fix(java/pom): ignore unsupported requirements (#1514)

Co-authored-by: Andrey Levchenko <levchenko.andrey@gmail.com>

.github/workflows/publish-chart.yaml

@@ -1,45 +1,82 @@
-name: Publish Chart Helm
+
+name: Publish Helm chart
+
 on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'helm/trivy/**'
   push:
     branches: [main]
     paths:
       - 'helm/trivy/**'
-  workflow_dispatch:
 env:
   HELM_REP: helm-charts
   GH_OWNER: aquasecurity
   CHART_DIR: helm/trivy
+  KIND_VERSION: "v0.11.1"
+  KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"
 jobs:
-  release:
+  test-chart:
     runs-on: ubuntu-20.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
         with:
           fetch-depth: 0
       - name: Install Helm
-        uses: azure/setup-helm@v1
+        uses: azure/setup-helm@18bc76811624f360dbd7f18c2d4ecb32c7b87bab #v1.1
         with:
           version: v3.5.0
+      - name: Set up python
+        uses: actions/setup-python@0066b88440aa9562be742e2c60ee750fc57d8849 #v2.3.0
+        with:
+          python-version: 3.7
+      - name: Setup Chart Linting
+        id: lint
+        uses: helm/chart-testing-action@5f16c27cf7a4fa9c776ff73734df3909b2b65127 #v2.1.0
+      - name: Setup Kubernetes cluster (KIND)
+        uses: helm/kind-action@94729529f85113b88f4f819c17ce61382e6d8478 #v1.2.0
+        with:
+          version: ${{ env.KIND_VERSION }}
+          image: ${{ env.KIND_IMAGE }}
+      - name: Run chart-testing
+        run: ct lint-and-install --validate-maintainers=false --charts helm/trivy
+      - name: Run chart-testing (Ingress enabled)
+        run: |
+          sed -i -e '97s,false,'true',g' ./helm/trivy/values.yaml
+          ct lint-and-install --validate-maintainers=false --charts helm/trivy
+
+  publish-chart:
+    if: github.event_name == 'push'
+    needs:
+      - test-chart
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
+        with:
+          fetch-depth: 0
       - name: Install chart-releaser
         run: |
-          wget https://github.com/helm/chart-releaser/releases/download/v1.1.1/chart-releaser_1.1.1_linux_amd64.tar.gz
-          tar xzvf chart-releaser_1.1.1_linux_amd64.tar.gz cr
+          wget https://github.com/helm/chart-releaser/releases/download/v1.3.0/chart-releaser_1.3.0_linux_amd64.tar.gz
+          echo "baed2315a9bb799efb71d512c5198a2a3b8dcd139d7f22f878777cffcd649a37  chart-releaser_1.3.0_linux_amd64.tar.gz" | sha256sum -c -
+          tar xzvf chart-releaser_1.3.0_linux_amd64.tar.gz cr
       - name: Package helm chart
         run: |
           ./cr package ${{ env.CHART_DIR }}
       - name: Upload helm chart
         # Failed with upload the same version: https://github.com/helm/chart-releaser/issues/101
         continue-on-error: true
-        ## Upload the tar in the Releases repository
         run: |
           ./cr upload -o ${{ env.GH_OWNER }} -r ${{ env.HELM_REP }} --token ${{ secrets.ORG_REPO_TOKEN }} -p .cr-release-packages
       - name: Index helm chart
         run: |
           ./cr index -o ${{ env.GH_OWNER }} -r ${{ env.HELM_REP }} -c https://${{ env.GH_OWNER }}.github.io/${{ env.HELM_REP }}/ -i index.yaml
-
       - name: Push index file
-        uses: dmnemec/copy_file_to_another_repo_action@v1.1.1
+        uses: dmnemec/copy_file_to_another_repo_action@c93037aa10fa8893de271f19978c980d0c1a9b37 #v1.1.1
         env:
           API_TOKEN_GITHUB: ${{ secrets.ORG_REPO_TOKEN }}
         with:

.github/workflows/release.yaml

@@ -57,15 +57,14 @@ jobs:
           username: ${{ secrets.ECR_ACCESS_KEY_ID }}
           password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
       - name: Generate SBOM
-        uses: CycloneDX/gh-gomod-generate-sbom@v0.3.0
+        uses: CycloneDX/gh-gomod-generate-sbom@v1
         with:
-          json: true
-          output: bom.json
-          version: ^v0
+          args: mod -licenses -json -output bom.json
+          version: ^v1
       - name: Release
         uses: goreleaser/goreleaser-action@v2
         with:
-          version: v0.182.1
+          version: v0.183.0
           args: release --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}

.github/workflows/test.yaml

@@ -75,7 +75,7 @@ jobs:
     - name: Run GoReleaser
       uses: goreleaser/goreleaser-action@v2
       with:
-        version: v0.164.0
+        version: v0.183.0
         args: release --snapshot --rm-dist --skip-publish
 
   build-documents:

.gitignore

@@ -27,3 +27,6 @@ integration/testdata/fixtures/images
 
 # SBOMs generated during CI
 /bom.json
+
+# goreleaser output
+dist

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.14
+FROM alpine:3.15.0
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/

ci/deploy-deb.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 DEBIAN_RELEASES=$(debian-distro-info --supported)
-UBUNTU_RELEASES=$(ubuntu-distro-info --supported-esm)
+UBUNTU_RELEASES=$(sort -u <(ubuntu-distro-info --supported-esm) <(ubuntu-distro-info --supported))
 
 cd trivy-repo/deb
 
@@ -9,12 +9,14 @@ for release in ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
   echo "Removing deb package of $release"
   reprepro -A i386 remove $release trivy
   reprepro -A amd64 remove $release trivy
+  reprepro -A arm64 remove $release trivy
 done
 
 for release in ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
   echo "Adding deb package to $release"
   reprepro includedeb $release ../../dist/*Linux-64bit.deb
   reprepro includedeb $release ../../dist/*Linux-32bit.deb
+  reprepro includedeb $release ../../dist/*Linux-ARM64.deb
 done
 
 git add .

contrib/html.tpl

@@ -112,6 +112,31 @@
       </tr>
         {{- end }}
       {{- end }}
+      {{- if (eq (len .Misconfigurations ) 0) }}
+      <tr><th colspan="6">No Misconfigurations found</th></tr>
+      {{- else }}
+      <tr class="sub-header">
+        <th>Type</th>
+        <th>Misconf ID</th>
+        <th>Check</th>
+        <th>Severity</th>
+        <th>Message</th>
+      </tr>
+        {{- range .Misconfigurations }}
+      <tr class="severity-{{ escapeXML .Severity }}">
+        <td class="misconf-type">{{ escapeXML .Type }}</td>
+        <td>{{ escapeXML .ID }}</td>
+        <td class="misconf-check">{{ escapeXML .Title }}</td>
+        <td class="severity">{{ escapeXML .Severity }}</td>
+        <td class="link" data-more-links="off"  style="white-space:normal;"">
+          {{ escapeXML .Message }}
+          <br>
+            <a href={{ escapeXML .PrimaryURL | printf "%q" }}>{{ escapeXML .PrimaryURL }}</a>
+          </br>
+        </td>
+      </tr>
+        {{- end }}
+      {{- end }}
     {{- end }}
     </table>
 {{- else }}

contrib/install.sh

@@ -182,11 +182,11 @@ log_tag() {
 }
 log_debug() {
   log_priority 7 || return 0
-  echoerr "$(log_prefix)" "$(log_tag 7)" "$@"
+  echo "$(log_prefix)" "$(log_tag 7)" "$@"
 }
 log_info() {
   log_priority 6 || return 0
-  echoerr "$(log_prefix)" "$(log_tag 6)" "$@"
+  echo "$(log_prefix)" "$(log_tag 6)" "$@"
 }
 log_err() {
   log_priority 3 || return 0

contrib/sarif.tpl

@@ -1,6 +1,7 @@
 {
   "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
   "version": "2.1.0",
+  {{- $rules := makeRuleMap }}
   "runs": [
     {
       "tool": {
@@ -14,42 +15,43 @@
         {{- range $result := . }}
             {{- $vulnerabilityType := .Type }}
             {{- range .Vulnerabilities -}}
-              {{- if $t_first -}}
-                {{- $t_first = false -}}
-              {{ else -}}
-                ,
-              {{- end }}
-            {
-              "id": {{ printf "%s: %s-%s %s" $result.Target .PkgName .InstalledVersion .VulnerabilityID | toJson }},
-              "name": "{{ toSarifRuleName $vulnerabilityType }}",
-              "shortDescription": {
-                "text": {{ printf "%v Package: %v" .VulnerabilityID .PkgName | printf "%q" }}
-              },
-              "fullDescription": {
-                "text": {{ endWithPeriod (escapeString .Title) | printf "%q" }}
-              },
-              "defaultConfiguration": {
-                "level": "{{ toSarifErrorLevel .Vulnerability.Severity }}"
-              }
-              {{- with $help_uri := .PrimaryURL -}}
-              ,
-              {{ $help_uri | printf "\"helpUri\": %q," -}}
-              {{- else -}}
-              ,
-              {{- end }}
-              "help": {
-                "text": {{ printf "Vulnerability %v\nSeverity: %v\nPackage: %v\nInstalled Version: %v\nFixed Version: %v\nLink: [%v](%v)" .VulnerabilityID .Vulnerability.Severity .PkgName .InstalledVersion .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}},
-                "markdown": {{ printf "**Vulnerability %v**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|%v|%v|%v|%v|[%v](%v)|\n" .VulnerabilityID .Vulnerability.Severity .PkgName .InstalledVersion .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}}
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "{{ .Vulnerability.Severity }}",
-                  {{ .PkgName | printf "%q" }}
-                ],
-                "precision": "very-high"
-              }
-            }
+                {{- if indexRule $rules .VulnerabilityID -}}
+                  {{- if $t_first -}}
+                    {{- $t_first = false -}}
+                  {{ else -}}
+                    ,
+                  {{- end }}
+                {
+                  "id": {{ .VulnerabilityID | toJson }},
+                  "name": "{{ toSarifRuleName $vulnerabilityType }}",
+                  "shortDescription": {
+                    "text": {{ .VulnerabilityID | toJson }}
+                  },
+                  "fullDescription": {
+                    "text": {{ endWithPeriod (escapeString .Title) | printf "%q" }}
+                  },
+                  "defaultConfiguration": {
+                    "level": "{{ toSarifErrorLevel .Vulnerability.Severity }}"
+                  }
+                  {{- with $help_uri := .PrimaryURL -}}
+                  ,
+                  {{ $help_uri | printf "\"helpUri\": %q," -}}
+                  {{- else -}}
+                  ,
+                  {{- end }}
+                  "help": {
+                    "text": {{ printf "Vulnerability %v\n%v\nSeverity: %v\nPackage: %v\nFixed Version: %v\nLink: [%v](%v)" .VulnerabilityID .Vulnerability.Description .Vulnerability.Severity .PkgName .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}},                    
+                    "markdown": {{ printf "**Vulnerability %v**\n%v\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|%v|%v|%v|[%v](%v)|\n" .VulnerabilityID .Vulnerability.Description .Vulnerability.Severity .PkgName .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}}                    
+                  },
+                  "properties": {
+                    "tags": [
+                      "vulnerability",
+                      "{{ .Vulnerability.Severity }}"
+                    ],
+                    "precision": "very-high"
+                  }
+                }
+                {{- end -}}
             {{- end -}}
          {{- end -}}
           ]
@@ -66,17 +68,20 @@
             ,
           {{- end }}
         {
-          "ruleId": {{ printf "%s: %s-%s %s" $result.Target .PkgName .InstalledVersion .VulnerabilityID | toJson }},
-          "ruleIndex": {{ $index }},
+          "ruleId": {{ .VulnerabilityID | toJson }},
+          "ruleIndex": {{ index $rules .VulnerabilityID }},
           "level": "{{ toSarifErrorLevel $vulnerability.Vulnerability.Severity }}",
           "message": {
-            "text": {{ endWithPeriod (escapeString $vulnerability.Description) | printf "%q" }}
+            "text": {{ printf "Package: %v\nInstalled Version: %v\nVulnerability %v\nSeverity: %v\nFixed Version: %v\nLink: [%v](%v)" .PkgName .InstalledVersion .VulnerabilityID .Vulnerability.Severity .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}}
           },
           "locations": [{
             "physicalLocation": {
               "artifactLocation": {
                 "uri": "{{ toPathUri $filePath }}",
                 "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
               }
             }
           }]
@@ -87,7 +92,7 @@
       "columnKind": "utf16CodeUnits",
       "originalUriBaseIds": {
         "ROOTPATH": {
-          "uri": "/"
+          "uri": "file:///"
         }
       }
     }

docs/advanced/air-gap.md

@@ -2,7 +2,10 @@
 
 Trivy can be used in air-gapped environments.
 
-## Download the vulnerability database
+
+## Air-Gapped Environment for vulnerabilities
+
+### Download the vulnerability database
 At first, you need to download the vulnerability database for use in air-gapped environments.
 Go to [trivy-db][trivy-db] and download `trivy-offline.db.tgz` in the latest release.
 If you download `trivy-light-offline.db.tgz`, you have to run Trivy with `--light` option.
@@ -11,14 +14,14 @@ If you download `trivy-light-offline.db.tgz`, you have to run Trivy with `--ligh
 $ wget https://github.com/aquasecurity/trivy-db/releases/latest/download/trivy-offline.db.tgz
 ```
 
-## Transfer the DB file into the air-gapped environment
+### Transfer the DB file into the air-gapped environment
 The way of transfer depends on the environment.
 
 ```
 $ rsync -av -e ssh /path/to/trivy-offline.db.tgz [user]@[host]:dst
 ```
 
-## Put the DB file in Trivy's cache directory
+### Put the DB file in Trivy's cache directory
 You have to know where to put the DB file. The following command shows the default cache directory.
 
 ```
@@ -47,11 +50,70 @@ $ rm trivy-offline.db.tgz
 
 In an air-gapped environment it is your responsibility to update the Trivy database on a regular basis, so that the scanner can detect recently-identified vulnerabilities. 
 
-## Run Trivy with --skip-update option
+### Run Trivy with --skip-update and --offline-scan option
 In an air-gapped environment, specify `--skip-update` so that Trivy doesn't attempt to download the latest database file.
+In addition, if you want to scan Java dependencies such as JAR and pom.xml, you need to specify `--offline-scan` since Trivy tries to issue API requests for scanning Java applications by default.
 
 ```
-$ trivy image --skip-update alpine:3.12
+$ trivy image --skip-update --offline-scan alpine:3.12
+```
+
+## Air-Gapped Environment for misconfigurations
+
+### Download misconfiguration policies
+At first, you need to download misconfiguration policies for use in air-gapped environments.
+Please follow [oras installation instruction][oras]. \
+Download `bundle.tar.gz`:
+
+```
+$ oras pull ghcr.io/aquasecurity/appshield:latest -a
+```
+
+### Transfer misconfiguration policies into the air-gapped environment
+The way of transfer depends on the environment.
+
+```
+$ rsync -av -e ssh /path/to/bundle.tar.gz [user]@[host]:dst
+```
+
+### Put the misconfiguration policies in Trivy's cache directory
+You have to know where to put the misconfiguration policies file. The following command shows the default cache directory.
+
+```
+$ ssh user@host
+$ trivy -h | grep cache
+   --cache-dir value  cache directory (default: "/home/myuser/.cache/trivy") [$TRIVY_CACHE_DIR]
+```
+
+Put the misconfiguration policies file in the cache directory + `/policy/content`.
+
+```
+$ mkdir -p /home/myuser/.cache/trivy/policy/content
+$ cd /home/myuser/.cache/trivy/policy/content
+$ mv /path/to/bundle.tar.gz .
+```
+
+Then, decompress it.
+`bundle.tar.gz ` file includes two folders: `docker`, `kubernetes` and file: `.manifest`.
+
+```
+$ tar xvf bundle.tar.gz 
+x ./docker/
+...
+x ./kubernetes/
+...
+x ./.manifest
+$ rm bundle.tar.gz
+```
+
+In an air-gapped environment it is your responsibility to update policies on a regular basis, so that the scanner can detect recently-identified misconfigurations. 
+
+### Run Trivy with --skip-policy-update option
+In an air-gapped environment, specify `--skip-policy-update` so that Trivy doesn't attempt to download the latest misconfiguration policies.
+
+```
+$ trivy conf --skip-policy-update /path/to/conf
 ```
 
 [trivy-db]: https://github.com/aquasecurity/trivy-db/releases
+[oras]: https://oras.land/cli/

docs/advanced/community/references.md

@@ -0,0 +1,19 @@
+# External References
+There are external blogs and evaluations.
+
+## Blogs
+- [the vulnerability remediation lifecycle of Alpine containers][alpine]
+- [Continuous Container Vulnerability Testing with Trivy][semaphore]
+- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy][round-up]
+- [Docker Image Security: Static Analysis Tool Comparison – Anchore Engine vs Clair vs Trivy][tool-comparison]
+
+## Links
+- [Research Spike: evaluate Trivy for scanning running containers][gitlab]
+- [Istio evaluates scanners][istio]
+
+[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
+[semaphore]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy
+[round-up]: https://boxboat.com/2020/04/24/image-scanning-tech-compared/
+[tool-comparison]: https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/
+[gitlab]: https://gitlab.com/gitlab-org/gitlab/-/issues/270888
+[istio]: https://github.com/istio/release-builder/pull/687#issuecomment-874938417

docs/advanced/community/tools.md

@@ -0,0 +1,37 @@
+# Community Tools
+The open source community has been hard at work developing new tools for Trivy. You can check out some of them here.
+
+Have you created a tool that’s not listed? Add the name and description of your integration and open a pull request in the GitHub repository to get your change merged.
+
+## GitHub Actions
+
+| Actions                                    | Description                                                                      |
+| ------------------------------------------ | -------------------------------------------------------------------------------- |
+| [gitrivy][gitrivy]                         | GitHub Issue + Trivy                                                             |
+| [trivy-github-issues][trivy-github-issues] | GitHub Actions for creating GitHub Issues according to the Trivy scanning result |
+
+## Semaphore
+
+| Name                                                   | Description                               |
+| -------------------------------------------------------| ----------------------------------------- |
+| [Continuous Vulnerability Testing with Trivy][semaphore-tutorial] | Tutorial on scanning code, containers, infrastructure, and Kubernetes with Semaphore CI/CD. |
+
+
+## CircleCI
+
+| Orb                                      | Description                               |
+| -----------------------------------------| ----------------------------------------- |
+| [fifteen5/trivy-orb][fifteen5/trivy-orb] | Orb for running Trivy, a security scanner |
+
+## Others
+
+| Name                                     | Description                               |
+| -----------------------------------------| ----------------------------------------- |
+| [Trivy Vulnerability Explorer][explorer] | Explore trivy vulnerability reports in your browser and create .trivyignore files interactively. Can be integrated in your CI/CD tooling with deep links.   |
+
+
+[trivy-github-issues]: https://github.com/marketplace/actions/trivy-github-issues
+[fifteen5/trivy-orb]: https://circleci.com/developer/orbs/orb/fifteen5/trivy-orb
+[gitrivy]: https://github.com/marketplace/actions/trivy-action
+[explorer]: https://dbsystel.github.io/trivy-vulnerability-explorer/
+[semaphore-tutorial]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy

docs/advanced/container/unpacked-filesystem.md

@@ -1,6 +1,6 @@
 # Unpacked Filesystem
 
-Scan aan unpacked container image filesystem.
+Scan an unpacked container image filesystem.
 
