.golden, outputFile)
 		})
 	}
 }
--- a/integration/testdata/almalinux-8.json.golden
+++ b/integration/testdata/almalinux-8.json.golden
@@ -0,0 +1,122 @@
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/almalinux-8.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "alma",
+      "Name": "8.5"
+    },
+    "ImageID": "sha256:4ca63ce1d8a90da2ed4f2d5e93e8e9db2f32d0fabf0718a2edebbe0e70826622",
+    "DiffIDs": [
+      "sha256:124d41c237c5e823577dda97e87cebaecce62d585c725d07e709ce410681de4d"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "a467f67a48d469e1975b7414f33f2cf87121d4cc59d2ee029ea58e6b81774769",
+      "created": "2021-11-13T12:10:27.09871973Z",
+      "docker_version": "20.10.7",
+      "history": [
+        {
+          "created": "2021-11-13T12:10:26.29818864Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:2e002305ccb9d8a4dcef52509c4c50b9a15e76c9c49ca6abda3e0d7091c63fa7 in / "
+        },
+        {
+          "created": "2021-11-13T12:10:27.09871973Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/bash\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:124d41c237c5e823577dda97e87cebaecce62d585c725d07e709ce410681de4d"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/bash"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:d38d2eac03bc19e080df596d6148863a0f8293f3a277a7524f378da79a1feb0f"
+      }
+    }
+  },
+  "Results": [
+    {
+      "Target": "testdata/fixtures/images/almalinux-8.tar.gz (alma 8.5)",
+      "Class": "os-pkgs",
+      "Type": "alma",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2021-3712",
+          "PkgName": "openssl-libs",
+          "InstalledVersion": "1:1.1.1k-4.el8",
+          "FixedVersion": "1:1.1.1k-5.el8_5",
+          "Layer": {
+            "DiffID": "sha256:124d41c237c5e823577dda97e87cebaecce62d585c725d07e709ce410681de4d"
+          },
+          "SeveritySource": "alma",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3712",
+          "DataSource": {
+            "ID": "alma",
+            "Name": "AlmaLinux Product Errata",
+            "URL": "https://errata.almalinux.org/"
+          },
+          "Title": "openssl: Read buffer overruns processing ASN.1 strings",
+          "Description": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-125"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
+              "V2Score": 5.8,
+              "V3Score": 7.4
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
+              "V3Score": 7.4
+            }
+          },
+          "References": [
+            "http://www.openwall.com/lists/oss-security/2021/08/26/2",
+            "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3712.json",
+            "https://access.redhat.com/security/cve/CVE-2021-3712",
+            "https://crates.io/crates/openssl-src",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3712",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=94d23fcff9b2a7a8368dfe52214d5c2569882c11",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ccb0a11145ee72b042d10593a64eaf9e8a55ec12",
+            "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10366",
+            "https://linux.oracle.com/cve/CVE-2021-3712.html",
+            "https://linux.oracle.com/errata/ELSA-2022-9023.html",
+            "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E",
+            "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E",
+            "https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html",
+            "https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html",
+            "https://nvd.nist.gov/vuln/detail/CVE-2021-3712",
+            "https://rustsec.org/advisories/RUSTSEC-2021-0098.html",
+            "https://security.netapp.com/advisory/ntap-20210827-0010/",
+            "https://ubuntu.com/security/notices/USN-5051-1",
+            "https://ubuntu.com/security/notices/USN-5051-2",
+            "https://ubuntu.com/security/notices/USN-5051-3",
+            "https://ubuntu.com/security/notices/USN-5051-4 (regression only in trusty/esm)",
+            "https://ubuntu.com/security/notices/USN-5088-1",
+            "https://www.debian.org/security/2021/dsa-4963",
+            "https://www.openssl.org/news/secadv/20210824.txt",
+            "https://www.oracle.com/security-alerts/cpuoct2021.html",
+            "https://www.tenable.com/security/tns-2021-16",
+            "https://www.tenable.com/security/tns-2022-02"
+          ],
+          "PublishedDate": "2021-08-24T15:15:00Z",
+          "LastModifiedDate": "2022-01-06T09:15:00Z"
+        }
+      ]
+    }
+  ]
+}
--- a/integration/testdata/alpine-310-ignore-cveids.json.golden
+++ b/integration/testdata/alpine-310-ignore-cveids.json.golden
@@ -1,223 +0,0 @@
-{
-  "SchemaVersion": 2,
-  "ArtifactName": "testdata/fixtures/images/alpine-310.tar.gz",
-  "ArtifactType": "container_image",
-  "Metadata": {
-    "OS": {
-      "Family": "alpine",
-      "Name": "3.10.2",
-      "EOSL": true
-    },
-    "ImageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4",
-    "DiffIDs": [
-      "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-    ],
-    "ImageConfig": {
-      "architecture": "amd64",
-      "container": "0a80155a31551fcc1a36fccbbda79fcd3f0b1c7d270653d00310e6e2217c57e6",
-      "created": "2019-08-20T20:19:55.211423266Z",
-      "docker_version": "18.06.1-ce",
-      "history": [
-        {
-          "created": "2019-08-20T20:19:55.062606894Z",
-          "created_by": "/bin/sh -c #(nop) ADD file:fe64057fbb83dccb960efabbf1cd8777920ef279a7fa8dbca0a8801c651bdf7c in / "
-        },
-        {
-          "created": "2019-08-20T20:19:55.211423266Z",
-          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
-          "empty_layer": true
-        }
-      ],
-      "os": "linux",
-      "rootfs": {
-        "type": "layers",
-        "diff_ids": [
-          "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        ]
-      },
-      "config": {
-        "Cmd": [
-          "/bin/sh"
-        ],
-        "Env": [
-          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-        ],
-        "Image": "sha256:06f4121dff4d0123ce11bd2e44f48da9ba9ddcd23ae376ea1f363f63ea0849b5",
-        "ArgsEscaped": true
-      }
-    }
-  },
-  "Results": [
-    {
-      "Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-      "Class": "os-pkgs",
-      "Type": "alpine",
-      "Vulnerabilities": [
-        {
-          "VulnerabilityID": "CVE-2019-1551",
-          "PkgName": "libcrypto1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r2",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-200"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-              "V3Score": 4.8
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-            "https://github.com/openssl/openssl/pull/10575",
-            "https://seclists.org/bugtraq/2019/Dec/39",
-            "https://seclists.org/bugtraq/2019/Dec/46",
-            "https://security.netapp.com/advisory/ntap-20191210-0001/",
-            "https://www.debian.org/security/2019/dsa-4594",
-            "https://www.openssl.org/news/secadv/20191206.txt",
-            "https://www.tenable.com/security/tns-2019-09"
-          ],
-          "PublishedDate": "2019-12-06T18:15:00Z",
-          "LastModifiedDate": "2019-12-25T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1547",
-          "PkgName": "libcrypto1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-          "Title": "openssl: side-channel weak encryption vulnerability",
-          "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "LOW",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 1.9
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-              "V3Score": 5.5
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://arxiv.org/abs/1909.01785",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T16:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1551",
