fix(java/pom): ignore unsupported requirements (#1514)

Co-authored-by: Andrey Levchenko <levchenko.andrey@gmail.com>

.gitignore

@@ -27,3 +27,6 @@ integration/testdata/fixtures/images
 
 # SBOMs generated during CI
 /bom.json
+
+# goreleaser output
+dist

ci/deploy-deb.sh

@@ -9,12 +9,14 @@ for release in ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
   echo "Removing deb package of $release"
   reprepro -A i386 remove $release trivy
   reprepro -A amd64 remove $release trivy
+  reprepro -A arm64 remove $release trivy
 done
 
 for release in ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
   echo "Adding deb package to $release"
   reprepro includedeb $release ../../dist/*Linux-64bit.deb
   reprepro includedeb $release ../../dist/*Linux-32bit.deb
+  reprepro includedeb $release ../../dist/*Linux-ARM64.deb
 done
 
 git add .

contrib/html.tpl

@@ -112,6 +112,31 @@
       </tr>
         {{- end }}
       {{- end }}
+      {{- if (eq (len .Misconfigurations ) 0) }}
+      <tr><th colspan="6">No Misconfigurations found</th></tr>
+      {{- else }}
+      <tr class="sub-header">
+        <th>Type</th>
+        <th>Misconf ID</th>
+        <th>Check</th>
+        <th>Severity</th>
+        <th>Message</th>
+      </tr>
+        {{- range .Misconfigurations }}
+      <tr class="severity-{{ escapeXML .Severity }}">
+        <td class="misconf-type">{{ escapeXML .Type }}</td>
+        <td>{{ escapeXML .ID }}</td>
+        <td class="misconf-check">{{ escapeXML .Title }}</td>
+        <td class="severity">{{ escapeXML .Severity }}</td>
+        <td class="link" data-more-links="off"  style="white-space:normal;"">
+          {{ escapeXML .Message }}
+          <br>
+            <a href={{ escapeXML .PrimaryURL | printf "%q" }}>{{ escapeXML .PrimaryURL }}</a>
+          </br>
+        </td>
+      </tr>
+        {{- end }}
+      {{- end }}
     {{- end }}
     </table>
 {{- else }}

docs/advanced/air-gap.md

@@ -50,11 +50,12 @@ $ rm trivy-offline.db.tgz
 
 In an air-gapped environment it is your responsibility to update the Trivy database on a regular basis, so that the scanner can detect recently-identified vulnerabilities. 
 
-### Run Trivy with --skip-update option
+### Run Trivy with --skip-update and --offline-scan option
 In an air-gapped environment, specify `--skip-update` so that Trivy doesn't attempt to download the latest database file.
+In addition, if you want to scan Java dependencies such as JAR and pom.xml, you need to specify `--offline-scan` since Trivy tries to issue API requests for scanning Java applications by default.
 
 ```
-$ trivy image --skip-update alpine:3.12
+$ trivy image --skip-update --offline-scan alpine:3.12
 ```
 
 ## Air-Gapped Environment for misconfigurations

docs/advanced/community/tools.md

@@ -10,6 +10,13 @@ Have you created a tool that’s not listed? Add the name and description of you
 | [gitrivy][gitrivy]                         | GitHub Issue + Trivy                                                             |
 | [trivy-github-issues][trivy-github-issues] | GitHub Actions for creating GitHub Issues according to the Trivy scanning result |
 
+## Semaphore
+
+| Name                                                   | Description                               |
+| -------------------------------------------------------| ----------------------------------------- |
+| [Continuous Vulnerability Testing with Trivy][semaphore-tutorial] | Tutorial on scanning code, containers, infrastructure, and Kubernetes with Semaphore CI/CD. |
+
+
 ## CircleCI
 
 | Orb                                      | Description                               |
@@ -26,4 +33,5 @@ Have you created a tool that’s not listed? Add the name and description of you
 [trivy-github-issues]: https://github.com/marketplace/actions/trivy-github-issues
 [fifteen5/trivy-orb]: https://circleci.com/developer/orbs/orb/fifteen5/trivy-orb
 [gitrivy]: https://github.com/marketplace/actions/trivy-action
-[explorer]: https://dbsystel.github.io/trivy-vulnerability-explorer/
+[explorer]: https://dbsystel.github.io/trivy-vulnerability-explorer/
+[semaphore-tutorial]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy

docs/advanced/container/unpacked-filesystem.md

@@ -1,6 +1,6 @@
 # Unpacked Filesystem
 
-Scan aan unpacked container image filesystem.
+Scan an unpacked container image filesystem.
 
 In this case, Trivy works the same way when scanning containers
 

docs/getting-started/cli/client.md

@@ -22,6 +22,7 @@ OPTIONS:
    --timeout value             timeout (default: 5m0s) [$TRIVY_TIMEOUT]
    --ignore-policy value       specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
    --list-all-pkgs             enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
+   --offline-scan              do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
    --token value               for authentication [$TRIVY_TOKEN]
    --token-header value        specify a header name for token (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
    --remote value              server address (default: "http://localhost:4954") [$TRIVY_REMOTE]

docs/getting-started/cli/fs.md

@@ -25,6 +25,7 @@ OPTIONS:
    --no-progress                                  suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
    --ignore-policy value                          specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
    --list-all-pkgs                                enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
+   --offline-scan                                 do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
    --skip-files value                             specify the file paths to skip traversal [$TRIVY_SKIP_FILES]
    --skip-dirs value                              specify the directories where the traversal is skipped [$TRIVY_SKIP_DIRS]
    --config-policy value                          specify paths to the Rego policy files directory, applying config files [$TRIVY_CONFIG_POLICY]

docs/getting-started/cli/image.md

@@ -27,6 +27,7 @@ OPTIONS:
    --light                     light mode: it's faster, but vulnerability descriptions and references are not displayed (default: false) [$TRIVY_LIGHT]
    --ignore-policy value       specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
    --list-all-pkgs             enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
+   --offline-scan              do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
    --skip-files value          specify the file path to skip traversal [$TRIVY_SKIP_FILES]
    --skip-dirs value           specify the directory where the traversal is skipped [$TRIVY_SKIP_DIRS]
    --cache-backend value       cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]

docs/getting-started/cli/repo.md

@@ -25,6 +25,7 @@ OPTIONS:
    --no-progress               suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
    --ignore-policy value       specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
    --list-all-pkgs             enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
+   --offline-scan              do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
    --skip-files value          specify the file path to skip traversal [$TRIVY_SKIP_FILES]
    --skip-dirs value           specify the directory where the traversal is skipped [$TRIVY_SKIP_DIRS]
    --help, -h                  show help (default: false)

docs/getting-started/cli/rootfs.md

@@ -25,6 +25,7 @@ OPTIONS:
    --no-progress                                  suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
    --ignore-policy value                          specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
    --list-all-pkgs                                enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
+   --offline-scan                                 do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
    --skip-files value                             specify the file paths to skip traversal [$TRIVY_SKIP_FILES]
    --skip-dirs value                              specify the directories where the traversal is skipped [$TRIVY_SKIP_DIRS]
    --config-policy value                          specify paths to the Rego policy files directory, applying config files [$TRIVY_CONFIG_POLICY]

