fix(pom): keep an order of dependencies (#1784)

Co-authored-by: knqyf263 <knqyf263@gmail.com>

.github/dependabot.yml

@@ -1,10 +1,15 @@
 version: 2
 updates:
-- package-ecosystem: github-actions
-  directory: /
-  schedule:
-    interval: daily
-- package-ecosystem: docker
-  directory: /
-  schedule:
-    interval: daily
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: monthly
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: monthly
+  - package-ecosystem: gomod
+    open-pull-requests-limit: 10
+    directory: /
+    schedule:
+      interval: monthly

.github/pull_request_template.md

@@ -0,0 +1,18 @@
+## Description
+
+## Related issues
+- Close #XXX
+
+## Related PRs
+- [ ] #XXX
+- [ ] #YYY
+
+Remove this section if you don't have related PRs.
+
+## Checklist
+- [ ] I've read the [guidelines for contributing](https://github.com/aquasecurity/trivy/blob/main/CONTRIBUTING.md) to this repository.
+- [ ] I've followed the [conventions](https://github.com/aquasecurity/trivy/blob/main/CONTRIBUTING.md#title) in the PR title.
+- [ ] I've added tests that prove my fix is effective or that my feature works.
+- [ ] I've updated the [documentation](https://github.com/aquasecurity/trivy/blob/main/docs) with the relevant information (if needed).
+- [ ] I've added usage information (if the PR introduces new options)
+- [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).

.github/workflows/mkdocs-dev.yaml

@@ -16,7 +16,7 @@ jobs:
         with:
           fetch-depth: 0
           persist-credentials: true
-      - uses: actions/setup-python@v2
+      - uses: actions/setup-python@v3
         with:
           python-version: 3.x
       - name: Install dependencies

.github/workflows/mkdocs-latest.yaml

@@ -18,7 +18,7 @@ jobs:
         with:
           fetch-depth: 0
           persist-credentials: true
-      - uses: actions/setup-python@v2
+      - uses: actions/setup-python@v3
         with:
           python-version: 3.x
       - name: Install dependencies

.github/workflows/publish-chart.yaml

@@ -31,12 +31,12 @@ jobs:
         with:
           version: v3.5.0
       - name: Set up python
-        uses: actions/setup-python@0066b88440aa9562be742e2c60ee750fc57d8849 #v2.3.0
+        uses: actions/setup-python@v3
         with:
           python-version: 3.7
       - name: Setup Chart Linting
         id: lint
-        uses: helm/chart-testing-action@5f16c27cf7a4fa9c776ff73734df3909b2b65127 #v2.1.0
+        uses: helm/chart-testing-action@6b64532d456fa490a3da177fbd181ac4c8192b58 #v2.1.0
       - name: Setup Kubernetes cluster (KIND)
         uses: helm/kind-action@94729529f85113b88f4f819c17ce61382e6d8478 #v1.2.0
         with:
@@ -46,7 +46,7 @@ jobs:
         run: ct lint-and-install --validate-maintainers=false --charts helm/trivy
       - name: Run chart-testing (Ingress enabled)
         run: |
-          sed -i -e '97s,false,'true',g' ./helm/trivy/values.yaml
+          sed -i -e '117s,false,'true',g' ./helm/trivy/values.yaml
           ct lint-and-install --validate-maintainers=false --charts helm/trivy
 
   publish-chart:

.github/workflows/scan.yaml

@@ -14,7 +14,7 @@ jobs:
           scan-type: 'fs'
           exit-code: '1'
           severity: 'CRITICAL'
-          skip-dirs: integration
+          skip-dirs: integration,examples
 
       - name: Run Trivy vulnerability scanner to scan for Medium and High Vulnerabilities
         uses: aquasecurity/trivy-action@master
@@ -22,4 +22,4 @@ jobs:
           scan-type: 'fs'
           exit-code: '0'
           severity: 'HIGH,MEDIUM'
-          skip-dirs: integration
+          skip-dirs: integration,examples

.github/workflows/test.yaml

@@ -24,7 +24,7 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
 
       - name: Lint
-        uses: golangci/golangci-lint-action@v2
+        uses: golangci/golangci-lint-action@v3.1.0
         with:
           version: v1.41
           args: --deadline=30m
@@ -87,7 +87,7 @@ jobs:
       with:
         fetch-depth: 0
         persist-credentials: true
-    - uses: actions/setup-python@v2
+    - uses: actions/setup-python@v3
       with:
         python-version: 3.x
     - name: Install dependencies

.gitignore

@@ -27,3 +27,6 @@ integration/testdata/fixtures/images
 
 # SBOMs generated during CI
 /bom.json
+
+# goreleaser output
+dist

.golangci.yaml

@@ -9,7 +9,7 @@ linters-settings:
   revive:
     ignore-generated-header: true
   gocyclo:
-    min-complexity: 10
+    min-complexity: 20
   dupl:
     threshold: 100
   goconst:
@@ -19,6 +19,10 @@ linters-settings:
     locale: US
   goimports:
     local-prefixes: github.com/aquasecurity
+  gosec:
+    excludes:
+      - G204
+      - G402
 
 linters:
   disable-all: true
@@ -53,9 +57,6 @@ issues:
     - linters:
         - gosec
       text: "Deferring unsafe method"
-    - linters:
-        - gosec
-      text: "G204: Subprocess launched with variable"
     - linters:
         - errcheck
       text: "Close` is not checked"

CONTRIBUTING.md

@@ -9,14 +9,89 @@ Thank you for taking interest in contributing to Trivy!
 ## Pull Requests
 
 1. Every Pull Request should have an associated bug or feature issue unless you are fixing a trivial documentation issue.
-1. Your PR is more likely to be accepted if it focuses on just one change.
-1. Describe what the PR does. There's no convention enforced, but please try to be concise and descriptive. Treat the PR description as a commit message. Titles that starts with "fix"/"add"/"improve"/"remove" are good examples.
-1. Please add the associated Issue in the PR description.
-1. There's no need to add or tag reviewers.
-1. If a reviewer commented on your code or asked for changes, please remember to mark the discussion as resolved after you address it. PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
-1. Please include a comment with the results before and after your change.
-1. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
-1. If your PR affects the user experience in some way, please update the Readme and the CLI help accordingly.
+4. Please add the associated Issue link in the PR description.
+2. Your PR is more likely to be accepted if it focuses on just one change.
+5. There's no need to add or tag reviewers.
+6. If a reviewer commented on your code or asked for changes, please remember to respond with comment. Do not mark discussion as resolved. It's up to reviewer to mark it resolved (in case if suggested fix addresses problem properly). PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
+7. Please include a comment with the results before and after your change.
+8. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
+9. If your PR affects the user experience in some way, please update the README.md and the CLI help accordingly.
+
+### Title
+It is not that strict, but we use the title conventions in this repository.
+Each commit message doesn't have to follow the conventions as long as it is clear and descriptive since it will be squashed and merged.
+
+#### Format of the title
+
+```
+<type>(<scope>): <subject>
+```
+
+The `type` and `scope` should always be lowercase as shown below.
+
+**Allowed `<type>` values:**
+  - **feat** for a new feature for the user, not a new feature for build script. Such commit will trigger a release bumping a MINOR version.
+  - **fix** for a bug fix for the user, not a fix to a build script. Such commit will trigger a release bumping a PATCH version.
+  - **perf** for performance improvements. Such commit will trigger a release bumping a PATCH version.
+  - **docs** for changes to the documentation.
+  - **style** for formatting changes, missing semicolons, etc.
+  - **refactor** for refactoring production code, e.g. renaming a variable.
+  - **test** for adding missing tests, refactoring tests; no production code change.
+  - **build** for updating build configuration, development tools or other changes irrelevant to the user.
+  - **chore** for updates that do not apply to the above, such as dependency updates.
+
+**Example `<scope>` values:**
+- alpine
+- redhat
+- ruby
+- python
+- terraform
+- report
+- etc.
+ 
+The `<scope>` can be empty (e.g. if the change is a global or difficult to assign to a single component), in which case the parentheses are omitted.
+
+#### Example titles
+
+```
+feat(alma): add support for AlmaLinux
+```
+
+```
+fix(oracle): handle advisories with ksplice versions
+```
+
+```
+docs(misconf): add comparison with Conftest and TFsec
+```
+
+```
+chore(deps): bump go.uber.org/zap from 1.19.1 to 1.20.0
+```
+
+**NOTE**: please do not use `chore(deps): update fanal` and something like that if you add new features or fix bugs in Trivy-related projects.
+The PR title should describe what the PR adds or fixes even though it just updates the dependency in Trivy.
+
+### Unit tests
+Your PR must pass all the unit tests. You can test it as below.
+
+```
+$ make test
+```
+
+### Integration tests
+Your PR must pass all the integration tests. You can test it as below.
+
+```
+$ make test-integration
+```
+
+### Documentation
+You can build the documents as below and view it at http://localhost:8000.
+
+```
+$ make mkdocs-serve
+```
 
 ## Understand where your pull request belongs
 
@@ -25,4 +100,5 @@ Trivy is composed of several different repositories that work together:
 - [Trivy](https://github.com/aquasecurity/trivy) is the client-side, user-facing, command line tool.
 - [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerabilities database, aggregated from different sources, and normalized for easy consumption. Think of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo** 
 - [vuln-list-update](https://github.com/aquasecurity/vuln-list-update) is the code that maintains the vuln-list database.
+- [trivy-db](https://github.com/aquasecurity/trivy-db) maintains the vulnerability database pulled by Trivy CLI.
 - [fanal](https://github.com/aquasecurity/fanal) is a library for extracting system information from containers. It is being used by Trivy to find testable subjects in the container image.

Dockerfile.protoc

@@ -0,0 +1,12 @@
+FROM golang:1.17
+
+# Install protoc (cf. http://google.github.io/proto-lens/installing-protoc.html)
+ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip
+RUN apt-get update && apt-get install -y unzip
+RUN curl --retry 5 -OL https://github.com/protocolbuffers/protobuf/releases/download/v3.19.4/$PROTOC_ZIP \
+    && unzip -o $PROTOC_ZIP -d /usr/local bin/protoc \
+    && unzip -o $PROTOC_ZIP -d /usr/local 'include/*' \ 
+    && rm -f $PROTOC_ZIP
+
+RUN go install github.com/twitchtv/twirp/protoc-gen-twirp@v8.1.0
+RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.27.1

Makefile

@@ -54,7 +54,11 @@ build:
 
 .PHONY: protoc
 protoc:
-	find ./rpc/ -name "*.proto" -type f -exec protoc --proto_path=$(GOSRC):. --twirp_out=. --twirp_opt=paths=source_relative --go_out=. --go_opt=paths=source_relative {} \;
+	docker build -t trivy-protoc - < Dockerfile.protoc
+	docker run --rm -it -v ${PWD}:/app -w /app trivy-protoc make _$@
+
+_protoc:
+	find ./rpc/ -name "*.proto" -type f -exec protoc --twirp_out=. --twirp_opt=paths=source_relative --go_out=. --go_opt=paths=source_relative {} \;
 
 .PHONY: install
 install:

README.md

@@ -165,7 +165,7 @@ Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
 # Features
 
 - Comprehensive vulnerability detection
-  - OS packages (Alpine Linux, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
+  - OS packages (Alpine Linux, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
   - **Language-specific packages** (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
 - Misconfiguration detection (IaC scanning) 
   - A wide variety of built-in policies are provided **out of the box**
@@ -185,6 +185,8 @@ Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
   - **Suitable for CI** such as GitHub Actions, Jenkins, GitLab CI, etc.
 - Support multiple targets
   - container image, local filesystem and remote git repository
+- Supply chain security (SBOM support)
+  - Support CycloneDX
 
 # Integrations
 - [GitHub Actions][action]

ci/deploy-deb.sh

@@ -9,12 +9,14 @@ for release in ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
   echo "Removing deb package of $release"
   reprepro -A i386 remove $release trivy
   reprepro -A amd64 remove $release trivy
+  reprepro -A arm64 remove $release trivy
 done
 
 for release in ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
   echo "Adding deb package to $release"
   reprepro includedeb $release ../../dist/*Linux-64bit.deb
   reprepro includedeb $release ../../dist/*Linux-32bit.deb
+  reprepro includedeb $release ../../dist/*Linux-ARM64.deb
 done
 
 git add .

contrib/asff.tpl

@@ -19,12 +19,12 @@
     {
         "SchemaVersion": "2018-10-08",
         "Id": "{{ $target }}/{{ .VulnerabilityID }}",
-        "ProductArn": "arn:aws:securityhub:{{ getEnv "AWS_REGION" }}::product/aquasecurity/aquasecurity",
+        "ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity",
         "GeneratorId": "Trivy",
-        "AwsAccountId": "{{ getEnv "AWS_ACCOUNT_ID" }}",
+        "AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
         "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
-        "CreatedAt": "{{ getCurrentTime }}",
-        "UpdatedAt": "{{ getCurrentTime }}",
+        "CreatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+        "UpdatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
         "Severity": {
             "Label": "{{ $severity }}"
         },
@@ -42,7 +42,7 @@
                 "Type": "Container",
                 "Id": "{{ $target }}",
                 "Partition": "aws",
-                "Region": "{{ getEnv "AWS_REGION" }}",
+                "Region": "{{ env "AWS_REGION" }}",
                 "Details": {
                     "Container": { "ImageName": "{{ $target }}" },
                     "Other": {
@@ -51,10 +51,10 @@
                         "PkgName": "{{ .PkgName }}",
                         "Installed Package": "{{ .InstalledVersion }}",
                         "Patched Package": "{{ .FixedVersion }}",
-                        "NvdCvssScoreV3": "{{ (index .CVSS "nvd").V3Score }}",
-                        "NvdCvssVectorV3": "{{ (index .CVSS "nvd").V3Vector }}",
-                        "NvdCvssScoreV2": "{{ (index .CVSS "nvd").V2Score }}",
-                        "NvdCvssVectorV2": "{{ (index .CVSS "nvd").V2Vector }}"
+                        "NvdCvssScoreV3": "{{ (index .CVSS (sourceID "nvd")).V3Score }}",
+                        "NvdCvssVectorV3": "{{ (index .CVSS (sourceID "nvd")).V3Vector }}",
+                        "NvdCvssScoreV2": "{{ (index .CVSS (sourceID "nvd")).V2Score }}",
+                        "NvdCvssVectorV2": "{{ (index .CVSS (sourceID "nvd")).V2Vector }}"
                     }
                 }
             }

contrib/example_policy/advanced.rego

@@ -5,30 +5,42 @@ import data.lib.trivy
 default ignore = false
 
 nvd_v3_vector = v {
-	v := input.CVSS.nvd.v3
+	v := input.CVSS.nvd.V3Vector
+}
+
+redhat_v3_vector = v {
+	v := input.CVSS.redhat.V3Vector
 }
 
 # Ignore a vulnerability which requires high privilege
 ignore {
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
-	cvss_vector.PrivilegesRequired == "High"
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector.PrivilegesRequired == "High"
+
+        # Check against RedHat scores as well as NVD
+	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
+	redhat_cvss_vector.PrivilegesRequired == "High"
 }
 
 # Ignore a vulnerability which requires user interaction
 ignore {
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
-	cvss_vector.UserInteraction == "Required"
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector.UserInteraction == "Required"
+
+        # Check against RedHat scores as well as NVD
+	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
+	redhat_cvss_vector.UserInteraction == "Required"
 }
 
 ignore {
 	input.PkgName == "openssl"
 
 	# Split CVSSv3 vector
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
 
 	# Evaluate Attack Vector
 	ignore_attack_vectors := {"Physical", "Local"}
-	cvss_vector.AttackVector == ignore_attack_vectors[_]
+	nvd_cvss_vector.AttackVector == ignore_attack_vectors[_]
 }
 
 ignore {
@@ -50,11 +62,11 @@ ignore {
 	input.PkgName == "bash"
 
 	# Split CVSSv3 vector
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
 
 	# Evaluate Attack Vector
 	ignore_attack_vectors := {"Physical", "Local", "Adjacent"}
-	cvss_vector.AttackVector == ignore_attack_vectors[_]
+	nvd_cvss_vector.AttackVector == ignore_attack_vectors[_]
 
 	# Evaluate severity
 	input.Severity == {"LOW", "MEDIUM", "HIGH"}[_]
@@ -64,11 +76,11 @@ ignore {
 	input.PkgName == "django"
 
 	# Split CVSSv3 vector
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
 
 	# Evaluate Attack Vector
 	ignore_attack_vectors := {"Physical", "Local"}
-	cvss_vector.AttackVector == ignore_attack_vectors[_]
+	nvd_cvss_vector.AttackVector == ignore_attack_vectors[_]
 
 	# Evaluate severity
 	input.Severity == {"LOW", "MEDIUM"}[_]
@@ -86,7 +98,7 @@ ignore {
 	input.PkgName == "jquery"
 
 	# Split CVSSv3 vector
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
 
 	# Evaluate CWE-ID
 	deny_cwe_ids := {"CWE-79"} # XSS

contrib/example_policy/basic.rego

@@ -9,7 +9,11 @@ ignore_pkgs := {"bash", "bind-license", "rpm", "vim", "vim-minimal"}
 ignore_severities := {"LOW", "MEDIUM"}
 
 nvd_v3_vector = v {
-	v := input.CVSS.nvd.v3
+	v := input.CVSS.nvd.V3Vector
+}
+
+redhat_v3_vector = v {
+	v := input.CVSS.redhat.V3Vector
 }
 
 ignore {
@@ -22,20 +26,29 @@ ignore {
 
 # Ignore a vulnerability which is not remotely exploitable
 ignore {
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
-	cvss_vector.AttackVector != "Network"
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector.AttackVector != "Network"
+
+	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
+	redhat_cvss_vector.AttackVector != "Network"
 }
 
 # Ignore a vulnerability which requires high privilege
 ignore {
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
-	cvss_vector.PrivilegesRequired == "High"
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector.PrivilegesRequired == "High"
+
+	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
+	redhat_cvss_vector.PrivilegesRequired == "High"
 }
 
 # Ignore a vulnerability which requires user interaction
 ignore {
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
-	cvss_vector.UserInteraction == "Required"
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector.UserInteraction == "Required"
+
+	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
+	redhat_cvss_vector.UserInteraction == "Required"
 }
 