 In this case, Trivy works the same way when scanning containers
 

docs/advanced/integrations/bitbucket.md

@@ -0,0 +1,5 @@
+# Bitbucket Pipelines
+
+See [trivy-pipe][trivy-pipe] for the details.
+
+[trivy-pipe]: https://github.com/aquasecurity/trivy-pipe

docs/advanced/private-registries/gcr.md

@@ -1,7 +1,40 @@
-Trivy uses Google Cloud SDK. You don't need to install `gcloud` command.
+# Requirements
+None, Trivy uses Google Cloud SDK. You don't need to install `gcloud` command.
 
-If you want to use target project's repository, you can settle via `GOOGLE_APPLICATION_CREDENTIAL`.
+# Privileges
+Credential file must have the `roles/storage.objectViewer` permissions.
+More information can be found in [Google's documentation](https://cloud.google.com/container-registry/docs/access-control)
+
+## JSON File Format
+The JSON file specified should have the following format provided by google's service account mechanisms:
+
+```json
+{
+  "type": "service_account",
+  "project_id": "your_special_project",
+  "private_key_id": "XXXXXXXXXXXXXXXXXXXXxx",
+  "private_key": "-----BEGIN PRIVATE KEY-----\nNONONONO\n-----END PRIVATE KEY-----\n",
+  "client_email": "somedude@your_special_project.iam.gserviceaccount.com",
+  "client_id": "1234567890",
+  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+  "token_uri": "https://oauth2.googleapis.com/token",
+  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/somedude%40your_special_project.iam.gserviceaccount.com"
+}
+```
+
+# Usage
+If you want to use target project's repository, you can set them via `GOOGLE_APPLICATION_CREDENTIALS`.
 ```bash
 # must set TRIVY_USERNAME empty char
 export GOOGLE_APPLICATION_CREDENTIALS=/path/to/credential.json
 ```
+
+# Testing
+You can test credentials in the following manner (assuming they are in `/tmp` on host machine).
+
+```bash
+docker run -it --rm -v /tmp:/tmp\
+  -e GOOGLE_APPLICATION_CREDENTIALS=/tmp/service_account.json\
+  aquasec/trivy image gcr.io/your_special_project/your_special_image:your_special_tag
+```

docs/getting-started/cli/client.md

@@ -22,6 +22,7 @@ OPTIONS:
    --timeout value             timeout (default: 5m0s) [$TRIVY_TIMEOUT]
    --ignore-policy value       specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
    --list-all-pkgs             enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
+   --offline-scan              do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
    --token value               for authentication [$TRIVY_TOKEN]
    --token-header value        specify a header name for token (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
    --remote value              server address (default: "http://localhost:4954") [$TRIVY_REMOTE]

docs/getting-started/cli/fs.md

@@ -25,6 +25,7 @@ OPTIONS:
    --no-progress                                  suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
    --ignore-policy value                          specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
    --list-all-pkgs                                enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
+   --offline-scan                                 do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
    --skip-files value                             specify the file paths to skip traversal [$TRIVY_SKIP_FILES]
    --skip-dirs value                              specify the directories where the traversal is skipped [$TRIVY_SKIP_DIRS]
    --config-policy value                          specify paths to the Rego policy files directory, applying config files [$TRIVY_CONFIG_POLICY]

docs/getting-started/cli/image.md

@@ -27,6 +27,7 @@ OPTIONS:
    --light                     light mode: it's faster, but vulnerability descriptions and references are not displayed (default: false) [$TRIVY_LIGHT]
    --ignore-policy value       specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
    --list-all-pkgs             enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
+   --offline-scan              do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
    --skip-files value          specify the file path to skip traversal [$TRIVY_SKIP_FILES]
    --skip-dirs value           specify the directory where the traversal is skipped [$TRIVY_SKIP_DIRS]
    --cache-backend value       cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]

docs/getting-started/cli/repo.md

@@ -25,6 +25,7 @@ OPTIONS:
    --no-progress               suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
    --ignore-policy value       specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
    --list-all-pkgs             enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
+   --offline-scan              do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
    --skip-files value          specify the file path to skip traversal [$TRIVY_SKIP_FILES]
    --skip-dirs value           specify the directory where the traversal is skipped [$TRIVY_SKIP_DIRS]
    --help, -h                  show help (default: false)

docs/getting-started/cli/rootfs.md

@@ -25,6 +25,7 @@ OPTIONS:
    --no-progress                                  suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
    --ignore-policy value                          specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
    --list-all-pkgs                                enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
+   --offline-scan                                 do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
    --skip-files value                             specify the file paths to skip traversal [$TRIVY_SKIP_FILES]
    --skip-dirs value                              specify the directories where the traversal is skipped [$TRIVY_SKIP_DIRS]
    --config-policy value                          specify paths to the Rego policy files directory, applying config files [$TRIVY_CONFIG_POLICY]

docs/getting-started/further.md

@@ -18,13 +18,6 @@
 - [Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action][actions2]
 - [Using Trivy to Discover Vulnerabilities in VS Code Projects][vscode]
 
-## External Blogs/Links
-- [the vulnerability remediation lifecycle of Alpine containers][alpine]
-- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy][round-up]
-- [Docker Image Security: Static Analysis Tool Comparison – Anchore Engine vs Clair vs Trivy][tool-comparison]
-- [Research Spike: evaluate Trivy for scanning running containers][gitlab]
-- [Istio evaluates scanners][istio]
-
 [intro]: https://www.youtube.com/watch?v=AzOBGm7XxOA
 [cncf]: https://www.youtube.com/watch?v=XnYxX9uueoQ
 [server]: https://www.youtube.com/watch?v=tNQ-VlahtYM
@@ -37,9 +30,3 @@
 [actions]: https://blog.aquasec.com/devsecops-with-trivy-github-actions
 [actions2]: https://blog.aquasec.com/github-vulnerability-scanner-trivy
 [vscode]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-vs-code
-
-[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
-[round-up]: https://boxboat.com/2020/04/24/image-scanning-tech-compared/
-[tool-comparison]: https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/
-[gitlab]: https://gitlab.com/gitlab-org/gitlab/-/issues/270888
-[istio]: https://github.com/istio/release-builder/pull/687#issuecomment-874938417

docs/getting-started/troubleshooting.md

@@ -39,6 +39,22 @@ https://developer.github.com/v3/#rate-limiting
 $ GITHUB_TOKEN=XXXXXXXXXX trivy alpine:3.10
 ```
 
+### Maven rate limiting
+
+!!! error
+    ``` bash
+    $ trivy image ...
+    ...
+    status 403 Forbidden from http://search.maven.org/solrsearch/select
+    ```
+
+Trivy calls Maven API for better detection of JAR files, but many requests may exceed rate limiting.
+If it happens frequently, try the `--offline-scan` option to stop Trivy from making API requests.
+This option affects only vulnerability scanning. The vulnerability database and builtin policies are downloaded as usual.
+If you want to skip them as well, you can try `--skip-update` and `--skip-policy-update`.
+
+Note that a number of vulnerabilities might be fewer than without the `--offline-scan` option.
+
 ### Running in parallel takes same time as series run
 When running trivy on multiple images simultaneously, it will take same time as running trivy in series.  
 This is because of a limitation of boltdb.

docs/misconfiguration/comparison/cfsec.md

@@ -0,0 +1,25 @@
+# vs cfsec
+[cfsec][cfsec] uses static analysis of your CloudFormation templates to spot potential security issues.
+Trivy uses cfsec internally to scan both JSON and YAML configuration files, but Trivy doesn't support some features provided by cfsec.
+This section describes the differences between Trivy and cfsec.
+
+| Feature                     | Trivy                                   | cfsec                |
+| --------------------------- | --------------------------------------- | -------------------- |
+| Built-in Policies           | :material-check:                        | :material-check:     |
+| Custom Policies             | Rego[^1]                                | :material-close:     |
+| Policy Metadata[^2]         | :material-check:                        | :material-check:     |
+| Show Successes              | :material-check:                        | :material-check:     |
+| Disable Policies            | :material-check:                        | :material-check:     |
+| Show Issue Lines            | :material-close:                        | :material-check:     |
+| View Statistics             | :material-close:                        | :material-check:     |
+| Filtering by Severity       | :material-check:                        | :material-close:     |
+| Supported Formats           | Dockerfile, JSON, YAML, Terraform, etc. | CloudFormation JSON and YAML       |
+
+[^1]: CloudFormation files are not supported
+[^2]: To enrich the results such as ID, Title, Description, Severity, etc.
+
+cfsec is designed for CloudFormation.
+People who use only want to scan their CloudFormation templates should use cfsec.
+People who want to scan a wide range of configuration files should use Trivy.
+
+[cfsec]: https://github.com/aquasecurity/cfsec

docs/misconfiguration/comparison/tfsec.md

@@ -23,4 +23,4 @@ tfsec is designed for Terraform.
 People who use only Terraform should use tfsec.
 People who want to scan a wide range of configuration files should use Trivy.
 
-[tfsec]: https://github.com/tfsec/tfsec
+[tfsec]: https://github.com/aquasecurity/tfsec

docs/misconfiguration/iac.md

@@ -2,7 +2,7 @@
 
 ## Quick start
 
-Simply specify a directory containing IaC files such as Terraform and Dockerfile.
+Simply specify a directory containing IaC files such as Terraform, CloudFormation and Dockerfile.
 
 ``` bash
 $ trivy config [YOUR_IaC_DIRECTORY]
@@ -37,12 +37,12 @@ Trivy will automatically fetch the managed policies and will keep them up-to-dat
 The specified directory can contain mixed types of IaC files.
 Trivy automatically detects config types and applies relevant policies.
 
-For example, the following example holds IaC files for Terraform, Kubernetes, and Dockerfile in the same directory.
+For example, the following example holds IaC files for Terraform, CloudFormation, Kubernetes, and Dockerfile in the same directory.
 
 ``` bash
 $ ls iac/
 Dockerfile  deployment.yaml  main.tf
-$ trivy conf --severith HIGH,CRITICAL ./iac
+$ trivy conf --severity HIGH,CRITICAL ./iac
 ```
 
 <details>
@@ -149,8 +149,14 @@ You can see the config type next to each file name.
     ===================
     Tests: 23 (SUCCESSES: 14, FAILURES: 9, EXCEPTIONS: 0)
     Failures: 9 (HIGH: 6, CRITICAL: 1)
-    
+
     ...
+
+    bucket.yaml (cloudformation)
+    ============================
+    Tests: 9 (SUCCESSES: 3, FAILURES: 6, EXCEPTIONS: 0)
+    Failures: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 4, CRITICAL: 0)
+
     ```
 
 ## Example

docs/misconfiguration/policy/builtin.md

@@ -4,22 +4,23 @@
 
 Built-in policies are mainly written in [Rego][rego].
 Those policies are managed under [AppShield repository][appshield].
-Only Terraform's policies are currently powered by [tfsec][tfsec].
+Terraform policies are currently powered by [tfsec][tfsec] and CloudFormation policies are powered by [cfsec][cfsec].
 
 | Config type    | Source                        |
 | ---------------| ----------------------------- |
 | Kubernetes     | [AppShield][kubernetes]       |
 | Dockerfile     | [AppShield][docker]           |
 | Terraform      | [tfsec][tfsec-checks]         |
+| CloudFormation | [cfsec][cfsec-checks]         |
 
-For suggestions or issues regarding policy content, please open an issue under [AppShield][appshield] or [tfsec][tfsec] repository.
+For suggestions or issues regarding policy content, please open an issue under [AppShield][appshield], [tfsec][tfsec] or [cfsec][cfsec] repository.
 
-CloudFormation and Ansible are coming soon.
+Ansible are coming soon.
 
 ## Policy Distribution
-AppShield policies are destributed as OPA bundle on [GitHub Container Registry][ghcr] (GHCR).
-When misconfiguration detection is enabled, Trivy pulls OPA bundle from GHCR as OCI artifact and stores it in the cache.
-Then, those policies are loaded into Trivy OPA engine and used for detecting misconfigurations.
+AppShield policies are distributed as an OPA bundle on [GitHub Container Registry][ghcr] (GHCR).
+When misconfiguration detection is enabled, Trivy pulls the OPA bundle from GHCR as an OCI artifact and stores it in the cache.
+Those policies are then loaded into Trivy OPA engine and used for detecting misconfigurations.
 
 ## Update Interval
 Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if there are any updates.
@@ -29,10 +30,12 @@ Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if th
 [kubernetes]: https://github.com/aquasecurity/appshield/tree/master/kubernetes
 [docker]: https://github.com/aquasecurity/appshield/tree/master/docker
 [tfsec-checks]: https://tfsec.dev/docs/aws/home/
-[tfsec]: https://github.com/tfsec/tfsec
+[tfsec]: https://github.com/aquasecurity/tfsec
+[cfsec-checks]: https://cfsec.dev/
+[cfsec]: https://github.com/aquasecurity/cfsec
 [ghcr]: https://github.com/aquasecurity/appshield/pkgs/container/appshield
 
 [dockerfile-bestpractice]: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
 [pss]: https://kubernetes.io/docs/concepts/security/pod-security-standards/
 [azure]: https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
-[kics]: https://github.com/Checkmarx/kics/
+[kics]: https://github.com/Checkmarx/kics/

docs/vulnerability/detection/data-source.md

@@ -68,6 +68,6 @@
 [nodejs]: https://github.com/nodejs/security-wg
 [gitlab]: https://gitlab.com/gitlab-org/advisories-community
 [go]: https://github.com/golang/vulndb
-[rust]: (https://github.com/RustSec/advisory-db)
+[rust]: https://github.com/RustSec/advisory-db
 
 [nvd]: https://nvd.nist.gov/

docs/vulnerability/detection/language.md

@@ -2,23 +2,24 @@
 
 `Trivy` automatically detects the following files in the container and scans vulnerabilities in the application dependencies.
 
-| Language | File                     | Image[^6] | Rootfs[^7] | Filesysetm[^8] |  Repository[^9] |Dev dependencies |
-|----------|--------------------------|:---------:|:----------:|:--------------:|:---------------:|-----------------|
-| Ruby     | Gemfile.lock             | -         | -          | ✅             | ✅              | included        |
-|          | gemspec                  | ✅        | ✅         | -              | -               | included        |
-| Python   | Pipfile.lock             | -         | -          | ✅             | ✅              | excluded        |
-|          | poetry.lock              | -         | -          | ✅             | ✅              | included        |
-|          | requirements.txt         | -         | -          | ✅             | ✅              | included        |
-|          | egg package[^1]          | ✅        | ✅         | -              | -               | excluded        |
-|          | wheel package[^2]        | ✅        | ✅         | -              | -               | excluded        |
-| PHP      | composer.lock            | ✅        | ✅         | ✅             | ✅              | excluded        |
-| Node.js  | package-lock.json        | -         | -          | ✅             | ✅              | excluded        |
-|          | yarn.lock                | -         | -          | ✅             | ✅              | included        |
-|          | package.json             | ✅        | ✅         | -              | -               | excluded        |
-| .NET     | packages.lock.json       | ✅        | ✅         | ✅             | ✅              | included        |
-| Java     | JAR/WAR/EAR[^3][^4]      | ✅        | ✅         | ✅             | ✅              | included        |
-| Go       | Binaries built by Go[^5] | ✅        | ✅         | -              | -               | excluded        |
-|          | go.sum                   | -         | -          | ✅             | ✅              | included        |
+| Language | File                     | Image[^7] | Rootfs[^8] | Filesystem[^9] | Repository[^10] |Dev dependencies |
+|----------|--------------------------|:---------:|:----------:|:--------------:|:--------------:|-----------------|
+| Ruby     | Gemfile.lock             | -         | -          |       ✅        |       ✅        | included        |
+|          | gemspec                  | ✅        | ✅         |       -        |       -        | included        |
+| Python   | Pipfile.lock             | -         | -          |       ✅        |       ✅        | excluded        |
+|          | poetry.lock              | -         | -          |       ✅        |       ✅        | included        |
+|          | requirements.txt         | -         | -          |       ✅        |       ✅        | included        |
+|          | egg package[^1]          | ✅        | ✅         |       -        |       -        | excluded        |
+|          | wheel package[^2]        | ✅        | ✅         |       -        |       -        | excluded        |
+| PHP      | composer.lock            | ✅        | ✅         |       ✅        |       ✅        | excluded        |
+| Node.js  | package-lock.json        | -         | -          |       ✅        |       ✅        | excluded        |
+|          | yarn.lock                | -         | -          |       ✅        |       ✅        | included        |
+|          | package.json             | ✅        | ✅         |       -        |       -        | excluded        |
+| .NET     | packages.lock.json       | ✅        | ✅         |       ✅        |       ✅        | included        |
+| Java     | JAR/WAR/EAR[^3][^4]      | ✅        | ✅         |       -        |       -        | included        |
+|          | pom.xml[^5]              | -         | -          |       ✅        |       ✅        | excluded        |
+| Go       | Binaries built by Go[^6] | ✅        | ✅         |       -        |       -        | excluded        |
+|          | go.sum                   | -         | -          |       ✅        |       ✅        | included        |
 
 The path of these files does not matter.
 
@@ -27,9 +28,10 @@ Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Do
 [^1]: `*.egg-info`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO`
 [^2]: `.dist-info/META-DATA`
 [^3]: `*.jar`, `*.war`, and `*.ear`
-[^4]: It requires the Internet access
-[^5]: UPX-compressed binaries don't work
-[^6]: ✅ means "enabled" and `-` means "disabled" in the image scanning
-[^7]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
-[^8]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
-[^9]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
+[^4]: It requires Internet access
+[^5]: It requires Internet access when the POM doesn't exist in your local repository
+[^6]: UPX-compressed binaries don't work
+[^7]: ✅ means "enabled" and `-` means "disabled" in the image scanning
+[^8]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
+[^9]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
+[^10]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning

docs/vulnerability/detection/os.md

@@ -4,7 +4,7 @@ The unfixed/unfixable vulnerabilities mean that the patch has not yet been provi
 
 | OS                               | Supported Versions                       | Target Packages               | Detection of unfixed vulnerabilities |
 | -------------------------------- | ---------------------------------------- | ----------------------------- | :----------------------------------: |
-| Alpine Linux                     | 2.2 - 2.7, 3.0 - 3.13                    | Installed by apk              |                  NO                  |
+| Alpine Linux                     | 2.2 - 2.7, 3.0 - 3.15                    | Installed by apk              |                  NO                  |
 | Red Hat Universal Base Image[^1] | 7, 8                                     | Installed by yum/rpm          |                 YES                  |
 | Red Hat Enterprise Linux         | 6, 7, 8                                  | Installed by yum/rpm          |                 YES                  |
 | CentOS                           | 6, 7                                     | Installed by yum/rpm          |                 YES                  |

docs/vulnerability/scanning/git-repository.md

@@ -6,8 +6,6 @@ Scan your remote git repository
 $ trivy repo https://github.com/knqyf263/trivy-ci-test
 ```
 