docs/getting-started/troubleshooting.md

@@ -39,6 +39,22 @@ https://developer.github.com/v3/#rate-limiting
 $ GITHUB_TOKEN=XXXXXXXXXX trivy alpine:3.10
 ```
 
+### Maven rate limiting
+
+!!! error
+    ``` bash
+    $ trivy image ...
+    ...
+    status 403 Forbidden from http://search.maven.org/solrsearch/select
+    ```
+
+Trivy calls Maven API for better detection of JAR files, but many requests may exceed rate limiting.
+If it happens frequently, try the `--offline-scan` option to stop Trivy from making API requests.
+This option affects only vulnerability scanning. The vulnerability database and builtin policies are downloaded as usual.
+If you want to skip them as well, you can try `--skip-update` and `--skip-policy-update`.
+
+Note that a number of vulnerabilities might be fewer than without the `--offline-scan` option.
+
 ### Running in parallel takes same time as series run
 When running trivy on multiple images simultaneously, it will take same time as running trivy in series.  
 This is because of a limitation of boltdb.

docs/vulnerability/detection/data-source.md

@@ -68,6 +68,6 @@
 [nodejs]: https://github.com/nodejs/security-wg
 [gitlab]: https://gitlab.com/gitlab-org/advisories-community
 [go]: https://github.com/golang/vulndb
-[rust]: (https://github.com/RustSec/advisory-db)
+[rust]: https://github.com/RustSec/advisory-db
 
 [nvd]: https://nvd.nist.gov/

docs/vulnerability/detection/language.md

@@ -2,23 +2,24 @@
 
 `Trivy` automatically detects the following files in the container and scans vulnerabilities in the application dependencies.
 
-| Language | File                     | Image[^6] | Rootfs[^7] | Filesystem[^8] |  Repository[^9] |Dev dependencies |
+| Language | File                     | Image[^7] | Rootfs[^8] | Filesystem[^9] | Repository[^10] |Dev dependencies |
-|----------|--------------------------|:---------:|:----------:|:--------------:|:---------------:|-----------------|
+|----------|--------------------------|:---------:|:----------:|:--------------:|:--------------:|-----------------|
-| Ruby     | Gemfile.lock             | -         | -          | ✅             | ✅              | included        |
+| Ruby     | Gemfile.lock             | -         | -          |       ✅        |       ✅        | included        |
-|          | gemspec                  | ✅        | ✅         | -              | -               | included        |
+|          | gemspec                  | ✅        | ✅         |       -        |       -        | included        |
-| Python   | Pipfile.lock             | -         | -          | ✅             | ✅              | excluded        |
+| Python   | Pipfile.lock             | -         | -          |       ✅        |       ✅        | excluded        |
-|          | poetry.lock              | -         | -          | ✅             | ✅              | included        |
+|          | poetry.lock              | -         | -          |       ✅        |       ✅        | included        |
-|          | requirements.txt         | -         | -          | ✅             | ✅              | included        |
+|          | requirements.txt         | -         | -          |       ✅        |       ✅        | included        |
-|          | egg package[^1]          | ✅        | ✅         | -              | -               | excluded        |
+|          | egg package[^1]          | ✅        | ✅         |       -        |       -        | excluded        |
-|          | wheel package[^2]        | ✅        | ✅         | -              | -               | excluded        |
+|          | wheel package[^2]        | ✅        | ✅         |       -        |       -        | excluded        |
-| PHP      | composer.lock            | ✅        | ✅         | ✅             | ✅              | excluded        |
+| PHP      | composer.lock            | ✅        | ✅         |       ✅        |       ✅        | excluded        |
-| Node.js  | package-lock.json        | -         | -          | ✅             | ✅              | excluded        |
+| Node.js  | package-lock.json        | -         | -          |       ✅        |       ✅        | excluded        |
-|          | yarn.lock                | -         | -          | ✅             | ✅              | included        |
+|          | yarn.lock                | -         | -          |       ✅        |       ✅        | included        |
-|          | package.json             | ✅        | ✅         | -              | -               | excluded        |
+|          | package.json             | ✅        | ✅         |       -        |       -        | excluded        |
-| .NET     | packages.lock.json       | ✅        | ✅         | ✅             | ✅              | included        |
+| .NET     | packages.lock.json       | ✅        | ✅         |       ✅        |       ✅        | included        |
-| Java     | JAR/WAR/EAR[^3][^4]      | ✅        | ✅         | ✅             | ✅              | included        |
+| Java     | JAR/WAR/EAR[^3][^4]      | ✅        | ✅         |       -        |       -        | included        |
-| Go       | Binaries built by Go[^5] | ✅        | ✅         | -              | -               | excluded        |
+|          | pom.xml[^5]              | -         | -          |       ✅        |       ✅        | excluded        |
-|          | go.sum                   | -         | -          | ✅             | ✅              | included        |
+| Go       | Binaries built by Go[^6] | ✅        | ✅         |       -        |       -        | excluded        |
+|          | go.sum                   | -         | -          |       ✅        |       ✅        | included        |
 
 The path of these files does not matter.
 
@@ -27,9 +28,10 @@ Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Do
 [^1]: `*.egg-info`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO`
 [^2]: `.dist-info/META-DATA`
 [^3]: `*.jar`, `*.war`, and `*.ear`
-[^4]: It requires the Internet access
+[^4]: It requires Internet access
-[^5]: UPX-compressed binaries don't work
+[^5]: It requires Internet access when the POM doesn't exist in your local repository
-[^6]: ✅ means "enabled" and `-` means "disabled" in the image scanning
+[^6]: UPX-compressed binaries don't work
-[^7]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
+[^7]: ✅ means "enabled" and `-` means "disabled" in the image scanning
-[^8]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
+[^8]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
-[^9]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
+[^9]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
+[^10]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning

go.mod

@@ -7,8 +7,8 @@ require (
 	github.com/Masterminds/sprig v2.22.0+incompatible
 	github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/fanal v0.0.0-20211130145558-2c76718ef52e
+	github.com/aquasecurity/fanal v0.0.0-20211224205755-c94f68b6d71a
-	github.com/aquasecurity/go-dep-parser v0.0.0-20211110174639-8257534ffed3
+	github.com/aquasecurity/go-dep-parser v0.0.0-20211224170007-df43bca6b6ff
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
@@ -17,7 +17,6 @@ require (
 	github.com/caarlos0/env/v6 v6.0.0
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cheggaaa/pb/v3 v3.0.3
-	github.com/containerd/containerd v1.5.7 // indirect
 	github.com/docker/cli v20.10.9+incompatible // indirect
 	github.com/docker/docker v20.10.10+incompatible
 	github.com/docker/go-connections v0.4.0
@@ -29,6 +28,7 @@ require (
 	github.com/google/go-github/v33 v33.0.0
 	github.com/google/wire v0.4.0
 	github.com/hashicorp/go-getter v1.5.2
+	github.com/hashicorp/go-hclog v0.15.0 // indirect
 	github.com/huandu/xstrings v1.3.2 // indirect