-          "PkgName": "libssl1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r2",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-200"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-              "V3Score": 4.8
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-            "https://github.com/openssl/openssl/pull/10575",
-            "https://seclists.org/bugtraq/2019/Dec/39",
-            "https://seclists.org/bugtraq/2019/Dec/46",
-            "https://security.netapp.com/advisory/ntap-20191210-0001/",
-            "https://www.debian.org/security/2019/dsa-4594",
-            "https://www.openssl.org/news/secadv/20191206.txt",
-            "https://www.tenable.com/security/tns-2019-09"
-          ],
-          "PublishedDate": "2019-12-06T18:15:00Z",
-          "LastModifiedDate": "2019-12-25T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1547",
-          "PkgName": "libssl1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-          "Title": "openssl: side-channel weak encryption vulnerability",
-          "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "LOW",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 1.9
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-              "V3Score": 5.5
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://arxiv.org/abs/1909.01785",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T16:15:00Z"
-        }
-      ]
-    }
-  ]
-}
--- a/integration/testdata/alpine-310-ignore-unfixed.json.golden
+++ b/integration/testdata/alpine-310-ignore-unfixed.json.golden
@@ -1,375 +0,0 @@
-{
-  "SchemaVersion": 2,
-  "ArtifactName": "testdata/fixtures/images/alpine-310.tar.gz",
-  "ArtifactType": "container_image",
-  "Metadata": {
-    "OS": {
-      "Family": "alpine",
-      "Name": "3.10.2",
-      "EOSL": true
-    },
-    "ImageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4",
-    "DiffIDs": [
-      "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-    ],
-    "ImageConfig": {
-      "architecture": "amd64",
-      "container": "0a80155a31551fcc1a36fccbbda79fcd3f0b1c7d270653d00310e6e2217c57e6",
-      "created": "2019-08-20T20:19:55.211423266Z",
-      "docker_version": "18.06.1-ce",
-      "history": [
-        {
-          "created": "2019-08-20T20:19:55.062606894Z",
-          "created_by": "/bin/sh -c #(nop) ADD file:fe64057fbb83dccb960efabbf1cd8777920ef279a7fa8dbca0a8801c651bdf7c in / "
-        },
-        {
-          "created": "2019-08-20T20:19:55.211423266Z",
-          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
-          "empty_layer": true
-        }
-      ],
-      "os": "linux",
-      "rootfs": {
-        "type": "layers",
-        "diff_ids": [
-          "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        ]
-      },
-      "config": {
-        "Cmd": [
-          "/bin/sh"
-        ],
-        "Env": [
-          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-        ],
-        "Image": "sha256:06f4121dff4d0123ce11bd2e44f48da9ba9ddcd23ae376ea1f363f63ea0849b5",
-        "ArgsEscaped": true
-      }
-    }
-  },
-  "Results": [
-    {
-      "Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-      "Class": "os-pkgs",
-      "Type": "alpine",
-      "Vulnerabilities": [
-        {
-          "VulnerabilityID": "CVE-2019-1549",
-          "PkgName": "libcrypto1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
-          "Title": "openssl: information disclosure in fork()",
-          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-330"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-              "V3Score": 4.8
-            }
-          },
-          "References": [
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://support.f5.com/csp/article/K44070243",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-19T17:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1551",
-          "PkgName": "libcrypto1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r2",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-200"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-              "V3Score": 4.8
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-            "https://github.com/openssl/openssl/pull/10575",
-            "https://seclists.org/bugtraq/2019/Dec/39",
-            "https://seclists.org/bugtraq/2019/Dec/46",
-            "https://security.netapp.com/advisory/ntap-20191210-0001/",
-            "https://www.debian.org/security/2019/dsa-4594",
-            "https://www.openssl.org/news/secadv/20191206.txt",
-            "https://www.tenable.com/security/tns-2019-09"
-          ],
-          "PublishedDate": "2019-12-06T18:15:00Z",
-          "LastModifiedDate": "2019-12-25T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1563",
-          "PkgName": "libcrypto1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 4.3
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-              "V3Score": 3.7
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1547",
-          "PkgName": "libcrypto1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-          "Title": "openssl: side-channel weak encryption vulnerability",
-          "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "LOW",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 1.9
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-              "V3Score": 5.5
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://arxiv.org/abs/1909.01785",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T16:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1549",
-          "PkgName": "libssl1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
-          "Title": "openssl: information disclosure in fork()",
-          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-330"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-              "V3Score": 4.8
-            }
-          },
-          "References": [
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://support.f5.com/csp/article/K44070243",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-19T17:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1551",
-          "PkgName": "libssl1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r2",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-200"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-              "V3Score": 4.8
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-            "https://github.com/openssl/openssl/pull/10575",
-            "https://seclists.org/bugtraq/2019/Dec/39",
-            "https://seclists.org/bugtraq/2019/Dec/46",
-            "https://security.netapp.com/advisory/ntap-20191210-0001/",
-            "https://www.debian.org/security/2019/dsa-4594",
-            "https://www.openssl.org/news/secadv/20191206.txt",
-            "https://www.tenable.com/security/tns-2019-09"
-          ],
-          "PublishedDate": "2019-12-06T18:15:00Z",
-          "LastModifiedDate": "2019-12-25T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1563",
-          "PkgName": "libssl1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 4.3
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-              "V3Score": 3.7
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1547",
-          "PkgName": "libssl1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-          "Title": "openssl: side-channel weak encryption vulnerability",
-          "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "LOW",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 1.9
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-              "V3Score": 5.5
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://arxiv.org/abs/1909.01785",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T16:15:00Z"