-Only public repositories are supported.
-
 <details>
 <summary>Result</summary>
 
@@ -148,3 +146,20 @@ Total: 20 (UNKNOWN: 3, LOW: 0, MEDIUM: 7, HIGH: 5, CRITICAL: 5)
 ```
 
 </details>
+
+## Scanning Private Repositories
+
+In order to scan private GitHub or GitLab repositories, the environment variable `GITHUB_TOKEN` or `GITLAB_TOKEN` must be set, respectively, with a valid token that has access to the private repository being scanned.
+
+The `GITHUB_TOKEN` environment variable will take precedence over `GITLAB_TOKEN`, so if a private GitLab repository will be scanned, then `GITHUB_TOKEN` must be unset.
+
+For example:
+
+```
+$ export GITHUB_TOKEN="your_private_github_token"
+$ trivy repo <your private GitHub repo URL>
+$
+$ # or
+$ export GITLAB_TOKEN="your_private_gitlab_token"
+$ trivy repo <your private GitLab repo URL>
+```

examples/misconf/mixed/configs/bucket.yaml

@@ -0,0 +1,24 @@
+---
+AWSTemplateFormatVersion: "2010-09-09"
+Description: An example Stack for a bucket
+Parameters:
+  BucketName: 
+    Type: String
+    Default: naughty-bucket
+  EncryptBucket:
+    Type: Boolean
+    Default: false
+Resources:
+  S3Bucket:
+    Type: 'AWS::S3::Bucket'
+    Properties:
+      BucketName:
+        Ref: BucketName
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: false
+        BlockPublicPolicy: false
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: false
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+        - BucketKeyEnabled: !Ref EncryptBucket

go.mod

@@ -7,8 +7,8 @@ require (
 	github.com/Masterminds/sprig v2.22.0+incompatible
 	github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/fanal v0.0.0-20211014152324-29fbacfbfca4
-	github.com/aquasecurity/go-dep-parser v0.0.0-20211013074621-eb58e8565220
+	github.com/aquasecurity/fanal v0.0.0-20211224205755-c94f68b6d71a
+	github.com/aquasecurity/go-dep-parser v0.0.0-20211224170007-df43bca6b6ff
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
@@ -17,8 +17,8 @@ require (
 	github.com/caarlos0/env/v6 v6.0.0
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cheggaaa/pb/v3 v3.0.3
-	github.com/containerd/containerd v1.5.4 // indirect
-	github.com/docker/docker v20.10.8+incompatible
+	github.com/docker/cli v20.10.9+incompatible // indirect
+	github.com/docker/docker v20.10.10+incompatible
 	github.com/docker/go-connections v0.4.0
 	github.com/fatih/color v1.10.0
 	github.com/go-redis/redis/v8 v8.11.4
@@ -28,15 +28,15 @@ require (
 	github.com/google/go-github/v33 v33.0.0
 	github.com/google/wire v0.4.0
 	github.com/hashicorp/go-getter v1.5.2
+	github.com/hashicorp/go-hclog v0.15.0 // indirect
 	github.com/huandu/xstrings v1.3.2 // indirect
 	github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
 	github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
 	github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936
-	github.com/kylelemons/godebug v1.1.0
 	github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08
 	github.com/mitchellh/copystructure v1.1.1 // indirect
 	github.com/olekukonko/tablewriter v0.0.5
-	github.com/open-policy-agent/opa v0.32.0
+	github.com/open-policy-agent/opa v0.34.0
 	github.com/spf13/afero v1.6.0
 	github.com/stretchr/objx v0.3.0 // indirect
 	github.com/stretchr/testify v1.7.0

go.sum

@@ -144,8 +144,8 @@ github.com/Microsoft/hcsshim v0.8.10/go.mod h1:g5uw8EV2mAlzqe94tfNBNdr89fnbD/n3H
 github.com/Microsoft/hcsshim v0.8.14/go.mod h1:NtVKoYxQuTLx6gEq0L96c9Ju4JbRJ4nY2ow3VK6a9Lg=
 github.com/Microsoft/hcsshim v0.8.15/go.mod h1:x38A4YbHbdxJtc0sF6oIz+RG0npwSCAvn69iY6URG00=
 github.com/Microsoft/hcsshim v0.8.16/go.mod h1:o5/SZqmR7x9JNKsW3pu+nqHm0MF8vbA+VxGOoXdC600=
-github.com/Microsoft/hcsshim v0.8.18 h1:cYnKADiM1869gvBpos3YCteeT6sZLB48lB5dmMMs8Tg=
-github.com/Microsoft/hcsshim v0.8.18/go.mod h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwTOcER2fw4I4=
+github.com/Microsoft/hcsshim v0.8.23 h1:47MSwtKGXet80aIn+7h4YI6fwPmwIghAnsx2aOUrG2M=
+github.com/Microsoft/hcsshim v0.8.23/go.mod h1:4zegtUJth7lAvFyc6cH2gGQ5B3OFQim01nnU2M8jKDg=
 github.com/Microsoft/hcsshim/test v0.0.0-20200826032352-301c83a30e7c/go.mod h1:30A5igQ91GEmhYJF8TaRP79pMBOYynRsyOByfVV0dU4=
 github.com/Microsoft/hcsshim/test v0.0.0-20201218223536-d3e5debf77da/go.mod h1:5hlzMzRKMLyo42nCZ9oml8AdTlq/0cvIaBv6tK1RehU=
 github.com/Microsoft/hcsshim/test v0.0.0-20210227013316-43a75bb4edd3/go.mod h1:mw7qgWloBUl75W/gVH3cQszUg1+gUITj7D6NY7ywVnY=
@@ -170,8 +170,9 @@ github.com/VividCortex/ewma v1.1.1/go.mod h1:2Tkkvm3sRDVXaiyucHiACn4cqf7DpdyLvmx
 github.com/acomagu/bufpipe v1.0.3 h1:fxAGrHZTgQ9w5QqVItgzwj235/uYZYgbXitB+dLupOk=
 github.com/acomagu/bufpipe v1.0.3/go.mod h1:mxdxdup/WdsKVreO5GpW4+M/1CE2sMG4jeGJ2sYmHc4=
 github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
-github.com/agext/levenshtein v1.2.2 h1:0S/Yg6LYmFJ5stwQeRp6EeOcCbj7xiqQSdNelsXvaqE=
 github.com/agext/levenshtein v1.2.2/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
+github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo=
+github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
 github.com/alecthomas/kingpin v2.2.6+incompatible/go.mod h1:59OFYbFVLKQKq+mqrL6Rw5bR0c3ACQaawgXx0QYndlE=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
@@ -181,8 +182,8 @@ github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk5
 github.com/alexflint/go-filemutex v0.0.0-20171022225611-72bdc8eae2ae/go.mod h1:CgnQgUtFrFz9mxFNtED3jI5tLDjKlOM+oUF/sTk6ps0=
 github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a h1:HbKu58rmZpUGpz5+4FfNmIU+FmZg2P3Xaj2v2bfNWmk=
 github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a/go.mod h1:SGnFV6hVsYE877CKEZ6tDNTjaSXYUk6QqoIK6PrAtcc=
-github.com/alicebob/miniredis/v2 v2.15.1 h1:Fw+ixAJPmKhCLBqDwHlTDqxUxp0xjEwXczEpt1B6r7k=
-github.com/alicebob/miniredis/v2 v2.15.1/go.mod h1:gquAfGbzn92jvtrSC69+6zZnwSODVXVpYDRaGhWaL6I=
+github.com/alicebob/miniredis/v2 v2.16.0 h1:ALkyFg7bSTEd1Mkrb4ppq4fnwjklA59dVtIehXCUZkU=
+github.com/alicebob/miniredis/v2 v2.16.0/go.mod h1:gquAfGbzn92jvtrSC69+6zZnwSODVXVpYDRaGhWaL6I=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo4JG6LR5AXSUEsOjtdm0kw0FtQtMJA=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
@@ -202,10 +203,14 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
-github.com/aquasecurity/fanal v0.0.0-20211014152324-29fbacfbfca4 h1:RrAmWx9s6pfVPGCsCJ2Chn5D2b7XLp1Y3b4V3+tAPBw=
-github.com/aquasecurity/fanal v0.0.0-20211014152324-29fbacfbfca4/go.mod h1:NCL58z+VfrTEM1JSGSbPNm069n3JSdb5cHRntnS069c=
-github.com/aquasecurity/go-dep-parser v0.0.0-20211013074621-eb58e8565220 h1:4ck6/2PNmzcNPUgFT3gCq6oVFB/Do/qiasRuBL9xGDI=
-github.com/aquasecurity/go-dep-parser v0.0.0-20211013074621-eb58e8565220/go.mod h1:Zc7Eo6tFl9l4XcqsWeabD7jHnXRBK/LdgZuu9GTSVLU=
+github.com/aquasecurity/cfsec v0.2.2 h1:hq6MZlg7XFZsrerCv297N4HRlnJM7K6LLd/l/xCz1no=
+github.com/aquasecurity/cfsec v0.2.2/go.mod h1:sUELRJqIPXTOZiHUx7TzyyFFzuk0W22IG6IWAoV8T6U=
+github.com/aquasecurity/defsec v0.0.37 h1:zdZndlKrW257b8VLK1UwfmXiyPuDrNA+wzBilHRk1LA=
+github.com/aquasecurity/defsec v0.0.37/go.mod h1:csaBEcJ3AKy44expnW0dCANEZcS/c1vcJjwBCbnKWBM=
+github.com/aquasecurity/fanal v0.0.0-20211224205755-c94f68b6d71a h1:SAGMaeEgtCWrv8VD9tq+fbCjiSdTHPXjHXY9eTv/U7o=
+github.com/aquasecurity/fanal v0.0.0-20211224205755-c94f68b6d71a/go.mod h1:xKJMgVsb+TgCMoiv3u7aethmPTkZiryr2nSShtMdRmA=
+github.com/aquasecurity/go-dep-parser v0.0.0-20211224170007-df43bca6b6ff h1:JCKEV3TgUNh9fn+8hXyIdsF9yErA0rUbCkgt2flRKt4=
+github.com/aquasecurity/go-dep-parser v0.0.0-20211224170007-df43bca6b6ff/go.mod h1:8fJ//Ob6/03lxbn4xa1F+G/giVtiVLxnZNpBp5xOxNk=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
 github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798 h1:eveqE9ivrt30CJ7dOajOfBavhZ4zPqHcZe/4tKp0alc=
@@ -217,8 +222,8 @@ github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492 h1:rcEG5HI
 github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492/go.mod h1:9Beu8XsUNNfzml7WBf3QmyPToP1wm1Gj/Vc5UJKqTzU=
 github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516 h1:moQmzbpLo5dxHQCyEhqzizsDSNrNhn/7uRTCZzo4A1o=
 github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516/go.mod h1:gTd97VdQ0rg8Mkiic3rPgNOQdprZ7feTAhiD5mGQjgM=
-github.com/aquasecurity/tfsec v0.58.11 h1:JDcjZz73PXOdNznaohonB1uluZD/gJI/TW8Iukjbn9E=
-github.com/aquasecurity/tfsec v0.58.11/go.mod h1:RcgH8QFJSE+p7Sf/WAF7chGTL/xULi7muiNdqIsUkOE=
+github.com/aquasecurity/tfsec v0.63.1 h1:KH63HTcUoab7d3PKtqFO6T8K5AY7bzLw7Kiu+EY9U64=
+github.com/aquasecurity/tfsec v0.63.1/go.mod h1:g5ZWmsfqW1FsCaPb9ux8Pzjcyss/WUB2XuRd5slqvnc=
 github.com/aquasecurity/trivy-db v0.0.0-20210916043317-726b7b72a47b h1:RaS93vlHzgreZk3CYqcNgoqukwbsBEYhAiE6qmhLwB0=
 github.com/aquasecurity/trivy-db v0.0.0-20210916043317-726b7b72a47b/go.mod h1:5h8GV7Qxp/SMJ4awWHs0KRxwVkKzcwOnRkORWOnCXRU=
 github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2/go.mod h1:6NhOP0CjZJL27bZZcaHECtzWdwDDm2g6yCY0QgXEGQQ=
@@ -241,8 +246,8 @@ github.com/aws/aws-sdk-go v1.20.6/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN
 github.com/aws/aws-sdk-go v1.25.11/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go v1.27.1/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go v1.31.6/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
-github.com/aws/aws-sdk-go v1.41.0 h1:XUzHLFWQVhmFtmKTodnAo5QdooPQfpVfilCxIV3aLoE=
-github.com/aws/aws-sdk-go v1.41.0/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q=
+github.com/aws/aws-sdk-go v1.42.0 h1:BMZws0t8NAhHFsfnT3B40IwD13jVDG5KerlRksctVIw=
+github.com/aws/aws-sdk-go v1.42.0/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q=
 github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59/go.mod h1:q/89r3U2H7sSsE2t6Kca0lfwTK8JdoNGS/yzM/4iH5I=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
@@ -254,6 +259,7 @@ github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d h1:xDfNPAt8lFiC1U
 github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d/go.mod h1:6QX/PXZ00z/TKoufEY6K/a0k6AhaJrQKdFe6OfVXsa4=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/bitly/go-simplejson v0.5.0/go.mod h1:cXHtHw4XUPsvGaxgjIAn8PhEWG9NfngEKAMDJEczWVA=
+github.com/bits-and-blooms/bitset v1.2.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA=
 github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84=
 github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM=
 github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb/go.mod h1:PkYb9DJNAwrSvRx5DYA+gUcOIgTGVMNkfSCbZM8cWpI=
@@ -275,8 +281,8 @@ github.com/buger/jsonparser v0.0.0-20180808090653-f4dd9f5a6b44/go.mod h1:bbYlZJ7
 github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd/go.mod h1:2oa8nejYd4cQ/b0hMIopN0lCRxU0bueqREvZLWFrtK8=
 github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b/go.mod h1:obH5gd0BsqsP2LwDJ9aOkm/6J86V6lyAXCoQWGw3K50=
 github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0/go.mod h1:D/8v3kj0zr8ZAKg1AQ6crr+5VwKN5eIywRkfhyM/+dE=
-github.com/bytecodealliance/wasmtime-go v0.29.0 h1:NEME96y0YKAUjOkTw5/2w1OZ9TLy9FJ+Q7SWW4L/X0o=
-github.com/bytecodealliance/wasmtime-go v0.29.0/go.mod h1:q320gUxqyI8yB+ZqRuaJOEnGkAnHh6WtJjMaT2CW4wI=
+github.com/bytecodealliance/wasmtime-go v0.30.0 h1:WfYpr4WdqInt8m5/HvYinf+HrSEAIhItKIcth+qb1h4=
+github.com/bytecodealliance/wasmtime-go v0.30.0/go.mod h1:q320gUxqyI8yB+ZqRuaJOEnGkAnHh6WtJjMaT2CW4wI=
 github.com/caarlos0/ctrlc v1.0.0/go.mod h1:CdXpj4rmq0q/1Eb44M9zi2nKB0QraNKuRGYGrrHhcQw=
 github.com/caarlos0/env/v6 v6.0.0 h1:NZt6FAoB8ieKO5lEwRdwCzYxWFx7ZYF2R7UcoyaWtyc=
 github.com/caarlos0/env/v6 v6.0.0/go.mod h1:+wdyOmtjoZIW2GJOc2OYa5NoOFuWD/bIpWqm30NgtRk=
@@ -284,6 +290,7 @@ github.com/campoy/unique v0.0.0-20180121183637-88950e537e7e/go.mod h1:9IOqJGCPMS
 github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e/go.mod h1:oDpT4efm8tSYHXV5tHSdRvBet/b/QzxZ+XyyPehvm3A=
 github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4=
 github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM=
+github.com/cenkalti/backoff/v4 v4.1.1/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw=
 github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
@@ -292,6 +299,7 @@ github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XL
 github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE=
 github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/checkpoint-restore/go-criu/v4 v4.1.0/go.mod h1:xUQBLp4RLc5zJtWY++yjOoMoB5lihDt7fai+75m+rGw=
+github.com/checkpoint-restore/go-criu/v5 v5.0.0/go.mod h1:cfwC0EG7HMUenopBsUf9d89JlCLQIfgVcNsNN0t6T2M=
 github.com/cheggaaa/pb v1.0.27 h1:wIkZHkNfC7R6GI5w7l/PdAdzXzlrbcI3p8OAlnkTsnc=
 github.com/cheggaaa/pb v1.0.27/go.mod h1:pQciLPpbU0oxA0h+VJYYLxO+XeDQb5pZijXscXHm81s=
 github.com/cheggaaa/pb/v3 v3.0.3 h1:8WApbyUmgMOz7WIxJVNK0IRDcRfAmTxcEdi0TuxjdP4=
@@ -303,6 +311,7 @@ github.com/cilium/ebpf v0.0.0-20200110133405-4032b1d8aae3/go.mod h1:MA5e5Lr8slmE
 github.com/cilium/ebpf v0.0.0-20200702112145-1c8d4c9ef775/go.mod h1:7cR51M8ViRLIdUjrmSXlK9pkrsDlLHbO8jiB8X8JnOc=
 github.com/cilium/ebpf v0.2.0/go.mod h1:To2CFviqOWL/M0gIMsvSMlqe7em/l1ALkX1PyjrX2Qs=
 github.com/cilium/ebpf v0.4.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
+github.com/cilium/ebpf v0.6.2/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
@@ -340,14 +349,14 @@ github.com/containerd/containerd v1.4.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMX
 github.com/containerd/containerd v1.4.1-0.20201117152358-0edc412565dc/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
 github.com/containerd/containerd v1.4.1/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
 github.com/containerd/containerd v1.4.3/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
+github.com/containerd/containerd v1.4.9/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
 github.com/containerd/containerd v1.5.0-beta.1/go.mod h1:5HfvG1V2FsKesEGQ17k5/T7V960Tmcumvqn8Mc+pCYQ=
 github.com/containerd/containerd v1.5.0-beta.3/go.mod h1:/wr9AVtEM7x9c+n0+stptlo/uBBoBORwEx6ardVcmKU=
 github.com/containerd/containerd v1.5.0-beta.4/go.mod h1:GmdgZd2zA2GYIBZ0w09ZvgqEq8EfBp/m3lcVZIvPHhI=
 github.com/containerd/containerd v1.5.0-rc.0/go.mod h1:V/IXoMqNGgBlabz3tHD2TWDoTJseu1FGOKuoA4nNb2s=
-github.com/containerd/containerd v1.5.1/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g=
 github.com/containerd/containerd v1.5.2/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g=
-github.com/containerd/containerd v1.5.4 h1:uPF0og3ByFzDnaStfiQj3fVGTEtaSNyU+bW7GR/nqGA=
-github.com/containerd/containerd v1.5.4/go.mod h1:sx18RgvW6ABJ4iYUw7Q5x7bgFOAB9B6G7+yO0XBc4zw=
+github.com/containerd/containerd v1.5.8 h1:NmkCC1/QxyZFBny8JogwLpOy2f+VEbO/f6bV2Mqtwuw=
+github.com/containerd/containerd v1.5.8/go.mod h1:YdFSv5bTFLpG2HIYmfqDpSYYTDX+mc5qtSuYx1YUb/s=
 github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
 github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
 github.com/containerd/continuity v0.0.0-20191127005431-f65d91d395eb/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
@@ -362,6 +371,7 @@ github.com/containerd/fifo v0.0.0-20200410184934-f15a3290365b/go.mod h1:jPQ2IAeZ
 github.com/containerd/fifo v0.0.0-20201026212402-0724c46b320c/go.mod h1:jPQ2IAeZRCYxpS/Cm1495vGFww6ecHmMk1YJH2Q5ln0=
 github.com/containerd/fifo v0.0.0-20210316144830-115abcc95a1d/go.mod h1:ocF/ME1SX5b1AOlWi9r677YJmCPSwwWnQ9O123vzpE4=
 github.com/containerd/fifo v1.0.0/go.mod h1:ocF/ME1SX5b1AOlWi9r677YJmCPSwwWnQ9O123vzpE4=
+github.com/containerd/fuse-overlayfs-snapshotter v1.0.2/go.mod h1:nRZceC8a7dRm3Ao6cJAwuJWPFiBPaibHiFntRUnzhwU=
 github.com/containerd/go-cni v1.0.1/go.mod h1:+vUpYxKvAF72G9i1WoDOiPGRtQpqsNW/ZHtSlv++smU=
 github.com/containerd/go-cni v1.0.2/go.mod h1:nrNABBHzu0ZwCug9Ije8hL2xBCYh/pjfMb1aZGrrohk=
 github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0=
@@ -376,8 +386,10 @@ github.com/containerd/imgcrypt v1.1.1/go.mod h1:xpLnwiQmEUJPvQoAapeb2SNCxz7Xr6PJ
 github.com/containerd/nri v0.0.0-20201007170849-eb1350a75164/go.mod h1:+2wGSDGFYfE5+So4M5syatU0N0f0LbWpuqyMi4/BE8c=
 github.com/containerd/nri v0.0.0-20210316161719-dbaa18c31c14/go.mod h1:lmxnXF6oMkbqs39FiCt1s0R2HSMhcLel9vNL3m4AaeY=
 github.com/containerd/nri v0.1.0/go.mod h1:lmxnXF6oMkbqs39FiCt1s0R2HSMhcLel9vNL3m4AaeY=
-github.com/containerd/stargz-snapshotter v0.0.0-20201027054423-3a04e4c2c116 h1:cj2qTm4k9TlXzzwCROQK0puJc2oauyjUiegQiqpNkuk=
 github.com/containerd/stargz-snapshotter v0.0.0-20201027054423-3a04e4c2c116/go.mod h1:o59b3PCKVAf9jjiKtCc/9hLAd+5p/rfhBfm6aBcTEr4=
+github.com/containerd/stargz-snapshotter v0.6.4 h1:mox1Ozl/LicA5j0O5Xk9Q8z+nOQQLnClarhxokyw9hI=
+github.com/containerd/stargz-snapshotter v0.6.4/go.mod h1:1t0SF1gAHJhCSftWKDLVitvfF3c2qhL5hymG7C50wto=
+github.com/containerd/stargz-snapshotter/estargz v0.6.4/go.mod h1:83VWDqHnurTKliEB0YvWMiCfLDwv4Cjj1X9Vk98GJZw=
 github.com/containerd/stargz-snapshotter/estargz v0.7.0 h1:1d/rydzTywc76lnjJb6qbPCiTiCwts49AzKps/Ecblw=
 github.com/containerd/stargz-snapshotter/estargz v0.7.0/go.mod h1:83VWDqHnurTKliEB0YvWMiCfLDwv4Cjj1X9Vk98GJZw=
 github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o=
@@ -385,6 +397,7 @@ github.com/containerd/ttrpc v0.0.0-20190828172938-92c8520ef9f8/go.mod h1:PvCDdDG
 github.com/containerd/ttrpc v0.0.0-20191028202541-4f1b8fe65a5c/go.mod h1:LPm1u0xBw8r8NOKoOdNMeVHSawSsltak+Ihv+etqsE8=
 github.com/containerd/ttrpc v1.0.1/go.mod h1:UAxOpgT9ziI0gJrmKvgcZivgxOp8iFPSk8httJEt98Y=