 # Ignore CSRF

contrib/gitlab-codequality.tpl

@@ -13,7 +13,8 @@
       "type": "issue",
       "check_name": "container_scanning",
       "categories": [ "Security" ],
-      "description": "{{ .VulnerabilityID }}: {{ .Title }}",
+      "description": {{ list .VulnerabilityID .Title | join ": " | printf "%q" }},
+      "fingerprint": "{{ .VulnerabilityID | sha1sum }}",
       "content": {{ .Description | printf "%q" }},
       "severity": {{ if eq .Severity "LOW" -}}
                     "info"
@@ -35,4 +36,4 @@
     }
     {{- end -}}
   {{- end }}
-]
+]

contrib/html.tpl

@@ -52,7 +52,7 @@
       }
       a.toggle-more-links { cursor: pointer; }
     </style>
-    <title>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ getCurrentTime }}</title>
+    <title>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ now }} </title>
     <script>
       window.onload = function() {
         document.querySelectorAll('td.links').forEach(function(linkCell) {
@@ -82,7 +82,7 @@
     </script>
   </head>
   <body>
-    <h1>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ getCurrentTime }}</h1>
+    <h1>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ now }}</h1>
     <table>
     {{- range . }}
       <tr class="group-header"><th colspan="6">{{ escapeXML .Type }}</th></tr>
@@ -112,6 +112,31 @@
       </tr>
         {{- end }}
       {{- end }}
+      {{- if (eq (len .Misconfigurations ) 0) }}
+      <tr><th colspan="6">No Misconfigurations found</th></tr>
+      {{- else }}
+      <tr class="sub-header">
+        <th>Type</th>
+        <th>Misconf ID</th>
+        <th>Check</th>
+        <th>Severity</th>
+        <th>Message</th>
+      </tr>
+        {{- range .Misconfigurations }}
+      <tr class="severity-{{ escapeXML .Severity }}">
+        <td class="misconf-type">{{ escapeXML .Type }}</td>
+        <td>{{ escapeXML .ID }}</td>
+        <td class="misconf-check">{{ escapeXML .Title }}</td>
+        <td class="severity">{{ escapeXML .Severity }}</td>
+        <td class="link" data-more-links="off"  style="white-space:normal;"">
+          {{ escapeXML .Message }}
+          <br>
+            <a href={{ escapeXML .PrimaryURL | printf "%q" }}>{{ escapeXML .PrimaryURL }}</a>
+          </br>
+        </td>
+      </tr>
+        {{- end }}
+      {{- end }}
     {{- end }}
     </table>
 {{- else }}

contrib/junit.tpl

@@ -14,5 +14,18 @@
         </testcase>
     {{- end }}
     </testsuite>
+{{- $failures := len .Misconfigurations }}
+    <testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{  .Target }}" errors="0" skipped="0" time="">
+    {{- if not (eq .Type "") }}
+        <properties>
+            <property name="type" value="{{ .Type }}"></property>
+        </properties>
+        {{- end -}}
+        {{ range .Misconfigurations }}
+        <testcase classname="{{ .Type }}" name="[{{ .Severity }}] {{ .ID }}" time="">
+            <failure message="{{ escapeXML .Title }}" type="description">{{ escapeXML .Description }}</failure>
+        </testcase>
+    {{- end }}
+    </testsuite>
 {{- end }}
 </testsuites>

contrib/sarif.tpl

@@ -1,100 +0,0 @@
-{
-  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
-  "version": "2.1.0",
-  {{- $rules := makeRuleMap }}
-  "runs": [
-    {
-      "tool": {
-        "driver": {
-          "name": "Trivy",
-          "informationUri": "https://github.com/aquasecurity/trivy",
-          "fullName": "Trivy Vulnerability Scanner",
-          "version": "0.15.0",
-          "rules": [
-        {{- $t_first := true }}
-        {{- range $result := . }}
-            {{- $vulnerabilityType := .Type }}
-            {{- range .Vulnerabilities -}}
-                {{- if indexRule $rules .VulnerabilityID -}}
-                  {{- if $t_first -}}
-                    {{- $t_first = false -}}
-                  {{ else -}}
-                    ,
-                  {{- end }}
-                {
-                  "id": {{ .VulnerabilityID | toJson }},
-                  "name": "{{ toSarifRuleName $vulnerabilityType }}",
-                  "shortDescription": {
-                    "text": {{ .VulnerabilityID | toJson }}
-                  },
-                  "fullDescription": {
-                    "text": {{ endWithPeriod (escapeString .Title) | printf "%q" }}
-                  },
-                  "defaultConfiguration": {
-                    "level": "{{ toSarifErrorLevel .Vulnerability.Severity }}"
-                  }
-                  {{- with $help_uri := .PrimaryURL -}}
-                  ,
-                  {{ $help_uri | printf "\"helpUri\": %q," -}}
-                  {{- else -}}
-                  ,
-                  {{- end }}
-                  "help": {
-                    "text": {{ printf "Vulnerability %v\n%v\nSeverity: %v\nPackage: %v\nFixed Version: %v\nLink: [%v](%v)" .VulnerabilityID .Vulnerability.Description .Vulnerability.Severity .PkgName .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}},                    
-                    "markdown": {{ printf "**Vulnerability %v**\n%v\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|%v|%v|%v|[%v](%v)|\n" .VulnerabilityID .Vulnerability.Description .Vulnerability.Severity .PkgName .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}}                    
-                  },
-                  "properties": {
-                    "tags": [
-                      "vulnerability",
-                      "{{ .Vulnerability.Severity }}"
-                    ],
-                    "precision": "very-high"
-                  }
-                }
-                {{- end -}}
-            {{- end -}}
-         {{- end -}}
-          ]
-        }
-      },
-      "results": [
-    {{- $t_first := true }}
-    {{- range $result := . }}
-        {{- $filePath := .Target }}
-        {{- range $index, $vulnerability := .Vulnerabilities -}}
-          {{- if $t_first -}}
-            {{- $t_first = false -}}
-          {{ else -}}
-            ,
-          {{- end }}
-        {
-          "ruleId": {{ .VulnerabilityID | toJson }},
-          "ruleIndex": {{ index $rules .VulnerabilityID }},
-          "level": "{{ toSarifErrorLevel $vulnerability.Vulnerability.Severity }}",
-          "message": {
-            "text": {{ printf "Package: %v\nInstalled Version: %v\nVulnerability %v\nSeverity: %v\nFixed Version: %v\nLink: [%v](%v)" .PkgName .InstalledVersion .VulnerabilityID .Vulnerability.Severity .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}}
-          },
-          "locations": [{
-            "physicalLocation": {
-              "artifactLocation": {
-                "uri": "{{ toPathUri $filePath }}",
-                "uriBaseId": "ROOTPATH"
-              },
-              "region" : {
-                "startLine": 1
-              }
-            }
-          }]
-        }
-        {{- end -}}
-      {{- end -}}
-      ],
-      "columnKind": "utf16CodeUnits",
-      "originalUriBaseIds": {
-        "ROOTPATH": {
-          "uri": "file:///"
-        }
-      }
-    }
-  ]
-}

docs/advanced/air-gap.md

@@ -1,24 +1,24 @@
 # Air-Gapped Environment
 
-Trivy can be used in air-gapped environments.
-
+Trivy can be used in air-gapped environments. Note that an allowlist is [here][allowlist].
 
 ## Air-Gapped Environment for vulnerabilities
 
 ### Download the vulnerability database
 At first, you need to download the vulnerability database for use in air-gapped environments.
-Go to [trivy-db][trivy-db] and download `trivy-offline.db.tgz` in the latest release.
-If you download `trivy-light-offline.db.tgz`, you have to run Trivy with `--light` option.
+Please follow [oras installation instruction][oras].
+
+Download `db.tar.gz`:
 
 ```
-$ wget https://github.com/aquasecurity/trivy-db/releases/latest/download/trivy-offline.db.tgz
+$ oras pull ghcr.io/aquasecurity/trivy-db:2 -a
 ```
 
 ### Transfer the DB file into the air-gapped environment
 The way of transfer depends on the environment.
 
 ```
-$ rsync -av -e ssh /path/to/trivy-offline.db.tgz [user]@[host]:dst
+$ rsync -av -e ssh /path/to/db.tar.gz [user]@[host]:dst
 ```
 
 ### Put the DB file in Trivy's cache directory
@@ -35,33 +35,28 @@ Put the DB file in the cache directory + `/db`.
 ```
 $ mkdir -p /home/myuser/.cache/trivy/db
 $ cd /home/myuser/.cache/trivy/db
-$ mv /path/to/trivy-offline.db.tgz .
-```
-
-Then, decompress it.
-`trivy-offline.db.tgz` file includes two files, `trivy.db` and `metadata.json`.
-
-```
-$ tar xvf trivy-offline.db.tgz
+$ tar xvf /path/to/db.tar.gz -C /home/myuser/.cache/trivy/db
 x trivy.db
 x metadata.json
-$ rm trivy-offline.db.tgz
+$ rm /path/to/db.tar.gz
 ```
 
 In an air-gapped environment it is your responsibility to update the Trivy database on a regular basis, so that the scanner can detect recently-identified vulnerabilities. 
 
-### Run Trivy with --skip-update option
+### Run Trivy with --skip-update and --offline-scan option
 In an air-gapped environment, specify `--skip-update` so that Trivy doesn't attempt to download the latest database file.
+In addition, if you want to scan Java dependencies such as JAR and pom.xml, you need to specify `--offline-scan` since Trivy tries to issue API requests for scanning Java applications by default.
 
 ```
-$ trivy image --skip-update alpine:3.12
+$ trivy image --skip-update --offline-scan alpine:3.12
 ```
 
 ## Air-Gapped Environment for misconfigurations
 
 ### Download misconfiguration policies
 At first, you need to download misconfiguration policies for use in air-gapped environments.
-Please follow [oras installation instruction][oras]. \
+Please follow [oras installation instruction][oras].
+
 Download `bundle.tar.gz`:
 
 ```
@@ -114,5 +109,5 @@ In an air-gapped environment, specify `--skip-policy-update` so that Trivy doesn
 $ trivy conf --skip-policy-update /path/to/conf
 ```
 
-[trivy-db]: https://github.com/aquasecurity/trivy-db/releases
+[allowlist]: ../getting-started/troubleshooting.md
 [oras]: https://oras.land/cli/

docs/advanced/community/tools.md

@@ -10,6 +10,13 @@ Have you created a tool that’s not listed? Add the name and description of you
 | [gitrivy][gitrivy]                         | GitHub Issue + Trivy                                                             |
 | [trivy-github-issues][trivy-github-issues] | GitHub Actions for creating GitHub Issues according to the Trivy scanning result |
 
+## Semaphore
+
+| Name                                                   | Description                               |
+| -------------------------------------------------------| ----------------------------------------- |
+| [Continuous Vulnerability Testing with Trivy][semaphore-tutorial] | Tutorial on scanning code, containers, infrastructure, and Kubernetes with Semaphore CI/CD. |
+
+
 ## CircleCI
 
 | Orb                                      | Description                               |
@@ -26,4 +33,5 @@ Have you created a tool that’s not listed? Add the name and description of you
 [trivy-github-issues]: https://github.com/marketplace/actions/trivy-github-issues
 [fifteen5/trivy-orb]: https://circleci.com/developer/orbs/orb/fifteen5/trivy-orb
 [gitrivy]: https://github.com/marketplace/actions/trivy-action
-[explorer]: https://dbsystel.github.io/trivy-vulnerability-explorer/
+[explorer]: https://dbsystel.github.io/trivy-vulnerability-explorer/
+[semaphore-tutorial]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy

docs/advanced/container/unpacked-filesystem.md

@@ -1,6 +1,6 @@
 # Unpacked Filesystem
 
-Scan aan unpacked container image filesystem.
+Scan an unpacked container image filesystem.
 
 In this case, Trivy works the same way when scanning containers
 

docs/advanced/integrations/circleci.md

@@ -19,7 +19,7 @@ jobs:
             curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
       - run:
           name: Scan the local image with trivy
-          command: trivy --exit-code 0 --no-progress trivy-ci-test:${CIRCLE_SHA1}
+          command: trivy image --exit-code 0 --no-progress trivy-ci-test:${CIRCLE_SHA1}
 workflows:
   version: 2
   release:

docs/advanced/integrations/gitlab-ci.md

@@ -32,11 +32,11 @@ trivy:
     # Build image
     - docker build -t $IMAGE .
     # Build report
-    - ./trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@contrib/gitlab.tpl" -o gl-container-scanning-report.json $IMAGE
+    - ./trivy --cache-dir .trivycache/ image --exit-code 0 --no-progress --format template --template "@contrib/gitlab.tpl" -o gl-container-scanning-report.json $IMAGE
     # Print report
-    - ./trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --severity HIGH $IMAGE
+    - ./trivy --cache-dir .trivycache/ image --exit-code 0 --no-progress --severity HIGH $IMAGE
     # Fail on severe vulnerabilities
-    - ./trivy --exit-code 1 --cache-dir .trivycache/ --severity CRITICAL --no-progress $IMAGE
+    - ./trivy --cache-dir .trivycache/ image --exit-code 1 --severity CRITICAL --no-progress $IMAGE
   cache:
     paths:
       - .trivycache/
@@ -77,14 +77,14 @@ container_scanning:
     # cache cleanup is needed when scanning images with the same tags, it does not remove the database
     - time trivy image --clear-cache
     # update vulnerabilities db
-    - time trivy --download-db-only --no-progress --cache-dir .trivycache/
+    - time trivy --cache-dir .trivycache/ image --download-db-only --no-progress
     # Builds report and puts it in the default workdir $CI_PROJECT_DIR, so `artifacts:` can take it from there
-    - time trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@/contrib/gitlab.tpl"
+    - time trivy --cache-dir .trivycache/ image --exit-code 0 --no-progress --format template --template "@/contrib/gitlab.tpl"
         --output "$CI_PROJECT_DIR/gl-container-scanning-report.json" "$FULL_IMAGE_NAME"
     # Prints full report
-    - time trivy --exit-code 0 --cache-dir .trivycache/ --no-progress "$FULL_IMAGE_NAME"
+    - time trivy --cache-dir .trivycache/ image --exit-code 0 --no-progress "$FULL_IMAGE_NAME"
     # Fail on critical vulnerabilities
-    - time trivy --exit-code 1 --cache-dir .trivycache/ --severity CRITICAL --no-progress "$FULL_IMAGE_NAME"
+    - time trivy --cache-dir .trivycache/ image --exit-code 1 --severity CRITICAL --no-progress "$FULL_IMAGE_NAME"
   cache:
     paths:
       - .trivycache/
@@ -135,14 +135,14 @@ trivy:
     # Build image
     - docker build -t $IMAGE .
     # Build report
-    - ./trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@contrib/gitlab-codeclimate.tpl" -o gl-codeclimate.json $IMAGE
+    - ./trivy --cache-dir .trivycache/ image --exit-code 0 --no-progress --format template --template "@contrib/gitlab-codequality.tpl" -o gl-codeclimate.json $IMAGE
   cache:
     paths:
       - .trivycache/
   # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)
   artifacts:
     paths:
-      gl-codeclimate.json
+      - gl-codeclimate.json
     reports:
       codequality: gl-codeclimate.json
 ```

docs/advanced/integrations/index.md

@@ -1,4 +1,2 @@
 # Integrations
 Scan your image automatically as part of your CI workflow, failing the workflow if a vulnerability is found. When you don't want to fail the test, specify `--exit-code 0`.
-
-Since in automated scenarios such as CI/CD you are only interested in the end result, and not the full report, use the `--light` flag to optimize for this scenario and get fast results.

docs/advanced/integrations/travis-ci.md

@@ -15,8 +15,8 @@ before_install:
   - wget https://github.com/aquasecurity/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz
   - tar zxvf trivy_${VERSION}_Linux-64bit.tar.gz
 script:
-  - ./trivy --exit-code 0 --severity HIGH --no-progress trivy-ci-test:${COMMIT}
-  - ./trivy --exit-code 1 --severity CRITICAL --no-progress trivy-ci-test:${COMMIT}
+  - ./trivy image --exit-code 0 --severity HIGH --no-progress trivy-ci-test:${COMMIT}
+  - ./trivy image --exit-code 1 --severity CRITICAL --no-progress trivy-ci-test:${COMMIT}
 cache:
   directories:
     - $HOME/.cache/trivy

docs/advanced/private-registries/acr.md

@@ -0,0 +1,27 @@
+# Requirements
+None, Trivy uses Azure SDK for Go. You don't need to install `az` command.
+
+# Privileges
+Service principal must have the `AcrPull` permissions.
+
+## Creation of a service principal
+```bash
+export SP_DATA=$(az ad sp create-for-rbac --name TrivyTest --role AcrPull --scope "/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.ContainerRegistry/registries/<registry_name>")
+```
+
+# Usage
+```bash
+# must set TRIVY_USERNAME empty char
+export AZURE_CLIENT_ID$(echo $SP_DATA | jq -r .appId)
+export AZURE_CLIENT_SECRET$(echo $SP_DATA | jq -r .password)
+export AZURE_TENANT_ID$(echo $SP_DATA | jq -r .tenant)
+```
+
+# Testing
+You can test credentials in the following manner.
+
+```bash
+docker run -it --rm -v /tmp:/tmp\
+  -e AZURE_CLIENT_ID=${AZURE_CLIENT_ID} -e AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET} \
+  -e AZURE_TENANT_ID=${AZURE_TENANT_ID} aquasec/trivy image your_special_project.azurecr.io/your_special_image:your_special_tag
+```

docs/advanced/sbom/cyclonedx.md

@@ -0,0 +1,175 @@
+# CycloneDX
+Trivy generates JSON reports in the [CycloneDX][cyclonedx] format.
+Note that XML format is not supported at the moment.
+
+
+You can specify `cyclonedx` with the `--format` option.
+
+```
+$ trivy image --format cyclonedx --output result.json alpine:3.15
+```
+
+<details>
+<summary>Result</summary>
+
+```
+$ cat result.json | jq .
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.3",
+  "serialNumber": "urn:uuid:2be5773d-7cd3-4b4b-90a5-e165474ddace",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2022-02-22T15:11:40.270597Z",
+    "tools": [
+      {
+        "vendor": "aquasecurity",
+        "name": "trivy",
+        "version": "dev"
+      }
+    ],
+    "component": {
+      "bom-ref": "pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64",
+      "type": "container",
+      "name": "alpine:3.15",
+      "version": "",
+      "purl": "pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:SchemaVersion",
+          "value": "2"
+        },
+        {
+          "name": "aquasecurity:trivy:ImageID",
+          "value": "sha256:c059bfaa849c4d8e4aecaeb3a10c2d9b3d85f5165c66ad3a4d937758128c4d18"
+        },
+        {
+          "name": "aquasecurity:trivy:RepoDigest",
+          "value": "alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300"
+        },
+        {
+          "name": "aquasecurity:trivy:DiffID",
+          "value": "sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759"
+        },
+        {
+          "name": "aquasecurity:trivy:RepoTag",
+          "value": "alpine:3.15"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "bom-ref": "pkg:apk/alpine/alpine-baselayout@3.2.0-r18?distro=3.15.0",
+      "type": "library",
+      "name": "alpine-baselayout",
+      "version": "3.2.0-r18",
+      "licenses": [
+        {
+          "expression": "GPL-2.0-only"
+        }
+      ],
+      "purl": "pkg:apk/alpine/alpine-baselayout@3.2.0-r18?distro=3.15.0",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:SrcName",
+          "value": "alpine-baselayout"
+        },
+        {
+          "name": "aquasecurity:trivy:SrcVersion",
+          "value": "3.2.0-r18"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDigest",
+          "value": "sha256:59bf1c3509f33515622619af21ed55bbe26d24913cedbca106468a5fb37a50c3"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDiffID",
+          "value": "sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759"
+        }
+      ]
+    },
+    ...(snip)...
+    {
+      "bom-ref": "pkg:apk/alpine/zlib@1.2.11-r3?distro=3.15.0",
+      "type": "library",
+      "name": "zlib",
+      "version": "1.2.11-r3",
+      "licenses": [
+        {
+          "expression": "Zlib"
+        }
+      ],
+      "purl": "pkg:apk/alpine/zlib@1.2.11-r3?distro=3.15.0",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:SrcName",
+          "value": "zlib"
+        },
+        {
+          "name": "aquasecurity:trivy:SrcVersion",
+          "value": "1.2.11-r3"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDigest",
+          "value": "sha256:59bf1c3509f33515622619af21ed55bbe26d24913cedbca106468a5fb37a50c3"
+        },
+        {
+          "name": "aquasecurity:trivy:LayerDiffID",
+          "value": "sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759"
+        }
+      ]
+    },
+    {
+      "bom-ref": "3da6a469-964d-4b4e-b67d-e94ec7c88d37",
+      "type": "operating-system",
+      "name": "alpine",
+      "version": "3.15.0",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:Type",
+          "value": "alpine"
+        },
+        {
+          "name": "aquasecurity:trivy:Class",
+          "value": "os-pkgs"
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "3da6a469-964d-4b4e-b67d-e94ec7c88d37",
+      "dependsOn": [
+        "pkg:apk/alpine/alpine-baselayout@3.2.0-r18?distro=3.15.0",
+        "pkg:apk/alpine/alpine-keys@2.4-r1?distro=3.15.0",
+        "pkg:apk/alpine/apk-tools@2.12.7-r3?distro=3.15.0",
+        "pkg:apk/alpine/busybox@1.34.1-r3?distro=3.15.0",
+        "pkg:apk/alpine/ca-certificates-bundle@20191127-r7?distro=3.15.0",
+        "pkg:apk/alpine/libc-utils@0.7.2-r3?distro=3.15.0",
+        "pkg:apk/alpine/libcrypto1.1@1.1.1l-r7?distro=3.15.0",
+        "pkg:apk/alpine/libretls@3.3.4-r2?distro=3.15.0",
+        "pkg:apk/alpine/libssl1.1@1.1.1l-r7?distro=3.15.0",
+        "pkg:apk/alpine/musl@1.2.2-r7?distro=3.15.0",
+        "pkg:apk/alpine/musl-utils@1.2.2-r7?distro=3.15.0",
+        "pkg:apk/alpine/scanelf@1.3.3-r0?distro=3.15.0",
+        "pkg:apk/alpine/ssl_client@1.34.1-r3?distro=3.15.0",
+        "pkg:apk/alpine/zlib@1.2.11-r3?distro=3.15.0"
+      ]
+    },
+    {
+      "ref": "pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64",
+      "dependsOn": [
+        "3da6a469-964d-4b4e-b67d-e94ec7c88d37"
+      ]
+    }
+  ]
+}
+
+```
+</details>
+
+!!! caution
+    It doesn't support vulnerabilities yet, but installed packages.
+
+[cyclonedx]: https://cyclonedx.org/

docs/getting-started/cli/client.md

@@ -9,7 +9,7 @@ USAGE:
 
 OPTIONS:
    --template value, -t value  output template [$TRIVY_TEMPLATE]
-   --format value, -f value    format (table, json, template) (default: "table") [$TRIVY_FORMAT]
+   --format value, -f value    format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
    --input value, -i value     input file path instead of image name [$TRIVY_INPUT]
    --severity value, -s value  severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
    --output value, -o value    output file name [$TRIVY_OUTPUT]
@@ -22,6 +22,7 @@ OPTIONS:
    --timeout value             timeout (default: 5m0s) [$TRIVY_TIMEOUT]
    --ignore-policy value       specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
    --list-all-pkgs             enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
+   --offline-scan              do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
    --token value               for authentication [$TRIVY_TOKEN]
    --token-header value        specify a header name for token (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
    --remote value              server address (default: "http://localhost:4954") [$TRIVY_REMOTE]

docs/getting-started/cli/config.md

@@ -9,7 +9,7 @@ USAGE:
 
 OPTIONS:
    --template value, -t value                     output template [$TRIVY_TEMPLATE]
-   --format value, -f value                       format (table, json, template) (default: "table") [$TRIVY_FORMAT]
+   --format value, -f value                       format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
    --severity value, -s value                     severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
    --output value, -o value                       output file name [$TRIVY_OUTPUT]
    --exit-code value                              Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]

docs/getting-started/cli/fs.md

@@ -9,7 +9,7 @@ USAGE:
 
 OPTIONS:
    --template value, -t value                     output template [$TRIVY_TEMPLATE]
-   --format value, -f value                       format (table, json, template) (default: "table") [$TRIVY_FORMAT]
+   --format value, -f value                       format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
    --severity value, -s value                     severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
    --output value, -o value                       output file name [$TRIVY_OUTPUT]
    --exit-code value                              Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
@@ -25,6 +25,7 @@ OPTIONS:
    --no-progress                                  suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
    --ignore-policy value                          specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
    --list-all-pkgs                                enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
+   --offline-scan                                 do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
    --skip-files value                             specify the file paths to skip traversal [$TRIVY_SKIP_FILES]
    --skip-dirs value                              specify the directories where the traversal is skipped [$TRIVY_SKIP_DIRS]
    --config-policy value                          specify paths to the Rego policy files directory, applying config files [$TRIVY_CONFIG_POLICY]

docs/getting-started/cli/image.md

@@ -9,7 +9,7 @@ USAGE:
 
 OPTIONS:
    --template value, -t value  output template [$TRIVY_TEMPLATE]
-   --format value, -f value    format (table, json, template) (default: "table") [$TRIVY_FORMAT]
+   --format value, -f value    format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
    --input value, -i value     input file path instead of image name [$TRIVY_INPUT]
    --severity value, -s value  severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
    --output value, -o value    output file name [$TRIVY_OUTPUT]
@@ -24,9 +24,9 @@ OPTIONS:
    --vuln-type value           comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
    --ignorefile value          specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
    --timeout value             timeout (default: 5m0s) [$TRIVY_TIMEOUT]
-   --light                     light mode: it's faster, but vulnerability descriptions and references are not displayed (default: false) [$TRIVY_LIGHT]
    --ignore-policy value       specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
    --list-all-pkgs             enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
+   --offline-scan              do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
    --skip-files value          specify the file path to skip traversal [$TRIVY_SKIP_FILES]
    --skip-dirs value           specify the directory where the traversal is skipped [$TRIVY_SKIP_DIRS]
    --cache-backend value       cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]

docs/getting-started/cli/repo.md

@@ -9,7 +9,7 @@ USAGE:
 
 OPTIONS:
    --template value, -t value  output template [$TRIVY_TEMPLATE]
-   --format value, -f value    format (table, json, template) (default: "table") [$TRIVY_FORMAT]
+   --format value, -f value    format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
    --input value, -i value     input file path instead of image name [$TRIVY_INPUT]
    --severity value, -s value  severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
    --output value, -o value    output file name [$TRIVY_OUTPUT]
@@ -23,8 +23,10 @@ OPTIONS:
    --cache-backend value       cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
    --timeout value             timeout (default: 5m0s) [$TRIVY_TIMEOUT]
    --no-progress               suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
+   --quiet, -q                      suppress progress bar and log output (default: false) [$TRIVY_QUIET]
    --ignore-policy value       specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
    --list-all-pkgs             enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
+   --offline-scan              do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
    --skip-files value          specify the file path to skip traversal [$TRIVY_SKIP_FILES]
    --skip-dirs value           specify the directory where the traversal is skipped [$TRIVY_SKIP_DIRS]
    --help, -h                  show help (default: false)

docs/getting-started/cli/rootfs.md

@@ -9,7 +9,7 @@ USAGE:
 
 OPTIONS:
    --template value, -t value                     output template [$TRIVY_TEMPLATE]
-   --format value, -f value                       format (table, json, template) (default: "table") [$TRIVY_FORMAT]
+   --format value, -f value                       format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
    --severity value, -s value                     severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
    --output value, -o value                       output file name [$TRIVY_OUTPUT]
    --exit-code value                              Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
@@ -25,6 +25,7 @@ OPTIONS:
    --no-progress                                  suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
    --ignore-policy value                          specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
    --list-all-pkgs                                enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
+   --offline-scan                                 do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
    --skip-files value                             specify the file paths to skip traversal [$TRIVY_SKIP_FILES]
    --skip-dirs value                              specify the directories where the traversal is skipped [$TRIVY_SKIP_DIRS]
    --config-policy value                          specify paths to the Rego policy files directory, applying config files [$TRIVY_CONFIG_POLICY]

docs/getting-started/installation.md

@@ -118,13 +118,12 @@ Example:
 === "Linux"
 
     ``` bash
-    docker run --rm -v [YOUR_CACHE_DIR]:/root/.cache/ aquasec/trivy:{{ git.tag[1:] }} [YOUR_IMAGE_NAME]
+    docker run --rm -v [YOUR_CACHE_DIR]:/root/.cache/ aquasec/trivy:{{ git.tag[1:] }} image [YOUR_IMAGE_NAME]
     ```
 
 === "macOS"
 
     ``` bash
-    yay -Sy trivy-bin
     docker run --rm -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:{{ git.tag[1:] }} python:3.4-alpine
     ```
 

docs/getting-started/overview.md

@@ -22,7 +22,7 @@ See [Integrations][integrations] for details.
 ## Features
 
 - Comprehensive vulnerability detection
-    - [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
+    - [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
     - [**Language-specific packages**][lang] (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
 - Detect IaC misconfigurations
     - A wide variety of [built-in policies][builtin] are provided **out of the box**:
@@ -55,12 +55,11 @@ See [Integrations][integrations] for details.
         - An image directory compliant with [OCI Image Format][oci]
     - local filesystem and rootfs
     - remote git repository
+- SBOM (Software Bill of Materials) support
+    - CycloneDX 
 
 Please see [LICENSE][license] for Trivy licensing information.
 
-!!! note
-    Trivy uses vulnerability information from a variety of sources, some of which are licensed for non-commercial use only.
-
 [vuln]: ../vulnerability/scanning/index.md
 [misconf]: ../misconfiguration/index.md
 [container]: ../vulnerability/scanning/image.md
@@ -80,4 +79,4 @@ Please see [LICENSE][license] for Trivy licensing information.
 [podman]: ../advanced/container/podman.md
 
 [oci]: https://github.com/opencontainers/image-spec
-[license]:  https://github.com/aquasecurity/trivy/blob/main/LICENSE
+[license]:  https://github.com/aquasecurity/trivy/blob/main/LICENSE

docs/getting-started/troubleshooting.md

@@ -39,6 +39,22 @@ https://developer.github.com/v3/#rate-limiting
 $ GITHUB_TOKEN=XXXXXXXXXX trivy alpine:3.10
 ```
 