-        }
-      ]
-    }
-  ]
-}
--- a/integration/testdata/alpine-310-medium-high.json.golden
+++ b/integration/testdata/alpine-310-medium-high.json.golden
@@ -1,295 +0,0 @@
-{
-  "SchemaVersion": 2,
-  "ArtifactName": "testdata/fixtures/images/alpine-310.tar.gz",
-  "ArtifactType": "container_image",
-  "Metadata": {
-    "OS": {
-      "Family": "alpine",
-      "Name": "3.10.2",
-      "EOSL": true
-    },
-    "ImageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4",
-    "DiffIDs": [
-      "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-    ],
-    "ImageConfig": {
-      "architecture": "amd64",
-      "container": "0a80155a31551fcc1a36fccbbda79fcd3f0b1c7d270653d00310e6e2217c57e6",
-      "created": "2019-08-20T20:19:55.211423266Z",
-      "docker_version": "18.06.1-ce",
-      "history": [
-        {
-          "created": "2019-08-20T20:19:55.062606894Z",
-          "created_by": "/bin/sh -c #(nop) ADD file:fe64057fbb83dccb960efabbf1cd8777920ef279a7fa8dbca0a8801c651bdf7c in / "
-        },
-        {
-          "created": "2019-08-20T20:19:55.211423266Z",
-          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
-          "empty_layer": true
-        }
-      ],
-      "os": "linux",
-      "rootfs": {
-        "type": "layers",
-        "diff_ids": [
-          "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        ]
-      },
-      "config": {
-        "Cmd": [
-          "/bin/sh"
-        ],
-        "Env": [
-          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-        ],
-        "Image": "sha256:06f4121dff4d0123ce11bd2e44f48da9ba9ddcd23ae376ea1f363f63ea0849b5",
-        "ArgsEscaped": true
-      }
-    }
-  },
-  "Results": [
-    {
-      "Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-      "Class": "os-pkgs",
-      "Type": "alpine",
-      "Vulnerabilities": [
-        {
-          "VulnerabilityID": "CVE-2019-1549",
-          "PkgName": "libcrypto1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
-          "Title": "openssl: information disclosure in fork()",
-          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-330"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-              "V3Score": 4.8
-            }
-          },
-          "References": [
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://support.f5.com/csp/article/K44070243",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-19T17:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1551",
-          "PkgName": "libcrypto1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r2",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-200"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-              "V3Score": 4.8
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-            "https://github.com/openssl/openssl/pull/10575",
-            "https://seclists.org/bugtraq/2019/Dec/39",
-            "https://seclists.org/bugtraq/2019/Dec/46",
-            "https://security.netapp.com/advisory/ntap-20191210-0001/",
-            "https://www.debian.org/security/2019/dsa-4594",
-            "https://www.openssl.org/news/secadv/20191206.txt",
-            "https://www.tenable.com/security/tns-2019-09"
-          ],
-          "PublishedDate": "2019-12-06T18:15:00Z",
-          "LastModifiedDate": "2019-12-25T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1563",
-          "PkgName": "libcrypto1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 4.3
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-              "V3Score": 3.7
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1549",
-          "PkgName": "libssl1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
-          "Title": "openssl: information disclosure in fork()",
-          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-330"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-              "V3Score": 4.8
-            }
-          },
-          "References": [
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://support.f5.com/csp/article/K44070243",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-19T17:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1551",
-          "PkgName": "libssl1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r2",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-200"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-              "V3Score": 4.8
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-            "https://github.com/openssl/openssl/pull/10575",
-            "https://seclists.org/bugtraq/2019/Dec/39",
-            "https://seclists.org/bugtraq/2019/Dec/46",
-            "https://security.netapp.com/advisory/ntap-20191210-0001/",
-            "https://www.debian.org/security/2019/dsa-4594",
-            "https://www.openssl.org/news/secadv/20191206.txt",
-            "https://www.tenable.com/security/tns-2019-09"
-          ],
-          "PublishedDate": "2019-12-06T18:15:00Z",
-          "LastModifiedDate": "2019-12-25T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1563",
-          "PkgName": "libssl1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 4.3
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-              "V3Score": 3.7
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T11:15:00Z"
-        }
-      ]
-    }
-  ]
-}
--- a/integration/testdata/alpine-310-registry.json.golden
+++ b/integration/testdata/alpine-310-registry.json.golden
@@ -1,6 +1,6 @@
 {
  "SchemaVersion": 2,
-  "ArtifactName": "testdata/fixtures/images/alpine-310.tar.gz",
+  "ArtifactName": "localhost:63577/alpine:3.10",
  "ArtifactType": "container_image",
  "Metadata": {
    "OS": {
@@ -12,6 +12,12 @@
    "DiffIDs": [
      "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
    ],
+    "RepoTags": [
+      "localhost:63577/alpine:3.10"
+    ],
+    "RepoDigests": [
+      "localhost:63577/alpine@sha256:d9b1a0d4fab413443a22e550cb8720de487295cebca3f9b2fcbf8882192a9bf9"
+    ],
    "ImageConfig": {
      "architecture": "amd64",
      "container": "0a80155a31551fcc1a36fccbbda79fcd3f0b1c7d270653d00310e6e2217c57e6",
@@ -49,7 +55,7 @@
  },
  "Results": [
    {
-      "Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
+      "Target": "localhost:63577/alpine:3.10 (alpine 3.10.2)",
      "Class": "os-pkgs",
      "Type": "alpine",
      "Vulnerabilities": [
@@ -59,11 +65,16 @@
          "InstalledVersion": "1.1.1c-r0",
          "FixedVersion": "1.1.1d-r0",
          "Layer": {
-            "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
+            "Digest": "sha256:3489774ebf88fb1f0b08e0abb45826a3cbd9d0eb6458d5fc54729197feddffb9",
            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
          "Title": "openssl: information disclosure in fork()",
          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
          "Severity": "MEDIUM",
@@ -73,7 +84,9 @@
          "CVSS": {
            "nvd": {
              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 5.3
            },
            "redhat": {
              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
@@ -81,15 +94,29 @@
            }
          },
          "References": [
+            "https://access.redhat.com/security/cve/CVE-2019-1549",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
+            "https://linux.oracle.com/cve/CVE-2019-1549.html",
+            "https://linux.oracle.com/errata/ELSA-2020-1840.html",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/",
+            "https://seclists.org/bugtraq/2019/Oct/1",
            "https://security.netapp.com/advisory/ntap-20190919-0002/",
            "https://support.f5.com/csp/article/K44070243",
-            "https://www.openssl.org/news/secadv/20190910.txt"