 github.com/containerd/ttrpc v1.0.2/go.mod h1:UAxOpgT9ziI0gJrmKvgcZivgxOp8iFPSk8httJEt98Y=
+github.com/containerd/ttrpc v1.1.0/go.mod h1:XX4ZTnoOId4HklF4edwc4DcqskFZuvXB1Evzy5KFQpQ=
 github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc=
 github.com/containerd/typeurl v0.0.0-20190911142611-5eb25027c9fd/go.mod h1:GeKYzf2pQcqv7tJ0AoCuuhtnqhva5LNU3U+OyKxxJpk=
 github.com/containerd/typeurl v1.0.1/go.mod h1:TB1hUtrpaiO88KEK56ijojHS1+NeF0izUACaJW2mdXg=
@@ -442,8 +455,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/denverdino/aliyungo v0.0.0-20190125010748-a747050bb1ba/go.mod h1:dV8lFg6daOBZbT6/BDGIz6Y3WFGn8juu6G+CQ6LHtl0=
 github.com/devigned/tab v0.1.1/go.mod h1:XG9mPq0dFghrYvoBF3xdRrJzSTX1b7IQrvaL9mzjeJY=
-github.com/dgraph-io/badger/v3 v3.2103.1 h1:zaX53IRg7ycxVlkd5pYdCeFp1FynD6qBGQoQql3R3Hk=
-github.com/dgraph-io/badger/v3 v3.2103.1/go.mod h1:dULbq6ehJ5K0cGW/1TQ9iSfUk0gbSiToDWmWmTsJ53E=
+github.com/dgraph-io/badger/v3 v3.2103.2 h1:dpyM5eCJAtQCBcMCZcT4UBZchuTJgCywerHHgmxfxM8=
+github.com/dgraph-io/badger/v3 v3.2103.2/go.mod h1:RHo4/GmYcKKh5Lxu63wLEMHJ70Pac2JqZRYGhlyAo2M=
 github.com/dgraph-io/ristretto v0.1.0 h1:Jv3CGQHp9OjuMBSne1485aDpUkTKEcUqF+jm/LuerPI=
 github.com/dgraph-io/ristretto v0.1.0/go.mod h1:fux0lOrBhrVCJd3lcTHsIJhq1T2rokOu6v9Vcb3Q9ug=
 github.com/dgrijalva/jwt-go v0.0.0-20170104182250-a601269ab70c/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
@@ -454,12 +467,15 @@ github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/r
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
 github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8=
+github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE=
 github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E=
 github.com/docker/cli v0.0.0-20190925022749-754388324470/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/cli v0.0.0-20191017083524-a8ff7f821017/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/cli v20.10.0-beta1.0.20201029214301-1d20b15adc38+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/cli v20.10.7+incompatible h1:pv/3NqibQKphWZiAskMzdz8w0PRbtTaEB+f6NwdU7Is=
+github.com/docker/cli v20.10.6+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/cli v20.10.7+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v20.10.9+incompatible h1:OJ7YkwQA+k2Oi51lmCojpjiygKpi76P7bg91b2eJxYU=
+github.com/docker/cli v20.10.9+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v0.0.0-20190905152932-14b96e55d84c/go.mod h1:0+TTO4EOBfRPhZXAeF1Vu+W3hHZ8eLp8PgKVZlcvtFY=
 github.com/docker/distribution v2.6.0-rc.1.0.20180327202408-83389a148052+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/distribution v2.7.1-0.20190205005809-0d3efadf0154+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
@@ -471,9 +487,11 @@ github.com/docker/docker v1.4.2-0.20180531152204-71cd53e4a197/go.mod h1:eEKB0N0r
 github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker v17.12.0-ce-rc1.0.20200730172259-9f28837c1d93+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker v20.10.0-beta1.0.20201110211921-af34b94a78a1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v20.10.3-0.20210609071616-4c2ec79bf2a8+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v20.10.6+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker v20.10.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/docker v20.10.8+incompatible h1:RVqD337BgQicVCzYrrlhLDWhq6OAD2PJDUg2LsEUvKM=
-github.com/docker/docker v20.10.8+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v20.10.10+incompatible h1:GKkP0T7U4ks6X3lmmHKC2QDprnpRJor2Z5a8m62R9ZM=
+github.com/docker/docker v20.10.10+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.6.3 h1:zI2p9+1NQYdnG6sMU26EX4aVGlqbInSQxQXLvzJ4RPQ=
 github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y=
 github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
@@ -516,6 +534,7 @@ github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5Kwzbycv
 github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
 github.com/fatih/color v1.10.0 h1:s36xzo75JdqLaaWoiEHk767eHiwo0598uUxyfiPkDsg=
 github.com/fatih/color v1.10.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM=
+github.com/felixge/httpsnoop v1.0.2/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/fortytw2/leaktest v1.2.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
@@ -523,8 +542,9 @@ github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8
 github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
 github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
+github.com/fsnotify/fsnotify v1.5.1 h1:mZcQUHVQUQWoPXXtuf9yuEXKudkV2sx1E06UadKWpgI=
+github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5Ai1i3InKU=
 github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA=
 github.com/garyburd/redigo v0.0.0-20150301180006-535138d7bcd7/go.mod h1:NR3MbYisc3/PwhQ00EMzDiPmrwpPxAn5GI05/YaO1SY=
 github.com/gdamore/encoding v1.0.0/go.mod h1:alR0ol34c49FCSBLjhosxzcPHQbf2trDkoo5dl+VrEg=
@@ -675,6 +695,7 @@ github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/golang/snappy v0.0.4-0.20210608040537-544b4180ac70/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
 github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golangci/check v0.0.0-20180506172741-cfe4005ccda2/go.mod h1:k9Qvh+8juN+UKMCS/3jFtGICgW8O96FVaZsaxdzDkR4=
@@ -700,7 +721,6 @@ github.com/google/btree v0.0.0-20180124185431-e89373fe6b4a/go.mod h1:lNA+9X1NB3Z
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/crfs v0.0.0-20191108021818-71d77da419c9/go.mod h1:etGhoOqfwPkooV6aqoX3eBGQOJblqdoc9XvWOeuxpPw=
-github.com/google/flatbuffers v1.12.0/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
 github.com/google/flatbuffers v1.12.1 h1:MVlul7pQNoDzWRLTw5imwYsl+usrS1TXG2H4jg6ImGw=
 github.com/google/flatbuffers v1.12.1/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
@@ -810,6 +830,7 @@ github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFb
 github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645/go.mod h1:6iZfnjpejD4L/4DwD7NryNaJyCQdzwWwH2MWhCA90Kw=
 github.com/hanwen/go-fuse v1.0.0/go.mod h1:unqXarDXqzAk0rt98O2tVndEPIpUgLD9+rwFisZH3Ok=
 github.com/hanwen/go-fuse/v2 v2.0.3/go.mod h1:0EQM6aH2ctVpvZ6a+onrQ/vaykxh2GH7hy3e13vzTUY=
+github.com/hanwen/go-fuse/v2 v2.1.0/go.mod h1:oRyA5eK+pvJyv5otpO/DgccS8y/RvYMaO00GgRLGryc=
 github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
 github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
 github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -825,6 +846,7 @@ github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrj
 github.com/hashicorp/go-hclog v0.15.0 h1:qMuK0wxsoW4D0ddCCYwPSTm4KQv1X1ke3WmPWZ0Mvsk=
 github.com/hashicorp/go-hclog v0.15.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
 github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
+github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
 github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM=
 github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1:JMRHfdO9jKNzS/+BTlxCjKNQHg/jZAft8U7LloJvN7I=
 github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
@@ -855,8 +877,8 @@ github.com/hashicorp/golang-lru v0.5.3/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uG
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hashicorp/hcl/v2 v2.6.0/go.mod h1:bQTN5mpo+jewjJgh8jr0JUguIi7qPHUF6yIfAEN3jqY=
-github.com/hashicorp/hcl/v2 v2.10.1 h1:h4Xx4fsrRE26ohAk/1iGF/JBqRQbyUqu5Lvj60U54ys=
-github.com/hashicorp/hcl/v2 v2.10.1/go.mod h1:FwWsfWEjyV/CMj8s/gqAuiviY72rJ1/oayI9WftqcKg=
+github.com/hashicorp/hcl/v2 v2.11.1 h1:yTyWcXcm9XB0TEkyU/JCRU6rYy4K+mgLtzn2wlrJbcc=
+github.com/hashicorp/hcl/v2 v2.11.1/go.mod h1:FwWsfWEjyV/CMj8s/gqAuiviY72rJ1/oayI9WftqcKg=
 github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
 github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ=
 github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
@@ -877,6 +899,7 @@ github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH
 github.com/inconshreveable/go-update v0.0.0-20160112193335-8152e7eb6ccf/go.mod h1:hyb9oH7vZsitZCiBt0ZvifOrB+qc8PS5IiilCIb87rg=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/ishidawataru/sctp v0.0.0-20191218070446-00ab2ac2db07/go.mod h1:co9pwDoBCm1kGxawmb4sPq0cSIOOWNPT4KnHotMP1Zg=
+github.com/ishidawataru/sctp v0.0.0-20210226210310-f2269e66cdee/go.mod h1:co9pwDoBCm1kGxawmb4sPq0cSIOOWNPT4KnHotMP1Zg=
 github.com/j-keck/arping v0.0.0-20160618110441-2cf9dc699c56/go.mod h1:ymszkNOg6tORTn+6F6j+Jc8TOr5osrynvN6ivFWZ2GA=
 github.com/jaguilar/vt100 v0.0.0-20150826170717-2703a27b14ea/go.mod h1:QMdK4dGB3YhEW2BmA1wgGpPYI3HZy/5gD705PXKUVSg=
 github.com/jarcoal/httpmock v1.0.5/go.mod h1:ATjnClrvW/3tijVmpL/va5Z3aAyGvqU3gCT8nX0Txik=
@@ -937,8 +960,8 @@ github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d h1:X4cedH4
 github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d/go.mod h1:o8sgWoz3JADecfc/cTYD92/Et1yMqMy0utV1z+VaZao=
 github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936 h1:HDjRqotkViMNcGMGicb7cgxklx8OwnjtCBmyWEqrRvM=
 github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936/go.mod h1:i4sF0l1fFnY1aiw08QQSwVAFxHEm311Me3WsU/X7nL0=
-github.com/knqyf263/go-rpmdb v0.0.0-20210911072402-73bd0ce46c49 h1:QazJZdFn/ApQh8OHepQiCKXGZ0QE08Bu8BnS10aHgvE=
-github.com/knqyf263/go-rpmdb v0.0.0-20210911072402-73bd0ce46c49/go.mod h1:RDPNeIkU5NWXtt0OMEoILyxwUC/DyXeRtK295wpqSi0=
+github.com/knqyf263/go-rpmdb v0.0.0-20211216113947-1369b2ee40b7 h1:xVowqxH8FU6XAG1YIIjeWiUlbDh9ZQZWpk5pz6IcxEU=
+github.com/knqyf263/go-rpmdb v0.0.0-20211216113947-1369b2ee40b7/go.mod h1:RDPNeIkU5NWXtt0OMEoILyxwUC/DyXeRtK295wpqSi0=
 github.com/knqyf263/nested v0.0.1 h1:Sv26CegUMhjt19zqbBKntjwESdxe5hxVPSk0+AKjdUc=
 github.com/knqyf263/nested v0.0.1/go.mod h1:zwhsIhMkBg90DTOJQvxPkKIypEHPYkgWHs4gybdlUmk=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
@@ -964,6 +987,8 @@ github.com/leodido/go-urn v1.2.0 h1:hpXL4XnriNwQ/ABnpepYM/1vCLWNDfUNts8dX3xTG6Y=
 github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII=
 github.com/liamg/clinch v1.5.6/go.mod h1:IXM+nLBuZ5sOQAYYf9+G51nkaA0WY9cszxE5nPXexhE=
 github.com/liamg/gifwrap v0.0.6/go.mod h1:oW1r2vIWLYyxW+U0io7YbpPSDIJ79FTlZ+hPnXFLW6E=
+github.com/liamg/jfather v0.0.2 h1:OXKKl9ZAAu9VqIs0D9kgiBTr6lXqlmvc72o/e/VPnHk=
+github.com/liamg/jfather v0.0.2/go.mod h1:xXBGiBoiZ6tmHhfy5Jzw8sugzajwYdi6VosIpB3/cPM=
 github.com/liamg/tml v0.3.0/go.mod h1:0h4EAV/zBOsqI91EWONedjRpO8O0itjGJVd+wG5eC+E=
 github.com/liamg/tml v0.4.0/go.mod h1:0h4EAV/zBOsqI91EWONedjRpO8O0itjGJVd+wG5eC+E=
 github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
@@ -1048,8 +1073,9 @@ github.com/mitchellh/mapstructure v1.4.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RR
 github.com/mitchellh/osext v0.0.0-20151018003038-5e2d6d41470f/go.mod h1:OkQIRizQZAeMln+1tSwduZz7+Af5oFlKirV/MSYes2A=
 github.com/mitchellh/reflectwalk v1.0.1 h1:FVzMWA5RllMAKIdUSC8mdWo3XtwoecrH79BY70sEEpE=
 github.com/mitchellh/reflectwalk v1.0.1/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
-github.com/moby/buildkit v0.8.1 h1:zrGxLwffKM8nVxBvaJa7H404eQLfqlg1GB6YVIzXVQ0=
 github.com/moby/buildkit v0.8.1/go.mod h1:/kyU1hKy/aYCuP39GZA9MaKioovHku57N6cqlKZIaiQ=
+github.com/moby/buildkit v0.9.3 h1:0JmMLY45KIKFogJXv4LyWo+KmIMuvhit5TDrwBlxDp0=
+github.com/moby/buildkit v0.9.3/go.mod h1:5dZQUHg9STw/Fhl4zZiusDJKn8uje/0x952Nce4a8cg=
 github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
 github.com/moby/sys/mount v0.1.0/go.mod h1:FVQFLDRWwyBjDTBNQXDlWnSFREqOo3OKX9aqhmeoo74=
 github.com/moby/sys/mount v0.1.1/go.mod h1:FVQFLDRWwyBjDTBNQXDlWnSFREqOo3OKX9aqhmeoo74=
@@ -1063,6 +1089,7 @@ github.com/moby/sys/mountinfo v0.4.1/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2J
 github.com/moby/sys/symlink v0.1.0/go.mod h1:GGDODQmbFOjFsXvfLVn3+ZRxkch54RkSiGqsZeMYowQ=
 github.com/moby/term v0.0.0-20200312100748-672ec06f55cd/go.mod h1:DdlQx2hp0Ss5/fLikoLlEeIYiATotOjgB//nb973jeo=
 github.com/moby/term v0.0.0-20200915141129-7f0af18e79f2/go.mod h1:TjQg8pa4iejrUrjiz0MCtMV38jdMNW4doKSiBrEvCQQ=
+github.com/moby/term v0.0.0-20201110203204-bea5bbe245bf/go.mod h1:FBS0z0QWA44HXygs7VXDUOGoN/1TV3RuWkLO04am3wc=
 github.com/moby/term v0.0.0-20201216013528-df9cb8a40635 h1:rzf0wL0CHVc8CEsgyygG0Mn9CNCCPZqOPaz8RiiHYQk=
 github.com/moby/term v0.0.0-20201216013528-df9cb8a40635/go.mod h1:FBS0z0QWA44HXygs7VXDUOGoN/1TV3RuWkLO04am3wc=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -1118,8 +1145,8 @@ github.com/onsi/gomega v1.10.3/go.mod h1:V9xEwhxec5O8UDM77eCW8vLymOMltsqPVYWrpDs
 github.com/onsi/gomega v1.16.0 h1:6gjqkI8iiRHMvdccRJM8rVKjCWk6ZIm6FTm3ddIe4/c=
 github.com/onsi/gomega v1.16.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
-github.com/open-policy-agent/opa v0.32.0 h1:AwGxE6FqZ3jJ8udsiU+7YszncmiCnJhPwi/uJUVqVSs=
-github.com/open-policy-agent/opa v0.32.0/go.mod h1:5sJdtc+1/U8zy/j30njpQl6u9rM4MzTOhG9EW1uOmsY=
+github.com/open-policy-agent/opa v0.34.0 h1:obGIZ8DSgFQ2SDt3jJwFCzcgJxthoEKQALQ1QJdUxt0=
+github.com/open-policy-agent/opa v0.34.0/go.mod h1:buysXn+6zB/b+6JgLkP4WgKZ9+UgUtFAgtemYGrL9Ik=
 github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
 github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
 github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
@@ -1136,17 +1163,20 @@ github.com/opencontainers/runc v1.0.0-rc10/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2r
 github.com/opencontainers/runc v1.0.0-rc8.0.20190926000215-3e425f80a8c9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
 github.com/opencontainers/runc v1.0.0-rc9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
 github.com/opencontainers/runc v1.0.0-rc92/go.mod h1:X1zlU4p7wOlX4+WRCz+hvlRv8phdL7UqbYD+vQwNMmE=
-github.com/opencontainers/runc v1.0.0-rc93 h1:x2UMpOOVf3kQ8arv/EsDGwim8PTNqzL1/EYDr/+scOM=
 github.com/opencontainers/runc v1.0.0-rc93/go.mod h1:3NOsor4w32B2tC0Zbl8Knk4Wg84SM2ImC1fxBuqJ/H0=
+github.com/opencontainers/runc v1.0.2 h1:opHZMaswlyxz1OuGpBE53Dwe4/xF7EZTY0A2L/FpCOg=
+github.com/opencontainers/runc v1.0.2/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0=
 github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.2-0.20190207185410-29686dbc5559/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.3-0.20200728170252-4d89ac9fbff6/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs=
 github.com/opencontainers/selinux v1.6.0/go.mod h1:VVGKuOLlE7v4PJyT6h7mNWvq1rzqiriPsEqVhc+svHE=
 github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo=
+github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8=
 github.com/opentracing-contrib/go-stdlib v1.0.0/go.mod h1:qtI1ogk+2JhVPIXVc6q+NHziSmy2W5GbdQZFUHADCBU=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
@@ -1154,7 +1184,7 @@ github.com/openzipkin/zipkin-go v0.1.1/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTm
 github.com/openzipkin/zipkin-go v0.1.3/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTmOf0Erfk+hxe8=
 github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw=
 github.com/owenrumney/go-sarif v1.0.10/go.mod h1:sgJM0ZaZ28jT8t8Iq3/mUCFBW9cX09EobIBXYOhiYBc=
-github.com/owenrumney/go-sarif v1.0.11/go.mod h1:hTBFbxU7GuVRUvwMx+eStp9M/Oun4xHCS3vqpPvket8=
+github.com/owenrumney/go-sarif v1.0.12/go.mod h1:Jk5smXU9QuCqTdh4N3PehnG+azzrf0XcQ267ZwAG8Ho=
 github.com/owenrumney/squealer v0.2.28 h1:LYsqUHal+5QlANjbZ+h44SN5kIZSfHCWKUzBAS1KwB0=
 github.com/owenrumney/squealer v0.2.28/go.mod h1:wwVPzhjiUBILIdDtnzGSEcapXczIj/tONP+ZJ49IhPY=
 github.com/parnurzeal/gorequest v0.2.16/go.mod h1:3Kh2QUMJoqw3icWAecsyzkpY7UzRfDhbRdTjtNwNiUE=
@@ -1163,6 +1193,7 @@ github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtP
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/pelletier/go-toml v1.8.0/go.mod h1:D6yutnOGMveHEPV7VQOuvI/gXY61bv+9bAOTRnLElKs=
 github.com/pelletier/go-toml v1.8.1/go.mod h1:T2/BmBdy8dvIRq1a/8aqjN41wvWlN4lrapLU/GW4pbc=
+github.com/pelletier/go-toml v1.9.1/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/peterh/liner v0.0.0-20170211195444-bf27d3ba8e1d/go.mod h1:xIteQHvHuaLYG9IFj6mSxM0fCKrs34IrEQUhOYuGPHc=
@@ -1354,7 +1385,10 @@ github.com/tmccombs/hcl2json v0.3.1/go.mod h1:ljY0/prd2IFUF3cagQjV3cpPEEQKzqyGqn
 github.com/tommy-muehle/go-mnd v1.1.1/go.mod h1:dSUh0FtTP8VhvkL1S+gUR1OKd9ZnSaozuI6r3m6wOig=
 github.com/tommy-muehle/go-mnd v1.3.1-0.20200224220436-e6f9a994e8fa/go.mod h1:dSUh0FtTP8VhvkL1S+gUR1OKd9ZnSaozuI6r3m6wOig=
 github.com/tonistiigi/fsutil v0.0.0-20201103201449-0834f99b7b85/go.mod h1:a7cilN64dG941IOXfhJhlH0qB92hxJ9A1ewrdUmJ6xo=
+github.com/tonistiigi/fsutil v0.0.0-20210609172227-d72af97c0eaf/go.mod h1:lJAxK//iyZ3yGbQswdrPTxugZIDM7sd4bEsD0x3XMHk=
+github.com/tonistiigi/go-actions-cache v0.0.0-20211002214948-4d48f2ff622a/go.mod h1:YiIBjH5gP7mao3t0dBrNNBGuKYdeJmcAJjYLXr43k6A=
 github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea/go.mod h1:WPnis/6cRcDZSUvVmezrxJPkiO87ThFYsoUiMwWNDJk=
+github.com/tonistiigi/vt100 v0.0.0-20210615222946-8066bb97264f/go.mod h1:ulncasL3N9uLrVann0m+CDlJKWsIAP34MPcOJF6VRvc=
 github.com/twitchtv/twirp v8.1.0+incompatible h1:KGXanpa9LXdVE/V5P/tA27rkKFmXRGCtSNT7zdeeVOY=
 github.com/twitchtv/twirp v8.1.0+incompatible/go.mod h1:RRJoFSAmTEh2weEqWtpPE3vFK5YBhA6bqp2l1kfCC5A=
 github.com/uber/jaeger-client-go v2.25.0+incompatible/go.mod h1:WVhlPFC8FDjOFMMWRy2pZqQJSXxYSwNYOkTr/Z6d3Kk=
@@ -1423,9 +1457,9 @@ github.com/zclconf/go-cty v1.2.0/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q