+### Maven rate limiting
+
+!!! error
+    ``` bash
+    $ trivy image ...
+    ...
+    status 403 Forbidden from http://search.maven.org/solrsearch/select
+    ```
+
+Trivy calls Maven API for better detection of JAR files, but many requests may exceed rate limiting.
+If it happens frequently, try the `--offline-scan` option to stop Trivy from making API requests.
+This option affects only vulnerability scanning. The vulnerability database and builtin policies are downloaded as usual.
+If you want to skip them as well, you can try `--skip-update` and `--skip-policy-update`.
+
+Note that a number of vulnerabilities might be fewer than without the `--offline-scan` option.
+
 ### Running in parallel takes same time as series run
 When running trivy on multiple images simultaneously, it will take same time as running trivy in series.  
 This is because of a limitation of boltdb.
@@ -53,11 +69,17 @@ Reference : [boltdb: Opening a database][boltdb].
 !!! error
     FATAL failed to download vulnerability DB
 
-If trivy is running behind corporate firewall try to whitelist urls below:
+If trivy is running behind corporate firewall, you have to add the following urls to your allowlist.
 
-- api.github.com
-- github.com
-- github-releases.githubusercontent.com
+- ghcr.io
+- pkg-containers.githubusercontent.com
+
+### Old DB schema
+
+!!! error
+    --skip-update cannot be specified with the old DB schema.
+
+Trivy v0.23.0 or later requires Trivy DB v2. Please update your local database or follow [the instruction of air-gapped environment][air-gapped].
 
 ## Homebrew
 ### Scope error
@@ -107,3 +129,5 @@ Try again with `--reset` option:
 ```
 $ trivy image --reset
 ```
+
+[air-gapped]: ../advanced/air-gap.md

docs/misconfiguration/iac.md

@@ -111,7 +111,7 @@ Failures: 9 (HIGH: 6, CRITICAL: 1)
 +                                          +            +                                          +          +--------------------------------------------------------+
 |                                          |            |                                          |          | Resource                                               |
 |                                          |            |                                          |          | 'aws_api_gateway_domain_name.missing_security_policy'  |
-|                                          |            |                                          |          | should include security_policy (defauls to outdated    |
+|                                          |            |                                          |          | should include security_policy (defaults to outdated   |
 |                                          |            |                                          |          | SSL/TLS policy). -->tfsec.dev/docs/aws/AWS025/         |
 +                                          +            +                                          +          +--------------------------------------------------------+
 |                                          |            |                                          |          | Resource                                               |

docs/misconfiguration/options/filter.md

@@ -72,7 +72,7 @@ Failures: 8 (HIGH: 6, CRITICAL: 1)
 +                                          +            +                                          +          +--------------------------------------------------------+
 |                                          |            |                                          |          | Resource                                               |
 |                                          |            |                                          |          | 'aws_api_gateway_domain_name.missing_security_policy'  |
-|                                          |            |                                          |          | should include security_policy (defauls to outdated    |
+|                                          |            |                                          |          | should include security_policy (defaults to outdated   |
 |                                          |            |                                          |          | SSL/TLS policy). -->tfsec.dev/docs/aws/AWS025/         |
 +                                          +            +                                          +          +--------------------------------------------------------+
 |                                          |            |                                          |          | Resource                                               |

docs/misconfiguration/options/report.md

@@ -3,4 +3,4 @@
 See [Reports Formats](../../vulnerability/examples/report.md) in Vulnerability section.
 
 !!! caution
-    Misconfiguration scanning doesn't support default templates such as XML and SARIF for now.
+    Misconfiguration scanning doesn't support default templates such as XML for now.

docs/vulnerability/detection/data-source.md

@@ -11,28 +11,31 @@
 | Ubuntu         | [Ubuntu CVE Tracker][ubuntu]             |
 | RHEL/CentOS    | [OVAL][rhel-oval]                        |
 |                | [Security Data][rhel-api]                |
+| AlmaLinux      | [AlmaLinux Product Errata][alma]         |
+| Rocky Linux    | [Rocky Linux UpdateInfo][rocky]          |
 | Oracle Linux   | [OVAL][oracle]                           |
+| CBL-Mariner    | [OVAL][mariner]                          |
 | OpenSUSE/SLES	 | [CVRF][suse]                             |
 | Photon OS      | [Photon Security Advisory][photon]       |
 
 # Programming Language
 
-| Language                     | Source                                           | Commercial Use  | Delay[^1]|
-| ---------------------------- | -------------------------------------------------|:---------------:|:--------:|
-| PHP                          | [PHP Security Advisories Database][php]          | ✅              | -        |
-|                              | [GitHub Advisory Database (Composer)][php-ghsa]  | ✅              | -        |
-| Python                       | [Safety DB][python]                              | ❌              | 1 month  |
-|                              | [GitHub Advisory Database (pip)][python-ghsa]    | ✅              | -        |
-| Ruby                         | [Ruby Advisory Database][ruby]                   | ✅              | -        |
-|                              | [GitHub Advisory Database (RubyGems)][ruby-ghsa] | ✅              | -        |
-| Node.js                      | [Ecosystem Security Working Group][nodejs]       | ✅              | -        |
-|                              | [GitHub Advisory Database (npm)][nodejs-ghsa]    | ✅              | -        |
-| Java                         | [GitLab Advisories Community][gitlab]            | ✅              | 1 month  |
-|                              | [GitHub Advisory Database (Maven)][java-ghsa]    | ✅              | -        |
-| Go                           | [GitLab Advisories Community][gitlab]            | ✅              | 1 month  |
-|                              | [The Go Vulnerability Database][go]              | ✅              | -        |
-| Rust                         | [RustSec Advisory Database][rust]                | ✅              | -        |
-| .NET                         | [GitHub Advisory Database (NuGet)][dotnet-ghsa]  | ✅              | -        |
+| Language                     | Source                                              | Commercial Use  | Delay[^1]|
+| ---------------------------- | ----------------------------------------------------|:---------------:|:--------:|
+| PHP                          | [PHP Security Advisories Database][php]             | ✅              | -        |
+|                              | [GitHub Advisory Database (Composer)][php-ghsa]     | ✅              | -        |
+| Python                       | [GitHub Advisory Database (pip)][python-ghsa]       | ✅              | -        |
+|                              | [Open Source Vulnerabilities (PyPI)][python-osv]    | ✅              | -        |
+| Ruby                         | [Ruby Advisory Database][ruby]                      | ✅              | -        |
+|                              | [GitHub Advisory Database (RubyGems)][ruby-ghsa]    | ✅              | -        |
+| Node.js                      | [Ecosystem Security Working Group][nodejs]          | ✅              | -        |
+|                              | [GitHub Advisory Database (npm)][nodejs-ghsa]       | ✅              | -        |
+| Java                         | [GitLab Advisories Community][gitlab]               | ✅              | 1 month  |
+|                              | [GitHub Advisory Database (Maven)][java-ghsa]       | ✅              | -        |
+| Go                           | [GitLab Advisories Community][gitlab]               | ✅              | 1 month  |
+|                              | [The Go Vulnerability Database][go]                 | ✅              | -        |
+| Rust                         | [Open Source Vulnerabilities (crates.io)][rust-osv] | ✅              | -        |
+| .NET                         | [GitHub Advisory Database (NuGet)][dotnet-ghsa]     | ✅              | -        |
 
 [^1]: Intentional delay between vulnerability disclosure and registration in the DB
 
@@ -51,9 +54,12 @@
 [ubuntu]: https://ubuntu.com/security/cve
 [rhel-oval]: https://www.redhat.com/security/data/oval/v2/
 [rhel-api]: https://www.redhat.com/security/data/metrics/
+[alma]: https://errata.almalinux.org/
+[rocky]: https://download.rockylinux.org/pub/rocky/
 [oracle]: https://linux.oracle.com/security/oval/
 [suse]: http://ftp.suse.com/pub/projects/security/cvrf/
 [photon]: https://packages.vmware.com/photon/photon_cve_metadata/
+[mariner]: https://github.com/microsoft/CBL-MarinerVulnerabilityData/
 
 [php-ghsa]: https://github.com/advisories?query=ecosystem%3Acomposer
 [python-ghsa]: https://github.com/advisories?query=ecosystem%3Apip
@@ -63,11 +69,12 @@
 [dotnet-ghsa]: https://github.com/advisories?query=ecosystem%3Anuget
 
 [php]: https://github.com/FriendsOfPHP/security-advisories
-[python]: https://github.com/pyupio/safety-db
 [ruby]: https://github.com/rubysec/ruby-advisory-db
 [nodejs]: https://github.com/nodejs/security-wg
 [gitlab]: https://gitlab.com/gitlab-org/advisories-community
 [go]: https://github.com/golang/vulndb
-[rust]: (https://github.com/RustSec/advisory-db)
+
+[python-osv]: https://osv.dev/list?q=&ecosystem=PyPI
+[rust-osv]: https://osv.dev/list?q=&ecosystem=crates.io
 
 [nvd]: https://nvd.nist.gov/

docs/vulnerability/detection/language.md

@@ -2,23 +2,25 @@
 
 `Trivy` automatically detects the following files in the container and scans vulnerabilities in the application dependencies.
 
-| Language | File                     | Image[^6] | Rootfs[^7] | Filesystem[^8] |  Repository[^9] |Dev dependencies |
-|----------|--------------------------|:---------:|:----------:|:--------------:|:---------------:|-----------------|
-| Ruby     | Gemfile.lock             | -         | -          | ✅             | ✅              | included        |
-|          | gemspec                  | ✅        | ✅         | -              | -               | included        |
-| Python   | Pipfile.lock             | -         | -          | ✅             | ✅              | excluded        |
-|          | poetry.lock              | -         | -          | ✅             | ✅              | included        |
-|          | requirements.txt         | -         | -          | ✅             | ✅              | included        |
-|          | egg package[^1]          | ✅        | ✅         | -              | -               | excluded        |
-|          | wheel package[^2]        | ✅        | ✅         | -              | -               | excluded        |
-| PHP      | composer.lock            | ✅        | ✅         | ✅             | ✅              | excluded        |
-| Node.js  | package-lock.json        | -         | -          | ✅             | ✅              | excluded        |
-|          | yarn.lock                | -         | -          | ✅             | ✅              | included        |
-|          | package.json             | ✅        | ✅         | -              | -               | excluded        |
-| .NET     | packages.lock.json       | ✅        | ✅         | ✅             | ✅              | included        |
-| Java     | JAR/WAR/EAR[^3][^4]      | ✅        | ✅         | ✅             | ✅              | included        |
-| Go       | Binaries built by Go[^5] | ✅        | ✅         | -              | -               | excluded        |
-|          | go.sum                   | -         | -          | ✅             | ✅              | included        |
+| Language | File                     | Image[^7] | Rootfs[^8] | Filesystem[^9] | Repository[^10] |Dev dependencies |
+|----------|--------------------------|:---------:|:----------:|:--------------:|:--------------:|-----------------|
+| Ruby     | Gemfile.lock             | -         | -          |       ✅        |       ✅        | included        |
+|          | gemspec                  | ✅        | ✅         |       -        |       -        | included        |
+| Python   | Pipfile.lock             | -         | -          |       ✅        |       ✅        | excluded        |
+|          | poetry.lock              | -         | -          |       ✅        |       ✅        | included        |
+|          | requirements.txt         | -         | -          |       ✅        |       ✅        | included        |
+|          | egg package[^1]          | ✅        | ✅         |       -        |       -        | excluded        |
+|          | wheel package[^2]        | ✅        | ✅         |       -        |       -        | excluded        |
+| PHP      | composer.lock            | ✅        | ✅         |       ✅        |       ✅        | excluded        |
+| Node.js  | package-lock.json        | -         | -          |       ✅        |       ✅        | excluded        |
+|          | yarn.lock                | -         | -          |       ✅        |       ✅        | included        |
+|          | package.json             | ✅        | ✅         |       -        |       -        | excluded        |
+| .NET     | packages.lock.json       | ✅        | ✅         |       ✅        |       ✅        | included        |
+| Java     | JAR/WAR/PAR/EAR[^3][^4]  | ✅        | ✅         |       -        |       -        | included        |
+|          | pom.xml[^5]              | -         | -          |       ✅        |       ✅        | excluded        |
+| Go       | Binaries built by Go[^6] | ✅        | ✅         |       -        |       -        | excluded        |
+|          | go.sum                   | -         | -          |       ✅        |       ✅        | included        |
+| Rust     | Cargo.lock               | ✅        | ✅         |       ✅        |       ✅        | included        |
 
 The path of these files does not matter.
 