 	github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
 	github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d

go.sum

@@ -144,8 +144,8 @@ github.com/Microsoft/hcsshim v0.8.10/go.mod h1:g5uw8EV2mAlzqe94tfNBNdr89fnbD/n3H
 github.com/Microsoft/hcsshim v0.8.14/go.mod h1:NtVKoYxQuTLx6gEq0L96c9Ju4JbRJ4nY2ow3VK6a9Lg=
 github.com/Microsoft/hcsshim v0.8.15/go.mod h1:x38A4YbHbdxJtc0sF6oIz+RG0npwSCAvn69iY6URG00=
 github.com/Microsoft/hcsshim v0.8.16/go.mod h1:o5/SZqmR7x9JNKsW3pu+nqHm0MF8vbA+VxGOoXdC600=
-github.com/Microsoft/hcsshim v0.8.21 h1:btRfUDThBE5IKcvI8O8jOiIkujUsAMBSRsYDYmEi6oM=
+github.com/Microsoft/hcsshim v0.8.23 h1:47MSwtKGXet80aIn+7h4YI6fwPmwIghAnsx2aOUrG2M=
-github.com/Microsoft/hcsshim v0.8.21/go.mod h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwTOcER2fw4I4=
+github.com/Microsoft/hcsshim v0.8.23/go.mod h1:4zegtUJth7lAvFyc6cH2gGQ5B3OFQim01nnU2M8jKDg=
 github.com/Microsoft/hcsshim/test v0.0.0-20200826032352-301c83a30e7c/go.mod h1:30A5igQ91GEmhYJF8TaRP79pMBOYynRsyOByfVV0dU4=
 github.com/Microsoft/hcsshim/test v0.0.0-20201218223536-d3e5debf77da/go.mod h1:5hlzMzRKMLyo42nCZ9oml8AdTlq/0cvIaBv6tK1RehU=
 github.com/Microsoft/hcsshim/test v0.0.0-20210227013316-43a75bb4edd3/go.mod h1:mw7qgWloBUl75W/gVH3cQszUg1+gUITj7D6NY7ywVnY=
@@ -170,8 +170,9 @@ github.com/VividCortex/ewma v1.1.1/go.mod h1:2Tkkvm3sRDVXaiyucHiACn4cqf7DpdyLvmx
 github.com/acomagu/bufpipe v1.0.3 h1:fxAGrHZTgQ9w5QqVItgzwj235/uYZYgbXitB+dLupOk=
 github.com/acomagu/bufpipe v1.0.3/go.mod h1:mxdxdup/WdsKVreO5GpW4+M/1CE2sMG4jeGJ2sYmHc4=
 github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
-github.com/agext/levenshtein v1.2.2 h1:0S/Yg6LYmFJ5stwQeRp6EeOcCbj7xiqQSdNelsXvaqE=
 github.com/agext/levenshtein v1.2.2/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
+github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo=
+github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
 github.com/alecthomas/kingpin v2.2.6+incompatible/go.mod h1:59OFYbFVLKQKq+mqrL6Rw5bR0c3ACQaawgXx0QYndlE=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
@@ -206,10 +207,10 @@ github.com/aquasecurity/cfsec v0.2.2 h1:hq6MZlg7XFZsrerCv297N4HRlnJM7K6LLd/l/xCz
 github.com/aquasecurity/cfsec v0.2.2/go.mod h1:sUELRJqIPXTOZiHUx7TzyyFFzuk0W22IG6IWAoV8T6U=
 github.com/aquasecurity/defsec v0.0.37 h1:zdZndlKrW257b8VLK1UwfmXiyPuDrNA+wzBilHRk1LA=
 github.com/aquasecurity/defsec v0.0.37/go.mod h1:csaBEcJ3AKy44expnW0dCANEZcS/c1vcJjwBCbnKWBM=
-github.com/aquasecurity/fanal v0.0.0-20211130145558-2c76718ef52e h1:8cdrjNJ3aMcNglPK80y37T9B733dBoe7118hLC2XWBA=
+github.com/aquasecurity/fanal v0.0.0-20211224205755-c94f68b6d71a h1:SAGMaeEgtCWrv8VD9tq+fbCjiSdTHPXjHXY9eTv/U7o=
-github.com/aquasecurity/fanal v0.0.0-20211130145558-2c76718ef52e/go.mod h1:tfiYxqoK/3PDW8Ut3UnxP7rKqFaSw1X6owKjAHjM1NA=
+github.com/aquasecurity/fanal v0.0.0-20211224205755-c94f68b6d71a/go.mod h1:xKJMgVsb+TgCMoiv3u7aethmPTkZiryr2nSShtMdRmA=
-github.com/aquasecurity/go-dep-parser v0.0.0-20211110174639-8257534ffed3 h1:zYNhYU4HUqJq+Lqhwf68gvd+v0cKqM2XOmggtHYLkoU=
+github.com/aquasecurity/go-dep-parser v0.0.0-20211224170007-df43bca6b6ff h1:JCKEV3TgUNh9fn+8hXyIdsF9yErA0rUbCkgt2flRKt4=
-github.com/aquasecurity/go-dep-parser v0.0.0-20211110174639-8257534ffed3/go.mod h1:Zc7Eo6tFl9l4XcqsWeabD7jHnXRBK/LdgZuu9GTSVLU=
+github.com/aquasecurity/go-dep-parser v0.0.0-20211224170007-df43bca6b6ff/go.mod h1:8fJ//Ob6/03lxbn4xa1F+G/giVtiVLxnZNpBp5xOxNk=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
 github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798 h1:eveqE9ivrt30CJ7dOajOfBavhZ4zPqHcZe/4tKp0alc=
@@ -221,8 +222,8 @@ github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492 h1:rcEG5HI
 github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492/go.mod h1:9Beu8XsUNNfzml7WBf3QmyPToP1wm1Gj/Vc5UJKqTzU=
 github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516 h1:moQmzbpLo5dxHQCyEhqzizsDSNrNhn/7uRTCZzo4A1o=
 github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516/go.mod h1:gTd97VdQ0rg8Mkiic3rPgNOQdprZ7feTAhiD5mGQjgM=
-github.com/aquasecurity/tfsec v0.61.4-0.20211130135821-0a1997e494fa h1:mgG6allqccyBmaE0qnWFl39ju156yqNVTd0D/xwuVko=
+github.com/aquasecurity/tfsec v0.63.1 h1:KH63HTcUoab7d3PKtqFO6T8K5AY7bzLw7Kiu+EY9U64=
-github.com/aquasecurity/tfsec v0.61.4-0.20211130135821-0a1997e494fa/go.mod h1:MR3uDlWu+fBTisFndR+NwjSGt06RBhkE++JzKRJ0Ggs=
+github.com/aquasecurity/tfsec v0.63.1/go.mod h1:g5ZWmsfqW1FsCaPb9ux8Pzjcyss/WUB2XuRd5slqvnc=
 github.com/aquasecurity/trivy-db v0.0.0-20210916043317-726b7b72a47b h1:RaS93vlHzgreZk3CYqcNgoqukwbsBEYhAiE6qmhLwB0=
 github.com/aquasecurity/trivy-db v0.0.0-20210916043317-726b7b72a47b/go.mod h1:5h8GV7Qxp/SMJ4awWHs0KRxwVkKzcwOnRkORWOnCXRU=
 github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2/go.mod h1:6NhOP0CjZJL27bZZcaHECtzWdwDDm2g6yCY0QgXEGQQ=
@@ -289,6 +290,7 @@ github.com/campoy/unique v0.0.0-20180121183637-88950e537e7e/go.mod h1:9IOqJGCPMS
 github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e/go.mod h1:oDpT4efm8tSYHXV5tHSdRvBet/b/QzxZ+XyyPehvm3A=
 github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4=
 github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM=
+github.com/cenkalti/backoff/v4 v4.1.1/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw=
 github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
@@ -347,14 +349,14 @@ github.com/containerd/containerd v1.4.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMX
 github.com/containerd/containerd v1.4.1-0.20201117152358-0edc412565dc/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
 github.com/containerd/containerd v1.4.1/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
 github.com/containerd/containerd v1.4.3/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
+github.com/containerd/containerd v1.4.9/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
 github.com/containerd/containerd v1.5.0-beta.1/go.mod h1:5HfvG1V2FsKesEGQ17k5/T7V960Tmcumvqn8Mc+pCYQ=
 github.com/containerd/containerd v1.5.0-beta.3/go.mod h1:/wr9AVtEM7x9c+n0+stptlo/uBBoBORwEx6ardVcmKU=
 github.com/containerd/containerd v1.5.0-beta.4/go.mod h1:GmdgZd2zA2GYIBZ0w09ZvgqEq8EfBp/m3lcVZIvPHhI=
 github.com/containerd/containerd v1.5.0-rc.0/go.mod h1:V/IXoMqNGgBlabz3tHD2TWDoTJseu1FGOKuoA4nNb2s=
-github.com/containerd/containerd v1.5.1/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g=
 github.com/containerd/containerd v1.5.2/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g=
-github.com/containerd/containerd v1.5.7 h1:rQyoYtj4KddB3bxG6SAqd4+08gePNyJjRqvOIfV3rkM=
+github.com/containerd/containerd v1.5.8 h1:NmkCC1/QxyZFBny8JogwLpOy2f+VEbO/f6bV2Mqtwuw=
-github.com/containerd/containerd v1.5.7/go.mod h1:gyvv6+ugqY25TiXxcZC3L5yOeYgEw0QMhscqVp1AR9c=
+github.com/containerd/containerd v1.5.8/go.mod h1:YdFSv5bTFLpG2HIYmfqDpSYYTDX+mc5qtSuYx1YUb/s=
 github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
 github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
 github.com/containerd/continuity v0.0.0-20191127005431-f65d91d395eb/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
@@ -369,6 +371,7 @@ github.com/containerd/fifo v0.0.0-20200410184934-f15a3290365b/go.mod h1:jPQ2IAeZ
 github.com/containerd/fifo v0.0.0-20201026212402-0724c46b320c/go.mod h1:jPQ2IAeZRCYxpS/Cm1495vGFww6ecHmMk1YJH2Q5ln0=
 github.com/containerd/fifo v0.0.0-20210316144830-115abcc95a1d/go.mod h1:ocF/ME1SX5b1AOlWi9r677YJmCPSwwWnQ9O123vzpE4=
 github.com/containerd/fifo v1.0.0/go.mod h1:ocF/ME1SX5b1AOlWi9r677YJmCPSwwWnQ9O123vzpE4=
+github.com/containerd/fuse-overlayfs-snapshotter v1.0.2/go.mod h1:nRZceC8a7dRm3Ao6cJAwuJWPFiBPaibHiFntRUnzhwU=
 github.com/containerd/go-cni v1.0.1/go.mod h1:+vUpYxKvAF72G9i1WoDOiPGRtQpqsNW/ZHtSlv++smU=
 github.com/containerd/go-cni v1.0.2/go.mod h1:nrNABBHzu0ZwCug9Ije8hL2xBCYh/pjfMb1aZGrrohk=