+            "https://support.f5.com/csp/article/K44070243?utm_source=f5support\u0026amp;utm_medium=RSS",
+            "https://ubuntu.com/security/notices/USN-4376-1",
+            "https://usn.ubuntu.com/4376-1/",
+            "https://www.debian.org/security/2019/dsa-4539",
+            "https://www.openssl.org/news/secadv/20190910.txt",
+            "https://www.oracle.com/security-alerts/cpuapr2020.html",
+            "https://www.oracle.com/security-alerts/cpujan2020.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.oracle.com/security-alerts/cpuoct2020.html",
+            "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
          ],
          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-19T17:15:00Z"
+          "LastModifiedDate": "2020-10-20T22:15:00Z"
        },
        {
          "VulnerabilityID": "CVE-2019-1551",
@@ -97,13 +124,18 @@
          "InstalledVersion": "1.1.1c-r0",
          "FixedVersion": "1.1.1d-r2",
          "Layer": {
-            "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
+            "Digest": "sha256:3489774ebf88fb1f0b08e0abb45826a3cbd9d0eb6458d5fc54729197feddffb9",
            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
          "Severity": "MEDIUM",
          "CweIDs": [
            "CWE-200"
@@ -111,109 +143,49 @@
          "CVSS": {
            "nvd": {
              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 5.3
            },
            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
              "V3Score": 4.8
            }
          },
          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://access.redhat.com/security/cve/CVE-2019-1551",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
            "https://github.com/openssl/openssl/pull/10575",
+            "https://linux.oracle.com/cve/CVE-2019-1551.html",
+            "https://linux.oracle.com/errata/ELSA-2020-4514.html",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/",
            "https://seclists.org/bugtraq/2019/Dec/39",
            "https://seclists.org/bugtraq/2019/Dec/46",
+            "https://security.gentoo.org/glsa/202004-10",
            "https://security.netapp.com/advisory/ntap-20191210-0001/",
+            "https://ubuntu.com/security/notices/USN-4376-1",
+            "https://ubuntu.com/security/notices/USN-4504-1",
+            "https://usn.ubuntu.com/4376-1/",
+            "https://usn.ubuntu.com/4504-1/",
            "https://www.debian.org/security/2019/dsa-4594",
+            "https://www.debian.org/security/2021/dsa-4855",
            "https://www.openssl.org/news/secadv/20191206.txt",
-            "https://www.tenable.com/security/tns-2019-09"
+            "https://www.oracle.com/security-alerts/cpuApr2021.html",
+            "https://www.oracle.com/security-alerts/cpujan2021.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.tenable.com/security/tns-2019-09",
+            "https://www.tenable.com/security/tns-2020-03",
+            "https://www.tenable.com/security/tns-2020-11",
+            "https://www.tenable.com/security/tns-2021-10"
          ],
          "PublishedDate": "2019-12-06T18:15:00Z",
-          "LastModifiedDate": "2019-12-25T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1563",
-          "PkgName": "libcrypto1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 4.3
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-              "V3Score": 3.7
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1547",
-          "PkgName": "libcrypto1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-          "Title": "openssl: side-channel weak encryption vulnerability",
-          "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "LOW",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 1.9
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-              "V3Score": 5.5
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://arxiv.org/abs/1909.01785",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T16:15:00Z"
+          "LastModifiedDate": "2021-07-21T11:39:00Z"
        },
        {
          "VulnerabilityID": "CVE-2019-1549",
@@ -221,11 +193,16 @@
          "InstalledVersion": "1.1.1c-r0",
          "FixedVersion": "1.1.1d-r0",
          "Layer": {
-            "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
+            "Digest": "sha256:3489774ebf88fb1f0b08e0abb45826a3cbd9d0eb6458d5fc54729197feddffb9",
            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
          "Title": "openssl: information disclosure in fork()",
          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
          "Severity": "MEDIUM",
@@ -235,7 +212,9 @@
          "CVSS": {
            "nvd": {
              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 5.3
            },
            "redhat": {
              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
@@ -243,15 +222,29 @@
            }
          },
          "References": [
+            "https://access.redhat.com/security/cve/CVE-2019-1549",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
+            "https://linux.oracle.com/cve/CVE-2019-1549.html",
+            "https://linux.oracle.com/errata/ELSA-2020-1840.html",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/",
+            "https://seclists.org/bugtraq/2019/Oct/1",
            "https://security.netapp.com/advisory/ntap-20190919-0002/",
            "https://support.f5.com/csp/article/K44070243",
-            "https://www.openssl.org/news/secadv/20190910.txt"
+            "https://support.f5.com/csp/article/K44070243?utm_source=f5support\u0026amp;utm_medium=RSS",
+            "https://ubuntu.com/security/notices/USN-4376-1",
+            "https://usn.ubuntu.com/4376-1/",
+            "https://www.debian.org/security/2019/dsa-4539",
+            "https://www.openssl.org/news/secadv/20190910.txt",
+            "https://www.oracle.com/security-alerts/cpuapr2020.html",
+            "https://www.oracle.com/security-alerts/cpujan2020.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.oracle.com/security-alerts/cpuoct2020.html",
+            "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
          ],
          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-19T17:15:00Z"
+          "LastModifiedDate": "2020-10-20T22:15:00Z"
        },
        {
          "VulnerabilityID": "CVE-2019-1551",
@@ -259,13 +252,18 @@
          "InstalledVersion": "1.1.1c-r0",
          "FixedVersion": "1.1.1d-r2",
          "Layer": {
-            "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
+            "Digest": "sha256:3489774ebf88fb1f0b08e0abb45826a3cbd9d0eb6458d5fc54729197feddffb9",
            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
          "Severity": "MEDIUM",
          "CweIDs": [
            "CWE-200"
@@ -273,109 +271,49 @@
          "CVSS": {
            "nvd": {
              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 5.3
            },
            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
              "V3Score": 4.8
            }
          },
          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://access.redhat.com/security/cve/CVE-2019-1551",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
            "https://github.com/openssl/openssl/pull/10575",
+            "https://linux.oracle.com/cve/CVE-2019-1551.html",
+            "https://linux.oracle.com/errata/ELSA-2020-4514.html",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/",
            "https://seclists.org/bugtraq/2019/Dec/39",
            "https://seclists.org/bugtraq/2019/Dec/46",
+            "https://security.gentoo.org/glsa/202004-10",
            "https://security.netapp.com/advisory/ntap-20191210-0001/",
+            "https://ubuntu.com/security/notices/USN-4376-1",
+            "https://ubuntu.com/security/notices/USN-4504-1",