@@ -26,10 +28,11 @@ Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Do
 
 [^1]: `*.egg-info`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO`
 [^2]: `.dist-info/META-DATA`
-[^3]: `*.jar`, `*.war`, and `*.ear`
-[^4]: It requires the Internet access
-[^5]: UPX-compressed binaries don't work
-[^6]: ✅ means "enabled" and `-` means "disabled" in the image scanning
-[^7]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
-[^8]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
-[^9]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
+[^3]: `*.jar`, `*.war`, `*.par` and `*.ear`
+[^4]: It requires Internet access
+[^5]: It requires Internet access when the POM doesn't exist in your local repository
+[^6]: UPX-compressed binaries don't work
+[^7]: ✅ means "enabled" and `-` means "disabled" in the image scanning
+[^8]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
+[^9]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
+[^10]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning

docs/vulnerability/detection/os.md

@@ -7,13 +7,16 @@ The unfixed/unfixable vulnerabilities mean that the patch has not yet been provi
 | Alpine Linux                     | 2.2 - 2.7, 3.0 - 3.15                    | Installed by apk              |                  NO                  |
 | Red Hat Universal Base Image[^1] | 7, 8                                     | Installed by yum/rpm          |                 YES                  |
 | Red Hat Enterprise Linux         | 6, 7, 8                                  | Installed by yum/rpm          |                 YES                  |
-| CentOS                           | 6, 7                                     | Installed by yum/rpm          |                 YES                  |
+| CentOS                           | 6, 7, 8                                  | Installed by yum/rpm          |                 YES                  |
+| AlmaLinux                        | 8                                        | Installed by yum/rpm          |                  NO                  |
+| Rocky Linux                      | 8                                        | Installed by yum/rpm          |                  NO                  |
 | Oracle Linux                     | 5, 6, 7, 8                               | Installed by yum/rpm          |                  NO                  |
+| CBL-Mariner                      | 1.0, 2.0                                 | Installed by yum/rpm          |                 YES                  |
 | Amazon Linux                     | 1, 2                                     | Installed by yum/rpm          |                  NO                  |
 | openSUSE Leap                    | 42, 15                                   | Installed by zypper/rpm       |                  NO                  |
 | SUSE Enterprise Linux            | 11, 12, 15                               | Installed by zypper/rpm       |                  NO                  |
-| Photon OS                        | 1.0, 2.0, 3.0                            | Installed by tdnf/yum/rpm     |                  NO                  |
-| Debian GNU/Linux                 | wheezy, jessie, stretch, buster          | Installed by apt/apt-get/dpkg |                 YES                  |
+| Photon OS                        | 1.0, 2.0, 3.0, 4.0                       | Installed by tdnf/yum/rpm     |                  NO                  |
+| Debian GNU/Linux                 | wheezy, jessie, stretch, buster, bullseye| Installed by apt/apt-get/dpkg |                 YES                  |
 | Ubuntu                           | All versions supported by Canonical      | Installed by apt/apt-get/dpkg |                 YES                  |
 | Distroless[^2]                   | Any                                      | Installed by apt/apt-get/dpkg |                 YES                  |
 

docs/vulnerability/examples/cache.md

@@ -41,3 +41,14 @@ Two options:
 ```
 $ trivy server --cache-backend redis://localhost:6379
 ```
+
+Trivy also support for connecting to Redis using TLS, you only need to specify `--redis-ca` , `--redis-cert` , and `--redis-key` option.
+
+```
+$ trivy server --cache-backend redis://localhost:6379 \
+  --redis-ca /path/to/ca-cert.pem \
+  --redis-cert /path/to/cert.pem \
+  --redis-key /path/to/key.pem
+```
+
+TLS option for redis is hidden from Trivy command-line flag, but you still can use it.

docs/vulnerability/examples/db.md

@@ -36,39 +36,3 @@ This is useful to initialize workers in Continuous Integration systems.
 ```
 $ trivy image --download-db-only
 ```
-
-## Lightweight DB
-The lightweight DB doesn't contain vulnerability detail such as descriptions and references. Because of that, the size of the DB is smaller and the download is faster.
-
-This option is useful when you don't need vulnerability details and is suitable for CI/CD.
-To find the additional information, you can search vulnerability details on the NVD website.
-https://nvd.nist.gov/vuln/search
-
-```
-$ trivy image --light alpine:3.10
-```
-
-`--light` option doesn't display titles like the following example.
-
-<details>
-<summary>Result</summary>
-
-```
-2019-11-14T10:21:01.553+0200    INFO    Reopening vulnerability DB
-2019-11-14T10:21:02.574+0200    INFO    Detecting Alpine vulnerabilities...
-
-alpine:3.10 (alpine 3.10.2)
-===========================
-Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
-
-+---------+------------------+----------+-------------------+---------------+
-| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |
-+---------+------------------+----------+-------------------+---------------+
-| openssl | CVE-2019-1549    | MEDIUM   | 1.1.1c-r0         | 1.1.1d-r0     |
-+         +------------------+          +                   +               +
-|         | CVE-2019-1563    |          |                   |               |
-+         +------------------+----------+                   +               +
-|         | CVE-2019-1547    | LOW      |                   |               |
-+---------+------------------+----------+-------------------+---------------+
-```
-</details>

docs/vulnerability/examples/filter.md

@@ -294,25 +294,60 @@ There is a built-in Rego library with helper functions that you can import into
 To get started, see the [example policy][policy].
 
 ```bash
-$ trivy image --ignore-policy contrib/example_filter/basic.rego centos:7
+$ trivy image --ignore-policy contrib/example_policy/basic.rego centos:7
 ```
 
 <details>
 <summary>Result</summary>
 
 ```bash
-centos:7 (centos 7.8.2003)
+centos:7 (centos 7.9.2009)
 ==========================
-Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+Total: 9 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 4, CRITICAL: 5)
 
-+---------+------------------+----------+-------------------+---------------+--------------------------------+
-| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
-+---------+------------------+----------+-------------------+---------------+--------------------------------+
-| glib2   | CVE-2016-3191    | HIGH     | 2.56.1-5.el7      |               | pcre: workspace overflow       |
-|         |                  |          |                   |               | for (*ACCEPT) with deeply      |
-|         |                  |          |                   |               | nested parentheses (8.39/13,   |
-|         |                  |          |                   |               | 10.22/12)                      |
-+---------+------------------+----------+-------------------+---------------+--------------------------------+
++--------------+------------------+----------+-------------------+-------------------+-----------------------------------------+
+|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |   FIXED VERSION   |                  TITLE                  |
++--------------+------------------+----------+-------------------+-------------------+-----------------------------------------+
+| glib2        | CVE-2015-8385    | HIGH     | 2.56.1-7.el7      |                   | pcre: buffer overflow caused            |
+|              |                  |          |                   |                   | by named forward reference              |
+|              |                  |          |                   |                   | to duplicate group number...            |
+|              |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2015-8385    |
++              +------------------+          +                   +-------------------+-----------------------------------------+
+|              | CVE-2016-3191    |          |                   |                   | pcre: workspace overflow for            |
+|              |                  |          |                   |                   | (*ACCEPT) with deeply nested            |
+|              |                  |          |                   |                   | parentheses (8.39/13, 10.22/12)         |
+|              |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2016-3191    |
++              +------------------+          +                   +-------------------+-----------------------------------------+
+|              | CVE-2021-27219   |          |                   | 2.56.1-9.el7_9    | glib: integer overflow in               |
+|              |                  |          |                   |                   | g_bytes_new function on                 |
+|              |                  |          |                   |                   | 64-bit platforms due to an...           |
+|              |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2021-27219   |
++--------------+------------------+----------+-------------------+-------------------+-----------------------------------------+
+| glibc        | CVE-2019-1010022 | CRITICAL | 2.17-317.el7      |                   | glibc: stack guard protection bypass    |
+|              |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2019-1010022 |
++--------------+                  +          +                   +-------------------+                                         +
+| glibc-common |                  |          |                   |                   |                                         |
+|              |                  |          |                   |                   |                                         |
++--------------+------------------+          +-------------------+-------------------+-----------------------------------------+
+| nss          | CVE-2021-43527   |          | 3.53.1-3.el7_9    | 3.67.0-4.el7_9    | nss: Memory corruption in               |
+|              |                  |          |                   |                   | decodeECorDsaSignature with             |
+|              |                  |          |                   |                   | DSA signatures (and RSA-PSS)            |
+|              |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2021-43527   |
++--------------+                  +          +                   +                   +                                         +
+| nss-sysinit  |                  |          |                   |                   |                                         |
+|              |                  |          |                   |                   |                                         |
+|              |                  |          |                   |                   |                                         |
+|              |                  |          |                   |                   |                                         |
++--------------+                  +          +                   +                   +                                         +
+| nss-tools    |                  |          |                   |                   |                                         |
+|              |                  |          |                   |                   |                                         |
+|              |                  |          |                   |                   |                                         |
+|              |                  |          |                   |                   |                                         |
++--------------+------------------+----------+-------------------+-------------------+-----------------------------------------+
+| openssl-libs | CVE-2020-1971    | HIGH     | 1:1.0.2k-19.el7   | 1:1.0.2k-21.el7_9 | openssl: EDIPARTYNAME                   |
+|              |                  |          |                   |                   | NULL pointer de-reference               |
+|              |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2020-1971    |
++--------------+------------------+----------+-------------------+-------------------+-----------------------------------------+
 ```
 
 </details>

docs/vulnerability/examples/report.md

@@ -136,6 +136,15 @@ $ trivy image -f json -o results.json golang:1.12-alpine
 
 `VulnerabilityID`, `PkgName`, `InstalledVersion`, and `Severity` in `Vulnerabilities` are always filled with values, but other fields might be empty.
 
+## SARIF
+[Sarif][sarif] can be generated with the `--format sarif` option.
+
+```
+$ trivy image --format sarif -o report.sarif  golang:1.12-alpine
+```
+
+This SARIF file can be uploaded to GitHub code scanning results, and there is a [Trivy GitHub Action][action] for automating this process.
+
 ## Template
 
 ### Custom Template
@@ -183,19 +192,16 @@ $ trivy image --format template --template "@/path/to/template" golang:1.12-alpi
 ```
 
 ### Default Templates
+
+If Trivy is installed using rpm then default templates can be found at `/usr/local/share/trivy/templates`.
+
 #### XML
 In the following example using the template `junit.tpl` XML can be generated.
 ```
 $ trivy image --format template --template "@contrib/junit.tpl" -o junit-report.xml  golang:1.12-alpine
 ```
 
-#### SARIF
-In the following example using the template `sarif.tpl` [Sarif][sarif] can be generated.
-```
-$ trivy image --format template --template "@contrib/sarif.tpl" -o report.sarif  golang:1.12-alpine
-```
-This SARIF format can be uploaded to GitHub code scanning results, and there is a [Trivy GitHub Action][action] for automating this process.
-
+#### ASFF
 Trivy also supports an [ASFF template for reporting findings to AWS Security Hub][asff]
 
 #### HTML
@@ -204,6 +210,13 @@ Trivy also supports an [ASFF template for reporting findings to AWS Security Hub
 $ trivy image --format template --template "@contrib/html.tpl" -o report.html golang:1.12-alpine
 ```
 
+The following example shows use of default HTML template when Trivy is installed using rpm.
+
+```
+$ trivy image --format template --template "@/usr/local/share/trivy/templates/html.tpl" -o report.html golang:1.12-alpine
+```
+
+
 [new-json]: https://github.com/aquasecurity/trivy/discussions/1050
 [action]: https://github.com/aquasecurity/trivy-action
 [asff]: https://github.com/aquasecurity/trivy/blob/main/docs/integrations/aws-security-hub.md

docs/vulnerability/scanning/filesystem.md

@@ -47,3 +47,10 @@ Total: 10 (UNKNOWN: 2, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)
 ```
 
 </details>
+
+### Single file
+It's also possible to scan a single file.
+
+```
+$ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test/Pipfile.lock
+```

docs/vulnerability/scanning/image.md

@@ -38,49 +38,52 @@ Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
 ## Tar Files
 
 ```
-$ docker save ruby:2.3.0-alpine3.9 -o ruby-2.3.0.tar
-$ trivy image --input ruby-2.3.0.tar
+$ docker pull ruby:3.1-alpine3.15
+$ docker save ruby:3.1-alpine3.15 -o ruby-3.1.tar
+$ trivy image --input ruby-3.1.tar
 ```
 
 <details>
 <summary>Result</summary>
 
 ```
-2019-05-16T12:45:57.332+0900    INFO    Updating vulnerability database...
-2019-05-16T12:45:59.119+0900    INFO    Detecting Debian vulnerabilities...
+2022-02-03T10:08:19.127Z        INFO    Detected OS: alpine
+2022-02-03T10:08:19.127Z        WARN    This OS version is not on the EOL list: alpine 3.15
+2022-02-03T10:08:19.127Z        INFO    Detecting Alpine vulnerabilities...
+2022-02-03T10:08:19.127Z        INFO    Number of language-specific files: 2
+2022-02-03T10:08:19.127Z        INFO    Detecting gemspec vulnerabilities...
+2022-02-03T10:08:19.128Z        INFO    Detecting node-pkg vulnerabilities...
+2022-02-03T10:08:19.128Z        WARN    This OS version is no longer supported by the distribution: alpine 3.15.0
+2022-02-03T10:08:19.128Z        WARN    The vulnerability detection may be insufficient because security updates are not provided
 
-ruby-2.3.0.tar (debian 8.4)
-===========================
-Total: 7447 (UNKNOWN: 5, LOW: 326, MEDIUM: 5695, HIGH: 1316, CRITICAL: 105)
+ruby-3.1.tar (alpine 3.15.0)
+============================
+Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 0)
 