 github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0=
@@ -383,8 +386,10 @@ github.com/containerd/imgcrypt v1.1.1/go.mod h1:xpLnwiQmEUJPvQoAapeb2SNCxz7Xr6PJ
 github.com/containerd/nri v0.0.0-20201007170849-eb1350a75164/go.mod h1:+2wGSDGFYfE5+So4M5syatU0N0f0LbWpuqyMi4/BE8c=
 github.com/containerd/nri v0.0.0-20210316161719-dbaa18c31c14/go.mod h1:lmxnXF6oMkbqs39FiCt1s0R2HSMhcLel9vNL3m4AaeY=
 github.com/containerd/nri v0.1.0/go.mod h1:lmxnXF6oMkbqs39FiCt1s0R2HSMhcLel9vNL3m4AaeY=
-github.com/containerd/stargz-snapshotter v0.0.0-20201027054423-3a04e4c2c116 h1:cj2qTm4k9TlXzzwCROQK0puJc2oauyjUiegQiqpNkuk=
 github.com/containerd/stargz-snapshotter v0.0.0-20201027054423-3a04e4c2c116/go.mod h1:o59b3PCKVAf9jjiKtCc/9hLAd+5p/rfhBfm6aBcTEr4=
+github.com/containerd/stargz-snapshotter v0.6.4 h1:mox1Ozl/LicA5j0O5Xk9Q8z+nOQQLnClarhxokyw9hI=
+github.com/containerd/stargz-snapshotter v0.6.4/go.mod h1:1t0SF1gAHJhCSftWKDLVitvfF3c2qhL5hymG7C50wto=
+github.com/containerd/stargz-snapshotter/estargz v0.6.4/go.mod h1:83VWDqHnurTKliEB0YvWMiCfLDwv4Cjj1X9Vk98GJZw=
 github.com/containerd/stargz-snapshotter/estargz v0.7.0 h1:1d/rydzTywc76lnjJb6qbPCiTiCwts49AzKps/Ecblw=
 github.com/containerd/stargz-snapshotter/estargz v0.7.0/go.mod h1:83VWDqHnurTKliEB0YvWMiCfLDwv4Cjj1X9Vk98GJZw=
 github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o=
@@ -392,6 +397,7 @@ github.com/containerd/ttrpc v0.0.0-20190828172938-92c8520ef9f8/go.mod h1:PvCDdDG
 github.com/containerd/ttrpc v0.0.0-20191028202541-4f1b8fe65a5c/go.mod h1:LPm1u0xBw8r8NOKoOdNMeVHSawSsltak+Ihv+etqsE8=
 github.com/containerd/ttrpc v1.0.1/go.mod h1:UAxOpgT9ziI0gJrmKvgcZivgxOp8iFPSk8httJEt98Y=
 github.com/containerd/ttrpc v1.0.2/go.mod h1:UAxOpgT9ziI0gJrmKvgcZivgxOp8iFPSk8httJEt98Y=
+github.com/containerd/ttrpc v1.1.0/go.mod h1:XX4ZTnoOId4HklF4edwc4DcqskFZuvXB1Evzy5KFQpQ=
 github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc=
 github.com/containerd/typeurl v0.0.0-20190911142611-5eb25027c9fd/go.mod h1:GeKYzf2pQcqv7tJ0AoCuuhtnqhva5LNU3U+OyKxxJpk=
 github.com/containerd/typeurl v1.0.1/go.mod h1:TB1hUtrpaiO88KEK56ijojHS1+NeF0izUACaJW2mdXg=
@@ -461,10 +467,12 @@ github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/r
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
 github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8=
+github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE=
 github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E=
 github.com/docker/cli v0.0.0-20190925022749-754388324470/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/cli v0.0.0-20191017083524-a8ff7f821017/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/cli v20.10.0-beta1.0.20201029214301-1d20b15adc38+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v20.10.6+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/cli v20.10.7+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/cli v20.10.9+incompatible h1:OJ7YkwQA+k2Oi51lmCojpjiygKpi76P7bg91b2eJxYU=
 github.com/docker/cli v20.10.9+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
@@ -479,6 +487,8 @@ github.com/docker/docker v1.4.2-0.20180531152204-71cd53e4a197/go.mod h1:eEKB0N0r
 github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker v17.12.0-ce-rc1.0.20200730172259-9f28837c1d93+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker v20.10.0-beta1.0.20201110211921-af34b94a78a1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v20.10.3-0.20210609071616-4c2ec79bf2a8+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v20.10.6+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker v20.10.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker v20.10.10+incompatible h1:GKkP0T7U4ks6X3lmmHKC2QDprnpRJor2Z5a8m62R9ZM=
 github.com/docker/docker v20.10.10+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
@@ -524,6 +534,7 @@ github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5Kwzbycv
 github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
 github.com/fatih/color v1.10.0 h1:s36xzo75JdqLaaWoiEHk767eHiwo0598uUxyfiPkDsg=
 github.com/fatih/color v1.10.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM=
+github.com/felixge/httpsnoop v1.0.2/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/fortytw2/leaktest v1.2.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
@@ -684,6 +695,7 @@ github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/golang/snappy v0.0.4-0.20210608040537-544b4180ac70/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
 github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golangci/check v0.0.0-20180506172741-cfe4005ccda2/go.mod h1:k9Qvh+8juN+UKMCS/3jFtGICgW8O96FVaZsaxdzDkR4=
@@ -818,6 +830,7 @@ github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFb
 github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645/go.mod h1:6iZfnjpejD4L/4DwD7NryNaJyCQdzwWwH2MWhCA90Kw=
 github.com/hanwen/go-fuse v1.0.0/go.mod h1:unqXarDXqzAk0rt98O2tVndEPIpUgLD9+rwFisZH3Ok=
 github.com/hanwen/go-fuse/v2 v2.0.3/go.mod h1:0EQM6aH2ctVpvZ6a+onrQ/vaykxh2GH7hy3e13vzTUY=
+github.com/hanwen/go-fuse/v2 v2.1.0/go.mod h1:oRyA5eK+pvJyv5otpO/DgccS8y/RvYMaO00GgRLGryc=
 github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
 github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
 github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -833,6 +846,7 @@ github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrj
 github.com/hashicorp/go-hclog v0.15.0 h1:qMuK0wxsoW4D0ddCCYwPSTm4KQv1X1ke3WmPWZ0Mvsk=
 github.com/hashicorp/go-hclog v0.15.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
 github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
+github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
 github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM=
 github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1:JMRHfdO9jKNzS/+BTlxCjKNQHg/jZAft8U7LloJvN7I=
 github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
@@ -863,8 +877,8 @@ github.com/hashicorp/golang-lru v0.5.3/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uG
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hashicorp/hcl/v2 v2.6.0/go.mod h1:bQTN5mpo+jewjJgh8jr0JUguIi7qPHUF6yIfAEN3jqY=
-github.com/hashicorp/hcl/v2 v2.10.1 h1:h4Xx4fsrRE26ohAk/1iGF/JBqRQbyUqu5Lvj60U54ys=
+github.com/hashicorp/hcl/v2 v2.11.1 h1:yTyWcXcm9XB0TEkyU/JCRU6rYy4K+mgLtzn2wlrJbcc=
-github.com/hashicorp/hcl/v2 v2.10.1/go.mod h1:FwWsfWEjyV/CMj8s/gqAuiviY72rJ1/oayI9WftqcKg=
+github.com/hashicorp/hcl/v2 v2.11.1/go.mod h1:FwWsfWEjyV/CMj8s/gqAuiviY72rJ1/oayI9WftqcKg=
 github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
 github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ=
 github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
@@ -885,6 +899,7 @@ github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH
 github.com/inconshreveable/go-update v0.0.0-20160112193335-8152e7eb6ccf/go.mod h1:hyb9oH7vZsitZCiBt0ZvifOrB+qc8PS5IiilCIb87rg=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/ishidawataru/sctp v0.0.0-20191218070446-00ab2ac2db07/go.mod h1:co9pwDoBCm1kGxawmb4sPq0cSIOOWNPT4KnHotMP1Zg=
+github.com/ishidawataru/sctp v0.0.0-20210226210310-f2269e66cdee/go.mod h1:co9pwDoBCm1kGxawmb4sPq0cSIOOWNPT4KnHotMP1Zg=
 github.com/j-keck/arping v0.0.0-20160618110441-2cf9dc699c56/go.mod h1:ymszkNOg6tORTn+6F6j+Jc8TOr5osrynvN6ivFWZ2GA=
 github.com/jaguilar/vt100 v0.0.0-20150826170717-2703a27b14ea/go.mod h1:QMdK4dGB3YhEW2BmA1wgGpPYI3HZy/5gD705PXKUVSg=
 github.com/jarcoal/httpmock v1.0.5/go.mod h1:ATjnClrvW/3tijVmpL/va5Z3aAyGvqU3gCT8nX0Txik=
@@ -945,8 +960,8 @@ github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d h1:X4cedH4
 github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d/go.mod h1:o8sgWoz3JADecfc/cTYD92/Et1yMqMy0utV1z+VaZao=