+            "https://usn.ubuntu.com/4376-1/",
+            "https://usn.ubuntu.com/4504-1/",
            "https://www.debian.org/security/2019/dsa-4594",
+            "https://www.debian.org/security/2021/dsa-4855",
            "https://www.openssl.org/news/secadv/20191206.txt",
-            "https://www.tenable.com/security/tns-2019-09"
+            "https://www.oracle.com/security-alerts/cpuApr2021.html",
+            "https://www.oracle.com/security-alerts/cpujan2021.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.tenable.com/security/tns-2019-09",
+            "https://www.tenable.com/security/tns-2020-03",
+            "https://www.tenable.com/security/tns-2020-11",
+            "https://www.tenable.com/security/tns-2021-10"
          ],
          "PublishedDate": "2019-12-06T18:15:00Z",
-          "LastModifiedDate": "2019-12-25T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1563",
-          "PkgName": "libssl1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 4.3
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-              "V3Score": 3.7
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1547",
-          "PkgName": "libssl1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-          "Title": "openssl: side-channel weak encryption vulnerability",
-          "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "LOW",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 1.9
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-              "V3Score": 5.5
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://arxiv.org/abs/1909.01785",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T16:15:00Z"
+          "LastModifiedDate": "2021-07-21T11:39:00Z"
        }
      ]
    }
--- a/integration/testdata/alpine-310.asff.golden
+++ b/integration/testdata/alpine-310.asff.golden
@@ -1,362 +1,184 @@
-[
-    {
-        "SchemaVersion": "2018-10-08",
-        "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1549",
-        "ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
-        "GeneratorId": "Trivy",
-        "AwsAccountId": "123456789012",
-        "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
-        "CreatedAt": "2020-08-10T07:28:17.000958601Z",
-        "UpdatedAt": "2020-08-10T07:28:17.000958601Z",
-        "Severity": {
-            "Label": "MEDIUM"
-        },
-        "Title": "Trivy found a vulnerability to CVE-2019-1549 in container testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-        "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
-        "Remediation": {
-            "Recommendation": {
-                "Text": "More information on this vulnerability is provided in the hyperlink",
-                "Url": "https://avd.aquasec.com/nvd/cve-2019-1549"
-            }
-        },
-        "ProductFields": { "Product Name": "Trivy" },
-        "Resources": [
-            {
-                "Type": "Container",
-                "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-                "Partition": "aws",
-                "Region": "test-region",
-                "Details": {
-                    "Container": { "ImageName": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)" },
-                    "Other": {
-                        "CVE ID": "CVE-2019-1549",
-                        "CVE Title": "openssl: information disclosure in fork()",
-                        "PkgName": "libcrypto1.1",
-                        "Installed Package": "1.1.1c-r0",
-                        "Patched Package": "1.1.1d-r0",
-                        "NvdCvssScoreV3": "0",
-                        "NvdCvssVectorV3": "",
-                        "NvdCvssScoreV2": "5",
-                        "NvdCvssVectorV2": "AV:N/AC:L/Au:N/C:P/I:N/A:N"
+{
+    "Findings": [
+        {
+            "SchemaVersion": "2018-10-08",
+            "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1549",
+            "ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
+            "GeneratorId": "Trivy",
+            "AwsAccountId": "123456789012",
+            "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
+            "CreatedAt": "2020-08-10T07:28:17.000958601Z",
+            "UpdatedAt": "2020-08-10T07:28:17.000958601Z",
+            "Severity": {
+                "Label": "MEDIUM"
+            },
+            "Title": "Trivy found a vulnerability to CVE-2019-1549 in container testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
+            "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
+            "Remediation": {
+                "Recommendation": {
+                    "Text": "More information on this vulnerability is provided in the hyperlink",
+                    "Url": "https://avd.aquasec.com/nvd/cve-2019-1549"
+                }
+            },
+            "ProductFields": { "Product Name": "Trivy" },
+            "Resources": [
+                {
+                    "Type": "Container",
+                    "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
+                    "Partition": "aws",
+                    "Region": "test-region",
+                    "Details": {
+                        "Container": { "ImageName": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)" },
+                        "Other": {
+                            "CVE ID": "CVE-2019-1549",
+                            "CVE Title": "openssl: information disclosure in fork()",
+                            "PkgName": "libcrypto1.1",
+                            "Installed Package": "1.1.1c-r0",
+                            "Patched Package": "1.1.1d-r0",
+                            "NvdCvssScoreV3": "5.3",
+                            "NvdCvssVectorV3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+                            "NvdCvssScoreV2": "5",
+                            "NvdCvssVectorV2": "AV:N/AC:L/Au:N/C:P/I:N/A:N"
+                        }
                    }
                }
-            }
-        ],
-        "RecordState": "ACTIVE"
-    },
-    {
-        "SchemaVersion": "2018-10-08",
-        "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1551",
-        "ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
-        "GeneratorId": "Trivy",
-        "AwsAccountId": "123456789012",
-        "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
-        "CreatedAt": "2020-08-10T07:28:17.000958601Z",
-        "UpdatedAt": "2020-08-10T07:28:17.000958601Z",
-        "Severity": {
-            "Label": "MEDIUM"
+            ],
+            "RecordState": "ACTIVE"
        },
-        "Title": "Trivy found a vulnerability to CVE-2019-1551 in container testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-        "Remediation": {
-            "Recommendation": {
-                "Text": "More information on this vulnerability is provided in the hyperlink",
-                "Url": "https://avd.aquasec.com/nvd/cve-2019-1551"
-            }
-        },
-        "ProductFields": { "Product Name": "Trivy" },
-        "Resources": [
-            {
-                "Type": "Container",
-                "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-                "Partition": "aws",
-                "Region": "test-region",
-                "Details": {
-                    "Container": { "ImageName": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)" },
-                    "Other": {
-                        "CVE ID": "CVE-2019-1551",
-                        "CVE Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-                        "PkgName": "libcrypto1.1",
-                        "Installed Package": "1.1.1c-r0",
-                        "Patched Package": "1.1.1d-r2",
-                        "NvdCvssScoreV3": "0",
-                        "NvdCvssVectorV3": "",