-+------------------------------+---------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+
-|           LIBRARY            |  VULNERABILITY ID   | SEVERITY |     INSTALLED VERSION      |          FIXED VERSION           |                        TITLE                        |
-+------------------------------+---------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+
-| apt                          | CVE-2019-3462       | CRITICAL | 1.0.9.8.3                  | 1.0.9.8.5                        | Incorrect sanitation of the                         |
-|                              |                     |          |                            |                                  | 302 redirect field in HTTP                          |
-|                              |                     |          |                            |                                  | transport method of...                              |
-+                              +---------------------+----------+                            +----------------------------------+-----------------------------------------------------+
-|                              | CVE-2016-1252       | MEDIUM   |                            | 1.0.9.8.4                        | The apt package in Debian                           |
-|                              |                     |          |                            |                                  | jessie before 1.0.9.8.4, in                         |
-|                              |                     |          |                            |                                  | Debian unstable before...                           |
-+                              +---------------------+----------+                            +----------------------------------+-----------------------------------------------------+
-|                              | CVE-2011-3374       | LOW      |                            |                                  |                                                     |
-+------------------------------+---------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+
-| bash                         | CVE-2016-7543       | HIGH     | 4.3-11                     | 4.3-11+deb8u1                    | bash: Specially crafted                             |
-|                              |                     |          |                            |                                  | SHELLOPTS+PS4 variables allows                      |
-|                              |                     |          |                            |                                  | command substitution                                |
-+                              +---------------------+          +                            +----------------------------------+-----------------------------------------------------+
-|                              | CVE-2019-9924       |          |                            | 4.3-11+deb8u2                    | bash: BASH_CMD is writable in                       |
-|                              |                     |          |                            |                                  | restricted bash shells                              |
-+                              +---------------------+----------+                            +----------------------------------+-----------------------------------------------------+
-|                              | CVE-2016-0634       | MEDIUM   |                            | 4.3-11+deb8u1                    | bash: Arbitrary code execution                      |
-|                              |                     |          |                            |                                  | via malicious hostname                              |
-+                              +---------------------+----------+                            +----------------------------------+-----------------------------------------------------+
-|                              | CVE-2016-9401       | LOW      |                            | 4.3-11+deb8u2                    | bash: popd controlled free                          |
-+                              +---------------------+          +                            +----------------------------------+-----------------------------------------------------+
-|                              | TEMP-0841856-B18BAF |          |                            |                                  |                                                     |
-+------------------------------+---------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------
-...
++----------+------------------+----------+-------------------+---------------+---------------------------------------+
+| LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
++----------+------------------+----------+-------------------+---------------+---------------------------------------+
+| gmp      | CVE-2021-43618   | HIGH     | 6.2.1-r0          | 6.2.1-r1      | gmp: Integer overflow and resultant   |
+|          |                  |          |                   |               | buffer overflow via crafted input     |
+|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-43618 |
++----------+                  +          +                   +               +                                       +
+| gmp-dev  |                  |          |                   |               |                                       |
+|          |                  |          |                   |               |                                       |
+|          |                  |          |                   |               |                                       |
++----------+                  +          +                   +               +                                       +
+| libgmpxx |                  |          |                   |               |                                       |
+|          |                  |          |                   |               |                                       |
+|          |                  |          |                   |               |                                       |
++----------+------------------+----------+-------------------+---------------+---------------------------------------+
+
+Node.js (node-pkg)
+==================
+Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
+
+
+Ruby (gemspec)
+==============
+Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
 ```
 
 </details>

examples/misconf/custom-policy/hcl/policy/full_open.rego

@@ -11,6 +11,6 @@ __rego_input__ := {"selector": [{"type": "hcl"}]}
 
 deny[msg] {
 	input.environment == "dev"
-	contains(input.service.http[name].listen_addr, "0.0.0.0")
+	contains(input.service.http[name][_].listen_addr, "0.0.0.0")
 	msg = sprintf("'%s' listens on 0.0.0.0 in dev environment", [name])
 }

examples/misconf/custom-policy/hcl/policy/full_open_test.rego

@@ -1,39 +1,43 @@
 package user.hcl.ID004
 
 test_denied {
-	msg := "'web_proxy' listens on 0.0.0.0 in dev environment"
 	deny[msg] with input as {
-	    "environment": "dev",
-	    "service": {
-	        "http": {
-	            "web_proxy": {
-	                "listen_addr": "0.0.0.0:8080",
-	                "process": {
-	                    "main": {
-	                        "command": ["/usr/local/bin/awesome-app", "server"],
-	                    },
-	                },
-	            },
-	        },
-	    },
+		"environment": "dev",
+		"service": {"http": {"web_proxy": [{
+			"listen_addr": "0.0.0.0:8080",
+			"process": {
+				"main": [{"command": [
+					"/usr/local/bin/awesome-app",
+					"server",
+				]}],
+				"mgmt": [{"command": [
+					"/usr/local/bin/awesome-app",
+					"mgmt",
+				]}],
+			},
+		}]}},
 	}
+
+	msg == "'web_proxy' listens on 0.0.0.0 in dev environment"
 }
 
 test_allowed {
 	r := deny with input as {
-	    "environment": "dev",
-	    "service": {
-	        "http": {
-	            "web_proxy": {
-	                "listen_addr": "127.0.0.1:8080",
-	                "process": {
-	                    "main": {
-	                        "command": ["/usr/local/bin/awesome-app", "server"],
-	                    },
-	                },
-	            },
-	        },
-	    },
+		"environment": "dev",
+		"service": {"http": {"web_proxy": [{
+			"listen_addr": "127.0.0.1:8080",
+			"process": {
+				"main": [{"command": [
+					"/usr/local/bin/awesome-app",
+					"server",
+				]}],
+				"mgmt": [{"command": [
+					"/usr/local/bin/awesome-app",
+					"mgmt",
+				]}],
+			},
+		}]}},
 	}
+
 	count(r) == 0
 }

examples/misconf/mixed/README.md

@@ -67,7 +67,7 @@ Failures: 8 (HIGH: 6, CRITICAL: 1)
 +                                          +            +                                          +          +--------------------------------------------------------+
 |                                          |            |                                          |          | Resource                                               |
 |                                          |            |                                          |          | 'aws_api_gateway_domain_name.missing_security_policy'  |
-|                                          |            |                                          |          | should include security_policy (defauls to outdated    |
+|                                          |            |                                          |          | should include security_policy (defaults to outdated   |
 |                                          |            |                                          |          | SSL/TLS policy). -->tfsec.dev/docs/aws/AWS025/         |
 +                                          +            +                                          +          +--------------------------------------------------------+
 |                                          |            |                                          |          | Resource                                               |

go.mod

@@ -1,53 +1,197 @@
 module github.com/aquasecurity/trivy
 
-go 1.16
+go 1.17
 
 require (
-	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/CycloneDX/cyclonedx-go v0.4.0
 	github.com/Masterminds/sprig v2.22.0+incompatible
 	github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/fanal v0.0.0-20211130145558-2c76718ef52e
-	github.com/aquasecurity/go-dep-parser v0.0.0-20211110174639-8257534ffed3
+	github.com/aquasecurity/fanal v0.0.0-20220303080309-254063f95ea0
+	github.com/aquasecurity/go-dep-parser v0.0.0-20220302151315-ff6d77c26988
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
 	github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492
-	github.com/aquasecurity/trivy-db v0.0.0-20210916043317-726b7b72a47b
-	github.com/caarlos0/env/v6 v6.0.0
+	github.com/aquasecurity/trivy-db v0.0.0-20220130223604-df65ebde46f4
+	github.com/caarlos0/env/v6 v6.9.1
 	github.com/cenkalti/backoff v2.2.1+incompatible
-	github.com/cheggaaa/pb/v3 v3.0.3
-	github.com/containerd/containerd v1.5.7 // indirect
-	github.com/docker/cli v20.10.9+incompatible // indirect
-	github.com/docker/docker v20.10.10+incompatible
+	github.com/cheggaaa/pb/v3 v3.0.8
+	github.com/docker/docker v20.10.12+incompatible
 	github.com/docker/go-connections v0.4.0
-	github.com/fatih/color v1.10.0
+	github.com/fatih/color v1.13.0
 	github.com/go-redis/redis/v8 v8.11.4
-	github.com/goccy/go-yaml v1.8.2 // indirect
 	github.com/golang/protobuf v1.5.2
-	github.com/google/go-containerregistry v0.6.0
-	github.com/google/go-github/v33 v33.0.0
-	github.com/google/wire v0.4.0
-	github.com/hashicorp/go-getter v1.5.2
-	github.com/huandu/xstrings v1.3.2 // indirect
+	github.com/google/go-containerregistry v0.7.1-0.20211214010025-a65b7844a475
+	github.com/google/uuid v1.3.0
+	github.com/google/wire v0.5.0
+	github.com/hashicorp/go-getter v1.5.11
 	github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
 	github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
 	github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936
 	github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08
-	github.com/mitchellh/copystructure v1.1.1 // indirect
 	github.com/olekukonko/tablewriter v0.0.5
-	github.com/open-policy-agent/opa v0.34.0
-	github.com/spf13/afero v1.6.0
-	github.com/stretchr/objx v0.3.0 // indirect
+	github.com/open-policy-agent/opa v0.37.2
+	github.com/owenrumney/go-sarif/v2 v2.0.17
+	github.com/package-url/packageurl-go v0.1.1-0.20220203205134-d70459300c8a
+	github.com/spf13/afero v1.8.1
 	github.com/stretchr/testify v1.7.0
 	github.com/testcontainers/testcontainers-go v0.11.1
-	github.com/twitchtv/twirp v8.1.0+incompatible
+	github.com/twitchtv/twirp v8.1.1+incompatible
 	github.com/urfave/cli/v2 v2.3.0
-	go.uber.org/zap v1.19.1
-	golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c
+	go.uber.org/zap v1.21.0
+	golang.org/x/sys v0.0.0-20220204135822-1c1b9b1eba6a // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1
 	google.golang.org/protobuf v1.27.1
-	gopkg.in/go-playground/validator.v9 v9.31.0 // indirect
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
 	k8s.io/utils v0.0.0-20201110183641-67b214c5f920
 )
+
+require (
+	cloud.google.com/go v0.99.0 // indirect
+	cloud.google.com/go/storage v1.14.0 // indirect
+	github.com/Azure/azure-sdk-for-go v61.4.0+incompatible // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect
+	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
+	github.com/Azure/go-autorest/autorest v0.11.24 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.18 // indirect
+	github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 // indirect
+	github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 // indirect
+	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
+	github.com/Azure/go-autorest/logger v0.2.1 // indirect
+	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
+	github.com/BurntSushi/toml v1.0.0 // indirect
+	github.com/GoogleCloudPlatform/docker-credential-gcr v1.5.0 // indirect
+	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/Masterminds/semver v1.5.0 // indirect
+	github.com/Microsoft/go-winio v0.5.1 // indirect
+	github.com/Microsoft/hcsshim v0.9.2 // indirect
+	github.com/OneOfOne/xxhash v1.2.8 // indirect
+	github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7 // indirect
+	github.com/VividCortex/ewma v1.1.1 // indirect
+	github.com/acomagu/bufpipe v1.0.3 // indirect
+	github.com/agext/levenshtein v1.2.3 // indirect
+	github.com/apparentlymart/go-cidr v1.1.0 // indirect
+	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
+	github.com/aquasecurity/defsec v0.12.1 // indirect
+	github.com/aquasecurity/tfsec v1.4.1 // indirect
+	github.com/aws/aws-sdk-go v1.43.8 // indirect
+	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
+	github.com/bmatcuk/doublestar v1.3.4 // indirect
+	github.com/briandowns/spinner v1.12.0 // indirect
+	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/containerd/cgroups v1.0.3 // indirect
+	github.com/containerd/containerd v1.5.9 // indirect
+	github.com/containerd/continuity v0.2.2 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.10.1 // indirect
+	github.com/containerd/typeurl v1.0.2 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.1 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
+	github.com/dimchansky/utfbom v1.1.1 // indirect
+	github.com/docker/cli v20.10.11+incompatible // indirect
+	github.com/docker/distribution v2.7.1+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.6.4 // indirect
+	github.com/docker/go-units v0.4.0 // indirect
+	github.com/emirpasic/gods v1.12.0 // indirect
+	github.com/ghodss/yaml v1.0.0 // indirect
+	github.com/go-git/gcfg v1.5.0 // indirect
+	github.com/go-git/go-billy/v5 v5.3.1 // indirect
+	github.com/go-git/go-git/v5 v5.4.2 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
+	github.com/goccy/go-yaml v1.8.2 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt/v4 v4.2.0 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/googleapis/gax-go/v2 v2.1.1 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.0 // indirect
+	github.com/hashicorp/go-safetemp v1.0.0 // indirect
+	github.com/hashicorp/go-uuid v1.0.2 // indirect
+	github.com/hashicorp/go-version v1.4.0 // indirect
+	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/hashicorp/hcl/v2 v2.11.1 // indirect
+	github.com/huandu/xstrings v1.3.2 // indirect
+	github.com/imdario/mergo v0.3.12 // indirect
+	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
+	github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 // indirect
+	github.com/klauspost/compress v1.14.2 // indirect
+	github.com/knqyf263/go-rpmdb v0.0.0-20220209103220-0f7a6d951a6d // indirect
+	github.com/knqyf263/nested v0.0.1 // indirect
+	github.com/liamg/iamgo v0.0.6 // indirect
+	github.com/liamg/jfather v0.0.7 // indirect
+	github.com/mattn/go-colorable v0.1.12 // indirect
+	github.com/mattn/go-isatty v0.0.14 // indirect
+	github.com/mattn/go-runewidth v0.0.12 // indirect
+	github.com/mitchellh/copystructure v1.1.1 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/go-testing-interface v1.0.0 // indirect
+	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/mitchellh/mapstructure v1.4.3 // indirect
+	github.com/mitchellh/reflectwalk v1.0.1 // indirect
+	github.com/moby/buildkit v0.9.3 // indirect
+	github.com/moby/sys/mount v0.2.0 // indirect
+	github.com/moby/sys/mountinfo v0.6.0 // indirect
+	github.com/moby/term v0.0.0-20201216013528-df9cb8a40635 // indirect
+	github.com/morikuni/aec v1.0.0 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.0.2 // indirect
+	github.com/opencontainers/runc v1.1.0 // indirect
+	github.com/owenrumney/squealer v0.3.1 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
+	github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0 // indirect
+	github.com/rivo/uniseg v0.2.0 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/saracen/walker v0.0.0-20191201085201-324a081bae7e // indirect
+	github.com/sergi/go-diff v1.1.0 // indirect
+	github.com/sirupsen/logrus v1.8.1 // indirect
+	github.com/stretchr/objx v0.3.0 // indirect
+	github.com/tmccombs/hcl2json v0.3.3 // indirect
+	github.com/ulikunitz/xz v0.5.8 // indirect
+	github.com/vbatts/tar-split v0.11.2 // indirect
+	github.com/xanzy/ssh-agent v0.3.0 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	github.com/yashtewari/glob-intersection v0.0.0-20180916065949-5c77d914dd0b // indirect
+	github.com/zclconf/go-cty v1.10.0 // indirect
+	github.com/zclconf/go-cty-yaml v1.0.2 // indirect
+	go.etcd.io/bbolt v1.3.6 // indirect
+	go.opencensus.io v0.23.0 // indirect
+	go.uber.org/atomic v1.7.0 // indirect
+	go.uber.org/multierr v1.6.0 // indirect
+	golang.org/x/crypto v0.0.0-20220208233918-bba287dce954 // indirect
+	golang.org/x/mod v0.6.0-dev.0.20211013180041-c96bc1413d57 // indirect
+	golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd // indirect
+	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
+	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
+	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/tools v0.1.8 // indirect
+	google.golang.org/api v0.62.0 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/genproto v0.0.0-20220204002441-d6cc3cc0770e // indirect
+	google.golang.org/grpc v1.44.0 // indirect
+	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
+	gopkg.in/go-playground/validator.v9 v9.31.0 // indirect
+	gopkg.in/warnings.v0 v0.1.2 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	lukechampine.com/uint128 v1.1.1 // indirect
+	modernc.org/cc/v3 v3.35.22 // indirect
+	modernc.org/ccgo/v3 v3.15.1 // indirect
+	modernc.org/libc v1.14.1 // indirect
+	modernc.org/mathutil v1.4.1 // indirect
+	modernc.org/memory v1.0.5 // indirect
+	modernc.org/opt v0.1.1 // indirect
+	modernc.org/sqlite v1.14.5 // indirect
+	modernc.org/strutil v1.1.1 // indirect
+	modernc.org/token v1.0.0 // indirect
+	sigs.k8s.io/yaml v1.3.0 // indirect
+)
+
+// To resolve CVE-2021-3538. Note that it is used only for testing.
+replace github.com/satori/go.uuid v1.2.0 => github.com/satori/go.uuid v1.2.1-0.20181016170032-d91630c85102

goreleaser.yml

@@ -13,19 +13,22 @@ builds:
       - darwin
       - linux
       - freebsd
-      - openbsd
     goarch:
       - amd64
       - 386
       - arm
       - arm64
-      - ppc64le
       - s390x
     goarm:
       - 7
     ignore:
       - goos: darwin
         goarch: 386
+      # modernc.org/sqlite doesn't support the following pairs
+      - goos: freebsd
+        goarch: arm
+      - goos: freebsd
+        goarch: arm64
 
 release:
     extra_files:
@@ -140,29 +143,59 @@ dockers:
       - "--platform=linux/arm64"
     extra_files:
     - contrib/
+  - image_templates:
+      - "docker.io/aquasec/trivy:{{ .Version }}-s390x"
+      - "docker.io/aquasec/trivy:latest-s390x"
+      - "ghcr.io/aquasecurity/trivy:{{ .Version }}-s390x"
+      - "ghcr.io/aquasecurity/trivy:latest-s390x"
+      - "public.ecr.aws/aquasecurity/trivy:latest-s390x"
+      - "public.ecr.aws/aquasecurity/trivy:{{ .Version }}-s390x"
+    use: buildx
+    goos: linux
+    goarch: s390x
+    ids:
+      - trivy
+    build_flag_templates:
+      - "--label=org.label-schema.schema-version=1.0"
+      - "--label=org.label-schema.name={{ .ProjectName }}"
+      - "--label=org.label-schema.description=A Fast Vulnerability Scanner for Containers"
+      - "--label=org.label-schema.vendor=Aqua Security"
+      - "--label=org.label-schema.version={{ .Version }}"
+      - "--label=org.label-schema.build-date={{ .Date }}"
+      - "--label=org.label-schema.vcs=https://github.com/aquasecurity/trivy"
+      - "--label=org.label-schema.vcs-ref={{ .FullCommit }}"
+      - "--platform=linux/s390x"
+    extra_files:
+    - contrib/
 
 docker_manifests:
   - name_template: 'aquasec/trivy:{{ .Version }}'
     image_templates:
     - 'aquasec/trivy:{{ .Version }}-amd64'
     - 'aquasec/trivy:{{ .Version }}-arm64'
+    - 'aquasec/trivy:{{ .Version }}-s390x'
   - name_template: 'ghcr.io/aquasecurity/trivy:{{ .Version }}'
     image_templates:
     - 'ghcr.io/aquasecurity/trivy:{{ .Version }}-amd64'
     - 'ghcr.io/aquasecurity/trivy:{{ .Version }}-arm64'
+    - 'ghcr.io/aquasecurity/trivy:{{ .Version }}-s390x'