 github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936 h1:HDjRqotkViMNcGMGicb7cgxklx8OwnjtCBmyWEqrRvM=
 github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936/go.mod h1:i4sF0l1fFnY1aiw08QQSwVAFxHEm311Me3WsU/X7nL0=
-github.com/knqyf263/go-rpmdb v0.0.0-20210911072402-73bd0ce46c49 h1:QazJZdFn/ApQh8OHepQiCKXGZ0QE08Bu8BnS10aHgvE=
+github.com/knqyf263/go-rpmdb v0.0.0-20211216113947-1369b2ee40b7 h1:xVowqxH8FU6XAG1YIIjeWiUlbDh9ZQZWpk5pz6IcxEU=
-github.com/knqyf263/go-rpmdb v0.0.0-20210911072402-73bd0ce46c49/go.mod h1:RDPNeIkU5NWXtt0OMEoILyxwUC/DyXeRtK295wpqSi0=
+github.com/knqyf263/go-rpmdb v0.0.0-20211216113947-1369b2ee40b7/go.mod h1:RDPNeIkU5NWXtt0OMEoILyxwUC/DyXeRtK295wpqSi0=
 github.com/knqyf263/nested v0.0.1 h1:Sv26CegUMhjt19zqbBKntjwESdxe5hxVPSk0+AKjdUc=
 github.com/knqyf263/nested v0.0.1/go.mod h1:zwhsIhMkBg90DTOJQvxPkKIypEHPYkgWHs4gybdlUmk=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
@@ -1058,8 +1073,9 @@ github.com/mitchellh/mapstructure v1.4.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RR
 github.com/mitchellh/osext v0.0.0-20151018003038-5e2d6d41470f/go.mod h1:OkQIRizQZAeMln+1tSwduZz7+Af5oFlKirV/MSYes2A=
 github.com/mitchellh/reflectwalk v1.0.1 h1:FVzMWA5RllMAKIdUSC8mdWo3XtwoecrH79BY70sEEpE=
 github.com/mitchellh/reflectwalk v1.0.1/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
-github.com/moby/buildkit v0.8.1 h1:zrGxLwffKM8nVxBvaJa7H404eQLfqlg1GB6YVIzXVQ0=
 github.com/moby/buildkit v0.8.1/go.mod h1:/kyU1hKy/aYCuP39GZA9MaKioovHku57N6cqlKZIaiQ=
+github.com/moby/buildkit v0.9.3 h1:0JmMLY45KIKFogJXv4LyWo+KmIMuvhit5TDrwBlxDp0=
+github.com/moby/buildkit v0.9.3/go.mod h1:5dZQUHg9STw/Fhl4zZiusDJKn8uje/0x952Nce4a8cg=
 github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
 github.com/moby/sys/mount v0.1.0/go.mod h1:FVQFLDRWwyBjDTBNQXDlWnSFREqOo3OKX9aqhmeoo74=
 github.com/moby/sys/mount v0.1.1/go.mod h1:FVQFLDRWwyBjDTBNQXDlWnSFREqOo3OKX9aqhmeoo74=
@@ -1073,6 +1089,7 @@ github.com/moby/sys/mountinfo v0.4.1/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2J
 github.com/moby/sys/symlink v0.1.0/go.mod h1:GGDODQmbFOjFsXvfLVn3+ZRxkch54RkSiGqsZeMYowQ=
 github.com/moby/term v0.0.0-20200312100748-672ec06f55cd/go.mod h1:DdlQx2hp0Ss5/fLikoLlEeIYiATotOjgB//nb973jeo=
 github.com/moby/term v0.0.0-20200915141129-7f0af18e79f2/go.mod h1:TjQg8pa4iejrUrjiz0MCtMV38jdMNW4doKSiBrEvCQQ=
+github.com/moby/term v0.0.0-20201110203204-bea5bbe245bf/go.mod h1:FBS0z0QWA44HXygs7VXDUOGoN/1TV3RuWkLO04am3wc=
 github.com/moby/term v0.0.0-20201216013528-df9cb8a40635 h1:rzf0wL0CHVc8CEsgyygG0Mn9CNCCPZqOPaz8RiiHYQk=
 github.com/moby/term v0.0.0-20201216013528-df9cb8a40635/go.mod h1:FBS0z0QWA44HXygs7VXDUOGoN/1TV3RuWkLO04am3wc=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -1176,6 +1193,7 @@ github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtP
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/pelletier/go-toml v1.8.0/go.mod h1:D6yutnOGMveHEPV7VQOuvI/gXY61bv+9bAOTRnLElKs=
 github.com/pelletier/go-toml v1.8.1/go.mod h1:T2/BmBdy8dvIRq1a/8aqjN41wvWlN4lrapLU/GW4pbc=
+github.com/pelletier/go-toml v1.9.1/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/peterh/liner v0.0.0-20170211195444-bf27d3ba8e1d/go.mod h1:xIteQHvHuaLYG9IFj6mSxM0fCKrs34IrEQUhOYuGPHc=
@@ -1367,7 +1385,10 @@ github.com/tmccombs/hcl2json v0.3.1/go.mod h1:ljY0/prd2IFUF3cagQjV3cpPEEQKzqyGqn
 github.com/tommy-muehle/go-mnd v1.1.1/go.mod h1:dSUh0FtTP8VhvkL1S+gUR1OKd9ZnSaozuI6r3m6wOig=
 github.com/tommy-muehle/go-mnd v1.3.1-0.20200224220436-e6f9a994e8fa/go.mod h1:dSUh0FtTP8VhvkL1S+gUR1OKd9ZnSaozuI6r3m6wOig=
 github.com/tonistiigi/fsutil v0.0.0-20201103201449-0834f99b7b85/go.mod h1:a7cilN64dG941IOXfhJhlH0qB92hxJ9A1ewrdUmJ6xo=
+github.com/tonistiigi/fsutil v0.0.0-20210609172227-d72af97c0eaf/go.mod h1:lJAxK//iyZ3yGbQswdrPTxugZIDM7sd4bEsD0x3XMHk=
+github.com/tonistiigi/go-actions-cache v0.0.0-20211002214948-4d48f2ff622a/go.mod h1:YiIBjH5gP7mao3t0dBrNNBGuKYdeJmcAJjYLXr43k6A=
 github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea/go.mod h1:WPnis/6cRcDZSUvVmezrxJPkiO87ThFYsoUiMwWNDJk=
+github.com/tonistiigi/vt100 v0.0.0-20210615222946-8066bb97264f/go.mod h1:ulncasL3N9uLrVann0m+CDlJKWsIAP34MPcOJF6VRvc=
 github.com/twitchtv/twirp v8.1.0+incompatible h1:KGXanpa9LXdVE/V5P/tA27rkKFmXRGCtSNT7zdeeVOY=
 github.com/twitchtv/twirp v8.1.0+incompatible/go.mod h1:RRJoFSAmTEh2weEqWtpPE3vFK5YBhA6bqp2l1kfCC5A=
 github.com/uber/jaeger-client-go v2.25.0+incompatible/go.mod h1:WVhlPFC8FDjOFMMWRy2pZqQJSXxYSwNYOkTr/Z6d3Kk=
@@ -1465,12 +1486,28 @@ go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
 go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M=
 go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
+go.opentelemetry.io/contrib v0.21.0/go.mod h1:EH4yDYeNoaTqn/8yCWQmfNB78VHfGX2Jt2bvnvzBlGM=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.21.0/go.mod h1:Vm5u/mtkj1OMhtao0v+BGo2LUoLCgHYXvRmj0jWITlE=
+go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.21.0/go.mod h1:a9cocRplhIBkUAJmak+BPDx+LVL7cTmqUPB0uBcTA4k=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.21.0/go.mod h1:JQAtechjxLEL81EjmbRwxBq/XEzGaHcsPuDHAx54hg4=
+go.opentelemetry.io/otel v1.0.0-RC1/go.mod h1:x9tRa9HK4hSSq7jf2TKbqFbtt58/TGk0f9XiEYISI1I=
+go.opentelemetry.io/otel/exporters/jaeger v1.0.0-RC1/go.mod h1:FXJnjGCoTQL6nQ8OpFJ0JI1DrdOvMoVx49ic0Hg4+D4=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.0.0-RC1/go.mod h1:FliQjImlo7emZVjixV8nbDMAa4iAkcWTE9zzSEOiEPw=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.0.0-RC1/go.mod h1:cDwRc2Jrh5Gku1peGK8p9rRuX/Uq2OtVmLicjlw2WYU=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.0.0-RC1/go.mod h1:OYKzEoxgXFvehW7X12WYT4/a2BlASJK9l7RtG4A91fg=
+go.opentelemetry.io/otel/internal/metric v0.21.0/go.mod h1:iOfAaY2YycsXfYD4kaRSbLx2LKmfpKObWBEv9QK5zFo=
+go.opentelemetry.io/otel/metric v0.21.0/go.mod h1:JWCt1bjivC4iCrz/aCrM1GSw+ZcvY44KCbaeeRhzHnc=
+go.opentelemetry.io/otel/oteltest v1.0.0-RC1/go.mod h1:+eoIG0gdEOaPNftuy1YScLr1Gb4mL/9lpDkZ0JjMRq4=
+go.opentelemetry.io/otel/sdk v1.0.0-RC1/go.mod h1:kj6yPn7Pgt5ByRuwesbaWcRLA+V7BSDg3Hf8xRvsvf8=
+go.opentelemetry.io/otel/trace v1.0.0-RC1/go.mod h1:86UHmyHWFEtWjfWPSbu0+d0Pf9Q6e1U+3ViBOc+NXAg=
+go.opentelemetry.io/proto/otlp v0.9.0/go.mod h1:1vKfU9rv61e9EVGthD1zNvUbiwPcimSsOPU9brfSHJg=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
 go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/automaxprocs v1.4.0/go.mod h1:/mTEdr7LvHhs0v7mjdxDreTz1OG5zdZGqgOnhWiR/+Q=
+go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
 go.uber.org/goleak v1.1.11-0.20210813005559-691160354723 h1:sHOAIxRGBp443oHZIPB+HsUGaksVCXVQENPxwTfQdH4=
 go.uber.org/goleak v1.1.11-0.20210813005559-691160354723/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
@@ -1748,6 +1785,7 @@ golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210313202042-bd2e13477e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210324051608-47abb6519492/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

helm/trivy/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: trivy
-version: 0.4.7
+version: 0.4.8
 appVersion: "0.21.0"
 description: Trivy helm chart
 keywords:

helm/trivy/templates/configmap.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "trivy.fullname" . }}
+  labels:
+{{ include "trivy.labels" . | indent 4 }}
+data:
+  TRIVY_LISTEN: "0.0.0.0:{{ .Values.service.port }}"
+  TRIVY_CACHE_DIR: "/home/scanner/.cache/trivy"
+{{- if .Values.trivy.cache.redis.enabled }}
+  TRIVY_CACHE_BACKEND: {{ .Values.trivy.cache.redis.url | quote }}
+{{- end }}
+  TRIVY_DEBUG: {{ .Values.trivy.debugMode | quote }}
+  TRIVY_SKIP_UPDATE: {{ .Values.trivy.skipUpdate | quote }}
+{{- if .Values.httpProxy }}
+  HTTP_PROXY: {{ .Values.httpProxy | quote }}
+{{- end }}
+{{- if .Values.httpsProxy }}
+  HTTPS_PROXY: {{ .Values.httpsProxy | quote }}
+{{- end }}