-                        "NvdCvssScoreV2": "5",
-                        "NvdCvssVectorV2": "AV:N/AC:L/Au:N/C:P/I:N/A:N"
+        {
+            "SchemaVersion": "2018-10-08",
+            "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1551",
+            "ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
+            "GeneratorId": "Trivy",
+            "AwsAccountId": "123456789012",
+            "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
+            "CreatedAt": "2020-08-10T07:28:17.000958601Z",
+            "UpdatedAt": "2020-08-10T07:28:17.000958601Z",
+            "Severity": {
+                "Label": "MEDIUM"
+            },
+            "Title": "Trivy found a vulnerability to CVE-2019-1551 in container testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
+            "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
+            "Remediation": {
+                "Recommendation": {
+                    "Text": "More information on this vulnerability is provided in the hyperlink",
+                    "Url": "https://avd.aquasec.com/nvd/cve-2019-1551"
+                }
+            },
+            "ProductFields": { "Product Name": "Trivy" },
+            "Resources": [
+                {
+                    "Type": "Container",
+                    "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
+                    "Partition": "aws",
+                    "Region": "test-region",
+                    "Details": {
+                        "Container": { "ImageName": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)" },
+                        "Other": {
+                            "CVE ID": "CVE-2019-1551",
+                            "CVE Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+                            "PkgName": "libcrypto1.1",
+                            "Installed Package": "1.1.1c-r0",
+                            "Patched Package": "1.1.1d-r2",
+                            "NvdCvssScoreV3": "5.3",
+                            "NvdCvssVectorV3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+                            "NvdCvssScoreV2": "5",
+                            "NvdCvssVectorV2": "AV:N/AC:L/Au:N/C:P/I:N/A:N"
+                        }
                    }
                }
-            }
-        ],
-        "RecordState": "ACTIVE"
-    },
-    {
-        "SchemaVersion": "2018-10-08",
-        "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1563",
-        "ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
-        "GeneratorId": "Trivy",
-        "AwsAccountId": "123456789012",
-        "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
-        "CreatedAt": "2020-08-10T07:28:17.000958601Z",
-        "UpdatedAt": "2020-08-10T07:28:17.000958601Z",
-        "Severity": {
-            "Label": "MEDIUM"
+            ],
+            "RecordState": "ACTIVE"
        },
-        "Title": "Trivy found a vulnerability to CVE-2019-1563 in container testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Remediation": {
-            "Recommendation": {
-                "Text": "More information on this vulnerability is provided in the hyperlink",
-                "Url": "https://avd.aquasec.com/nvd/cve-2019-1563"
-            }
-        },
-        "ProductFields": { "Product Name": "Trivy" },
-        "Resources": [
-            {
-                "Type": "Container",
-                "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-                "Partition": "aws",
-                "Region": "test-region",
-                "Details": {
-                    "Container": { "ImageName": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)" },
-                    "Other": {
-                        "CVE ID": "CVE-2019-1563",
-                        "CVE Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-                        "PkgName": "libcrypto1.1",
-                        "Installed Package": "1.1.1c-r0",
-                        "Patched Package": "1.1.1d-r0",
-                        "NvdCvssScoreV3": "0",
-                        "NvdCvssVectorV3": "",
-                        "NvdCvssScoreV2": "4.3",
-                        "NvdCvssVectorV2": "AV:N/AC:M/Au:N/C:P/I:N/A:N"
+        {
+            "SchemaVersion": "2018-10-08",
+            "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1549",
+            "ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
+            "GeneratorId": "Trivy",
+            "AwsAccountId": "123456789012",
+            "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
+            "CreatedAt": "2020-08-10T07:28:17.000958601Z",
+            "UpdatedAt": "2020-08-10T07:28:17.000958601Z",
+            "Severity": {
+                "Label": "MEDIUM"
+            },
+            "Title": "Trivy found a vulnerability to CVE-2019-1549 in container testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
+            "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
+            "Remediation": {
+                "Recommendation": {
+                    "Text": "More information on this vulnerability is provided in the hyperlink",
+                    "Url": "https://avd.aquasec.com/nvd/cve-2019-1549"
+                }
+            },
+            "ProductFields": { "Product Name": "Trivy" },
+            "Resources": [
+                {
+                    "Type": "Container",
+                    "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
+                    "Partition": "aws",
+                    "Region": "test-region",
+                    "Details": {
+                        "Container": { "ImageName": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)" },
+                        "Other": {
+                            "CVE ID": "CVE-2019-1549",
+                            "CVE Title": "openssl: information disclosure in fork()",
+                            "PkgName": "libssl1.1",
+                            "Installed Package": "1.1.1c-r0",
+                            "Patched Package": "1.1.1d-r0",
+                            "NvdCvssScoreV3": "5.3",
+                            "NvdCvssVectorV3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+                            "NvdCvssScoreV2": "5",
+                            "NvdCvssVectorV2": "AV:N/AC:L/Au:N/C:P/I:N/A:N"
+                        }
                    }
                }
-            }
-        ],
-        "RecordState": "ACTIVE"
-    },
-    {
-        "SchemaVersion": "2018-10-08",
-        "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1547",
-        "ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
-        "GeneratorId": "Trivy",
-        "AwsAccountId": "123456789012",
-        "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
-        "CreatedAt": "2020-08-10T07:28:17.000958601Z",
-        "UpdatedAt": "2020-08-10T07:28:17.000958601Z",
-        "Severity": {
-            "Label": "LOW"
+            ],
+            "RecordState": "ACTIVE"
        },
-        "Title": "Trivy found a vulnerability to CVE-2019-1547 in container testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Remediation": {
-            "Recommendation": {
-                "Text": "More information on this vulnerability is provided in the hyperlink",
-                "Url": "https://avd.aquasec.com/nvd/cve-2019-1547"
-            }
-        },
-        "ProductFields": { "Product Name": "Trivy" },
-        "Resources": [
-            {
-                "Type": "Container",
-                "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-                "Partition": "aws",
-                "Region": "test-region",
-                "Details": {
-                    "Container": { "ImageName": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)" },