   - name_template: 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}'
     image_templates:
     - 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-amd64'
     - 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-arm64'
+    - 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-s390x'
   - name_template: 'aquasec/trivy:latest'
     image_templates:
     - 'aquasec/trivy:{{ .Version }}-amd64'
     - 'aquasec/trivy:{{ .Version }}-arm64'
+    - 'aquasec/trivy:{{ .Version }}-s390x'
   - name_template: 'ghcr.io/aquasecurity/trivy:latest'
     image_templates:
     - 'ghcr.io/aquasecurity/trivy:{{ .Version }}-amd64'
     - 'ghcr.io/aquasecurity/trivy:{{ .Version }}-arm64'
+    - 'ghcr.io/aquasecurity/trivy:{{ .Version }}-s390x'
   - name_template: 'public.ecr.aws/aquasecurity/trivy:latest'
     image_templates: 
     - 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-amd64'
     - 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-arm64'
+    - 'public.ecr.aws/aquasecurity/trivy:{{ .Version }}-s390x'

helm/trivy/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: trivy
-version: 0.4.7
-appVersion: "0.21.0"
+version: 0.4.11
+appVersion: 0.24.0
 description: Trivy helm chart
 keywords:
   - scanner

helm/trivy/README.md

@@ -64,6 +64,10 @@ The following table lists the configurable parameters of the Trivy chart and the
 | `replicaCount`                        | Number of Trivy Pods to run                                   | `1`            |
 | `trivy.debugMode`             | The flag to enable or disable Trivy debug mode                          | `false` |
 | `trivy.gitHubToken`           | The GitHub access token to download Trivy DB. More info: https://github.com/aquasecurity/trivy#github-rate-limiting                          |      |
+| `trivy.registryUsername`              | The username used to log in at dockerhub. More info: https://aquasecurity.github.io/trivy/dev/advanced/private-registries/docker-hub/ |      |
+| `trivy.registryPassword`              | The password used to log in at dockerhub. More info: https://aquasecurity.github.io/trivy/dev/advanced/private-registries/docker-hub/ |      |
+| `trivy.registryCredentialsExistingSecret` | Name of Secret containing dockerhub credentials. Alternative to the 2 parameters above, has precedence if set.                    |      |
+| `trivy.serviceAccount.annotations`        | Additional annotations to add to the Kubernetes service account resource |     |
 | `trivy.skipUpdate`            | The flag to enable or disable Trivy DB downloads from GitHub            | `false`        |
 | `trivy.cache.redis.enabled`           | Enable Redis as caching backend                                         | `false` |
 | `trivy.cache.redis.url`               | Specify redis connection url, e.g. redis://redis.redis.svc:6379         | `` |

helm/trivy/templates/_helpers.tpl

@@ -50,6 +50,6 @@ Return the proper imageRef as used by the container template spec.
 {{- define "trivy.imageRef" -}}
 {{- $registryName := .Values.image.registry -}}
 {{- $repositoryName := .Values.image.repository -}}
-{{- $tag := .Values.image.tag | toString -}}
+{{- $tag := .Values.image.tag | default .Chart.AppVersion | toString -}}
 {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
 {{- end -}}

helm/trivy/templates/configmap.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "trivy.fullname" . }}
+  labels:
+{{ include "trivy.labels" . | indent 4 }}
+data:
+  TRIVY_LISTEN: "0.0.0.0:{{ .Values.service.port }}"
+  TRIVY_CACHE_DIR: "/home/scanner/.cache/trivy"
+{{- if .Values.trivy.cache.redis.enabled }}
+  TRIVY_CACHE_BACKEND: {{ .Values.trivy.cache.redis.url | quote }}
+{{- end }}
+  TRIVY_DEBUG: {{ .Values.trivy.debugMode | quote }}
+  TRIVY_SKIP_UPDATE: {{ .Values.trivy.skipUpdate | quote }}
+{{- if .Values.httpProxy }}
+  HTTP_PROXY: {{ .Values.httpProxy | quote }}
+{{- end }}
+{{- if .Values.httpsProxy }}
+  HTTPS_PROXY: {{ .Values.httpsProxy | quote }}
+{{- end }}
+{{- if .Values.noProxy }}
+  NO_PROXY: {{ .Values.noProxy | quote }}
+{{- end }}

helm/trivy/templates/secret.yaml

@@ -6,4 +6,8 @@ metadata:
 {{ include "trivy.labels" . | indent 4 }}
 type: Opaque
 data:
-  gitHubToken: {{ .Values.trivy.gitHubToken | default "" | b64enc | quote }}
+  GITHUB_TOKEN: {{ .Values.trivy.gitHubToken | default "" | b64enc | quote }}
+{{- if not .Values.trivy.registryCredentialsExistingSecret }}
+  TRIVY_USERNAME: {{ .Values.trivy.registryUsername | default "" | b64enc | quote }}
+  TRIVY_PASSWORD: {{ .Values.trivy.registryPassword | default "" | b64enc | quote }}
+{{- end -}}

helm/trivy/templates/serviceaccount.yaml

@@ -4,4 +4,8 @@ metadata:
   name: {{ include "trivy.fullname" . }}
   labels:
 {{ include "trivy.labels" . | indent 4 }}
+{{- if (.Values.trivy.serviceAccount).annotations }}
+  annotations:
+{{ toYaml .Values.trivy.serviceAccount.annotations | indent 8 }}
+{{- end }}
   namespace: {{ .Release.Namespace }}

helm/trivy/templates/statefulset.yaml

@@ -4,6 +4,9 @@ metadata:
   name: {{ include "trivy.fullname" . }}
   labels:
 {{ include "trivy.labels" . | indent 4 }}
+    {{- with .Values.trivy.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 spec:
   podManagementPolicy: "Parallel"
   serviceName: {{ include "trivy.fullname" . }}
@@ -29,6 +32,9 @@ spec:
       labels:
         app.kubernetes.io/name: {{ include "trivy.name" . }}
         app.kubernetes.io/instance: {{ .Release.Name }}
+        {{- with .Values.trivy.labels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
     spec:
       serviceAccountName: {{ include "trivy.fullname" . }}
       automountServiceAccountToken: false
@@ -62,30 +68,24 @@ spec:
           {{- end }}
           args:
             - server
+          {{- if .Values.trivy.registryCredentialsExistingSecret }}
           env:
-            - name: "TRIVY_LISTEN"
-              value: "0.0.0.0:{{ .Values.service.port | default 4954 }}"
-            - name: "TRIVY_CACHE_DIR"
-              value: "/home/scanner/.cache/trivy"
-            {{- if .Values.trivy.cache.redis.enabled }}
-            - name: "TRIVY_CACHE_BACKEND"
-              value: {{ .Values.trivy.cache.redis.url | quote }}
-            {{- end }}
-            - name: "TRIVY_DEBUG"
-              value: {{ .Values.trivy.debugMode | default false | quote }}
-            - name: "TRIVY_SKIP_UPDATE"
-              value: {{ .Values.trivy.skipUpdate | default false | quote }}
-            - name: "GITHUB_TOKEN"
+            - name: TRIVY_USERNAME
               valueFrom:
                 secretKeyRef:
-                  name: {{ include "trivy.fullname" . }}
-                  key: gitHubToken
-            - name: "HTTP_PROXY"
-              value: {{ .Values.httpProxy | quote }}
-            - name: "HTTPS_PROXY"
-              value: {{ .Values.httpsProxy | quote }}
-            - name: "NO_PROXY"
-              value: {{ .Values.noProxy | quote }}
+                  name: {{ .Values.trivy.registryCredentialsExistingSecret }}
+                  key: TRIVY_USERNAME
+            - name: TRIVY_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.trivy.registryCredentialsExistingSecret }}
+                  key: TRIVY_PASSWORD
+          {{- end }}
+          envFrom:
+            - configMapRef:
+                name: {{ include "trivy.fullname" . }}
+            - secretRef:
+                name: {{ include "trivy.fullname" . }}
           ports:
             - name: trivy-http
               containerPort: {{ .Values.service.port }}

helm/trivy/values.yaml

@@ -4,7 +4,9 @@ fullnameOverride: ""
 image:
   registry: docker.io
   repository: aquasec/trivy
-  tag: 0.21.0
+  # tag is an override of the image tag, which is by default set by the
+  # appVersion field in Chart.yaml.
+  tag: ""
   pullPolicy: IfNotPresent
   pullSecret: ""
 
@@ -68,6 +70,24 @@ trivy:
   # You can create a GitHub token by following the instructions in
   # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
   gitHubToken: ""
+  # Docker registry credentials
+  # See also: https://aquasecurity.github.io/trivy/dev/advanced/private-registries/docker-hub/
+  #
+  # Either
+  # Directly in this file
+  #
+  # TRIVY_USERNAME
+  registryUsername: ""
+  # TRIVY_PASSWORD
+  registryPassword: ""
+  #
+  # Or
+  # From an existing secret
+  #
+  # The secret must be Opaque and just contain "TRIVY_USERNAME: your_user" and "TRIVY_PASSWORD: your_password" as k/v pairs.
+  # NOTE: When this is set the previous parameters are ignored.
+  #
+  # registryCredentialsExistingSecret: name-of-existing-secret
   # skipUpdate the flag to enable or disable Trivy DB downloads from GitHub
   #
   # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
@@ -86,6 +106,11 @@ trivy:
     redis:
       enabled: false
       url: ""  # e.g. redis://redis.redis.svc:6379
+  serviceAccount:
+    annotations: {}
+      # eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME
+  # If you want to add custom labels to your statefulset and podTemplate
+  labels: {}
 
 service:
   # type Kubernetes service type

integration/client_server_test.go

@@ -5,6 +5,7 @@ package integration
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"io"
 	"os"
@@ -13,6 +14,7 @@ import (
 	"testing"
 	"time"
 
+	cdx "github.com/CycloneDX/cyclonedx-go"
 	"github.com/docker/go-connections/nat"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -32,6 +34,7 @@ type csArgs struct {
 	Input             string
 	ClientToken       string
 	ClientTokenHeader string
+	ListAllPackages   bool
 }
 
 func TestClientServer(t *testing.T) {
@@ -42,54 +45,46 @@ func TestClientServer(t *testing.T) {
 		wantErr string
 	}{
 		{
-			name: "alpine 3.10 integration",
-			args: csArgs{
-				Input: "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310.json.golden",
-		},
-		{
-			name: "alpine 3.10 integration with --ignore-unfixed option",
-			args: csArgs{
-				IgnoreUnfixed: true,
-				Input:         "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310-ignore-unfixed.json.golden",
-		},
-		{
-			name: "alpine 3.10 integration with medium and high severity",
-			args: csArgs{
-				IgnoreUnfixed: true,
-				Severity:      []string{"MEDIUM", "HIGH"},
-				Input:         "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310-medium-high.json.golden",
-		},
-		{
-			name: "alpine 3.10 integration with .trivyignore",
-			args: csArgs{
-				IgnoreUnfixed: false,
-				IgnoreIDs:     []string{"CVE-2019-1549", "CVE-2019-1563"},
-				Input:         "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310-ignore-cveids.json.golden",
-		},
-		{
-			name: "alpine 3.9 integration",
+			name: "alpine 3.9",
 			args: csArgs{
 				Input: "testdata/fixtures/images/alpine-39.tar.gz",
 			},
 			golden: "testdata/alpine-39.json.golden",
 		},
 		{
-			name: "debian buster integration",
+			name: "alpine 3.9 with high and critical severity",
+			args: csArgs{
+				IgnoreUnfixed: true,
+				Severity:      []string{"HIGH", "CRITICAL"},
+				Input:         "testdata/fixtures/images/alpine-39.tar.gz",
+			},
+			golden: "testdata/alpine-39-high-critical.json.golden",
+		},
+		{
+			name: "alpine 3.9 with .trivyignore",
+			args: csArgs{
+				IgnoreUnfixed: false,
+				IgnoreIDs:     []string{"CVE-2019-1549", "CVE-2019-14697"},
+				Input:         "testdata/fixtures/images/alpine-39.tar.gz",
+			},
+			golden: "testdata/alpine-39-ignore-cveids.json.golden",
+		},
+		{
+			name: "alpine 3.10",
+			args: csArgs{
+				Input: "testdata/fixtures/images/alpine-310.tar.gz",
+			},
+			golden: "testdata/alpine-310.json.golden",
+		},
+		{
+			name: "debian buster/10",
 			args: csArgs{
 				Input: "testdata/fixtures/images/debian-buster.tar.gz",
 			},
 			golden: "testdata/debian-buster.json.golden",
 		},
 		{
-			name: "debian buster integration with --ignore-unfixed option",
+			name: "debian buster/10 with --ignore-unfixed option",
 			args: csArgs{
 				IgnoreUnfixed: true,
 				Input:         "testdata/fixtures/images/debian-buster.tar.gz",
@@ -97,43 +92,28 @@ func TestClientServer(t *testing.T) {
 			golden: "testdata/debian-buster-ignore-unfixed.json.golden",
 		},
 		{
-			name: "debian stretch integration",
+			name: "debian stretch/9",
 			args: csArgs{
 				Input: "testdata/fixtures/images/debian-stretch.tar.gz",
 			},
 			golden: "testdata/debian-stretch.json.golden",
 		},
 		{
-			name: "ubuntu 18.04 integration",
+			name: "ubuntu 18.04",
 			args: csArgs{
 				Input: "testdata/fixtures/images/ubuntu-1804.tar.gz",
 			},
 			golden: "testdata/ubuntu-1804.json.golden",
 		},
 		{
-			name: "ubuntu 18.04 integration with --ignore-unfixed option",
-			args: csArgs{
-				IgnoreUnfixed: true,
-				Input:         "testdata/fixtures/images/ubuntu-1804.tar.gz",
-			},
-			golden: "testdata/ubuntu-1804-ignore-unfixed.json.golden",
-		},
-		{
-			name: "ubuntu 16.04 integration",
-			args: csArgs{
-				Input: "testdata/fixtures/images/ubuntu-1604.tar.gz",
-			},
-			golden: "testdata/ubuntu-1604.json.golden",
-		},
-		{
-			name: "centos 7 integration",
+			name: "centos 7",
 			args: csArgs{
 				Input: "testdata/fixtures/images/centos-7.tar.gz",
 			},
 			golden: "testdata/centos-7.json.golden",
 		},
 		{
-			name: "centos 7 integration with --ignore-unfixed option",
+			name: "centos 7 with --ignore-unfixed option",
 			args: csArgs{
 				IgnoreUnfixed: true,
 				Input:         "testdata/fixtures/images/centos-7.tar.gz",
@@ -141,122 +121,100 @@ func TestClientServer(t *testing.T) {
 			golden: "testdata/centos-7-ignore-unfixed.json.golden",
 		},
 		{
-			name: "centos 7 integration with low and high severity",
+			name: "centos 7 with medium severity",
 			args: csArgs{
 				IgnoreUnfixed: true,
-				Severity:      []string{"LOW", "HIGH"},
+				Severity:      []string{"MEDIUM"},
 				Input:         "testdata/fixtures/images/centos-7.tar.gz",
 			},
-			golden: "testdata/centos-7-low-high.json.golden",
+			golden: "testdata/centos-7-medium.json.golden",
 		},
 		{
-			name: "centos 6 integration",
+			name: "centos 6",
 			args: csArgs{
 				Input: "testdata/fixtures/images/centos-6.tar.gz",
 			},
 			golden: "testdata/centos-6.json.golden",
 		},
 		{
-			name: "ubi 7 integration",
+			name: "ubi 7",
 			args: csArgs{
 				Input: "testdata/fixtures/images/ubi-7.tar.gz",
 			},
 			golden: "testdata/ubi-7.json.golden",
 		},
 		{
-			name: "distroless base integration",
+			name: "almalinux 8",
+			args: csArgs{
+				Input: "testdata/fixtures/images/almalinux-8.tar.gz",
+			},
+			golden: "testdata/almalinux-8.json.golden",
+		},
+		{
+			name: "rocky linux 8",
+			args: csArgs{
+				Input: "testdata/fixtures/images/rockylinux-8.tar.gz",
+			},
+			golden: "testdata/rockylinux-8.json.golden",
+		},
+		{
+			name: "distroless base",
 			args: csArgs{
 				Input: "testdata/fixtures/images/distroless-base.tar.gz",
 			},
 			golden: "testdata/distroless-base.json.golden",
 		},
 		{
-			name: "distroless base integration with --ignore-unfixed option",
-			args: csArgs{
-				IgnoreUnfixed: true,
-				Input:         "testdata/fixtures/images/distroless-base.tar.gz",
-			},
-			golden: "testdata/distroless-base-ignore-unfixed.json.golden",
-		},
-		{
-			name: "distroless python27 integration",
+			name: "distroless python27",
 			args: csArgs{
 				Input: "testdata/fixtures/images/distroless-python27.tar.gz",
 			},
 			golden: "testdata/distroless-python27.json.golden",
 		},
 		{
-			name: "amazon 1 integration",
+			name: "amazon 1",
 			args: csArgs{
 				Input: "testdata/fixtures/images/amazon-1.tar.gz",
 			},
 			golden: "testdata/amazon-1.json.golden",
 		},
 		{
-			name: "amazon 2 integration",
+			name: "amazon 2",
 			args: csArgs{
 				Input: "testdata/fixtures/images/amazon-2.tar.gz",
 			},
 			golden: "testdata/amazon-2.json.golden",
 		},
 		{
-			name: "oracle 6 integration",
-			args: csArgs{
-				Input: "testdata/fixtures/images/oraclelinux-6-slim.tar.gz",
-			},
-			golden: "testdata/oraclelinux-6-slim.json.golden",
-		},
-		{
-			name: "oracle 7 integration",
-			args: csArgs{
-				Input: "testdata/fixtures/images/oraclelinux-7-slim.tar.gz",
-			},
-			golden: "testdata/oraclelinux-7-slim.json.golden",
-		},
-		{
-			name: "oracle 8 integration",
+			name: "oracle 8",
 			args: csArgs{
 				Input: "testdata/fixtures/images/oraclelinux-8-slim.tar.gz",
 			},
 			golden: "testdata/oraclelinux-8-slim.json.golden",
 		},
 		{
-			name: "opensuse leap 15.1 integration",
+			name: "opensuse leap 15.1",
 			args: csArgs{
 				Input: "testdata/fixtures/images/opensuse-leap-151.tar.gz",
 			},
 			golden: "testdata/opensuse-leap-151.json.golden",
 		},
 		{
-			name: "opensuse leap 42.3 integration",
-			args: csArgs{
-				Input: "testdata/fixtures/images/opensuse-leap-423.tar.gz",
-			},
-			golden: "testdata/opensuse-leap-423.json.golden",
-		},
-		{
-			name: "photon 1.0 integration",
-			args: csArgs{
-				Input: "testdata/fixtures/images/photon-10.tar.gz",
-			},
-			golden: "testdata/photon-10.json.golden",
-		},
-		{
-			name: "photon 2.0 integration",
-			args: csArgs{
-				Input: "testdata/fixtures/images/photon-20.tar.gz",
-			},
-			golden: "testdata/photon-20.json.golden",
-		},
-		{
-			name: "photon 3.0 integration",
+			name: "photon 3.0",
 			args: csArgs{
 				Input: "testdata/fixtures/images/photon-30.tar.gz",
 			},
 			golden: "testdata/photon-30.json.golden",
 		},
 		{
-			name: "buxybox with Cargo.lock integration",
+			name: "CBL-Mariner 1.0",
+			args: csArgs{
+				Input: "testdata/fixtures/images/mariner-1.0.tar.gz",
+			},
+			golden: "testdata/mariner-1.0.json.golden",
+		},
+		{
+			name: "buxybox with Cargo.lock",
 			args: csArgs{
 				Input: "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
 			},
@@ -286,7 +244,7 @@ func TestClientServerWithTemplate(t *testing.T) {
 		golden string
 	}{
 		{
-			name: "alpine 3.10 integration with gitlab template",
+			name: "alpine 3.10 with gitlab template",
 			args: csArgs{
 				Format:       "template",
 				TemplatePath: "@../contrib/gitlab.tpl",
@@ -295,7 +253,7 @@ func TestClientServerWithTemplate(t *testing.T) {
 			golden: "testdata/alpine-310.gitlab.golden",
 		},
 		{
-			name: "alpine 3.10 integration with gitlab-codequality template",
+			name: "alpine 3.10 with gitlab-codequality template",
 			args: csArgs{
 				Format:       "template",
 				TemplatePath: "@../contrib/gitlab-codequality.tpl",
@@ -304,16 +262,15 @@ func TestClientServerWithTemplate(t *testing.T) {
 			golden: "testdata/alpine-310.gitlab-codequality.golden",
 		},
 		{
-			name: "alpine 3.10 integration with sarif template",
+			name: "alpine 3.10 with sarif format",
 			args: csArgs{
-				Format:       "template",
-				TemplatePath: "@../contrib/sarif.tpl",
-				Input:        "testdata/fixtures/images/alpine-310.tar.gz",
+				Format: "sarif",
+				Input:  "testdata/fixtures/images/alpine-310.tar.gz",
 			},
 			golden: "testdata/alpine-310.sarif.golden",
 		},
 		{
-			name: "alpine 3.10 integration with ASFF template",
+			name: "alpine 3.10 with ASFF template",
 			args: csArgs{
 				Format:       "template",
 				TemplatePath: "@../contrib/asff.tpl",
@@ -322,7 +279,7 @@ func TestClientServerWithTemplate(t *testing.T) {
 			golden: "testdata/alpine-310.asff.golden",
 		},
 		{
-			name: "alpine 3.10 integration with html template",
+			name: "alpine 3.10 with html template",
 			args: csArgs{
 				Format:       "template",
 				TemplatePath: "@../contrib/html.tpl",
@@ -332,13 +289,23 @@ func TestClientServerWithTemplate(t *testing.T) {
 		},
 	}
 
+	report.CustomTemplateFuncMap = map[string]interface{}{
+		"now": func() time.Time {
+			return time.Date(2020, 8, 10, 7, 28, 17, 958601, time.UTC)
+		},
+		"date": func(format string, t time.Time) string {
+			return t.Format(format)
+		},
+	}
+
+	t.Cleanup(func() {
+		report.CustomTemplateFuncMap = map[string]interface{}{}
+	})
+
 	app, addr, cacheDir := setup(t, setupOptions{})
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			report.Now = func() time.Time {
-				return time.Date(2020, 8, 10, 7, 28, 17, 958601, time.UTC)
-			}
 			t.Setenv("AWS_REGION", "test-region")
 			t.Setenv("AWS_ACCOUNT_ID", "123456789012")
 			osArgs, outputFile := setupClient(t, tt.args, addr, cacheDir, tt.golden)
@@ -358,6 +325,55 @@ func TestClientServerWithTemplate(t *testing.T) {
 	}
 }
 
+func TestClientServerWithCycloneDX(t *testing.T) {
+	tests := []struct {
+		name                  string
+		args                  csArgs
+		wantComponentsCount   int
+		wantDependenciesCount int
+		wantDependsOnCount    []int
+	}{
+		{
+			name: "fluentd with RubyGems with CycloneDX format",
+			args: csArgs{
+				Format: "cyclonedx",
+				Input:  "testdata/fixtures/images/fluentd-multiple-lockfiles.tar.gz",
+			},
+			wantComponentsCount:   161,
+			wantDependenciesCount: 2,
+			wantDependsOnCount: []int{
+				105,
+				56,
+			},
+		},
+	}
+
+	app, addr, cacheDir := setup(t, setupOptions{})
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			osArgs, outputFile := setupClient(t, tt.args, addr, cacheDir, "")
+
+			// Run Trivy client
+			err := app.Run(osArgs)
+			require.NoError(t, err)
+
+			f, err := os.Open(outputFile)
+			require.NoError(t, err)
+			defer f.Close()
+
+			var got cdx.BOM
+			err = json.NewDecoder(f).Decode(&got)
+			require.NoError(t, err)
+
+			assert.EqualValues(t, tt.wantComponentsCount, len(*got.Components))
+			assert.EqualValues(t, tt.wantDependenciesCount, len(*got.Dependencies))
+			for i, dep := range *got.Dependencies {
+				assert.EqualValues(t, tt.wantDependsOnCount[i], len(*dep.Dependencies))
+			}
+		})
+	}
+}
+
 func TestClientServerWithToken(t *testing.T) {
 	cases := []struct {
 		name    string
@@ -366,13 +382,13 @@ func TestClientServerWithToken(t *testing.T) {
 		wantErr string
 	}{
 		{
-			name: "alpine 3.10 integration with token",
+			name: "alpine 3.9 with token",
 			args: csArgs{
-				Input:             "testdata/fixtures/images/alpine-310.tar.gz",
+				Input:             "testdata/fixtures/images/alpine-39.tar.gz",
 				ClientToken:       "token",
 				ClientTokenHeader: "Trivy-Token",
 			},
-			golden: "testdata/alpine-310.json.golden",
+			golden: "testdata/alpine-39.json.golden",
 		},
 		{
 			name: "invalid token",
@@ -387,8 +403,8 @@ func TestClientServerWithToken(t *testing.T) {
 			name: "invalid token header",
 			args: csArgs{