+{{- if .Values.noProxy }}
+  NO_PROXY: {{ .Values.noProxy | quote }}
+{{- end }}

helm/trivy/templates/secret.yaml

@@ -6,4 +6,4 @@ metadata:
 {{ include "trivy.labels" . | indent 4 }}
 type: Opaque
 data:
-  gitHubToken: {{ .Values.trivy.gitHubToken | default "" | b64enc | quote }}
+  GITHUB_TOKEN: {{ .Values.trivy.gitHubToken | default "" | b64enc | quote }}

helm/trivy/templates/statefulset.yaml

@@ -62,30 +62,11 @@ spec:
           {{- end }}
           args:
             - server
-          env:
+          envFrom:
-            - name: "TRIVY_LISTEN"
+            - configMapRef:
-              value: "0.0.0.0:{{ .Values.service.port | default 4954 }}"
+                name: {{ include "trivy.fullname" . }}
-            - name: "TRIVY_CACHE_DIR"
+            - secretRef:
-              value: "/home/scanner/.cache/trivy"
+                name: {{ include "trivy.fullname" . }}
-            {{- if .Values.trivy.cache.redis.enabled }}
-            - name: "TRIVY_CACHE_BACKEND"
-              value: {{ .Values.trivy.cache.redis.url | quote }}
-            {{- end }}
-            - name: "TRIVY_DEBUG"
-              value: {{ .Values.trivy.debugMode | default false | quote }}
-            - name: "TRIVY_SKIP_UPDATE"
-              value: {{ .Values.trivy.skipUpdate | default false | quote }}
-            - name: "GITHUB_TOKEN"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "trivy.fullname" . }}
-                  key: gitHubToken
-            - name: "HTTP_PROXY"
-              value: {{ .Values.httpProxy | quote }}
-            - name: "HTTPS_PROXY"
-              value: {{ .Values.httpsProxy | quote }}
-            - name: "NO_PROXY"
-              value: {{ .Values.noProxy | quote }}
           ports:
             - name: trivy-http
               containerPort: {{ .Values.service.port }}

integration/testdata/alpine-310.html.golden

@@ -232,6 +232,7 @@
           <a href="https://www.openssl.org/news/secadv/20190910.txt">https://www.openssl.org/news/secadv/20190910.txt</a>
         </td>
       </tr>
+      <tr><th colspan="6">No Misconfigurations found</th></tr>
     </table>
   </body>
 </html>

integration/testdata/nodejs.json.golden

@@ -92,7 +92,7 @@
           "PkgName": "lodash",
           "InstalledVersion": "4.17.4",
           "FixedVersion": "4.17.12",
-          "SeveritySource": "nvd",
+          "SeveritySource": "ghsa-npm",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-10744",
           "Title": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties",
           "Description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.",
@@ -164,7 +164,7 @@
           "PkgName": "lodash",
           "InstalledVersion": "4.17.4",
           "FixedVersion": "4.17.11",
-          "SeveritySource": "nvd",
+          "SeveritySource": "ghsa-npm",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010266",
           "Title": "Moderate severity vulnerability that affects lodash",
           "Description": "lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.",

pkg/commands/app.go

@@ -18,6 +18,7 @@ import (
 	"github.com/aquasecurity/trivy/pkg/commands/plugin"
 	"github.com/aquasecurity/trivy/pkg/commands/server"
 	tdb "github.com/aquasecurity/trivy/pkg/db"
+	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/result"
 	"github.com/aquasecurity/trivy/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/utils"
@@ -225,6 +226,12 @@ var (
 		EnvVars: []string{"TRIVY_SKIP_DIRS"},
 	}
 
+	offlineScan = cli.BoolFlag{
+		Name:    "offline-scan",
+		Usage:   "do not issue API requests to identify dependencies",
+		EnvVars: []string{"TRIVY_OFFLINE_SCAN"},
+	}
+
 	// For misconfigurations
 	configPolicy = cli.StringSliceFlag{
 		Name:    "config-policy",
@@ -309,6 +316,7 @@ var (
 		&ignorePolicy,
 		&listAllPackages,
 		&cacheBackendFlag,
+		&offlineScan,
 		stringSliceFlag(skipFiles),
 		stringSliceFlag(skipDirs),
 	}
@@ -344,7 +352,10 @@ func NewApp(version string) *cli.App {
 
 	runAsPlugin := os.Getenv("TRIVY_RUN_AS_PLUGIN")
 	if runAsPlugin == "" {
-		app.Action = artifact.ImageRun
+		app.Action = func(ctx *cli.Context) error {
+			log.Logger.Warn("The root command will be removed. Please migrate to 'trivy image' command. See https://github.com/aquasecurity/trivy/discussions/1515")
+			return artifact.ImageRun(ctx)
+		}
 	} else {
 		app.Action = func(ctx *cli.Context) error {
 			return plugin.RunWithArgs(ctx.Context, runAsPlugin, ctx.Args().Slice())
@@ -465,6 +476,7 @@ func NewFilesystemCommand() *cli.Command {
 			&noProgressFlag,
 			&ignorePolicy,
 			&listAllPackages,
+			&offlineScan,
 			stringSliceFlag(skipFiles),
 			stringSliceFlag(skipDirs),
 			stringSliceFlag(configPolicy),
@@ -499,6 +511,7 @@ func NewRootfsCommand() *cli.Command {
 			&noProgressFlag,
 			&ignorePolicy,
 			&listAllPackages,
+			&offlineScan,
 			stringSliceFlag(skipFiles),
 			stringSliceFlag(skipDirs),
 			stringSliceFlag(configPolicy),
@@ -536,6 +549,7 @@ func NewRepositoryCommand() *cli.Command {
 			&noProgressFlag,
 			&ignorePolicy,
 			&listAllPackages,
+			&offlineScan,
 			stringSliceFlag(skipFiles),
 			stringSliceFlag(skipDirs),
 		},
@@ -569,6 +583,7 @@ func NewClientCommand() *cli.Command {
 			stringSliceFlag(skipDirs),
 			stringSliceFlag(configPolicy),
 			&listAllPackages,
+			&offlineScan,
 
 			// original flags
 			&token,
@@ -667,6 +682,18 @@ func NewPluginCommand() *cli.Command {
 				ArgsUsage: "PLUGIN_NAME",
 				Action:    plugin.Uninstall,
 			},
+			{
+				Name:    "list",
+				Aliases: []string{"l"},
+				Usage:   "list installed plugin",
+				Action:  plugin.List,
+			},
+			{
+				Name:      "info",
+				Usage:     "information about a plugin",
+				ArgsUsage: "PLUGIN_NAME",
+				Action:    plugin.Information,
+			},
 			{
 				Name:      "run",
 				Aliases:   []string{"r"},
@@ -674,6 +701,12 @@ func NewPluginCommand() *cli.Command {
 				ArgsUsage: "PLUGIN_NAME [PLUGIN_OPTIONS]",
 				Action:    plugin.Run,
 			},
+			{
+				Name:      "update",
+				Usage:     "update an existing plugin",
+				ArgsUsage: "PLUGIN_NAME",
+				Action:    plugin.Update,
+			},
 		},
 	}
 }

pkg/commands/artifact/run.go

@@ -203,6 +203,7 @@ func scan(ctx context.Context, opt Option, initializeScanner InitializeScanner,
 		DisabledAnalyzers: disabledAnalyzers(opt),
 		SkipFiles:         opt.SkipFiles,
 		SkipDirs:          opt.SkipDirs,
+		Offline:           opt.OfflineScan,
 	}
 
 	s, cleanup, err := initializeScanner(ctx, target, cacheClient, cacheClient, opt.Timeout, artifactOpt, configScannerOptions)

pkg/commands/client/run.go

@@ -143,7 +143,7 @@ func initializeScanner(ctx context.Context, opt Option) (scanner.Scanner, func()
 	// ScannerOptions is filled only when config scanning is enabled.
 	var configScannerOptions config.ScannerOption
 	if utils.StringInSlice(types.SecurityCheckConfig, opt.SecurityChecks) {
-		builtinPolicyPaths, err := operation.InitBuiltinPolicies(ctx, false)
+		builtinPolicyPaths, err := operation.InitBuiltinPolicies(ctx, opt.SkipPolicyUpdate)
 		if err != nil {
 			return scanner.Scanner{}, nil, xerrors.Errorf("failed to initialize default policies: %w", err)
 		}
@@ -161,6 +161,7 @@ func initializeScanner(ctx context.Context, opt Option) (scanner.Scanner, func()
 		DisabledAnalyzers: disabledAnalyzers(opt),
 		SkipFiles:         opt.SkipFiles,
 		SkipDirs:          opt.SkipDirs,
+		Offline:           opt.OfflineScan,
 	}
 
 	if opt.Input != "" {

pkg/commands/option/artifact.go

@@ -15,8 +15,9 @@ type ArtifactOption struct {
 	Timeout    time.Duration
 	ClearCache bool
 
-	SkipDirs  []string
+	SkipDirs    []string
-	SkipFiles []string
+	SkipFiles   []string
+	OfflineScan bool
 
 	// this field is populated in Init()
 	Target string