 github.com/zclconf/go-cty v1.6.1/go.mod h1:VDR4+I79ubFBGm1uJac1226K5yANQFHeauxPBoP54+o=
 github.com/zclconf/go-cty v1.8.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
 github.com/zclconf/go-cty v1.8.3/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
-github.com/zclconf/go-cty v1.8.4/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
-github.com/zclconf/go-cty v1.9.1 h1:viqrgQwFl5UpSxc046qblj78wZXVDFnSOufaOTER+cc=
 github.com/zclconf/go-cty v1.9.1/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
+github.com/zclconf/go-cty v1.10.0 h1:mp9ZXQeIcN8kAwuqorjH+Q+njbJKjLrvB2yIh4q7U+0=
+github.com/zclconf/go-cty v1.10.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
 github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b/go.mod h1:ZRKQfBXbGkpdV6QMzT3rU1kSTAnfu1dO8dPKjYprgj8=
 github.com/zclconf/go-cty-yaml v1.0.2 h1:dNyg4QLTrv2IfJpm7Wtxi55ed5gLGOlPrZ6kMd51hY0=
 github.com/zclconf/go-cty-yaml v1.0.2/go.mod h1:IP3Ylp0wQpYm50IHK8OZWKMu6sPJIUgKa8XhiVHura0=
@@ -1452,12 +1486,28 @@ go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
 go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M=
 go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
+go.opentelemetry.io/contrib v0.21.0/go.mod h1:EH4yDYeNoaTqn/8yCWQmfNB78VHfGX2Jt2bvnvzBlGM=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.21.0/go.mod h1:Vm5u/mtkj1OMhtao0v+BGo2LUoLCgHYXvRmj0jWITlE=
+go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.21.0/go.mod h1:a9cocRplhIBkUAJmak+BPDx+LVL7cTmqUPB0uBcTA4k=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.21.0/go.mod h1:JQAtechjxLEL81EjmbRwxBq/XEzGaHcsPuDHAx54hg4=
+go.opentelemetry.io/otel v1.0.0-RC1/go.mod h1:x9tRa9HK4hSSq7jf2TKbqFbtt58/TGk0f9XiEYISI1I=
+go.opentelemetry.io/otel/exporters/jaeger v1.0.0-RC1/go.mod h1:FXJnjGCoTQL6nQ8OpFJ0JI1DrdOvMoVx49ic0Hg4+D4=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.0.0-RC1/go.mod h1:FliQjImlo7emZVjixV8nbDMAa4iAkcWTE9zzSEOiEPw=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.0.0-RC1/go.mod h1:cDwRc2Jrh5Gku1peGK8p9rRuX/Uq2OtVmLicjlw2WYU=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.0.0-RC1/go.mod h1:OYKzEoxgXFvehW7X12WYT4/a2BlASJK9l7RtG4A91fg=
+go.opentelemetry.io/otel/internal/metric v0.21.0/go.mod h1:iOfAaY2YycsXfYD4kaRSbLx2LKmfpKObWBEv9QK5zFo=
+go.opentelemetry.io/otel/metric v0.21.0/go.mod h1:JWCt1bjivC4iCrz/aCrM1GSw+ZcvY44KCbaeeRhzHnc=
+go.opentelemetry.io/otel/oteltest v1.0.0-RC1/go.mod h1:+eoIG0gdEOaPNftuy1YScLr1Gb4mL/9lpDkZ0JjMRq4=
+go.opentelemetry.io/otel/sdk v1.0.0-RC1/go.mod h1:kj6yPn7Pgt5ByRuwesbaWcRLA+V7BSDg3Hf8xRvsvf8=
+go.opentelemetry.io/otel/trace v1.0.0-RC1/go.mod h1:86UHmyHWFEtWjfWPSbu0+d0Pf9Q6e1U+3ViBOc+NXAg=
+go.opentelemetry.io/proto/otlp v0.9.0/go.mod h1:1vKfU9rv61e9EVGthD1zNvUbiwPcimSsOPU9brfSHJg=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
 go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/automaxprocs v1.4.0/go.mod h1:/mTEdr7LvHhs0v7mjdxDreTz1OG5zdZGqgOnhWiR/+Q=
+go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
 go.uber.org/goleak v1.1.11-0.20210813005559-691160354723 h1:sHOAIxRGBp443oHZIPB+HsUGaksVCXVQENPxwTfQdH4=
 go.uber.org/goleak v1.1.11-0.20210813005559-691160354723/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
@@ -1735,18 +1785,21 @@ golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210313202042-bd2e13477e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210324051608-47abb6519492/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210502180810-71e4cd670f79/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf h1:2ucpDCmfkl8Bd/FsLtiD653Wf96cW37s+iGx93zsu4k=
 golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=

goreleaser.yml

@@ -20,6 +20,7 @@ builds:
       - arm
       - arm64
       - ppc64le
+      - s390x
     goarm:
       - 7
     ignore:
@@ -86,9 +87,9 @@ brews:
       owner: aquasecurity
       name: homebrew-trivy
     homepage: "https://github.com/aquasecurity/trivy"
-    description: ""
+    description: "Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues"
     test: |
-      system "#{bin}/trivy --version"
+      system "#{bin}/trivy", "--version"
 
 dockers:
   - image_templates:
@@ -98,7 +99,7 @@ dockers:
       - "ghcr.io/aquasecurity/trivy:latest-amd64"
       - "public.ecr.aws/aquasecurity/trivy:latest-amd64"
       - "public.ecr.aws/aquasecurity/trivy:{{ .Version }}-amd64"
-    use_buildx: true
+    use: buildx
     goos: linux
     goarch: amd64
     ids:
@@ -122,7 +123,7 @@ dockers:
       - "ghcr.io/aquasecurity/trivy:latest-arm64"
       - "public.ecr.aws/aquasecurity/trivy:latest-arm64"
       - "public.ecr.aws/aquasecurity/trivy:{{ .Version }}-arm64"
-    use_buildx: true
+    use: buildx
     goos: linux
     goarch: arm64
     ids:

helm/trivy/Chart.yaml

@@ -1,11 +1,11 @@
 apiVersion: v2
 name: trivy
-version: 0.4.4
-appVersion: "0.18.3"
+version: 0.4.8
+appVersion: "0.21.0"
 description: Trivy helm chart
 keywords:
   - scanner
   - trivy
   - vulnerability
 sources:
-- https://github.com/aquasecurity/trivy
+  - https://github.com/aquasecurity/trivy

helm/trivy/templates/configmap.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "trivy.fullname" . }}
+  labels:
+{{ include "trivy.labels" . | indent 4 }}
+data:
+  TRIVY_LISTEN: "0.0.0.0:{{ .Values.service.port }}"
+  TRIVY_CACHE_DIR: "/home/scanner/.cache/trivy"
+{{- if .Values.trivy.cache.redis.enabled }}
+  TRIVY_CACHE_BACKEND: {{ .Values.trivy.cache.redis.url | quote }}
+{{- end }}
+  TRIVY_DEBUG: {{ .Values.trivy.debugMode | quote }}
+  TRIVY_SKIP_UPDATE: {{ .Values.trivy.skipUpdate | quote }}
+{{- if .Values.httpProxy }}
+  HTTP_PROXY: {{ .Values.httpProxy | quote }}
+{{- end }}
+{{- if .Values.httpsProxy }}
+  HTTPS_PROXY: {{ .Values.httpsProxy | quote }}
+{{- end }}
+{{- if .Values.noProxy }}
+  NO_PROXY: {{ .Values.noProxy | quote }}
+{{- end }}

helm/trivy/templates/ingress.yaml

@@ -1,6 +1,12 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "trivy.fullname" . -}}
+{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+apiVersion: networking.k8s.io/v1
+{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }}
 apiVersion: networking.k8s.io/v1beta1
+{{- else }}
+apiVersion: extensions/v1beta1
+{{- end }}
 kind: Ingress
 metadata:
   name: {{ include "trivy.fullname" . }}
@@ -12,6 +18,9 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
+{{- if and (.Values.ingress.ingressClassName) (semverCompare ">= v1.18.0" .Capabilities.KubeVersion.Version) }}
+  ingressClassName: {{ .Values.ingress.ingressClassName }}
+{{- end }}
 {{- if .Values.ingress.tls }}
   tls:
   {{- range .Values.ingress.tls }}
@@ -28,8 +37,17 @@ spec:
       http:
         paths:
           - path: {{ $.Values.ingress.path }}
+        {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+            pathType: {{ $.Values.ingress.pathType }}
+            backend:
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $.Values.service.port -}}
+          {{- else }}
             backend:
               serviceName: {{ $fullName }}
               servicePort: {{ $.Values.service.port -}}
+          {{- end }}
   {{- end }}
-{{- end }}
+{{- end }}

helm/trivy/templates/secret.yaml

@@ -6,4 +6,4 @@ metadata:
 {{ include "trivy.labels" . | indent 4 }}
 type: Opaque
 data:
-  gitHubToken: {{ .Values.trivy.gitHubToken | default "" | b64enc | quote }}
+  GITHUB_TOKEN: {{ .Values.trivy.gitHubToken | default "" | b64enc | quote }}

helm/trivy/templates/statefulset.yaml

@@ -62,30 +62,11 @@ spec:
           {{- end }}
           args:
             - server
-          env:
-            - name: "TRIVY_LISTEN"
-              value: "0.0.0.0:{{ .Values.service.port | default 4954 }}"
-            - name: "TRIVY_CACHE_DIR"
-              value: "/home/scanner/.cache/trivy"
-            {{- if .Values.trivy.cache.redis.enabled }}
-            - name: "TRIVY_CACHE_BACKEND"
-              value: {{ .Values.trivy.cache.redis.url | quote }}
-            {{- end }}
-            - name: "TRIVY_DEBUG"
-              value: {{ .Values.trivy.debugMode | default false | quote }}
-            - name: "TRIVY_SKIP_UPDATE"
-              value: {{ .Values.trivy.skipUpdate | default false | quote }}
-            - name: "GITHUB_TOKEN"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "trivy.fullname" . }}
-                  key: gitHubToken
-            - name: "HTTP_PROXY"
-              value: {{ .Values.httpProxy | quote }}
-            - name: "HTTPS_PROXY"
-              value: {{ .Values.httpsProxy | quote }}
-            - name: "NO_PROXY"
-              value: {{ .Values.noProxy | quote }}
+          envFrom:
+            - configMapRef:
+                name: {{ include "trivy.fullname" . }}
+            - secretRef:
+                name: {{ include "trivy.fullname" . }}
           ports:
             - name: trivy-http
               containerPort: {{ .Values.service.port }}

helm/trivy/values.yaml

@@ -4,7 +4,7 @@ fullnameOverride: ""
 image:
   registry: docker.io
   repository: aquasec/trivy
-  tag: 0.18.3
+  tag: 0.21.0
   pullPolicy: IfNotPresent
   pullSecret: ""
 
@@ -85,7 +85,7 @@ trivy:
   cache:
     redis:
       enabled: false
-      url: "" # e.g. redis://redis.redis.svc:6379
+      url: ""  # e.g. redis://redis.redis.svc:6379
 
 service:
   # type Kubernetes service type
@@ -95,11 +95,15 @@ service:
 
 ingress:
   enabled: false
+  # From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation.
+  ingressClassName:
   annotations: {}
     # kubernetes.io/ingress.class: nginx
   hosts:
     - host: trivy.example.com
   path: "/"
+  # type is only needed for networking.k8s.io/v1 in k8s 1.19+
+  pathType: Prefix
   tls: []
   #  - secretName: trivy-example-tls
   #    hosts:

integration/testdata/alpine-310.html.golden

@@ -232,6 +232,7 @@
           <a href="https://www.openssl.org/news/secadv/20190910.txt">https://www.openssl.org/news/secadv/20190910.txt</a>
         </td>
       </tr>
+      <tr><th colspan="6">No Misconfigurations found</th></tr>
     </table>
   </body>
 </html>

integration/testdata/alpine-310.sarif.golden

@@ -10,341 +10,257 @@
           "fullName": "Trivy Vulnerability Scanner",
           "version": "0.15.0",
           "rules": [
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1549",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1549 Package: libcrypto1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: information disclosure in fork()."
-              },
-              "defaultConfiguration": {
-                "level": "warning"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1549",
-              "help": {
-                "text": "Vulnerability CVE-2019-1549\nSeverity: MEDIUM\nPackage: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)",
-                "markdown": "**Vulnerability CVE-2019-1549**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "MEDIUM",
-                  "libcrypto1.1"
-                ],
-                "precision": "very-high"
-              }
-            },
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1551",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1551 Package: libcrypto1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64."
-              },
-              "defaultConfiguration": {
-                "level": "warning"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1551",
-              "help": {
-                "text": "Vulnerability CVE-2019-1551\nSeverity: MEDIUM\nPackage: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)",
-                "markdown": "**Vulnerability CVE-2019-1551**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1c-r0|1.1.1d-r2|[CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "MEDIUM",
-                  "libcrypto1.1"
-                ],
-                "precision": "very-high"
-              }
-            },
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1563",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1563 Package: libcrypto1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey."
-              },
-              "defaultConfiguration": {
-                "level": "warning"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1563",
-              "help": {
-                "text": "Vulnerability CVE-2019-1563\nSeverity: MEDIUM\nPackage: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)",
-                "markdown": "**Vulnerability CVE-2019-1563**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "MEDIUM",
-                  "libcrypto1.1"
-                ],
-                "precision": "very-high"
-              }
-            },
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1547",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1547 Package: libcrypto1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: side-channel weak encryption vulnerability."
-              },
-              "defaultConfiguration": {
-                "level": "note"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1547",
-              "help": {
-                "text": "Vulnerability CVE-2019-1547\nSeverity: LOW\nPackage: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)",
-                "markdown": "**Vulnerability CVE-2019-1547**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|LOW|libcrypto1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "LOW",
-                  "libcrypto1.1"
-                ],
-                "precision": "very-high"
-              }
-            },
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1549",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1549 Package: libssl1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: information disclosure in fork()."
-              },
-              "defaultConfiguration": {
-                "level": "warning"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1549",
-              "help": {
-                "text": "Vulnerability CVE-2019-1549\nSeverity: MEDIUM\nPackage: libssl1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)",
-                "markdown": "**Vulnerability CVE-2019-1549**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libssl1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "MEDIUM",
-                  "libssl1.1"
-                ],
-                "precision": "very-high"
-              }
-            },
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1551",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1551 Package: libssl1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64."
-              },
-              "defaultConfiguration": {
-                "level": "warning"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1551",
-              "help": {
-                "text": "Vulnerability CVE-2019-1551\nSeverity: MEDIUM\nPackage: libssl1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)",
-                "markdown": "**Vulnerability CVE-2019-1551**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libssl1.1|1.1.1c-r0|1.1.1d-r2|[CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "MEDIUM",
-                  "libssl1.1"
-                ],
-                "precision": "very-high"
-              }
-            },
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1563",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1563 Package: libssl1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey."
-              },
-              "defaultConfiguration": {
-                "level": "warning"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1563",
-              "help": {
-                "text": "Vulnerability CVE-2019-1563\nSeverity: MEDIUM\nPackage: libssl1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)",
-                "markdown": "**Vulnerability CVE-2019-1563**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libssl1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "MEDIUM",
-                  "libssl1.1"
-                ],
-                "precision": "very-high"
-              }
-            },
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1547",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1547 Package: libssl1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: side-channel weak encryption vulnerability."
-              },
-              "defaultConfiguration": {
-                "level": "note"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1547",
-              "help": {
-                "text": "Vulnerability CVE-2019-1547\nSeverity: LOW\nPackage: libssl1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)",
-                "markdown": "**Vulnerability CVE-2019-1547**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|LOW|libssl1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "LOW",
-                  "libssl1.1"
-                ],
-                "precision": "very-high"
-              }
-            }]
+                {
+                  "id": "CVE-2019-1549",
+                  "name": "OsPackageVulnerability",
+                  "shortDescription": {
+                    "text": "CVE-2019-1549"
+                  },
+                  "fullDescription": {
+                    "text": "openssl: information disclosure in fork()."
+                  },
+                  "defaultConfiguration": {
+                    "level": "warning"
+                  },
+                  "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1549",