 				Input:             "testdata/fixtures/images/distroless-base.tar.gz",
-				ClientToken:       "valid-token",
-				ClientTokenHeader: "Trivy-Token",
+				ClientToken:       "token",
+				ClientTokenHeader: "Unknown-Header",
 			},
 			wantErr: "twirp error unauthenticated: invalid token",
 		},
@@ -428,15 +444,15 @@ func TestClientServerWithRedis(t *testing.T) {
 
 	// Set up Trivy server
 	app, addr, cacheDir := setup(t, setupOptions{cacheBackend: addr})
-	defer os.RemoveAll(cacheDir)
+	t.Cleanup(func() { os.RemoveAll(cacheDir) })
 
 	// Test parameters
 	testArgs := csArgs{
-		Input: "testdata/fixtures/images/centos-7.tar.gz",
+		Input: "testdata/fixtures/images/alpine-39.tar.gz",
 	}
-	golden := "testdata/centos-7.json.golden"
+	golden := "testdata/alpine-39.json.golden"
 
-	t.Run("centos 7", func(t *testing.T) {
+	t.Run("alpine 3.9", func(t *testing.T) {
 		osArgs, outputFile := setupClient(t, testArgs, addr, cacheDir, golden)
 
 		// Run Trivy client
@@ -470,7 +486,7 @@ func setup(t *testing.T, options setupOptions) (*cli.App, string, string) {
 	version := "dev"
 
 	// Set up testing DB
-	cacheDir := gunzipDB(t)
+	cacheDir := initDB(t)
 
 	port, err := getFreePort()
 	assert.NoError(t, err)
@@ -526,7 +542,7 @@ func setupClient(t *testing.T, c csArgs, addr string, cacheDir string, golden st
 	}
 	if len(c.Severity) != 0 {
 		osArgs = append(osArgs,
-			[]string{"--severity", strings.Join(c.Severity, ",")}...,
+			"--severity", strings.Join(c.Severity, ","),
 		)
 	}
 
@@ -534,22 +550,22 @@ func setupClient(t *testing.T, c csArgs, addr string, cacheDir string, golden st
 		trivyIgnore := filepath.Join(t.TempDir(), ".trivyignore")
 		err := os.WriteFile(trivyIgnore, []byte(strings.Join(c.IgnoreIDs, "\n")), 0444)
 		require.NoError(t, err, "failed to write .trivyignore")
-		osArgs = append(osArgs, []string{"--ignorefile", trivyIgnore}...)
+		osArgs = append(osArgs, "--ignorefile", trivyIgnore)
 	}
 	if c.ClientToken != "" {
-		osArgs = append(osArgs, []string{"--token", c.ClientToken, "--token-header", c.ClientTokenHeader}...)
+		osArgs = append(osArgs, "--token", c.ClientToken, "--token-header", c.ClientTokenHeader)
 	}
 	if c.Input != "" {
-		osArgs = append(osArgs, []string{"--input", c.Input}...)
+		osArgs = append(osArgs, "--input", c.Input)
 	}
 
-	// Setup the output file
+	// Set up the output file
 	outputFile := filepath.Join(t.TempDir(), "output.json")
 	if *update {
 		outputFile = golden
 	}
 
-	osArgs = append(osArgs, []string{"--output", outputFile}...)
+	osArgs = append(osArgs, "--output", outputFile)
 
 	return osArgs, outputFile
 }

integration/docker/docker.go

@@ -1,116 +0,0 @@
-package docker
-
-import (
-	"context"
-	"encoding/base64"
-	"encoding/json"
-	"fmt"
-	"io"
-	"net/url"
-	"os"
-
-	"github.com/docker/docker/client"
-
-	"github.com/docker/docker/api/types"
-)
-
-// RegistryConfig holds the config for docker registry
-type RegistryConfig struct {
-	URL      *url.URL
-	Username string
-	Password string
-}
-
-// GetAuthConfig returns the docker registry authConfig
-func (c RegistryConfig) GetAuthConfig() types.AuthConfig {
-	return types.AuthConfig{
-		Username:      c.Username,
-		Password:      c.Password,
-		ServerAddress: c.URL.Host,
-	}
-}
-
-// GetRegistryAuth returns the json encoded docker registry auth
-func (c RegistryConfig) GetRegistryAuth() (string, error) {
-	authConfig := types.AuthConfig{
-		Username: c.Username,
-		Password: c.Password,
-	}
-	encodedJSON, err := json.Marshal(authConfig)
-	if err != nil {
-		return "", err
-	}
-	return base64.URLEncoding.EncodeToString(encodedJSON), nil
-}
-
-// Docker returns docker client
-type Docker struct {
-	cli *client.Client
-}
-
-// New is the factory method to return docker client
-func New() (Docker, error) {
-	cli, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
-	if err != nil {
-		return Docker{}, err
-	}
-	return Docker{
-		cli: cli,
-	}, nil
-}
-
-// ReplicateImage tags the given imagePath and pushes it to the given dest registry.
-func (d Docker) ReplicateImage(ctx context.Context, imageRef, imagePath string, dest RegistryConfig) error {
-	// remove existing Image if any
-	_, _ = d.cli.ImageRemove(ctx, imageRef, types.ImageRemoveOptions{
-		Force:         true,
-		PruneChildren: true,
-	})
-
-	testfile, err := os.Open(imagePath)
-	if err != nil {
-		return err
-	}
-
-	// load image into docker engine
-	resp, err := d.cli.ImageLoad(ctx, testfile, true)
-	if err != nil {
-		return err
-	}
-	if _, err = io.Copy(io.Discard, resp.Body); err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-
-	targetImageRef := fmt.Sprintf("%s/%s", dest.URL.Host, imageRef)
-
-	if err = d.cli.ImageTag(ctx, imageRef, targetImageRef); err != nil {
-		return err
-	}
-	defer func() {
-		_, _ = d.cli.ImageRemove(ctx, imageRef, types.ImageRemoveOptions{
-			Force:         true,
-			PruneChildren: true,
-		})
-		_, _ = d.cli.ImageRemove(ctx, targetImageRef, types.ImageRemoveOptions{
-			Force:         true,
-			PruneChildren: true,
-		})
-	}()
-
-	auth, err := dest.GetRegistryAuth()
-	if err != nil {
-		return err
-	}
-
-	pushOut, err := d.cli.ImagePush(ctx, targetImageRef, types.ImagePushOptions{RegistryAuth: auth})
-	if err != nil {
-		return err
-	}
-	defer pushOut.Close()
-
-	if _, err = io.Copy(io.Discard, pushOut); err != nil {
-		return err
-	}
-	return nil
-}

integration/docker_engine_test.go

@@ -19,235 +19,185 @@ import (
 	"github.com/aquasecurity/trivy/pkg/commands"
 )
 
-func TestRun_WithDockerEngine(t *testing.T) {
-	testCases := []struct {
-		name                string
-		withImageSubcommand bool
-		imageTag            string
-		invalidImage        bool
-		ignoreUnfixed       bool
-		severity            []string
-		ignoreIDs           []string
-		testfile            string
-		wantOutputFile      string
-		wantError           string
+func TestDockerEngine(t *testing.T) {
+	tests := []struct {
+		name          string
+		imageTag      string
+		invalidImage  bool
+		ignoreUnfixed bool
+		severity      []string
+		ignoreIDs     []string
+		input         string
+		golden        string
+		wantErr       string
 	}{
-		// All of these cases should pass for either
-		// $ trivy <args>
-		// $ trivy image <args>
 		{
-			name:           "happy path, valid image path, alpine:3.10",
-			imageTag:       "alpine:3.10",
-			wantOutputFile: "testdata/alpine-310.json.golden",
-			testfile:       "testdata/fixtures/images/alpine-310.tar.gz",
+			name:     "alpine:3.9",
+			imageTag: "alpine:3.9",
+			input:    "testdata/fixtures/images/alpine-39.tar.gz",
+			golden:   "testdata/alpine-39.json.golden",
 		},
 		{
-			name:                "happy path, valid image path, with image subcommand, alpine:3.10",
-			withImageSubcommand: true,
-			imageTag:            "alpine:3.10",
-			wantOutputFile:      "testdata/alpine-310.json.golden",
-			testfile:            "testdata/fixtures/images/alpine-310.tar.gz",
+			name:     "alpine:3.9, with high and critical severity",
+			severity: []string{"HIGH", "CRITICAL"},
+			imageTag: "alpine:3.9",
+			input:    "testdata/fixtures/images/alpine-39.tar.gz",
+			golden:   "testdata/alpine-39-high-critical.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, alpine:3.10, ignore unfixed",
-			ignoreUnfixed:  true,
-			imageTag:       "alpine:3.10",
-			wantOutputFile: "testdata/alpine-310-ignore-unfixed.json.golden",
-			testfile:       "testdata/fixtures/images/alpine-310.tar.gz",
+			name:      "alpine:3.9, with .trivyignore",
+			imageTag:  "alpine:3.9",
+			ignoreIDs: []string{"CVE-2019-1549", "CVE-2019-14697"},
+			input:     "testdata/fixtures/images/alpine-39.tar.gz",
+			golden:    "testdata/alpine-39-ignore-cveids.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, alpine:3.10, ignore unfixed, with medium and high severity",
-			ignoreUnfixed:  true,
-			severity:       []string{"MEDIUM", "HIGH"},
-			imageTag:       "alpine:3.10",
-			wantOutputFile: "testdata/alpine-310-medium-high.json.golden",
-			testfile:       "testdata/fixtures/images/alpine-310.tar.gz",
+			name:     "alpine:3.10",
+			imageTag: "alpine:3.10",
+			input:    "testdata/fixtures/images/alpine-310.tar.gz",
+			golden:   "testdata/alpine-310.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, alpine:3.10, with .trivyignore",
-			imageTag:       "alpine:3.10",
-			ignoreIDs:      []string{"CVE-2019-1549", "CVE-2019-1563"},
-			wantOutputFile: "testdata/alpine-310-ignore-cveids.json.golden",
-			testfile:       "testdata/fixtures/images/alpine-310.tar.gz",
+			name:     "amazonlinux:1",
+			imageTag: "amazonlinux:1",
+			input:    "testdata/fixtures/images/amazon-1.tar.gz",
+			golden:   "testdata/amazon-1.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, alpine:3.9",
-			imageTag:       "alpine:3.9",
-			wantOutputFile: "testdata/alpine-39.json.golden",
-			testfile:       "testdata/fixtures/images/alpine-39.tar.gz",
+			name:     "amazonlinux:2",
+			imageTag: "amazonlinux:2",
+			input:    "testdata/fixtures/images/amazon-2.tar.gz",
+			golden:   "testdata/amazon-2.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, amazonlinux:1",
-			imageTag:       "amazonlinux:1",
-			wantOutputFile: "testdata/amazon-1.json.golden",
-			testfile:       "testdata/fixtures/images/amazon-1.tar.gz",
+			name:     "almalinux 8",
+			imageTag: "almalinux:8",
+			input:    "testdata/fixtures/images/almalinux-8.tar.gz",
+			golden:   "testdata/almalinux-8.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, amazonlinux:2",
-			imageTag:       "amazonlinux:2",
-			wantOutputFile: "testdata/amazon-2.json.golden",
-			testfile:       "testdata/fixtures/images/amazon-2.tar.gz",
+			name:     "rocky linux 8",
+			imageTag: "rockylinux:8",
+			input:    "testdata/fixtures/images/rockylinux-8.tar.gz",
+			golden:   "testdata/rockylinux-8.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, centos:6",
-			imageTag:       "centos:6",
-			wantOutputFile: "testdata/centos-6.json.golden",
-			testfile:       "testdata/fixtures/images/centos-6.tar.gz",
+			name:     "centos 6",
+			imageTag: "centos:6",
+			input:    "testdata/fixtures/images/centos-6.tar.gz",
+			golden:   "testdata/centos-6.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, centos:7",
-			imageTag:       "centos:7",
-			wantOutputFile: "testdata/centos-7.json.golden",
-			testfile:       "testdata/fixtures/images/centos-7.tar.gz",
+			name:     "centos 7",
+			imageTag: "centos:7",
+			input:    "testdata/fixtures/images/centos-7.tar.gz",
+			golden:   "testdata/centos-7.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, centos:7, with --ignore-unfixed option",
-			imageTag:       "centos:7",
-			ignoreUnfixed:  true,
-			wantOutputFile: "testdata/centos-7-ignore-unfixed.json.golden",
-			testfile:       "testdata/fixtures/images/centos-7.tar.gz",
+			name:          "centos 7, with --ignore-unfixed option",
+			imageTag:      "centos:7",
+			ignoreUnfixed: true,
+			input:         "testdata/fixtures/images/centos-7.tar.gz",
+			golden:        "testdata/centos-7-ignore-unfixed.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, centos:7, with --ignore-unfixed option, with low and high severity",
-			imageTag:       "centos:7",
-			ignoreUnfixed:  true,
-			severity:       []string{"LOW", "HIGH"},
-			wantOutputFile: "testdata/centos-7-low-high.json.golden",
-			testfile:       "testdata/fixtures/images/centos-7.tar.gz",
+			name:          "centos 7, with --ignore-unfixed option, with medium severity",
+			imageTag:      "centos:7",
+			ignoreUnfixed: true,
+			severity:      []string{"MEDIUM"},
+			input:         "testdata/fixtures/images/centos-7.tar.gz",
+			golden:        "testdata/centos-7-medium.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, debian:buster",
-			imageTag:       "debian:buster",
-			wantOutputFile: "testdata/debian-buster.json.golden",
-			testfile:       "testdata/fixtures/images/debian-buster.tar.gz",
+			name:     "registry.redhat.io/ubi7",
+			imageTag: "registry.redhat.io/ubi7",
+			input:    "testdata/fixtures/images/ubi-7.tar.gz",
+			golden:   "testdata/ubi-7.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, debian:buster, with --ignore-unfixed option",
-			ignoreUnfixed:  true,
-			imageTag:       "debian:buster",
-			wantOutputFile: "testdata/debian-buster-ignore-unfixed.json.golden",
-			testfile:       "testdata/fixtures/images/debian-buster.tar.gz",
+			name:     "debian buster/10",
+			imageTag: "debian:buster",
+			input:    "testdata/fixtures/images/debian-buster.tar.gz",
+			golden:   "testdata/debian-buster.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, debian:stretch",
-			imageTag:       "debian:stretch",
-			wantOutputFile: "testdata/debian-stretch.json.golden",
-			testfile:       "testdata/fixtures/images/debian-stretch.tar.gz",
+			name:          "debian buster/10, with --ignore-unfixed option",
+			ignoreUnfixed: true,
+			imageTag:      "debian:buster",
+			input:         "testdata/fixtures/images/debian-buster.tar.gz",
+			golden:        "testdata/debian-buster-ignore-unfixed.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, distroless:base",
-			imageTag:       "gcr.io/distroless/base:latest",
-			wantOutputFile: "testdata/distroless-base.json.golden",
-			testfile:       "testdata/fixtures/images/distroless-base.tar.gz",
+			name:     "debian stretch/9",
+			imageTag: "debian:stretch",
+			input:    "testdata/fixtures/images/debian-stretch.tar.gz",
+			golden:   "testdata/debian-stretch.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, distroless:base",
-			imageTag:       "gcr.io/distroless/base:latest",
-			wantOutputFile: "testdata/distroless-base.json.golden",
-			testfile:       "testdata/fixtures/images/distroless-base.tar.gz",
+			name:     "distroless base",
+			imageTag: "gcr.io/distroless/base:latest",
+			input:    "testdata/fixtures/images/distroless-base.tar.gz",
+			golden:   "testdata/distroless-base.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, distroless:base, with --ignore-unfixed option",
-			imageTag:       "gcr.io/distroless/base:latest",
-			ignoreUnfixed:  true,
-			wantOutputFile: "testdata/distroless-base-ignore-unfixed.json.golden",
-			testfile:       "testdata/fixtures/images/distroless-base.tar.gz",
+			name:     "distroless python2.7",
+			imageTag: "gcr.io/distroless/python2.7:latest",
+			input:    "testdata/fixtures/images/distroless-python27.tar.gz",
+			golden:   "testdata/distroless-python27.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, distroless:python2.7",
-			imageTag:       "gcr.io/distroless/python2.7:latest",
-			wantOutputFile: "testdata/distroless-python27.json.golden",
-			testfile:       "testdata/fixtures/images/distroless-python27.tar.gz",
+			name:     "oracle linux 8",
+			imageTag: "oraclelinux:8-slim",
+			input:    "testdata/fixtures/images/oraclelinux-8-slim.tar.gz",
+			golden:   "testdata/oraclelinux-8-slim.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, oraclelinux:6-slim",
-			imageTag:       "oraclelinux:6-slim",
-			wantOutputFile: "testdata/oraclelinux-6-slim.json.golden",
-			testfile:       "testdata/fixtures/images/oraclelinux-6-slim.tar.gz",
+			name:     "ubuntu 18.04",
+			imageTag: "ubuntu:18.04",
+			input:    "testdata/fixtures/images/ubuntu-1804.tar.gz",
+			golden:   "testdata/ubuntu-1804.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, oraclelinux:7-slim",
-			imageTag:       "oraclelinux:7-slim",
-			wantOutputFile: "testdata/oraclelinux-7-slim.json.golden",
-			testfile:       "testdata/fixtures/images/oraclelinux-7-slim.tar.gz",
+			name:          "ubuntu 18.04, with --ignore-unfixed option",
+			imageTag:      "ubuntu:18.04",
+			ignoreUnfixed: true,
+			input:         "testdata/fixtures/images/ubuntu-1804.tar.gz",
+			golden:        "testdata/ubuntu-1804-ignore-unfixed.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, oraclelinux:8-slim",
-			imageTag:       "oraclelinux:8-slim",
-			wantOutputFile: "testdata/oraclelinux-8-slim.json.golden",
-			testfile:       "testdata/fixtures/images/oraclelinux-8-slim.tar.gz",
+			name:     "opensuse leap 15.1",
+			imageTag: "opensuse/leap:latest",
+			input:    "testdata/fixtures/images/opensuse-leap-151.tar.gz",
+			golden:   "testdata/opensuse-leap-151.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, ubuntu:16.04",
-			imageTag:       "ubuntu:16.04",
-			wantOutputFile: "testdata/ubuntu-1604.json.golden",
-			testfile:       "testdata/fixtures/images/ubuntu-1604.tar.gz",
+			name:     "photon 3.0",
+			imageTag: "photon:3.0-20190823",
+			input:    "testdata/fixtures/images/photon-30.tar.gz",
+			golden:   "testdata/photon-30.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, ubuntu:18.04",
-			imageTag:       "ubuntu:18.04",
-			wantOutputFile: "testdata/ubuntu-1804.json.golden",
-			testfile:       "testdata/fixtures/images/ubuntu-1804.tar.gz",
+			name:     "CBL-Mariner 1.0",
+			imageTag: "cblmariner.azurecr.io/base/core:1.0",
+			input:    "testdata/fixtures/images/mariner-1.0.tar.gz",
+			golden:   "testdata/mariner-1.0.json.golden",
 		},
 		{
-			name:           "happy path, valid image path, ubuntu:18.04, with --ignore-unfixed option",
-			imageTag:       "ubuntu:18.04",
-			ignoreUnfixed:  true,
-			wantOutputFile: "testdata/ubuntu-1804-ignore-unfixed.json.golden",
-			testfile:       "testdata/fixtures/images/ubuntu-1804.tar.gz",
-		},
-		{
-			name:           "happy path, valid image path, registry.redhat.io/ubi7",
-			imageTag:       "registry.redhat.io/ubi7",
-			wantOutputFile: "testdata/ubi-7.json.golden",
-			testfile:       "testdata/fixtures/images/ubi-7.tar.gz",
-		},
-		{
-			name:           "happy path, valid image path, opensuse leap 15.1",
-			imageTag:       "opensuse/leap:latest",
-			wantOutputFile: "testdata/opensuse-leap-151.json.golden",
-			testfile:       "testdata/fixtures/images/opensuse-leap-151.tar.gz",
-		},
-		{
-			name:           "happy path, valid image path, opensuse leap 42.3",
-			imageTag:       "opensuse/leap:42.3",
-			wantOutputFile: "testdata/opensuse-leap-423.json.golden",
-			testfile:       "testdata/fixtures/images/opensuse-leap-423.tar.gz",
-		},
-		{
-			name:           "happy path, valid image path, photon 1.0",
-			imageTag:       "photon:1.0-20190823",
-			wantOutputFile: "testdata/photon-10.json.golden",
-			testfile:       "testdata/fixtures/images/photon-10.tar.gz",
-		},
-		{
-			name:           "happy path, valid image path, photon 2.0",
-			imageTag:       "photon:2.0-20190726",
-			wantOutputFile: "testdata/photon-20.json.golden",
-			testfile:       "testdata/fixtures/images/photon-20.tar.gz",
-		},
-		{
-			name:           "happy path, valid image path, photon 3.0",
-			imageTag:       "photon:3.0-20190823",
-			wantOutputFile: "testdata/photon-30.json.golden",
-			testfile:       "testdata/fixtures/images/photon-30.tar.gz",
-		},
-		{
-			name:           "buxybox with Cargo.lock integration",
-			imageTag:       "busy-cargo:latest",
-			wantOutputFile: "testdata/busybox-with-lockfile.json.golden",
-			testfile:       "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
+			name:     "busybox with Cargo.lock",
+			imageTag: "busy-cargo:latest",
+			input:    "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
+			golden:   "testdata/busybox-with-lockfile.json.golden",
 		},
 		{
 			name:         "sad path, invalid image",
 			invalidImage: true,
-			testfile:     "badimage:latest",
-			wantError:    "unable to inspect the image (index.docker.io/library/badimage:latest)",
+			input:        "badimage:latest",
+			wantErr:      "unable to inspect the image (index.docker.io/library/badimage:latest)",
 		},
 	}
 
 	// Set up testing DB
-	cacheDir := gunzipDB(t)
+	cacheDir := initDB(t)
 
 	ctx := context.Background()
 	defer ctx.Done()
@@ -255,26 +205,26 @@ func TestRun_WithDockerEngine(t *testing.T) {
 	cli, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
 	require.NoError(t, err)
 
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			if !tc.invalidImage {
-				testfile, err := os.Open(tc.testfile)
-				require.NoError(t, err, tc.name)
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if !tt.invalidImage {
+				testfile, err := os.Open(tt.input)
+				require.NoError(t, err, tt.name)
 
 				// ensure image doesnt already exists
-				_, _ = cli.ImageRemove(ctx, tc.testfile, types.ImageRemoveOptions{
+				_, _ = cli.ImageRemove(ctx, tt.input, types.ImageRemoveOptions{
 					Force:         true,
 					PruneChildren: true,
 				})
 
 				// load image into docker engine
 				res, err := cli.ImageLoad(ctx, testfile, true)
-				require.NoError(t, err, tc.name)
+				require.NoError(t, err, tt.name)
 				io.Copy(io.Discard, res.Body)
 
 				// tag our image to something unique
-				err = cli.ImageTag(ctx, tc.imageTag, tc.testfile)
-				require.NoError(t, err, tc.name)
+				err = cli.ImageTag(ctx, tt.imageTag, tt.input)
+				require.NoError(t, err, tt.name)
 			}
 
 			tmpDir := t.TempDir()
@@ -282,55 +232,47 @@ func TestRun_WithDockerEngine(t *testing.T) {
 
 			// run trivy
 			app := commands.NewApp("dev")
-			trivyArgs := []string{"trivy"}
-			trivyArgs = append(trivyArgs, "--cache-dir", cacheDir)
-			if tc.withImageSubcommand {
-				trivyArgs = append(trivyArgs, "image")
-			}
+			trivyArgs := []string{"trivy", "--cache-dir", cacheDir, "image",
+				"--skip-update", "--format=json", "--output", output}
 
-			trivyArgs = append(trivyArgs, []string{"--skip-update", "--format=json", "--output", output}...)
-
-			if tc.ignoreUnfixed {
+			if tt.ignoreUnfixed {
 				trivyArgs = append(trivyArgs, "--ignore-unfixed")
 			}
-			if len(tc.severity) != 0 {
+			if len(tt.severity) != 0 {
 				trivyArgs = append(trivyArgs,
-					[]string{"--severity", strings.Join(tc.severity, ",")}...,
+					[]string{"--severity", strings.Join(tt.severity, ",")}...,
 				)
 			}
-			if len(tc.ignoreIDs) != 0 {
+			if len(tt.ignoreIDs) != 0 {
 				trivyIgnore := ".trivyignore"
-				err := os.WriteFile(trivyIgnore, []byte(strings.Join(tc.ignoreIDs, "\n")), 0444)
+				err = os.WriteFile(trivyIgnore, []byte(strings.Join(tt.ignoreIDs, "\n")), 0444)
 				assert.NoError(t, err, "failed to write .trivyignore")
 				defer os.Remove(trivyIgnore)
 			}
-			trivyArgs = append(trivyArgs, tc.testfile)
+			trivyArgs = append(trivyArgs, tt.input)
 
 			err = app.Run(trivyArgs)