@@ -25,11 +26,12 @@ type ArtifactOption struct {
 // NewArtifactOption is the factory method to return artifact option
 func NewArtifactOption(c *cli.Context) ArtifactOption {
 	return ArtifactOption{
-		Input:      c.String("input"),
+		Input:       c.String("input"),
-		Timeout:    c.Duration("timeout"),
+		Timeout:     c.Duration("timeout"),
-		ClearCache: c.Bool("clear-cache"),
+		ClearCache:  c.Bool("clear-cache"),
-		SkipFiles:  c.StringSlice("skip-files"),
+		SkipFiles:   c.StringSlice("skip-files"),
-		SkipDirs:   c.StringSlice("skip-dirs"),
+		SkipDirs:    c.StringSlice("skip-dirs"),
+		OfflineScan: c.Bool("offline-scan"),
 	}
 }
 

pkg/commands/plugin/plugin.go

@@ -2,6 +2,8 @@ package plugin
 
 import (
 	"context"
+	"fmt"
+	"os"
 
 	"github.com/urfave/cli/v2"
 	"golang.org/x/xerrors"
@@ -47,6 +49,65 @@ func Uninstall(c *cli.Context) error {
 	return nil
 }
 
+// Information displays information about the plugin
+func Information(c *cli.Context) error {
+	if c.NArg() != 1 {
+		cli.ShowSubcommandHelpAndExit(c, 1)
+	}
+
+	if err := initLogger(c); err != nil {
+		return xerrors.Errorf("initialize logger error: %w", err)
+	}
+
+	pluginName := c.Args().First()
+	info, err := plugin.Information(pluginName)
+	if err != nil {
+		return xerrors.Errorf("plugin information display error: %w", err)
+	}
+
+	if _, err = fmt.Fprintf(os.Stdout, info); err != nil {
+		return xerrors.Errorf("print error: %w", err)
+	}
+
+	return nil
+}
+
+// List displays a list of all of installed plugins
+func List(c *cli.Context) error {
+	if err := initLogger(c); err != nil {
+		return xerrors.Errorf("initialize error: %w", err)
+	}
+
+	info, err := plugin.List()
+	if err != nil {
+		return xerrors.Errorf("plugin list display error: %w", err)
+	}
+
+	if _, err = fmt.Fprintf(os.Stdout, info); err != nil {
+		return xerrors.Errorf("print error: %w", err)
+	}
+
+	return nil
+}
+
+// Update updates an existing plugin
+func Update(c *cli.Context) error {
+	if c.NArg() != 1 {
+		cli.ShowSubcommandHelpAndExit(c, 1)
+	}
+
+	if err := initLogger(c); err != nil {
+		return xerrors.Errorf("initialize error: %w", err)
+	}
+
+	pluginName := c.Args().First()
+	if err := plugin.Update(pluginName); err != nil {
+		return xerrors.Errorf("plugin update error: %w", err)
+	}
+
+	return nil
+}
+
 // Run runs the plugin
 func Run(c *cli.Context) error {
 	if c.NArg() < 1 {

pkg/detector/library/driver.go

@@ -37,7 +37,7 @@ func NewDriver(libType string) (Driver, error) {
 		driver = newPipDriver()
 	case ftypes.NuGet:
 		driver = newNugetDriver()
-	case ftypes.Jar:
+	case ftypes.Jar, ftypes.Pom:
 		driver = newMavenDriver()
 	case ftypes.GoBinary, ftypes.GoMod:
 		driver = Driver{

pkg/plugin/plugin.go

@@ -2,13 +2,15 @@ package plugin
 
 import (
 	"context"
+	"fmt"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"runtime"
+	"strings"
 
 	"golang.org/x/xerrors"
-	yaml "gopkg.in/yaml.v3"
+	"gopkg.in/yaml.v3"
 
 	"github.com/aquasecurity/trivy/pkg/downloader"
 	"github.com/aquasecurity/trivy/pkg/log"
@@ -183,6 +185,79 @@ func Uninstall(name string) error {
 	return os.RemoveAll(pluginDir)
 }
 
+// Information gets the information about an installed plugin
+func Information(name string) (string, error) {
+	pluginDir := filepath.Join(dir(), name)
+
+	if _, err := os.Stat(pluginDir); err != nil {
+		if os.IsNotExist(err) {
+			return "", xerrors.Errorf("could not find a plugin called '%s', did you install it?", name)
+		}
+		return "", xerrors.Errorf("stat error: %w", err)
+	}
+
+	plugin, err := loadMetadata(pluginDir)
+	if err != nil {
+		return "", xerrors.Errorf("unable to load metadata: %w", err)
+	}
+
+	return fmt.Sprintf(`
+Plugin: %s
+  Description: %s
+  Version:     %s
+  Usage:       %s
+`, plugin.Name, plugin.Description, plugin.Version, plugin.Usage), nil
+}
+
+// List gets a list of all installed plugins
+func List() (string, error) {
+	if _, err := os.Stat(dir()); err != nil {
+		if os.IsNotExist(err) {
+			return "No Installed Plugins\n", nil
+		}
+		return "", xerrors.Errorf("stat error: %w", err)
+	}
+	plugins, err := LoadAll()
+	if err != nil {
+		return "", xerrors.Errorf("unable to load plugins: %w", err)
+	}
+	pluginList := []string{"Installed Plugins:"}
+	for _, plugin := range plugins {
+		pluginList = append(pluginList, fmt.Sprintf("  Name:    %s\n  Version: %s\n", plugin.Name, plugin.Version))
+	}
+
+	return strings.Join(pluginList, "\n"), nil
+}
+
+// Update updates an existing plugin
+func Update(name string) error {
+	pluginDir := filepath.Join(dir(), name)
+
+	if _, err := os.Stat(pluginDir); err != nil {
+		if os.IsNotExist(err) {
+			return xerrors.Errorf("could not find a plugin called '%s' to update: %w", name, err)
+		}
+		return err
+	}
+
+	plugin, err := loadMetadata(pluginDir)
+	if err != nil {
+		return err
+	}
+	log.Logger.Infof("Updating plugin '%s'", name)
+	updated, err := Install(nil, plugin.Repository, true)
+	if err != nil {
+		return xerrors.Errorf("unable to perform an update installation: %w", err)
+	}
+
+	if plugin.Version == updated.Version {
+		log.Logger.Infof("The %s plugin is the latest version. [%s]", name, plugin.Version)
+	} else {
+		log.Logger.Infof("Updated '%s' from %s to %s", name, plugin.Version, updated.Version)
+	}
+	return nil
+}
+
 // LoadAll loads all plugins
 func LoadAll() ([]Plugin, error) {
 	pluginsDir := dir()

pkg/plugin/plugin_test.go

@@ -291,6 +291,39 @@ func TestUninstall(t *testing.T) {
 	assert.NoFileExists(t, pluginDir)
 }
 
+func TestInformation(t *testing.T) {
+	pluginName := "test_plugin"
+
+	tempDir := t.TempDir()
+	pluginDir := filepath.Join(tempDir, ".trivy", "plugins", pluginName)
+
+	t.Setenv("XDG_DATA_HOME", tempDir)
+
+	// Create the test plugin directory
+	err := os.MkdirAll(pluginDir, os.ModePerm)
+	require.NoError(t, err)
+
+	// write the plugin name
+	pluginMetadata := `name: "test_plugin"
+repository: github.com/aquasecurity/trivy-plugin-test
+version: "0.1.0"
+usage: test
+description: A simple test plugin`
+
+	err = os.WriteFile(filepath.Join(pluginDir, "plugin.yaml"), []byte(pluginMetadata), os.ModePerm)
+	require.NoError(t, err)
+
+	// Get Information for the plugin
+	info, err := plugin.Information(pluginName)
+	require.NoError(t, err)
+	assert.Equal(t, "\nPlugin: test_plugin\n  Description: A simple test plugin\n  Version:     0.1.0\n  Usage:       test\n", info)
+
+	// Get Information for unknown plugin
+	info, err = plugin.Information("unknown")
+	require.Error(t, err)
+	assert.Equal(t, "could not find a plugin called 'unknown', did you install it?", err.Error())
+}
+
 func TestLoadAll1(t *testing.T) {
 	tests := []struct {
 		name    string
@@ -345,3 +378,46 @@ func TestLoadAll1(t *testing.T) {
 		})
 	}
 }
+
+func TestUpdate(t *testing.T) {
+	pluginName := "test_plugin"
+
+	tempDir := t.TempDir()
+	pluginDir := filepath.Join(tempDir, ".trivy", "plugins", pluginName)
+
+	t.Setenv("XDG_DATA_HOME", tempDir)
+
+	// Create the test plugin directory
+	err := os.MkdirAll(pluginDir, os.ModePerm)
+	require.NoError(t, err)
+
+	// write the plugin name
+	pluginMetadata := `name: "test_plugin"
+repository: testdata/test_plugin
+version: "0.0.5"
+usage: test
+description: A simple test plugin`
+
+	err = os.WriteFile(filepath.Join(pluginDir, "plugin.yaml"), []byte(pluginMetadata), os.ModePerm)
+	require.NoError(t, err)
+
+	// verify initial version
+	verifyVersion(t, pluginName, "0.0.5")
+
+	// Update the existing plugin
+	err = plugin.Update(pluginName)
+	require.NoError(t, err)
+
+	// verify plugin updated
+	verifyVersion(t, pluginName, "0.1.0")
+}
+
+func verifyVersion(t *testing.T, pluginName, expectedVersion string) {
+	plugins, err := plugin.LoadAll()
+	require.NoError(t, err)
+	for _, plugin := range plugins {
+		if plugin.Name == pluginName {