-                    "Other": {
-                        "CVE ID": "CVE-2019-1547",
-                        "CVE Title": "openssl: side-channel weak encryption vulnerability",
-                        "PkgName": "libcrypto1.1",
-                        "Installed Package": "1.1.1c-r0",
-                        "Patched Package": "1.1.1d-r0",
-                        "NvdCvssScoreV3": "0",
-                        "NvdCvssVectorV3": "",
-                        "NvdCvssScoreV2": "1.9",
-                        "NvdCvssVectorV2": "AV:L/AC:M/Au:N/C:P/I:N/A:N"
+        {
+            "SchemaVersion": "2018-10-08",
+            "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1551",
+            "ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
+            "GeneratorId": "Trivy",
+            "AwsAccountId": "123456789012",
+            "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
+            "CreatedAt": "2020-08-10T07:28:17.000958601Z",
+            "UpdatedAt": "2020-08-10T07:28:17.000958601Z",
+            "Severity": {
+                "Label": "MEDIUM"
+            },
+            "Title": "Trivy found a vulnerability to CVE-2019-1551 in container testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
+            "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
+            "Remediation": {
+                "Recommendation": {
+                    "Text": "More information on this vulnerability is provided in the hyperlink",
+                    "Url": "https://avd.aquasec.com/nvd/cve-2019-1551"
+                }
+            },
+            "ProductFields": { "Product Name": "Trivy" },
+            "Resources": [
+                {
+                    "Type": "Container",
+                    "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
+                    "Partition": "aws",
+                    "Region": "test-region",
+                    "Details": {
+                        "Container": { "ImageName": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)" },
+                        "Other": {
+                            "CVE ID": "CVE-2019-1551",
+                            "CVE Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+                            "PkgName": "libssl1.1",
+                            "Installed Package": "1.1.1c-r0",
+                            "Patched Package": "1.1.1d-r2",
+                            "NvdCvssScoreV3": "5.3",
+                            "NvdCvssVectorV3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+                            "NvdCvssScoreV2": "5",
+                            "NvdCvssVectorV2": "AV:N/AC:L/Au:N/C:P/I:N/A:N"
+                        }
                    }
                }
-            }
-        ],
-        "RecordState": "ACTIVE"
-    },
-    {
-        "SchemaVersion": "2018-10-08",
-        "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1549",
-        "ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
-        "GeneratorId": "Trivy",
-        "AwsAccountId": "123456789012",
-        "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
-        "CreatedAt": "2020-08-10T07:28:17.000958601Z",
-        "UpdatedAt": "2020-08-10T07:28:17.000958601Z",
-        "Severity": {
-            "Label": "MEDIUM"
-        },
-        "Title": "Trivy found a vulnerability to CVE-2019-1549 in container testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-        "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
-        "Remediation": {
-            "Recommendation": {
-                "Text": "More information on this vulnerability is provided in the hyperlink",
-                "Url": "https://avd.aquasec.com/nvd/cve-2019-1549"
-            }
-        },
-        "ProductFields": { "Product Name": "Trivy" },
-        "Resources": [
-            {
-                "Type": "Container",
-                "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-                "Partition": "aws",
-                "Region": "test-region",
-                "Details": {
-                    "Container": { "ImageName": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)" },
-                    "Other": {
-                        "CVE ID": "CVE-2019-1549",
-                        "CVE Title": "openssl: information disclosure in fork()",
-                        "PkgName": "libssl1.1",
-                        "Installed Package": "1.1.1c-r0",
-                        "Patched Package": "1.1.1d-r0",
-                        "NvdCvssScoreV3": "0",
-                        "NvdCvssVectorV3": "",
-                        "NvdCvssScoreV2": "5",
-                        "NvdCvssVectorV2": "AV:N/AC:L/Au:N/C:P/I:N/A:N"
-                    }
-                }
-            }
-        ],
-        "RecordState": "ACTIVE"
-    },
-    {
-        "SchemaVersion": "2018-10-08",
-        "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1551",
-        "ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
-        "GeneratorId": "Trivy",
-        "AwsAccountId": "123456789012",
-        "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
-        "CreatedAt": "2020-08-10T07:28:17.000958601Z",
-        "UpdatedAt": "2020-08-10T07:28:17.000958601Z",
-        "Severity": {
-            "Label": "MEDIUM"
-        },
-        "Title": "Trivy found a vulnerability to CVE-2019-1551 in container testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-        "Remediation": {
-            "Recommendation": {
-                "Text": "More information on this vulnerability is provided in the hyperlink",
-                "Url": "https://avd.aquasec.com/nvd/cve-2019-1551"
-            }
-        },
-        "ProductFields": { "Product Name": "Trivy" },
-        "Resources": [
-            {
-                "Type": "Container",
-                "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-                "Partition": "aws",
-                "Region": "test-region",
-                "Details": {
-                    "Container": { "ImageName": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)" },
-                    "Other": {
-                        "CVE ID": "CVE-2019-1551",
-                        "CVE Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-                        "PkgName": "libssl1.1",
-                        "Installed Package": "1.1.1c-r0",
-                        "Patched Package": "1.1.1d-r2",
-                        "NvdCvssScoreV3": "0",
-                        "NvdCvssVectorV3": "",
-                        "NvdCvssScoreV2": "5",
-                        "NvdCvssVectorV2": "AV:N/AC:L/Au:N/C:P/I:N/A:N"
-                    }
-                }
-            }
-        ],
-        "RecordState": "ACTIVE"
-    },
-    {
-        "SchemaVersion": "2018-10-08",
-        "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1563",
-        "ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
-        "GeneratorId": "Trivy",
-        "AwsAccountId": "123456789012",
-        "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
-        "CreatedAt": "2020-08-10T07:28:17.000958601Z",
-        "UpdatedAt": "2020-08-10T07:28:17.000958601Z",
-        "Severity": {
-            "Label": "MEDIUM"
-        },
-        "Title": "Trivy found a vulnerability to CVE-2019-1563 in container testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Remediation": {
-            "Recommendation": {
-                "Text": "More information on this vulnerability is provided in the hyperlink",
-                "Url": "https://avd.aquasec.com/nvd/cve-2019-1563"
-            }
-        },
-        "ProductFields": { "Product Name": "Trivy" },
-        "Resources": [
-            {
-                "Type": "Container",