+                  "help": {
+                    "text": "Vulnerability CVE-2019-1549\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).\nSeverity: MEDIUM\nPackage: libcrypto1.1\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)",                    
+                    "markdown": "**Vulnerability CVE-2019-1549**\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1d-r0|[CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)|\n"                    
+                  },
+                  "properties": {
+                    "tags": [
+                      "vulnerability",
+                      "MEDIUM"
+                    ],
+                    "precision": "very-high"
+                  }
+                },
+                {
+                  "id": "CVE-2019-1551",
+                  "name": "OsPackageVulnerability",
+                  "shortDescription": {
+                    "text": "CVE-2019-1551"
+                  },
+                  "fullDescription": {
+                    "text": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64."
+                  },
+                  "defaultConfiguration": {
+                    "level": "warning"
+                  },
+                  "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1551",
+                  "help": {
+                    "text": "Vulnerability CVE-2019-1551\nThere is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).\nSeverity: MEDIUM\nPackage: libcrypto1.1\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)",                    
+                    "markdown": "**Vulnerability CVE-2019-1551**\nThere is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1d-r2|[CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)|\n"                    
+                  },
+                  "properties": {
+                    "tags": [
+                      "vulnerability",
+                      "MEDIUM"
+                    ],
+                    "precision": "very-high"
+                  }
+                },
+                {
+                  "id": "CVE-2019-1563",
+                  "name": "OsPackageVulnerability",
+                  "shortDescription": {
+                    "text": "CVE-2019-1563"
+                  },
+                  "fullDescription": {
+                    "text": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey."
+                  },
+                  "defaultConfiguration": {
+                    "level": "warning"
+                  },
+                  "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1563",
+                  "help": {
+                    "text": "Vulnerability CVE-2019-1563\nIn situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\nSeverity: MEDIUM\nPackage: libcrypto1.1\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)",                    
+                    "markdown": "**Vulnerability CVE-2019-1563**\nIn situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1d-r0|[CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)|\n"                    
+                  },
+                  "properties": {
+                    "tags": [
+                      "vulnerability",
+                      "MEDIUM"
+                    ],
+                    "precision": "very-high"
+                  }
+                },
+                {
+                  "id": "CVE-2019-1547",
+                  "name": "OsPackageVulnerability",
+                  "shortDescription": {
+                    "text": "CVE-2019-1547"
+                  },
+                  "fullDescription": {
+                    "text": "openssl: side-channel weak encryption vulnerability."
+                  },
+                  "defaultConfiguration": {
+                    "level": "note"
+                  },
+                  "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1547",
+                  "help": {
+                    "text": "Vulnerability CVE-2019-1547\nNormally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\nSeverity: LOW\nPackage: libcrypto1.1\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)",                    
+                    "markdown": "**Vulnerability CVE-2019-1547**\nNormally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libcrypto1.1|1.1.1d-r0|[CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)|\n"                    
+                  },
+                  "properties": {
+                    "tags": [
+                      "vulnerability",
+                      "LOW"
+                    ],
+                    "precision": "very-high"
+                  }
+                }]
         }
       },
       "results": [
         {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1549",
+          "ruleId": "CVE-2019-1549",
           "ruleIndex": 0,
           "level": "warning",
           "message": {
-            "text": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)."
+            "text": "Package: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1549\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)"
           },
           "locations": [{
             "physicalLocation": {
               "artifactLocation": {
                 "uri": "testdata/fixtures/images/alpine-310.tar.gz",
                 "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
               }
             }
           }]
         },
         {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1551",
+          "ruleId": "CVE-2019-1551",
           "ruleIndex": 1,
           "level": "warning",
           "message": {
-            "text": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t)."
+            "text": "Package: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1551\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)"
           },
           "locations": [{
             "physicalLocation": {
               "artifactLocation": {
                 "uri": "testdata/fixtures/images/alpine-310.tar.gz",
                 "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
               }
             }
           }]
         },
         {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1563",
+          "ruleId": "CVE-2019-1563",
           "ruleIndex": 2,
           "level": "warning",
           "message": {
-            "text": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."
+            "text": "Package: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1563\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)"
           },
           "locations": [{
             "physicalLocation": {
               "artifactLocation": {
                 "uri": "testdata/fixtures/images/alpine-310.tar.gz",
                 "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
               }
             }
           }]
         },
         {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1547",
+          "ruleId": "CVE-2019-1547",
           "ruleIndex": 3,
           "level": "note",
           "message": {
-            "text": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."
+            "text": "Package: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1547\nSeverity: LOW\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)"
           },
           "locations": [{
             "physicalLocation": {
               "artifactLocation": {
                 "uri": "testdata/fixtures/images/alpine-310.tar.gz",
                 "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
               }
             }
           }]
         },
         {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1549",
-          "ruleIndex": 4,
+          "ruleId": "CVE-2019-1549",
+          "ruleIndex": 0,
           "level": "warning",
           "message": {
-            "text": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)."
+            "text": "Package: libssl1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1549\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)"
           },
           "locations": [{
             "physicalLocation": {
               "artifactLocation": {
                 "uri": "testdata/fixtures/images/alpine-310.tar.gz",
                 "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
               }
             }
           }]
         },
         {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1551",
-          "ruleIndex": 5,
+          "ruleId": "CVE-2019-1551",
+          "ruleIndex": 1,
           "level": "warning",
           "message": {
-            "text": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t)."
+            "text": "Package: libssl1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1551\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)"
           },
           "locations": [{
             "physicalLocation": {
               "artifactLocation": {
                 "uri": "testdata/fixtures/images/alpine-310.tar.gz",
                 "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
               }
             }
           }]
         },
         {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1563",
-          "ruleIndex": 6,
+          "ruleId": "CVE-2019-1563",
+          "ruleIndex": 2,
           "level": "warning",
           "message": {
-            "text": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."
+            "text": "Package: libssl1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1563\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)"
           },
           "locations": [{
             "physicalLocation": {
               "artifactLocation": {
                 "uri": "testdata/fixtures/images/alpine-310.tar.gz",
                 "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
               }
             }
           }]
         },
         {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1547",
-          "ruleIndex": 7,
+          "ruleId": "CVE-2019-1547",
+          "ruleIndex": 3,
           "level": "note",
           "message": {
-            "text": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."
+            "text": "Package: libssl1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1547\nSeverity: LOW\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)"
           },
           "locations": [{
             "physicalLocation": {
               "artifactLocation": {
                 "uri": "testdata/fixtures/images/alpine-310.tar.gz",
                 "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
               }
             }
           }]
@@ -352,7 +268,7 @@
       "columnKind": "utf16CodeUnits",
       "originalUriBaseIds": {
         "ROOTPATH": {
-          "uri": "/"
+          "uri": "file:///"
         }
       }
     }

integration/testdata/nodejs.json.golden

@@ -24,7 +24,7 @@
           "VulnerabilityID": "CVE-2019-11358",
           "PkgName": "jquery",
           "InstalledVersion": "3.3.9",
-          "FixedVersion": "3.4.0",
+          "FixedVersion": ">=3.4.0",
           "SeveritySource": "nodejs-security-wg",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-11358",
           "Title": "js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection",
@@ -92,7 +92,7 @@
           "PkgName": "lodash",
           "InstalledVersion": "4.17.4",
           "FixedVersion": "4.17.12",
-          "SeveritySource": "nvd",
+          "SeveritySource": "ghsa-npm",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-10744",
           "Title": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties",
           "Description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.",
@@ -128,7 +128,7 @@
           "VulnerabilityID": "CVE-2018-16487",
           "PkgName": "lodash",
           "InstalledVersion": "4.17.4",
-          "FixedVersion": "4.17.11",
+          "FixedVersion": ">=4.17.11",
           "SeveritySource": "nodejs-security-wg",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-16487",
           "Title": "lodash: Prototype pollution in utilities function",
@@ -164,7 +164,7 @@
           "PkgName": "lodash",
           "InstalledVersion": "4.17.4",
           "FixedVersion": "4.17.11",
-          "SeveritySource": "nvd",
+          "SeveritySource": "ghsa-npm",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010266",
           "Title": "Moderate severity vulnerability that affects lodash",
           "Description": "lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.",
@@ -195,7 +195,7 @@
           "VulnerabilityID": "CVE-2018-3721",
           "PkgName": "lodash",
           "InstalledVersion": "4.17.4",
-          "FixedVersion": "4.17.5",
+          "FixedVersion": ">=4.17.5",
           "SeveritySource": "nodejs-security-wg",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-3721",
           "Title": "lodash: Prototype pollution in utilities function",

mkdocs.yml

@@ -66,6 +66,7 @@ nav:
       - Comparison:
           - vs Conftest: misconfiguration/comparison/conftest.md
           - vs tfsec: misconfiguration/comparison/tfsec.md
+          - vs cfsec: misconfiguration/comparison/cfsec.md
   - Advanced:
       - Overview: advanced/index.md
       - Plugins: advanced/plugins.md
@@ -76,6 +77,7 @@ nav:
           - CircleCI: advanced/integrations/circleci.md
           - Travis CI: advanced/integrations/travis-ci.md
           - GitLab CI: advanced/integrations/gitlab-ci.md
+          - Bitbucket Pipelines: advanced/integrations/bitbucket.md
           - AWS CodePipeline: advanced/integrations/aws-codepipeline.md
           - AWS Security Hub: advanced/integrations/aws-security-hub.md
       - Container Image:
@@ -92,6 +94,9 @@ nav:
       - Modes:
           - Standalone: advanced/modes/standalone.md
           - Client/Server: advanced/modes/client-server.md
+      - Community:
+          - Tools: advanced/community/tools.md
+          - References: advanced/community/references.md
       - Maintainer:
           - Help Wanted: advanced/contrib/help-wanted.md
           - Triage: advanced/contrib/triage.md

pkg/commands/app.go

@@ -18,6 +18,7 @@ import (
 	"github.com/aquasecurity/trivy/pkg/commands/plugin"
 	"github.com/aquasecurity/trivy/pkg/commands/server"
 	tdb "github.com/aquasecurity/trivy/pkg/db"
+	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/result"
 	"github.com/aquasecurity/trivy/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/utils"
@@ -225,6 +226,12 @@ var (
 		EnvVars: []string{"TRIVY_SKIP_DIRS"},
 	}
 
+	offlineScan = cli.BoolFlag{
+		Name:    "offline-scan",
+		Usage:   "do not issue API requests to identify dependencies",
+		EnvVars: []string{"TRIVY_OFFLINE_SCAN"},
+	}
+
 	// For misconfigurations
 	configPolicy = cli.StringSliceFlag{
 		Name:    "config-policy",
@@ -309,6 +316,7 @@ var (
 		&ignorePolicy,
 		&listAllPackages,
 		&cacheBackendFlag,
+		&offlineScan,
 		stringSliceFlag(skipFiles),
 		stringSliceFlag(skipDirs),
 	}
@@ -344,7 +352,10 @@ func NewApp(version string) *cli.App {
 
 	runAsPlugin := os.Getenv("TRIVY_RUN_AS_PLUGIN")
 	if runAsPlugin == "" {
-		app.Action = artifact.ImageRun
+		app.Action = func(ctx *cli.Context) error {
+			log.Logger.Warn("The root command will be removed. Please migrate to 'trivy image' command. See https://github.com/aquasecurity/trivy/discussions/1515")
+			return artifact.ImageRun(ctx)
+		}
 	} else {
 		app.Action = func(ctx *cli.Context) error {
 			return plugin.RunWithArgs(ctx.Context, runAsPlugin, ctx.Args().Slice())
@@ -465,6 +476,7 @@ func NewFilesystemCommand() *cli.Command {
 			&noProgressFlag,
 			&ignorePolicy,
 			&listAllPackages,
+			&offlineScan,
 			stringSliceFlag(skipFiles),
 			stringSliceFlag(skipDirs),
 			stringSliceFlag(configPolicy),
@@ -499,6 +511,7 @@ func NewRootfsCommand() *cli.Command {
 			&noProgressFlag,
 			&ignorePolicy,
 			&listAllPackages,
+			&offlineScan,
 			stringSliceFlag(skipFiles),
 			stringSliceFlag(skipDirs),
 			stringSliceFlag(configPolicy),
@@ -536,6 +549,7 @@ func NewRepositoryCommand() *cli.Command {
 			&noProgressFlag,
 			&ignorePolicy,
 			&listAllPackages,
+			&offlineScan,
 			stringSliceFlag(skipFiles),
 			stringSliceFlag(skipDirs),
 		},
@@ -569,6 +583,7 @@ func NewClientCommand() *cli.Command {
 			stringSliceFlag(skipDirs),
 			stringSliceFlag(configPolicy),
 			&listAllPackages,
+			&offlineScan,
 
 			// original flags
 			&token,
@@ -667,6 +682,18 @@ func NewPluginCommand() *cli.Command {
 				ArgsUsage: "PLUGIN_NAME",
 				Action:    plugin.Uninstall,
 			},
+			{
+				Name:    "list",
+				Aliases: []string{"l"},
+				Usage:   "list installed plugin",
+				Action:  plugin.List,
+			},
+			{
+				Name:      "info",
+				Usage:     "information about a plugin",
+				ArgsUsage: "PLUGIN_NAME",
+				Action:    plugin.Information,
+			},
 			{
 				Name:      "run",
 				Aliases:   []string{"r"},
@@ -674,6 +701,12 @@ func NewPluginCommand() *cli.Command {
 				ArgsUsage: "PLUGIN_NAME [PLUGIN_OPTIONS]",
 				Action:    plugin.Run,
 			},
+			{
+				Name:      "update",
+				Usage:     "update an existing plugin",
+				ArgsUsage: "PLUGIN_NAME",
+				Action:    plugin.Update,
+			},
 		},
 	}
 }

pkg/commands/artifact/run.go