+			assert.Equal(t, expectedVersion, plugin.Version)
+		}
+	}
+}

pkg/result/result.go

@@ -12,6 +12,7 @@ import (
 	"github.com/open-policy-agent/opa/rego"
 	"golang.org/x/xerrors"
 
+	ftypes "github.com/aquasecurity/fanal/types"
 	"github.com/aquasecurity/trivy-db/pkg/db"
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
@@ -66,10 +67,10 @@ func (c Client) FillVulnerabilityInfo(vulns []types.DetectedVulnerability, repor
 		}
 
 		// Detect which data source should be used.
-		source := c.detectSource(reportType)
+		sources := c.detectSource(reportType)
 
 		// Select the severity according to the detected source.
-		severity, severitySource := c.getVendorSeverity(&vuln, source)
+		severity, severitySource := c.getVendorSeverity(&vuln, sources)
 
 		// The vendor might provide package-specific severity like Debian.
 		// For example, CVE-2015-2328 in Debian has "unimportant" for mongodb and "low" for pcre3.
@@ -84,38 +85,42 @@ func (c Client) FillVulnerabilityInfo(vulns []types.DetectedVulnerability, repor
 
 		vulns[i].Severity = severity
 		vulns[i].SeveritySource = severitySource
-		vulns[i].PrimaryURL = c.getPrimaryURL(vulnID, vuln.References, source)
+		vulns[i].PrimaryURL = c.getPrimaryURL(vulnID, vuln.References, sources)
 		vulns[i].Vulnerability.VendorSeverity = nil // Remove VendorSeverity from Results
 	}
 }
-func (c Client) detectSource(reportType string) string {
+func (c Client) detectSource(reportType string) []string {
-	var source string
+	var sources []string
 	switch reportType {
 	case vulnerability.Ubuntu, vulnerability.Alpine, vulnerability.RedHat, vulnerability.RedHatOVAL,
 		vulnerability.Debian, vulnerability.DebianOVAL, vulnerability.Fedora, vulnerability.Amazon,
 		vulnerability.OracleOVAL, vulnerability.SuseCVRF, vulnerability.OpenSuseCVRF, vulnerability.Photon:
-		source = reportType
+		sources = []string{reportType}
 	case vulnerability.CentOS: // CentOS doesn't have its own so we use RedHat
-		source = vulnerability.RedHat
+		sources = []string{vulnerability.RedHat}
 	case "npm", "yarn":
-		source = vulnerability.NodejsSecurityWg
+		sources = []string{vulnerability.NodejsSecurityWg, vulnerability.GHSANpm, vulnerability.GLAD}
 	case "nuget":
-		source = vulnerability.GHSANuget
+		sources = []string{vulnerability.GHSANuget, vulnerability.GLAD}
 	case "pipenv", "poetry":
-		source = vulnerability.PythonSafetyDB
+		sources = []string{vulnerability.PythonSafetyDB, vulnerability.GHSAPip, vulnerability.GLAD}
 	case "bundler":
-		source = vulnerability.RubySec
+		sources = []string{vulnerability.RubySec, vulnerability.GHSARubygems, vulnerability.GLAD}
 	case "cargo":
-		source = vulnerability.RustSec
+		sources = []string{vulnerability.RustSec}
 	case "composer":
-		source = vulnerability.PhpSecurityAdvisories
+		sources = []string{vulnerability.PhpSecurityAdvisories, vulnerability.GHSAComposer, vulnerability.GLAD}
+	case ftypes.Jar:
+		sources = []string{vulnerability.GHSAMaven, vulnerability.GLAD}
 	}
-	return source
+	return sources
 }
 
-func (c Client) getVendorSeverity(vuln *dbTypes.Vulnerability, source string) (string, string) {
+func (c Client) getVendorSeverity(vuln *dbTypes.Vulnerability, sources []string) (string, string) {
-	if vs, ok := vuln.VendorSeverity[source]; ok {
+	for _, source := range sources {
-		return vs.String(), source
+		if vs, ok := vuln.VendorSeverity[source]; ok {
+			return vs.String(), source
+		}
 	}
 
 	// Try NVD as a fallback if it exists
@@ -130,7 +135,7 @@ func (c Client) getVendorSeverity(vuln *dbTypes.Vulnerability, source string) (s
 	return vuln.Severity, ""
 }
 
-func (c Client) getPrimaryURL(vulnID string, refs []string, source string) string {
+func (c Client) getPrimaryURL(vulnID string, refs []string, sources []string) string {
 	switch {
 	case strings.HasPrefix(vulnID, "CVE-"):
 		return "https://avd.aquasec.com/nvd/" + strings.ToLower(vulnID)
@@ -142,11 +147,13 @@ func (c Client) getPrimaryURL(vulnID string, refs []string, source string) strin
 		return "https://security-tracker.debian.org/tracker/" + vulnID
 	}
 
-	prefixes := primaryURLPrefixes[source]
+	for _, source := range sources {
-	for _, pre := range prefixes {
+		prefixes := primaryURLPrefixes[source]
-		for _, ref := range refs {
+		for _, pre := range prefixes {
-			if strings.HasPrefix(ref, pre) {
+			for _, ref := range refs {
-				return ref
+				if strings.HasPrefix(ref, pre) {
+					return ref
+				}
 			}
 		}
 	}

pkg/result/result_test.go

@@ -263,9 +263,9 @@ func TestClient_FillVulnerabilityInfo(t *testing.T) {
 
 func TestClient_getPrimaryURL(t *testing.T) {
 	type args struct {
-		vulnID string
+		vulnID  string
-		refs   []string
+		refs    []string
-		source string
+		sources []string
 	}
 	tests := []struct {
 		name string
@@ -275,36 +275,36 @@ func TestClient_getPrimaryURL(t *testing.T) {
 		{
 			name: "CVE-ID",
 			args: args{
-				vulnID: "CVE-2014-8484",
+				vulnID:  "CVE-2014-8484",
-				refs:   []string{"http://linux.oracle.com/cve/CVE-2014-8484.html"},
+				refs:    []string{"http://linux.oracle.com/cve/CVE-2014-8484.html"},
-				source: vulnerability.OracleOVAL,
+				sources: []string{vulnerability.OracleOVAL},
 			},
 			want: "https://avd.aquasec.com/nvd/cve-2014-8484",
 		},
 		{
 			name: "RUSTSEC",
 			args: args{
-				vulnID: "RUSTSEC-2018-0017",
+				vulnID:  "RUSTSEC-2018-0017",
-				refs:   []string{"https://github.com/rust-lang-deprecated/tempdir/pull/46"},
+				refs:    []string{"https://github.com/rust-lang-deprecated/tempdir/pull/46"},
-				source: vulnerability.RustSec,
+				sources: []string{vulnerability.RustSec},
 			},
 			want: "https://rustsec.org/advisories/RUSTSEC-2018-0017",
 		},
 		{
 			name: "GHSA",
 			args: args{
-				vulnID: "GHSA-28fw-88hq-6jmm",
+				vulnID:  "GHSA-28fw-88hq-6jmm",
-				refs:   []string{},
+				refs:    []string{},
-				source: vulnerability.PhpSecurityAdvisories,
+				sources: []string{vulnerability.PhpSecurityAdvisories},
 			},
 			want: "https://github.com/advisories/GHSA-28fw-88hq-6jmm",
 		},
 		{
 			name: "Debian temp vulnerability",
 			args: args{
-				vulnID: "TEMP-0841856-B18BAF",
+				vulnID:  "TEMP-0841856-B18BAF",
-				refs:   []string{},
+				refs:    []string{},
-				source: vulnerability.DebianOVAL,
+				sources: []string{vulnerability.DebianOVAL},
 			},
 			want: "https://security-tracker.debian.org/tracker/TEMP-0841856-B18BAF",
 		},
@@ -317,7 +317,7 @@ func TestClient_getPrimaryURL(t *testing.T) {
 					"https://github.com/lodash/lodash/pull/4759",
 					"https://www.npmjs.com/advisories/1523",
 				},
-				source: vulnerability.NodejsSecurityWg,
+				sources: []string{vulnerability.NodejsSecurityWg},
 			},
 			want: "https://www.npmjs.com/advisories/1523",
 		},
@@ -329,7 +329,7 @@ func TestClient_getPrimaryURL(t *testing.T) {
 					"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00076.html",
 					"https://www.suse.com/support/security/rating/",
 				},
-				source: vulnerability.OpenSuseCVRF,
+				sources: []string{vulnerability.OpenSuseCVRF},
 			},
 			want: "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00076.html",
 		},
@@ -337,7 +337,7 @@ func TestClient_getPrimaryURL(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			c := Client{}
-			got := c.getPrimaryURL(tt.args.vulnID, tt.args.refs, tt.args.source)
+			got := c.getPrimaryURL(tt.args.vulnID, tt.args.refs, tt.args.sources)
 			assert.Equal(t, tt.want, got)
 		})
 	}

pkg/scanner/local/scan.go

@@ -308,6 +308,8 @@ func toDetectedMisconfiguration(res ftypes.MisconfResult, defaultSeverity dbType
 		Traces:      res.Traces,
 		IacMetadata: ftypes.IacMetadata{
 			Resource:  res.Resource,
+			Provider:  res.Provider,
+			Service:   res.Service,
 			StartLine: res.StartLine,
 			EndLine:   res.EndLine,
 		},