-                "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-                "Partition": "aws",
-                "Region": "test-region",
-                "Details": {
-                    "Container": { "ImageName": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)" },
-                    "Other": {
-                        "CVE ID": "CVE-2019-1563",
-                        "CVE Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-                        "PkgName": "libssl1.1",
-                        "Installed Package": "1.1.1c-r0",
-                        "Patched Package": "1.1.1d-r0",
-                        "NvdCvssScoreV3": "0",
-                        "NvdCvssVectorV3": "",
-                        "NvdCvssScoreV2": "4.3",
-                        "NvdCvssVectorV2": "AV:N/AC:M/Au:N/C:P/I:N/A:N"
-                    }
-                }
-            }
-        ],
-        "RecordState": "ACTIVE"
-    },
-    {
-        "SchemaVersion": "2018-10-08",
-        "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1547",
-        "ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
-        "GeneratorId": "Trivy",
-        "AwsAccountId": "123456789012",
-        "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
-        "CreatedAt": "2020-08-10T07:28:17.000958601Z",
-        "UpdatedAt": "2020-08-10T07:28:17.000958601Z",
-        "Severity": {
-            "Label": "LOW"
-        },
-        "Title": "Trivy found a vulnerability to CVE-2019-1547 in container testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Remediation": {
-            "Recommendation": {
-                "Text": "More information on this vulnerability is provided in the hyperlink",
-                "Url": "https://avd.aquasec.com/nvd/cve-2019-1547"
-            }
-        },
-        "ProductFields": { "Product Name": "Trivy" },
-        "Resources": [
-            {
-                "Type": "Container",
-                "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-                "Partition": "aws",
-                "Region": "test-region",
-                "Details": {
-                    "Container": { "ImageName": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)" },
-                    "Other": {
-                        "CVE ID": "CVE-2019-1547",
-                        "CVE Title": "openssl: side-channel weak encryption vulnerability",
-                        "PkgName": "libssl1.1",
-                        "Installed Package": "1.1.1c-r0",
-                        "Patched Package": "1.1.1d-r0",
-                        "NvdCvssScoreV3": "0",
-                        "NvdCvssVectorV3": "",
-                        "NvdCvssScoreV2": "1.9",
-                        "NvdCvssVectorV2": "AV:L/AC:M/Au:N/C:P/I:N/A:N"
-                    }
-                }
-            }
-        ],
-        "RecordState": "ACTIVE"
-    }
-]
+            ],
+            "RecordState": "ACTIVE"
+        }
+    ]
+}
--- a/integration/testdata/alpine-310.gitlab-codequality.golden
+++ b/integration/testdata/alpine-310.gitlab-codequality.golden
@@ -3,13 +3,14 @@
      "type": "issue",
      "check_name": "container_scanning",
      "categories": [ "Security" ],
-      "description": "CVE-2019-1549: openssl: information disclosure in fork()",
+      "description": "CVE-2019-1549 - libcrypto1.1 - 1.1.1c-r0 - openssl: information disclosure in fork()",
+      "fingerprint": "aeda1fbbe0e7f685887445359f8078c98eafd6de",
      "content": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
      "severity": "minor",
      "location": {
-        "path": "libcrypto1.1-1.1.1c-r0",
+        "path": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
        "lines": {
-          "begin": 1
+          "begin": 0
        }
      }
    },
@@ -17,13 +18,14 @@
      "type": "issue",
      "check_name": "container_scanning",
      "categories": [ "Security" ],
-      "description": "CVE-2019-1551: openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-      "content": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+      "description": "CVE-2019-1551 - libcrypto1.1 - 1.1.1c-r0 - openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+      "fingerprint": "473af5b2ba6b728fa3f356551c4b07a3b64d4f2a",
+      "content": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
      "severity": "minor",
      "location": {
-        "path": "libcrypto1.1-1.1.1c-r0",
+        "path": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
        "lines": {
-          "begin": 1
+          "begin": 0
        }
      }
    },
@@ -31,41 +33,14 @@
      "type": "issue",
      "check_name": "container_scanning",
      "categories": [ "Security" ],
-      "description": "CVE-2019-1563: openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-      "content": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-      "severity": "minor",
-      "location": {
-        "path": "libcrypto1.1-1.1.1c-r0",
-        "lines": {
-          "begin": 1
-        }
-      }
-    },
-    {
-      "type": "issue",
-      "check_name": "container_scanning",
-      "categories": [ "Security" ],
-      "description": "CVE-2019-1547: openssl: side-channel weak encryption vulnerability",
-      "content": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-      "severity": "info",
-      "location": {
-        "path": "libcrypto1.1-1.1.1c-r0",
-        "lines": {
-          "begin": 1
-        }
-      }
-    },
-    {
-      "type": "issue",
-      "check_name": "container_scanning",
-      "categories": [ "Security" ],
-      "description": "CVE-2019-1549: openssl: information disclosure in fork()",
+      "description": "CVE-2019-1549 - libssl1.1 - 1.1.1c-r0 - openssl: information disclosure in fork()",
+      "fingerprint": "45d39f7ecf688270aeab0da7fcad5c0cf5a57886",
      "content": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
      "severity": "minor",
      "location": {
-        "path": "libssl1.1-1.1.1c-r0",
+        "path": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
        "lines": {
-          "begin": 1
+          "begin": 0
        }
      }
    },
@@ -73,42 +48,15 @@
      "type": "issue",
      "check_name": "container_scanning",
      "categories": [ "Security" ],
-      "description": "CVE-2019-1551: openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-      "content": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+      "description": "CVE-2019-1551 - libssl1.1 - 1.1.1c-r0 - openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+      "fingerprint": "28d484eb3b3439c4991f14b3b1b26cc339eee128",
+      "content": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
      "severity": "minor",
      "location": {
-        "path": "libssl1.1-1.1.1c-r0",
+        "path": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
        "lines": {
-          "begin": 1
-        }
-      }
-    },
-    {
-      "type": "issue",
-      "check_name": "container_scanning",
-      "categories": [ "Security" ],
-      "description": "CVE-2019-1563: openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-      "content": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-      "severity": "minor",
-      "location": {
-        "path": "libssl1.1-1.1.1c-r0",
-        "lines": {
-          "begin": 1
-        }
-      }
-    },
-    {
-      "type": "issue",
-      "check_name": "container_scanning",
-      "categories": [ "Security" ],
-      "description": "CVE-2019-1547: openssl: side-channel weak encryption vulnerability",
-      "content": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-      "severity": "info",
-      "location": {
-        "path": "libssl1.1-1.1.1c-r0",
-        "lines": {
-          "begin": 1
+          "begin": 0
        }
      }
    }
-]
+]
--- a/Show More
+++ b/Show More