@@ -203,6 +203,7 @@ func scan(ctx context.Context, opt Option, initializeScanner InitializeScanner,
 		DisabledAnalyzers: disabledAnalyzers(opt),
 		SkipFiles:         opt.SkipFiles,
 		SkipDirs:          opt.SkipDirs,
+		Offline:           opt.OfflineScan,
 	}
 
 	s, cleanup, err := initializeScanner(ctx, target, cacheClient, cacheClient, opt.Timeout, artifactOpt, configScannerOptions)

pkg/commands/artifact/wire_gen.go

@@ -1,7 +1,8 @@
 // Code generated by Wire. DO NOT EDIT.
 
 //go:generate wire
-//+build !wireinject
+//go:build !wireinject
+// +build !wireinject
 
 package artifact
 

pkg/commands/client/run.go

@@ -143,7 +143,7 @@ func initializeScanner(ctx context.Context, opt Option) (scanner.Scanner, func()
 	// ScannerOptions is filled only when config scanning is enabled.
 	var configScannerOptions config.ScannerOption
 	if utils.StringInSlice(types.SecurityCheckConfig, opt.SecurityChecks) {
-		builtinPolicyPaths, err := operation.InitBuiltinPolicies(ctx, false)
+		builtinPolicyPaths, err := operation.InitBuiltinPolicies(ctx, opt.SkipPolicyUpdate)
 		if err != nil {
 			return scanner.Scanner{}, nil, xerrors.Errorf("failed to initialize default policies: %w", err)
 		}
@@ -161,6 +161,7 @@ func initializeScanner(ctx context.Context, opt Option) (scanner.Scanner, func()
 		DisabledAnalyzers: disabledAnalyzers(opt),
 		SkipFiles:         opt.SkipFiles,
 		SkipDirs:          opt.SkipDirs,
+		Offline:           opt.OfflineScan,
 	}
 
 	if opt.Input != "" {

pkg/commands/client/wire_gen.go

@@ -1,7 +1,8 @@
 // Code generated by Wire. DO NOT EDIT.
 
 //go:generate wire
-//+build !wireinject
+//go:build !wireinject
+// +build !wireinject
 
 package client
 

pkg/commands/operation/inject.go

@@ -1,3 +1,4 @@
+//go:build wireinject
 // +build wireinject
 
 package operation

pkg/commands/operation/wire_gen.go

@@ -1,7 +1,8 @@
 // Code generated by Wire. DO NOT EDIT.
 
 //go:generate wire
-//+build !wireinject
+//go:build !wireinject
+// +build !wireinject
 
 package operation
 

pkg/commands/option/artifact.go

@@ -15,8 +15,9 @@ type ArtifactOption struct {
 	Timeout    time.Duration
 	ClearCache bool
 
-	SkipDirs  []string
-	SkipFiles []string
+	SkipDirs    []string
+	SkipFiles   []string
+	OfflineScan bool
 
 	// this field is populated in Init()
 	Target string
@@ -25,11 +26,12 @@ type ArtifactOption struct {
 // NewArtifactOption is the factory method to return artifact option
 func NewArtifactOption(c *cli.Context) ArtifactOption {
 	return ArtifactOption{
-		Input:      c.String("input"),
-		Timeout:    c.Duration("timeout"),
-		ClearCache: c.Bool("clear-cache"),
-		SkipFiles:  c.StringSlice("skip-files"),
-		SkipDirs:   c.StringSlice("skip-dirs"),
+		Input:       c.String("input"),
+		Timeout:     c.Duration("timeout"),
+		ClearCache:  c.Bool("clear-cache"),
+		SkipFiles:   c.StringSlice("skip-files"),
+		SkipDirs:    c.StringSlice("skip-dirs"),
+		OfflineScan: c.Bool("offline-scan"),
 	}
 }
 

pkg/commands/plugin/plugin.go

@@ -2,6 +2,8 @@ package plugin
 
 import (
 	"context"
+	"fmt"
+	"os"
 
 	"github.com/urfave/cli/v2"
 	"golang.org/x/xerrors"
@@ -47,6 +49,65 @@ func Uninstall(c *cli.Context) error {
 	return nil
 }
 
+// Information displays information about the plugin
+func Information(c *cli.Context) error {
+	if c.NArg() != 1 {
+		cli.ShowSubcommandHelpAndExit(c, 1)
+	}
+
+	if err := initLogger(c); err != nil {
+		return xerrors.Errorf("initialize logger error: %w", err)
+	}
+
+	pluginName := c.Args().First()
+	info, err := plugin.Information(pluginName)
+	if err != nil {
+		return xerrors.Errorf("plugin information display error: %w", err)
+	}
+
+	if _, err = fmt.Fprintf(os.Stdout, info); err != nil {
+		return xerrors.Errorf("print error: %w", err)
+	}
+
+	return nil
+}
+
+// List displays a list of all of installed plugins
+func List(c *cli.Context) error {
+	if err := initLogger(c); err != nil {
+		return xerrors.Errorf("initialize error: %w", err)
+	}
+
+	info, err := plugin.List()
+	if err != nil {
+		return xerrors.Errorf("plugin list display error: %w", err)
+	}
+
+	if _, err = fmt.Fprintf(os.Stdout, info); err != nil {
+		return xerrors.Errorf("print error: %w", err)
+	}
+
+	return nil
+}
+
+// Update updates an existing plugin
+func Update(c *cli.Context) error {
+	if c.NArg() != 1 {
+		cli.ShowSubcommandHelpAndExit(c, 1)
+	}
+
+	if err := initLogger(c); err != nil {
+		return xerrors.Errorf("initialize error: %w", err)
+	}
+
+	pluginName := c.Args().First()
+	if err := plugin.Update(pluginName); err != nil {
+		return xerrors.Errorf("plugin update error: %w", err)
+	}
+
+	return nil
+}
+
 // Run runs the plugin
 func Run(c *cli.Context) error {
 	if c.NArg() < 1 {

pkg/detector/library/driver.go

@@ -37,7 +37,7 @@ func NewDriver(libType string) (Driver, error) {
 		driver = newPipDriver()
 	case ftypes.NuGet:
 		driver = newNugetDriver()
-	case ftypes.Jar:
+	case ftypes.Jar, ftypes.Pom:
 		driver = newMavenDriver()
 	case ftypes.GoBinary, ftypes.GoMod:
 		driver = Driver{
@@ -89,41 +89,34 @@ func (d *Driver) Type() string {
 
 func newRubyGemsDriver() Driver {
 	c := bundler.RubyGemsComparer{}
-	return Aggregate(vulnerability.RubyGems, ghsa.NewAdvisory(ecosystem.Rubygems, c), bundler.NewAdvisory(),
-		NewAdvisory(vulnerability.RubyGems, c))
+	return Aggregate(vulnerability.RubyGems, NewAdvisory(vulnerability.RubyGems, c), bundler.NewAdvisory(), ghsa.NewAdvisory(ecosystem.Rubygems, c))
 }
 
 func newComposerDriver() Driver {
 	c := comparer.GenericComparer{}
-	return Aggregate(vulnerability.Composer, ghsa.NewAdvisory(ecosystem.Composer, c), composer.NewAdvisory(),
-		NewAdvisory(vulnerability.Composer, c))
+	return Aggregate(vulnerability.Composer, NewAdvisory(vulnerability.Composer, c), composer.NewAdvisory(), ghsa.NewAdvisory(ecosystem.Composer, c))
 }
 
 func newCargoDriver() Driver {
-	return Aggregate(vulnerability.Cargo, cargo.NewAdvisory(),
-		NewAdvisory(vulnerability.Cargo, comparer.GenericComparer{}))
+	return Aggregate(vulnerability.Cargo, NewAdvisory(vulnerability.Cargo, comparer.GenericComparer{}), cargo.NewAdvisory())
 }
 
 func newNpmDriver() Driver {
 	c := npm.Comparer{}
-	return Aggregate(vulnerability.Npm, ghsa.NewAdvisory(ecosystem.Npm, c),
-		npm.NewAdvisory(), NewAdvisory(vulnerability.Npm, c))
+	return Aggregate(vulnerability.Npm, NewAdvisory(vulnerability.Npm, c), npm.NewAdvisory(), ghsa.NewAdvisory(ecosystem.Npm, c))
 }
 
 func newPipDriver() Driver {
 	c := comparer.GenericComparer{}
-	return Aggregate(vulnerability.Pip, ghsa.NewAdvisory(ecosystem.Pip, c),
-		python.NewAdvisory(), NewAdvisory(vulnerability.Pip, c))
+	return Aggregate(vulnerability.Pip, NewAdvisory(vulnerability.Pip, c), python.NewAdvisory(), ghsa.NewAdvisory(ecosystem.Pip, c))
 }
 
 func newNugetDriver() Driver {
 	c := comparer.GenericComparer{}
-	return Aggregate(vulnerability.NuGet, ghsa.NewAdvisory(ecosystem.Nuget, c),
-		NewAdvisory(vulnerability.NuGet, c))
+	return Aggregate(vulnerability.NuGet, NewAdvisory(vulnerability.NuGet, c), ghsa.NewAdvisory(ecosystem.Nuget, c))
 }
 
 func newMavenDriver() Driver {
 	c := maven.Comparer{}
-	return Aggregate(vulnerability.Maven, ghsa.NewAdvisory(ecosystem.Maven, c),
-		NewAdvisory(vulnerability.Maven, c))
+	return Aggregate(vulnerability.Maven, NewAdvisory(vulnerability.Maven, c), ghsa.NewAdvisory(ecosystem.Maven, c))
 }

pkg/detector/ospkg/alpine/alpine.go

@@ -41,6 +41,7 @@ var (
 		"3.12": time.Date(2022, 5, 1, 23, 59, 59, 0, time.UTC),
 		"3.13": time.Date(2022, 11, 1, 23, 59, 59, 0, time.UTC),
 		"3.14": time.Date(2023, 5, 1, 23, 59, 59, 0, time.UTC),
+		"3.15": time.Date(2023, 11, 1, 23, 59, 59, 0, time.UTC),
 	}
 )
 

pkg/plugin/plugin.go

@@ -2,13 +2,15 @@ package plugin
 
 import (
 	"context"
+	"fmt"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"runtime"
+	"strings"
 
 	"golang.org/x/xerrors"
-	yaml "gopkg.in/yaml.v3"
+	"gopkg.in/yaml.v3"
 
 	"github.com/aquasecurity/trivy/pkg/downloader"
 	"github.com/aquasecurity/trivy/pkg/log"
@@ -183,6 +185,79 @@ func Uninstall(name string) error {
 	return os.RemoveAll(pluginDir)
 }
 
+// Information gets the information about an installed plugin
+func Information(name string) (string, error) {
+	pluginDir := filepath.Join(dir(), name)
+
+	if _, err := os.Stat(pluginDir); err != nil {
+		if os.IsNotExist(err) {
+			return "", xerrors.Errorf("could not find a plugin called '%s', did you install it?", name)
+		}
+		return "", xerrors.Errorf("stat error: %w", err)
+	}
+
+	plugin, err := loadMetadata(pluginDir)
+	if err != nil {
+		return "", xerrors.Errorf("unable to load metadata: %w", err)
+	}
+
+	return fmt.Sprintf(`
+Plugin: %s
+  Description: %s
+  Version:     %s
+  Usage:       %s
+`, plugin.Name, plugin.Description, plugin.Version, plugin.Usage), nil
+}
+
+// List gets a list of all installed plugins
+func List() (string, error) {
+	if _, err := os.Stat(dir()); err != nil {
+		if os.IsNotExist(err) {
+			return "No Installed Plugins\n", nil
+		}
+		return "", xerrors.Errorf("stat error: %w", err)
+	}
+	plugins, err := LoadAll()
+	if err != nil {
+		return "", xerrors.Errorf("unable to load plugins: %w", err)
+	}
+	pluginList := []string{"Installed Plugins:"}
+	for _, plugin := range plugins {
+		pluginList = append(pluginList, fmt.Sprintf("  Name:    %s\n  Version: %s\n", plugin.Name, plugin.Version))
+	}
+
+	return strings.Join(pluginList, "\n"), nil
+}
+
+// Update updates an existing plugin
+func Update(name string) error {
+	pluginDir := filepath.Join(dir(), name)
+
+	if _, err := os.Stat(pluginDir); err != nil {
+		if os.IsNotExist(err) {
+			return xerrors.Errorf("could not find a plugin called '%s' to update: %w", name, err)
+		}
+		return err
+	}
+
+	plugin, err := loadMetadata(pluginDir)
+	if err != nil {
+		return err
+	}
+	log.Logger.Infof("Updating plugin '%s'", name)
+	updated, err := Install(nil, plugin.Repository, true)
+	if err != nil {
+		return xerrors.Errorf("unable to perform an update installation: %w", err)
+	}
+
+	if plugin.Version == updated.Version {
+		log.Logger.Infof("The %s plugin is the latest version. [%s]", name, plugin.Version)
+	} else {
+		log.Logger.Infof("Updated '%s' from %s to %s", name, plugin.Version, updated.Version)
+	}
+	return nil
+}
+
 // LoadAll loads all plugins
 func LoadAll() ([]Plugin, error) {
 	pluginsDir := dir()

pkg/plugin/plugin_test.go

@@ -291,6 +291,39 @@ func TestUninstall(t *testing.T) {
 	assert.NoFileExists(t, pluginDir)
 }
 
+func TestInformation(t *testing.T) {
+	pluginName := "test_plugin"
+
+	tempDir := t.TempDir()
+	pluginDir := filepath.Join(tempDir, ".trivy", "plugins", pluginName)
+
+	t.Setenv("XDG_DATA_HOME", tempDir)
+
+	// Create the test plugin directory
+	err := os.MkdirAll(pluginDir, os.ModePerm)
+	require.NoError(t, err)
+
+	// write the plugin name
+	pluginMetadata := `name: "test_plugin"
+repository: github.com/aquasecurity/trivy-plugin-test
+version: "0.1.0"
+usage: test
+description: A simple test plugin`
+
+	err = os.WriteFile(filepath.Join(pluginDir, "plugin.yaml"), []byte(pluginMetadata), os.ModePerm)
+	require.NoError(t, err)
+
+	// Get Information for the plugin
+	info, err := plugin.Information(pluginName)
+	require.NoError(t, err)
+	assert.Equal(t, "\nPlugin: test_plugin\n  Description: A simple test plugin\n  Version:     0.1.0\n  Usage:       test\n", info)
+
+	// Get Information for unknown plugin
+	info, err = plugin.Information("unknown")
+	require.Error(t, err)
+	assert.Equal(t, "could not find a plugin called 'unknown', did you install it?", err.Error())
+}
+
 func TestLoadAll1(t *testing.T) {
 	tests := []struct {
 		name    string
@@ -345,3 +378,46 @@ func TestLoadAll1(t *testing.T) {
 		})
 	}
 }
+
+func TestUpdate(t *testing.T) {
+	pluginName := "test_plugin"
+
+	tempDir := t.TempDir()
+	pluginDir := filepath.Join(tempDir, ".trivy", "plugins", pluginName)
+
+	t.Setenv("XDG_DATA_HOME", tempDir)
+
+	// Create the test plugin directory
+	err := os.MkdirAll(pluginDir, os.ModePerm)
+	require.NoError(t, err)
+
+	// write the plugin name
+	pluginMetadata := `name: "test_plugin"
+repository: testdata/test_plugin
+version: "0.0.5"
+usage: test
+description: A simple test plugin`
+
+	err = os.WriteFile(filepath.Join(pluginDir, "plugin.yaml"), []byte(pluginMetadata), os.ModePerm)
+	require.NoError(t, err)
+
+	// verify initial version
+	verifyVersion(t, pluginName, "0.0.5")
+
+	// Update the existing plugin
+	err = plugin.Update(pluginName)
+	require.NoError(t, err)
+
+	// verify plugin updated
+	verifyVersion(t, pluginName, "0.1.0")
+}
+
+func verifyVersion(t *testing.T, pluginName, expectedVersion string) {
+	plugins, err := plugin.LoadAll()
+	require.NoError(t, err)
+	for _, plugin := range plugins {
+		if plugin.Name == pluginName {
+			assert.Equal(t, expectedVersion, plugin.Version)
+		}
+	}
+}

pkg/report/template.go

@@ -46,6 +46,16 @@ func NewTemplateWriter(output io.Writer, outputTemplate string) (*TemplateWriter
 		}
 		return escaped.String()
 	}
+	templateFuncMap["makeRuleMap"] = func() map[string]int {
+		return make(map[string]int)
+	}
+	templateFuncMap["indexRule"] = func(rules map[string]int, vulnerabilityID string) bool {
+		if _, ok := rules[vulnerabilityID]; !ok {
+			rules[vulnerabilityID] = len(rules)
+			return true
+		}
+		return false
+	}
 	templateFuncMap["toSarifErrorLevel"] = toSarifErrorLevel
 	templateFuncMap["toSarifRuleName"] = toSarifRuleName
 	templateFuncMap["endWithPeriod"] = func(input string) string {
@@ -91,19 +101,17 @@ func (tw TemplateWriter) Write(report Report) error {
 }
 
 func toSarifRuleName(vulnerabilityType string) string {
-	var ruleName string
 	switch vulnerabilityType {
 	case vulnerability.Ubuntu, vulnerability.Alpine, vulnerability.RedHat, vulnerability.RedHatOVAL,
 		vulnerability.Debian, vulnerability.DebianOVAL, vulnerability.Fedora, vulnerability.Amazon,
 		vulnerability.OracleOVAL, vulnerability.SuseCVRF, vulnerability.OpenSuseCVRF, vulnerability.Photon,
 		vulnerability.CentOS:
-		ruleName = "OS Package Vulnerability"
+		return "OsPackageVulnerability"
 	case "npm", "yarn", "nuget", "pipenv", "poetry", "bundler", "cargo", "composer":
-		ruleName = "Programming Language Vulnerability"
+		return "ProgrammingLanguageVulnerability"
 	default:
-		ruleName = "Other Vulnerability"
+		return "OtherVulnerability"
 	}
-	return fmt.Sprintf("%s (%s)", ruleName, strings.Title(vulnerabilityType))
 }
 
 func toSarifErrorLevel(severity string) string {

pkg/report/writer_internal_test.go

@@ -14,91 +14,91 @@ func TestReportWriter_toSarifRuleName(t *testing.T) {
 	}{
 		{
 			vulnerabilityType: vulnerability.Ubuntu,
-			sarifRuleName:     "OS Package Vulnerability (Ubuntu)",
+			sarifRuleName:     "OsPackageVulnerability",
 		},
 		{
 			vulnerabilityType: vulnerability.Alpine,
-			sarifRuleName:     "OS Package Vulnerability (Alpine)",
+			sarifRuleName:     "OsPackageVulnerability",
 		},
 		{
 			vulnerabilityType: vulnerability.RedHat,
-			sarifRuleName:     "OS Package Vulnerability (Redhat)",
+			sarifRuleName:     "OsPackageVulnerability",
 		},
 		{
 			vulnerabilityType: vulnerability.RedHatOVAL,
-			sarifRuleName:     "OS Package Vulnerability (Redhat-Oval)",
+			sarifRuleName:     "OsPackageVulnerability",
 		},
 		{
 			vulnerabilityType: vulnerability.Debian,
-			sarifRuleName:     "OS Package Vulnerability (Debian)",
+			sarifRuleName:     "OsPackageVulnerability",
 		},
 		{
 			vulnerabilityType: vulnerability.DebianOVAL,
-			sarifRuleName:     "OS Package Vulnerability (Debian-Oval)",
+			sarifRuleName:     "OsPackageVulnerability",
 		},
 		{
 			vulnerabilityType: vulnerability.Fedora,
-			sarifRuleName:     "OS Package Vulnerability (Fedora)",
+			sarifRuleName:     "OsPackageVulnerability",
 		},
 		{
 			vulnerabilityType: vulnerability.Amazon,
-			sarifRuleName:     "OS Package Vulnerability (Amazon)",
+			sarifRuleName:     "OsPackageVulnerability",
 		},
 		{
 			vulnerabilityType: vulnerability.OracleOVAL,
-			sarifRuleName:     "OS Package Vulnerability (Oracle-Oval)",
+			sarifRuleName:     "OsPackageVulnerability",
 		},
 		{
 			vulnerabilityType: vulnerability.SuseCVRF,
-			sarifRuleName:     "OS Package Vulnerability (Suse-Cvrf)",
+			sarifRuleName:     "OsPackageVulnerability",
 		},
 		{
 			vulnerabilityType: vulnerability.OpenSuseCVRF,
-			sarifRuleName:     "OS Package Vulnerability (Opensuse-Cvrf)",
+			sarifRuleName:     "OsPackageVulnerability",
 		},
 		{
 			vulnerabilityType: vulnerability.Photon,
-			sarifRuleName:     "OS Package Vulnerability (Photon)",
+			sarifRuleName:     "OsPackageVulnerability",
 		},
 		{
 			vulnerabilityType: vulnerability.CentOS,
-			sarifRuleName:     "OS Package Vulnerability (Centos)",
+			sarifRuleName:     "OsPackageVulnerability",
 		},
 		{
 			vulnerabilityType: "npm",
-			sarifRuleName:     "Programming Language Vulnerability (Npm)",
+			sarifRuleName:     "ProgrammingLanguageVulnerability",
 		},
 		{
 			vulnerabilityType: "yarn",
-			sarifRuleName:     "Programming Language Vulnerability (Yarn)",
+			sarifRuleName:     "ProgrammingLanguageVulnerability",
 		},
 		{
 			vulnerabilityType: "nuget",
-			sarifRuleName:     "Programming Language Vulnerability (Nuget)",
+			sarifRuleName:     "ProgrammingLanguageVulnerability",
 		},
 		{
 			vulnerabilityType: "pipenv",
-			sarifRuleName:     "Programming Language Vulnerability (Pipenv)",
+			sarifRuleName:     "ProgrammingLanguageVulnerability",
 		},
 		{
 			vulnerabilityType: "poetry",
-			sarifRuleName:     "Programming Language Vulnerability (Poetry)",
+			sarifRuleName:     "ProgrammingLanguageVulnerability",
 		},
 		{
 			vulnerabilityType: "bundler",
-			sarifRuleName:     "Programming Language Vulnerability (Bundler)",
+			sarifRuleName:     "ProgrammingLanguageVulnerability",
 		},
 		{
 			vulnerabilityType: "cargo",
-			sarifRuleName:     "Programming Language Vulnerability (Cargo)",
+			sarifRuleName:     "ProgrammingLanguageVulnerability",
 		},
 		{
 			vulnerabilityType: "composer",
-			sarifRuleName:     "Programming Language Vulnerability (Composer)",
+			sarifRuleName:     "ProgrammingLanguageVulnerability",
 		},
 		{
 			vulnerabilityType: "redis",
-			sarifRuleName:     "Other Vulnerability (Redis)",
+			sarifRuleName:     "OtherVulnerability",
 		},
 	}
 	for _, tc := range tests {

pkg/result/result.go

@@ -12,6 +12,7 @@ import (
 	"github.com/open-policy-agent/opa/rego"
 	"golang.org/x/xerrors"
 
+	ftypes "github.com/aquasecurity/fanal/types"
 	"github.com/aquasecurity/trivy-db/pkg/db"
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
@@ -66,10 +67,10 @@ func (c Client) FillVulnerabilityInfo(vulns []types.DetectedVulnerability, repor
 		}
 
 		// Detect which data source should be used.
-		source := c.detectSource(reportType)
+		sources := c.detectSource(reportType)
 
 		// Select the severity according to the detected source.
-		severity, severitySource := c.getVendorSeverity(&vuln, source)
+		severity, severitySource := c.getVendorSeverity(&vuln, sources)
 
 		// The vendor might provide package-specific severity like Debian.
 		// For example, CVE-2015-2328 in Debian has "unimportant" for mongodb and "low" for pcre3.
@@ -84,38 +85,42 @@ func (c Client) FillVulnerabilityInfo(vulns []types.DetectedVulnerability, repor
 
 		vulns[i].Severity = severity
 		vulns[i].SeveritySource = severitySource
-		vulns[i].PrimaryURL = c.getPrimaryURL(vulnID, vuln.References, source)
+		vulns[i].PrimaryURL = c.getPrimaryURL(vulnID, vuln.References, sources)
 		vulns[i].Vulnerability.VendorSeverity = nil // Remove VendorSeverity from Results
 	}
 }
-func (c Client) detectSource(reportType string) string {
-	var source string
+func (c Client) detectSource(reportType string) []string {
+	var sources []string
 	switch reportType {
 	case vulnerability.Ubuntu, vulnerability.Alpine, vulnerability.RedHat, vulnerability.RedHatOVAL,
 		vulnerability.Debian, vulnerability.DebianOVAL, vulnerability.Fedora, vulnerability.Amazon,
 		vulnerability.OracleOVAL, vulnerability.SuseCVRF, vulnerability.OpenSuseCVRF, vulnerability.Photon:
-		source = reportType
+		sources = []string{reportType}
 	case vulnerability.CentOS: // CentOS doesn't have its own so we use RedHat
-		source = vulnerability.RedHat
+		sources = []string{vulnerability.RedHat}
 	case "npm", "yarn":
-		source = vulnerability.NodejsSecurityWg
+		sources = []string{vulnerability.NodejsSecurityWg, vulnerability.GHSANpm, vulnerability.GLAD}
 	case "nuget":
-		source = vulnerability.GHSANuget
+		sources = []string{vulnerability.GHSANuget, vulnerability.GLAD}
 	case "pipenv", "poetry":
-		source = vulnerability.PythonSafetyDB
+		sources = []string{vulnerability.PythonSafetyDB, vulnerability.GHSAPip, vulnerability.GLAD}
 	case "bundler":
-		source = vulnerability.RubySec
+		sources = []string{vulnerability.RubySec, vulnerability.GHSARubygems, vulnerability.GLAD}
 	case "cargo":
-		source = vulnerability.RustSec
+		sources = []string{vulnerability.RustSec}
 	case "composer":
-		source = vulnerability.PhpSecurityAdvisories
+		sources = []string{vulnerability.PhpSecurityAdvisories, vulnerability.GHSAComposer, vulnerability.GLAD}
+	case ftypes.Jar:
+		sources = []string{vulnerability.GHSAMaven, vulnerability.GLAD}
 	}
-	return source
+	return sources
 }
 
-func (c Client) getVendorSeverity(vuln *dbTypes.Vulnerability, source string) (string, string) {
-	if vs, ok := vuln.VendorSeverity[source]; ok {
-		return vs.String(), source
+func (c Client) getVendorSeverity(vuln *dbTypes.Vulnerability, sources []string) (string, string) {
+	for _, source := range sources {
+		if vs, ok := vuln.VendorSeverity[source]; ok {
+			return vs.String(), source
+		}
 	}
 
 	// Try NVD as a fallback if it exists
@@ -130,7 +135,7 @@ func (c Client) getVendorSeverity(vuln *dbTypes.Vulnerability, source string) (s
 	return vuln.Severity, ""
 }
 
-func (c Client) getPrimaryURL(vulnID string, refs []string, source string) string {
+func (c Client) getPrimaryURL(vulnID string, refs []string, sources []string) string {
 	switch {
 	case strings.HasPrefix(vulnID, "CVE-"):
 		return "https://avd.aquasec.com/nvd/" + strings.ToLower(vulnID)
@@ -142,11 +147,13 @@ func (c Client) getPrimaryURL(vulnID string, refs []string, source string) strin
 		return "https://security-tracker.debian.org/tracker/" + vulnID
 	}
 
-	prefixes := primaryURLPrefixes[source]
-	for _, pre := range prefixes {
-		for _, ref := range refs {
-			if strings.HasPrefix(ref, pre) {
-				return ref
+	for _, source := range sources {
+		prefixes := primaryURLPrefixes[source]
+		for _, pre := range prefixes {
+			for _, ref := range refs {
+				if strings.HasPrefix(ref, pre) {
+					return ref
+				}
 			}
 		}
 	}

pkg/result/result_test.go

@@ -263,9 +263,9 @@ func TestClient_FillVulnerabilityInfo(t *testing.T) {
 
 func TestClient_getPrimaryURL(t *testing.T) {
 	type args struct {
-		vulnID string
-		refs   []string
-		source string
+		vulnID  string
+		refs    []string
+		sources []string
 	}
 	tests := []struct {
 		name string
@@ -275,36 +275,36 @@ func TestClient_getPrimaryURL(t *testing.T) {
 		{
 			name: "CVE-ID",
 			args: args{
-				vulnID: "CVE-2014-8484",
-				refs:   []string{"http://linux.oracle.com/cve/CVE-2014-8484.html"},
-				source: vulnerability.OracleOVAL,
+				vulnID:  "CVE-2014-8484",
+				refs:    []string{"http://linux.oracle.com/cve/CVE-2014-8484.html"},
+				sources: []string{vulnerability.OracleOVAL},
 			},
 			want: "https://avd.aquasec.com/nvd/cve-2014-8484",
 		},
 		{
 			name: "RUSTSEC",
 			args: args{
-				vulnID: "RUSTSEC-2018-0017",
-				refs:   []string{"https://github.com/rust-lang-deprecated/tempdir/pull/46"},
-				source: vulnerability.RustSec,
+				vulnID:  "RUSTSEC-2018-0017",
+				refs:    []string{"https://github.com/rust-lang-deprecated/tempdir/pull/46"},
+				sources: []string{vulnerability.RustSec},
 			},
 			want: "https://rustsec.org/advisories/RUSTSEC-2018-0017",
 		},
 		{
 			name: "GHSA",
 			args: args{
-				vulnID: "GHSA-28fw-88hq-6jmm",
-				refs:   []string{},
-				source: vulnerability.PhpSecurityAdvisories,
+				vulnID:  "GHSA-28fw-88hq-6jmm",
+				refs:    []string{},
+				sources: []string{vulnerability.PhpSecurityAdvisories},
 			},
 			want: "https://github.com/advisories/GHSA-28fw-88hq-6jmm",
 		},
 		{
 			name: "Debian temp vulnerability",
 			args: args{
-				vulnID: "TEMP-0841856-B18BAF",
-				refs:   []string{},
-				source: vulnerability.DebianOVAL,
+				vulnID:  "TEMP-0841856-B18BAF",
+				refs:    []string{},
+				sources: []string{vulnerability.DebianOVAL},
 			},
 			want: "https://security-tracker.debian.org/tracker/TEMP-0841856-B18BAF",
 		},
@@ -317,7 +317,7 @@ func TestClient_getPrimaryURL(t *testing.T) {
 					"https://github.com/lodash/lodash/pull/4759",
 					"https://www.npmjs.com/advisories/1523",
 				},
-				source: vulnerability.NodejsSecurityWg,
+				sources: []string{vulnerability.NodejsSecurityWg},
 			},
 			want: "https://www.npmjs.com/advisories/1523",
 		},
@@ -329,7 +329,7 @@ func TestClient_getPrimaryURL(t *testing.T) {
 					"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00076.html",
 					"https://www.suse.com/support/security/rating/",
 				},
-				source: vulnerability.OpenSuseCVRF,
+				sources: []string{vulnerability.OpenSuseCVRF},
 			},
 			want: "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00076.html",
 		},
@@ -337,7 +337,7 @@ func TestClient_getPrimaryURL(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			c := Client{}
-			got := c.getPrimaryURL(tt.args.vulnID, tt.args.refs, tt.args.source)
+			got := c.getPrimaryURL(tt.args.vulnID, tt.args.refs, tt.args.sources)
 			assert.Equal(t, tt.want, got)
 		})
 	}

pkg/rpc/convert.go

@@ -269,6 +269,9 @@ func ConvertFromRPCMisconfs(rpcMisconfs []*common.DetectedMisconfiguration) []ty
 
 // ConvertFromRPCLayer converts *common.Layer to fanal.Layer
 func ConvertFromRPCLayer(rpcLayer *common.Layer) ftypes.Layer {
+	if rpcLayer == nil {
+		return ftypes.Layer{}
+	}
 	return ftypes.Layer{
 		Digest: rpcLayer.Digest,
 		DiffID: rpcLayer.DiffId,

pkg/rpc/server/inject.go

@@ -1,3 +1,4 @@
+//go:build wireinject
 // +build wireinject
 
 package server

pkg/rpc/server/server_test.go

@@ -329,6 +329,18 @@ func TestCacheServer_PutBlob(t *testing.T) {
 											DiffId: "sha256:b2a1a2d80bf0c747a4f6b0ca6af5eef23f043fcdb1ed4f3a3e750aef2dc68079",
 										},
 									},
+									{
+										Name:       "node-minimal",
+										Version:    "17.1.0",
+										Release:    "5.el7",
+										Epoch:      2,
+										Arch:       "x86_64",
+										SrcName:    "node",
+										SrcVersion: "17.1.0",
+										SrcRelease: "5.el7",
+										SrcEpoch:   2,
+										Layer:      nil,
+									},
 								},
 							},
 						},
@@ -398,6 +410,18 @@ func TestCacheServer_PutBlob(t *testing.T) {
 											DiffID: "sha256:b2a1a2d80bf0c747a4f6b0ca6af5eef23f043fcdb1ed4f3a3e750aef2dc68079",
 										},
 									},
+									{
+										Name:       "node-minimal",
+										Version:    "17.1.0",
+										Release:    "5.el7",
+										Epoch:      2,
+										Arch:       "x86_64",
+										SrcName:    "node",
+										SrcVersion: "17.1.0",
+										SrcRelease: "5.el7",
+										SrcEpoch:   2,
+										Layer:      ftypes.Layer{},
+									},
 								},
 							},
 						},

pkg/rpc/server/wire_gen.go

@@ -1,7 +1,8 @@
 // Code generated by Wire. DO NOT EDIT.
 
 //go:generate wire
-//+build !wireinject
+//go:build !wireinject
+// +build !wireinject
 
 package server
 

pkg/scanner/local/scan.go

@@ -306,6 +306,13 @@ func toDetectedMisconfiguration(res ftypes.MisconfResult, defaultSeverity dbType
 		Status:      status,
 		Layer:       layer,
 		Traces:      res.Traces,
+		IacMetadata: ftypes.IacMetadata{
+			Resource:  res.Resource,
+			Provider:  res.Provider,
+			Service:   res.Service,
+			StartLine: res.StartLine,
+			EndLine:   res.EndLine,
+		},
 	}
 }
 

pkg/types/misconfiguration.go

@@ -4,19 +4,20 @@ import ftypes "github.com/aquasecurity/fanal/types"
 
 // DetectedMisconfiguration holds detected misconfigurations
 type DetectedMisconfiguration struct {
-	Type        string        `json:",omitempty"`
-	ID          string        `json:",omitempty"`
-	Title       string        `json:",omitempty"`
-	Description string        `json:",omitempty"`
-	Message     string        `json:",omitempty"`
-	Namespace   string        `json:",omitempty"`
-	Query       string        `json:",omitempty"`
-	Resolution  string        `json:",omitempty"`
-	Severity    string        `json:",omitempty"`
-	PrimaryURL  string        `json:",omitempty"`
-	References  []string      `json:",omitempty"`
-	Status      MisconfStatus `json:",omitempty"`
-	Layer       ftypes.Layer  `json:",omitempty"`
+	Type        string             `json:",omitempty"`
+	ID          string             `json:",omitempty"`
+	Title       string             `json:",omitempty"`
+	Description string             `json:",omitempty"`
+	Message     string             `json:",omitempty"`
+	Namespace   string             `json:",omitempty"`
+	Query       string             `json:",omitempty"`
+	Resolution  string             `json:",omitempty"`
+	Severity    string             `json:",omitempty"`
+	PrimaryURL  string             `json:",omitempty"`
+	References  []string           `json:",omitempty"`
+	Status      MisconfStatus      `json:",omitempty"`
+	Layer       ftypes.Layer       `json:",omitempty"`
+	IacMetadata ftypes.IacMetadata `json:",omitempty"`
 
 	// For debugging
 	Traces []string `json:",omitempty"`

pkg/utils/utils.go

@@ -5,11 +5,6 @@ import (
 	"io"
 	"os"
 	"path/filepath"
-	"strings"
-
-	"golang.org/x/xerrors"
-
-	"github.com/aquasecurity/trivy/pkg/log"
 )
 
 var cacheDir string
@@ -33,47 +28,6 @@ func SetCacheDir(dir string) {
 	cacheDir = dir
 }
 
-// FileWalk walks the directory and performs operations on files defined by walkFn
-func FileWalk(root string, targetFiles map[string]struct{}, walkFn func(r io.Reader, path string) error) error {
-	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
-		if err != nil {
-			return err
-		}
-		if info.IsDir() {
-			return nil
-		}
-
-		rel, err := filepath.Rel(root, path)
-		if err != nil {
-			return xerrors.Errorf("error in filepath rel: %w", err)
-		}
-
-		if _, ok := targetFiles[rel]; !ok {
-			return nil
-		}
-
-		if info.Size() == 0 {
-			log.Logger.Debugf("invalid size: %s", path)
-			return nil
-		}
-
-		f, err := os.Open(path)
-		if err != nil {
-			return xerrors.Errorf("failed to open file: %w", err)
-		}
-		defer f.Close()
-
-		if err = walkFn(f, path); err != nil {
-			return err
-		}
-		return nil
-	})
-	if err != nil {
-		return xerrors.Errorf("error in file walk: %w", err)
-	}
-	return nil
-}
-
 // StringInSlice checks if strings exist in list of strings
 func StringInSlice(a string, list []string) bool {
 	for _, b := range list {
@@ -84,24 +38,6 @@ func StringInSlice(a string, list []string) bool {
 	return false
 }
 
-// FilterTargets filters the target based on prefixPath
-func FilterTargets(prefixPath string, targets map[string]struct{}) (map[string]struct{}, error) {
-	filtered := map[string]struct{}{}
-	for filename := range targets {
-		if strings.HasPrefix(filename, prefixPath) {
-			rel, err := filepath.Rel(prefixPath, filename)
-			if err != nil {
-				return nil, xerrors.Errorf("error in filepath rel: %w", err)
-			}
-			if strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
-				continue
-			}
-			filtered[rel] = struct{}{}
-		}
-	}
-	return filtered, nil
-}
-
 // CopyFile copies the file content from scr to dst
 func CopyFile(src, dst string) (int64, error) {
 	sourceFileStat, err := os.Stat(src)

pkg/utils/utils_test.go

@@ -1,14 +1,9 @@
 package utils
 
 import (
-	"io"
 	"os"
-	"path/filepath"
-	"reflect"
-	"strings"
 	"testing"
 
-	"github.com/kylelemons/godebug/pretty"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -30,116 +25,6 @@ func write(t *testing.T, name string, content string) {
 	}
 }
 
-func TestFileWalk(t *testing.T) {
-	td, err := os.MkdirTemp("", "walktest")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer os.RemoveAll(td)
-
-	if err := os.MkdirAll(filepath.Join(td, "dir"), 0755); err != nil {
-		t.Fatal(err)
-	}
-	touch(t, filepath.Join(td, "dir/foo1"))
-	touch(t, filepath.Join(td, "dir/foo2"))
-	write(t, filepath.Join(td, "dir/foo3"), "foo3")
-	write(t, filepath.Join(td, "dir/foo4"), "foo4")
-
-	sawDir := false
-	sawFoo1 := false
-	sawFoo2 := false
-	sawFoo4 := false
-	var contentFoo3 []byte
-	walker := func(r io.Reader, path string) error {
-		if strings.HasSuffix(path, "dir") {
-			sawDir = true
-		}
-		if strings.HasSuffix(path, "foo1") {
-			sawFoo1 = true
-		}
-		if strings.HasSuffix(path, "foo2") {
-			sawFoo2 = true
-		}
-		if strings.HasSuffix(path, "foo3") {
-			contentFoo3, err = io.ReadAll(r)
-			if err != nil {
-				t.Fatal(err)
-			}
-		}
-		if strings.HasSuffix(path, "foo4") {
-			sawFoo4 = true
-		}
-		return nil
-	}
-
-	targetFiles := map[string]struct{}{
-		filepath.Join("dir", "foo2"): {},
-		filepath.Join("dir", "foo3"): {},
-	}
-	err = FileWalk(td, targetFiles, walker)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if sawDir {
-		t.Error("directories must not be passed to walkFn")
-	}
-	if sawFoo1 || sawFoo4 {
-		t.Error("a file not included in targetFiles must not be passed to walkFn")
-	}
-	if sawFoo2 {
-		t.Error("an empty file must not be passed to walkFn")
-	}
-	if string(contentFoo3) != "foo3" {
-		t.Error("The file content is wrong")
-	}
-}
-func TestFilterTargets(t *testing.T) {
-	vectors := map[string]struct {
-		prefix   string
-		targets  map[string]struct{} // Target files
-		expected map[string]struct{}
-		err      error // Expected error to occur
-	}{
-		"normal": {
-			prefix: "dir",
-			targets: map[string]struct{}{
-				filepath.Join("dir", "file1"): {},
-				filepath.Join("dir", "file2"): {},
-				filepath.Join("foo", "bar"):   {},
-			},
-			expected: map[string]struct{}{
-				"file1": {},
-				"file2": {},
-			},
-			err: nil,
-		},
-		"other directory with the same prefix": {
-			prefix: "dir",
-			targets: map[string]struct{}{
-				filepath.Join("dir", "file1"):  {},
-				filepath.Join("dir2", "file2"): {},
-			},
-			expected: map[string]struct{}{
-				"file1": {},
-			},
-			err: nil,
-		},
-	}
-
-	for testName, v := range vectors {
-		t.Run(testName, func(t *testing.T) {
-			actual, err := FilterTargets(v.prefix, v.targets)
-			if err != nil {
-				t.Errorf("err: got %v, want %v", v.err, err)
-			}
-			if !reflect.DeepEqual(actual, v.expected) {
-				t.Errorf("[%s]\n%s", testName, pretty.Compare(v.expected, actual))
-
-			}
-		})
-	}
-}
-
 func TestCopyFile(t *testing.T) {
 	type args struct {
 		src string