-			switch {
-			case tc.wantError != "":
+			if tt.wantErr != "" {
 				require.NotNil(t, err)
-				assert.Contains(t, err.Error(), tc.wantError, tc.name)
+				assert.Contains(t, err.Error(), tt.wantErr, tt.name)
 				return
-			default:
-				assert.NoError(t, err, tc.name)
 			}
 
+			assert.NoError(t, err, tt.name)
+
 			// check for vulnerability output info
-			got := readReport(t, output)
-			want := readReport(t, tc.wantOutputFile)
-			assert.Equal(t, want, got)
+			compareReports(t, tt.golden, output)
 
 			// cleanup
-			_, err = cli.ImageRemove(ctx, tc.testfile, types.ImageRemoveOptions{
+			_, err = cli.ImageRemove(ctx, tt.input, types.ImageRemoveOptions{
 				Force:         true,
 				PruneChildren: true,
 			})
-			_, err = cli.ImageRemove(ctx, tc.imageTag, types.ImageRemoveOptions{
+			_, err = cli.ImageRemove(ctx, tt.imageTag, types.ImageRemoveOptions{
 				Force:         true,
 				PruneChildren: true,
 			})
-			assert.NoError(t, err, tc.name)
+			assert.NoError(t, err, tt.name)
 		})
 	}
 }

integration/fs_test.go

@@ -22,6 +22,7 @@ func TestFilesystem(t *testing.T) {
 		ignoreIDs      []string
 		policyPaths    []string
 		namespaces     []string
+		listAllPkgs    bool
 		input          string
 	}
 	tests := []struct {
@@ -41,10 +42,19 @@ func TestFilesystem(t *testing.T) {
 			name: "pip",
 			args: args{
 				securityChecks: "vuln",
+				listAllPkgs:    true,
 				input:          "testdata/fixtures/fs/pip",
 			},
 			golden: "testdata/pip.json.golden",
 		},
+		{
+			name: "pom",
+			args: args{
+				securityChecks: "vuln",
+				input:          "testdata/fixtures/fs/pom",
+			},
+			golden: "testdata/pom.json.golden",
+		},
 		{
 			name: "dockerfile",
 			args: args{
@@ -85,12 +95,12 @@ func TestFilesystem(t *testing.T) {
 	}
 
 	// Set up testing DB
-	cacheDir := gunzipDB(t)
+	cacheDir := initDB(t)
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			osArgs := []string{"trivy", "--cache-dir", cacheDir, "fs", "--skip-db-update", "--skip-policy-update",
-				"--format", "json", "--security-checks", tt.args.securityChecks}
+				"--format", "json", "--offline-scan", "--security-checks", tt.args.securityChecks}
 
 			if len(tt.args.policyPaths) != 0 {
 				for _, policyPath := range tt.args.policyPaths {
@@ -105,9 +115,7 @@ func TestFilesystem(t *testing.T) {
 			}
 
 			if len(tt.args.severity) != 0 {
-				osArgs = append(osArgs,
-					[]string{"--severity", strings.Join(tt.args.severity, ",")}...,
-				)
+				osArgs = append(osArgs, "--severity", strings.Join(tt.args.severity, ","))
 			}
 
 			if len(tt.args.ignoreIDs) != 0 {
@@ -123,6 +131,10 @@ func TestFilesystem(t *testing.T) {
 				outputFile = tt.golden
 			}
 
+			if tt.args.listAllPkgs {
+				osArgs = append(osArgs, "--list-all-pkgs")
+			}
+
 			osArgs = append(osArgs, "--output", outputFile)
 			osArgs = append(osArgs, tt.args.input)
 
@@ -134,10 +146,7 @@ func TestFilesystem(t *testing.T) {
 			assert.Nil(t, app.Run(osArgs))
 
 			// Compare want and got
-			want := readReport(t, tt.golden)
-			got := readReport(t, outputFile)
-
-			assert.Equal(t, want, got)
+			compareReports(t, tt.golden, outputFile)
 		})
 	}
 }

integration/integration_test.go

@@ -4,11 +4,9 @@
 package integration
 
 import (
-	"compress/gzip"
 	"context"
 	"encoding/json"
 	"flag"
-	"io"
 	"net"
 	"os"
 	"path/filepath"
@@ -19,44 +17,43 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/aquasecurity/trivy-db/pkg/db"
-	"github.com/aquasecurity/trivy/pkg/report"
+	"github.com/aquasecurity/trivy-db/pkg/metadata"
+	"github.com/aquasecurity/trivy/pkg/dbtest"
+	"github.com/aquasecurity/trivy/pkg/types"
 )
 
 var update = flag.Bool("update", false, "update golden files")
 
-func gunzipDB(t *testing.T) string {
-	gz, err := os.Open("testdata/trivy.db.gz")
+func initDB(t *testing.T) string {
+	fixtureDir := filepath.Join("testdata", "fixtures", "db")
+	entries, err := os.ReadDir(fixtureDir)
 	require.NoError(t, err)
 
-	zr, err := gzip.NewReader(gz)
-	require.NoError(t, err)
+	var fixtures []string
+	for _, entry := range entries {
+		if entry.IsDir() {
+			continue
+		}
+		fixtures = append(fixtures, filepath.Join(fixtureDir, entry.Name()))
+	}
 
-	tmpDir := t.TempDir()
-	dbPath := db.Path(tmpDir)
-	dbDir := filepath.Dir(dbPath)
-	err = os.MkdirAll(dbDir, 0700)
-	require.NoError(t, err)
+	cacheDir := dbtest.InitDB(t, fixtures)
+	defer db.Close()
 
-	file, err := os.Create(dbPath)
-	require.NoError(t, err)
-	defer file.Close()
-
-	_, err = io.Copy(file, zr)
-	require.NoError(t, err)
+	dbDir := filepath.Dir(db.Path(cacheDir))
 
 	metadataFile := filepath.Join(dbDir, "metadata.json")
-	b, err := json.Marshal(db.Metadata{
-		Version:    1,
-		Type:       1,
-		NextUpdate: time.Time{},
-		UpdatedAt:  time.Time{},
+	f, err := os.Create(metadataFile)
+	require.NoError(t, err)
+
+	err = json.NewEncoder(f).Encode(metadata.Metadata{
+		Version:    db.SchemaVersion,
+		NextUpdate: time.Now().Add(24 * time.Hour),
+		UpdatedAt:  time.Now(),
 	})
 	require.NoError(t, err)
 
-	err = os.WriteFile(metadataFile, b, 0600)
-	require.NoError(t, err)
-
-	return tmpDir
+	return cacheDir
 }
 
 func getFreePort() (int, error) {
@@ -88,14 +85,14 @@ func waitPort(ctx context.Context, addr string) error {
 	}
 }
 
-func readReport(t *testing.T, filePath string) report.Report {
+func readReport(t *testing.T, filePath string) types.Report {
 	t.Helper()
 
 	f, err := os.Open(filePath)
 	require.NoError(t, err, filePath)
 	defer f.Close()
 
-	var res report.Report
+	var res types.Report
 	err = json.NewDecoder(f).Decode(&res)
 	require.NoError(t, err, filePath)
 
@@ -105,6 +102,8 @@ func readReport(t *testing.T, filePath string) report.Report {
 	// We don't compare repo tags because the archive doesn't support it
 	res.Metadata.RepoTags = nil
 
+	res.Metadata.RepoDigests = nil
+
 	return res
 }
 

integration/registry_test.go

@@ -4,6 +4,8 @@
 package integration
 
 import (
+	"bytes"
+	"compress/gzip"
 	"context"
 	"crypto/tls"
 	"crypto/x509"
@@ -17,19 +19,20 @@ import (
 	"testing"
 
 	"github.com/docker/go-connections/nat"
+	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+	"github.com/google/go-containerregistry/pkg/v1/tarball"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	testcontainers "github.com/testcontainers/testcontainers-go"
 	"github.com/testcontainers/testcontainers-go/wait"
 
-	_ "github.com/aquasecurity/fanal/analyzer"
-	testdocker "github.com/aquasecurity/trivy/integration/docker"
 	"github.com/aquasecurity/trivy/pkg/commands"
 )
 
 const (
-	registryImage = "registry:2"
+	registryImage = "registry:2.7.0"
 	registryPort  = "5443/tcp"
 
 	authImage    = "cesanta/docker_auth:1"
@@ -52,6 +55,7 @@ func setupRegistry(ctx context.Context, baseDir string, authURL *url.URL) (testc
 			"REGISTRY_AUTH_TOKEN_SERVICE":        "registry.docker.io",
 			"REGISTRY_AUTH_TOKEN_ISSUER":         "Trivy auth server",
 			"REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE": "/certs/cert.pem",
+			"REGISTRY_AUTH_TOKEN_AUTOREDIRECT":   "false",
 		},
 		BindMounts: map[string]string{
 			filepath.Join(baseDir, "data", "certs"): "/certs",
@@ -133,13 +137,12 @@ func TestRegistry(t *testing.T) {
 	registryURL, err := getURL(ctx, registryC, registryPort)
 	require.NoError(t, err)
 
-	config := testdocker.RegistryConfig{
-		URL:      registryURL,
+	auth := &authn.Basic{
 		Username: authUsername,
 		Password: authPassword,
 	}
 
-	testCases := []struct {
+	tests := []struct {
 		name      string
 		imageName string
 		imageFile string
@@ -178,29 +181,25 @@ func TestRegistry(t *testing.T) {
 		},
 	}
 
-	for _, tc := range testCases {
+	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
-			d, err := testdocker.New()
-			require.NoError(t, err)
-
 			s := fmt.Sprintf("%s/%s", registryURL.Host, tc.imageName)
 			imageRef, err := name.ParseReference(s)
 			require.NoError(t, err)
 
 			// 1. Load a test image from the tar file, tag it and push to the test registry.
-			err = d.ReplicateImage(ctx, tc.imageName, tc.imageFile, config)
+			err = replicateImage(imageRef, tc.imageFile, auth)
 			require.NoError(t, err)
 
 			// 2. Scan it
 			resultFile, err := scan(t, imageRef, baseDir, tc.golden, tc.option)
 
 			if tc.wantErr != "" {
-				require.NotNil(t, err)
+				require.Error(t, err)
 				require.Contains(t, err.Error(), tc.wantErr, err)
 				return
-			} else {
-				require.NoError(t, err)
 			}
+			require.NoError(t, err)
 
 			// 3. Read want and got
 			want := readReport(t, tc.golden)
@@ -211,9 +210,6 @@ func TestRegistry(t *testing.T) {
 			for i := range want.Results {
 				want.Results[i].Target = fmt.Sprintf("%s (alpine 3.10.2)", s)
 			}
-			want.Metadata.RepoDigests = []string{
-				fmt.Sprintf("%s/alpine@sha256:acd3ca9941a85e8ed16515bfc5328e4e2f8c128caa72959a58a127b7801ee01f", registryURL.Host),
-			}
 
 			// 5. Compare want and got
 			assert.Equal(t, want, got)
@@ -223,7 +219,7 @@ func TestRegistry(t *testing.T) {
 
 func scan(t *testing.T, imageRef name.Reference, baseDir, goldenFile string, opt registryOption) (string, error) {
 	// Set up testing DB
-	cacheDir := gunzipDB(t)
+	cacheDir := initDB(t)
 
 	// Setup the output file
 	outputFile := filepath.Join(t.TempDir(), "output.json")
@@ -240,7 +236,8 @@ func scan(t *testing.T, imageRef name.Reference, baseDir, goldenFile string, opt
 	app := commands.NewApp("dev")
 	app.Writer = io.Discard
 
-	osArgs := []string{"trivy", "--cache-dir", cacheDir, "--format", "json", "--skip-update", "--output", outputFile, imageRef.Name()}
+	osArgs := []string{"trivy", "--cache-dir", cacheDir, "image", "--format", "json", "--skip-update",
+		"--output", outputFile, imageRef.Name()}
 
 	// Run Trivy
 	if err := app.Run(osArgs); err != nil {
@@ -316,3 +313,32 @@ func requestRegistryToken(imageRef name.Reference, baseDir string, opt registryO
 
 	return r.AccessToken, nil
 }
+
+// ReplicateImage tags the given imagePath and pushes it to the given dest registry.
+func replicateImage(imageRef name.Reference, imagePath string, auth authn.Authenticator) error {
+	img, err := tarball.Image(func() (io.ReadCloser, error) {
+		b, err := os.ReadFile(imagePath)
+		if err != nil {
+			return nil, err
+		}
+		gr, err := gzip.NewReader(bytes.NewReader(b))
+		if err != nil {
+			return nil, err
+		}
+		return io.NopCloser(gr), nil
+	}, nil)
+	if err != nil {
+		return err
+	}
+
+	t := &http.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	}
+
+	err = remote.Write(imageRef, img, remote.WithAuth(auth), remote.WithTransport(t))
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

integration/standalone_tar_test.go

@@ -15,105 +15,84 @@ import (
 	"github.com/aquasecurity/trivy/pkg/commands"
 )
 
-func TestRun_WithTar(t *testing.T) {
+func TestTar(t *testing.T) {
 	type args struct {
-		Version             string
-		WithImageSubcommand bool
-		SkipUpdate          bool
-		IgnoreUnfixed       bool
-		Severity            []string
-		IgnoreIDs           []string
-		Format              string
-		Input               string
-		SkipDirs            []string
-		SkipFiles           []string
+		IgnoreUnfixed bool
+		Severity      []string
+		IgnoreIDs     []string
+		Format        string
+		Input         string
+		SkipDirs      []string
+		SkipFiles     []string
 	}
-	cases := []struct {
+	tests := []struct {
 		name     string
 		testArgs args
 		golden   string
 	}{
 		{
-			name: "alpine 3.10 integration",
+			name: "alpine 3.9",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310.json.golden",
-		},
-		{
-			name: "alpine 3.10 integration with image subcommand",
-			testArgs: args{
-				Version:             "dev",
-				WithImageSubcommand: true,
-				SkipUpdate:          true,
-				Format:              "json",
-				Input:               "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310.json.golden",
-		},
-		{
-			name: "alpine 3.10 integration with --ignore-unfixed option",
-			testArgs: args{
-				Version:       "dev",
-				SkipUpdate:    true,
-				IgnoreUnfixed: true,
-				Format:        "json",
-				Input:         "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310-ignore-unfixed.json.golden",
-		},
-		{
-			name: "alpine 3.10 integration with medium and high severity",
-			testArgs: args{
-				Version:       "dev",
-				SkipUpdate:    true,
-				IgnoreUnfixed: true,
-				Severity:      []string{"MEDIUM", "HIGH"},
-				Format:        "json",
-				Input:         "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310-medium-high.json.golden",
-		},
-		{
-			name: "alpine 3.10 integration with .trivyignore",
-			testArgs: args{
-				Version:       "dev",
-				SkipUpdate:    true,
-				IgnoreUnfixed: false,
-				IgnoreIDs:     []string{"CVE-2019-1549", "CVE-2019-1563"},
-				Format:        "json",
-				Input:         "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310-ignore-cveids.json.golden",
-		},
-		{
-			name: "alpine 3.9 integration",
-			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/alpine-39.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/alpine-39.tar.gz",
 			},
 			golden: "testdata/alpine-39.json.golden",
 		},
 		{
-			name: "debian buster integration",
+			name: "alpine 3.9 with high and critical severity",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/debian-buster.tar.gz",
+				IgnoreUnfixed: true,
+				Severity:      []string{"HIGH", "CRITICAL"},
+				Format:        "json",
+				Input:         "testdata/fixtures/images/alpine-39.tar.gz",
+			},
+			golden: "testdata/alpine-39-high-critical.json.golden",
+		},
+		{
+			name: "alpine 3.9 with .trivyignore",
+			testArgs: args{
+				IgnoreUnfixed: false,
+				IgnoreIDs:     []string{"CVE-2019-1549", "CVE-2019-14697"},
+				Format:        "json",
+				Input:         "testdata/fixtures/images/alpine-39.tar.gz",
+			},
+			golden: "testdata/alpine-39-ignore-cveids.json.golden",
+		},
+		{
+			name: "alpine 3.10",
+			testArgs: args{
+				Format: "json",
+				Input:  "testdata/fixtures/images/alpine-310.tar.gz",
+			},
+			golden: "testdata/alpine-310.json.golden",
+		},
+		{
+			name: "amazon linux 1",
+			testArgs: args{
+				Format: "json",
+				Input:  "testdata/fixtures/images/amazon-1.tar.gz",
+			},
+			golden: "testdata/amazon-1.json.golden",
+		},
+		{
+			name: "amazon linux 2",
+			testArgs: args{
+				Format: "json",
+				Input:  "testdata/fixtures/images/amazon-2.tar.gz",
+			},
+			golden: "testdata/amazon-2.json.golden",
+		},
+		{
+			name: "debian buster/10",
+			testArgs: args{
+				Format: "json",
+				Input:  "testdata/fixtures/images/debian-buster.tar.gz",
 			},
 			golden: "testdata/debian-buster.json.golden",
 		},
 		{
-			name: "debian buster integration with --ignore-unfixed option",
+			name: "debian buster/10 with --ignore-unfixed option",
 			testArgs: args{
-				Version:       "dev",
-				SkipUpdate:    true,
 				IgnoreUnfixed: true,
 				Format:        "json",
 				Input:         "testdata/fixtures/images/debian-buster.tar.gz",
@@ -121,30 +100,24 @@ func TestRun_WithTar(t *testing.T) {
 			golden: "testdata/debian-buster-ignore-unfixed.json.golden",
 		},
 		{
-			name: "debian stretch integration",
+			name: "debian stretch/9",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/debian-stretch.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/debian-stretch.tar.gz",
 			},
 			golden: "testdata/debian-stretch.json.golden",
 		},
 		{
-			name: "ubuntu 18.04 integration",
+			name: "ubuntu 18.04",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/ubuntu-1804.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/ubuntu-1804.tar.gz",
 			},
 			golden: "testdata/ubuntu-1804.json.golden",
 		},
 		{
-			name: "ubuntu 18.04 integration with --ignore-unfixed option",
+			name: "ubuntu 18.04 with --ignore-unfixed option",
 			testArgs: args{
-				Version:       "dev",
-				SkipUpdate:    true,
 				IgnoreUnfixed: true,
 				Format:        "json",
 				Input:         "testdata/fixtures/images/ubuntu-1804.tar.gz",
@@ -152,30 +125,16 @@ func TestRun_WithTar(t *testing.T) {
 			golden: "testdata/ubuntu-1804-ignore-unfixed.json.golden",
 		},
 		{
-			name: "ubuntu 16.04 integration",
+			name: "centos 7",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/ubuntu-1604.tar.gz",
-			},
-			golden: "testdata/ubuntu-1604.json.golden",
-		},
-		{
-			name: "centos 7 integration",
-			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/centos-7.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/centos-7.tar.gz",
 			},
 			golden: "testdata/centos-7.json.golden",
 		},
 		{
-			name: "centos 7 integration with --ignore-unfixed option",
+			name: "centos 7with --ignore-unfixed option",
 			testArgs: args{
-				Version:       "dev",
-				SkipUpdate:    true,
 				IgnoreUnfixed: true,
 				Format:        "json",
 				Input:         "testdata/fixtures/images/centos-7.tar.gz",
@@ -183,249 +142,158 @@ func TestRun_WithTar(t *testing.T) {
 			golden: "testdata/centos-7-ignore-unfixed.json.golden",
 		},
 		{
-			name: "centos 7 integration with low and high severity",
+			name: "centos 7 with medium severity",
 			testArgs: args{
-				Version:       "dev",
-				SkipUpdate:    true,
 				IgnoreUnfixed: true,
-				Severity:      []string{"LOW", "HIGH"},
+				Severity:      []string{"MEDIUM"},
 				Format:        "json",
 				Input:         "testdata/fixtures/images/centos-7.tar.gz",
 			},
-			golden: "testdata/centos-7-low-high.json.golden",
+			golden: "testdata/centos-7-medium.json.golden",
 		},
 		{
-			name: "centos 6 integration",
+			name: "centos 6",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/centos-6.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/centos-6.tar.gz",
 			},
 			golden: "testdata/centos-6.json.golden",
 		},
 		{
-			name: "ubi 7 integration",
+			name: "ubi 7",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/ubi-7.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/ubi-7.tar.gz",
 			},
 			golden: "testdata/ubi-7.json.golden",
 		},
 		{
-			name: "distroless base integration",
+			name: "almalinux 8",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/distroless-base.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/almalinux-8.tar.gz",
+			},
+			golden: "testdata/almalinux-8.json.golden",
+		},
+		{
+			name: "rocky linux 8",
+			testArgs: args{
+				Format: "json",
+				Input:  "testdata/fixtures/images/rockylinux-8.tar.gz",
+			},
+			golden: "testdata/rockylinux-8.json.golden",
+		},
+		{
+			name: "distroless base",
+			testArgs: args{
+				Format: "json",
+				Input:  "testdata/fixtures/images/distroless-base.tar.gz",
 			},
 			golden: "testdata/distroless-base.json.golden",
 		},
 		{
-			name: "distroless base integration with --ignore-unfixed option",
+			name: "distroless python27",
 			testArgs: args{
-				Version:       "dev",
-				SkipUpdate:    true,
-				IgnoreUnfixed: true,
-				Format:        "json",
-				Input:         "testdata/fixtures/images/distroless-base.tar.gz",
-			},
-			golden: "testdata/distroless-base-ignore-unfixed.json.golden",
-		},
-		{
-			name: "distroless python27 integration",
-			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/distroless-python27.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/distroless-python27.tar.gz",
 			},
 			golden: "testdata/distroless-python27.json.golden",
 		},
 		{
-			name: "amazon 1 integration",
+			name: "oracle linux 8",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/amazon-1.tar.gz",
-			},
-			golden: "testdata/amazon-1.json.golden",
-		},
-		{
-			name: "amazon 2 integration",
-			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/amazon-2.tar.gz",
-			},
-			golden: "testdata/amazon-2.json.golden",
-		},
-		{
-			name: "oracle 6 integration",
-			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/oraclelinux-6-slim.tar.gz",
-			},
-			golden: "testdata/oraclelinux-6-slim.json.golden",
-		},
-		{
-			name: "oracle 7 integration",
-			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/oraclelinux-7-slim.tar.gz",
-			},
-			golden: "testdata/oraclelinux-7-slim.json.golden",
-		},
-		{
-			name: "oracle 8 integration",
-			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/oraclelinux-8-slim.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/oraclelinux-8-slim.tar.gz",
 			},
 			golden: "testdata/oraclelinux-8-slim.json.golden",
 		},
 		{
-			name: "opensuse leap 15.1 integration",
+			name: "opensuse leap 15.1",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/opensuse-leap-151.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/opensuse-leap-151.tar.gz",
 			},
 			golden: "testdata/opensuse-leap-151.json.golden",
 		},
 		{
-			name: "opensuse leap 42.3 integration",
+			name: "photon 3.0",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/opensuse-leap-423.tar.gz",
-			},
-			golden: "testdata/opensuse-leap-423.json.golden",
-		},
-		{
-			name: "photon 1.0 integration",
-			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/photon-10.tar.gz",
-			},
-			golden: "testdata/photon-10.json.golden",
-		},
-		{
-			name: "photon 2.0 integration",
-			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/photon-20.tar.gz",
-			},
-			golden: "testdata/photon-20.json.golden",
-		},
-		{
-			name: "photon 3.0 integration",
-			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/photon-30.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/photon-30.tar.gz",
 			},
 			golden: "testdata/photon-30.json.golden",
 		},
+		{
+			name: "CBL-Mariner 1.0",
+			testArgs: args{
+				Format: "json",
+				Input:  "testdata/fixtures/images/mariner-1.0.tar.gz",
+			},
+			golden: "testdata/mariner-1.0.json.golden",
+		},
 		{
 			name: "buxybox with Cargo.lock integration",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
 			},
 			golden: "testdata/busybox-with-lockfile.json.golden",
 		},
 		{
-			name: "fluentd with multiple lock files",
+			name: "fluentd with RubyGems",
 			testArgs: args{
-				Version:       "dev",
-				SkipUpdate:    true,
 				IgnoreUnfixed: true,
 				Format:        "json",
 				Input:         "testdata/fixtures/images/fluentd-multiple-lockfiles.tar.gz",
-				SkipFiles:     []string{"/Gemfile.lock"},
-				SkipDirs: []string{
-					"/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0",
-					"/var/lib/gems/2.5.0/gems/fluent-plugin-detect-exceptions-0.0.13",
-				},
 			},
-			golden: "testdata/fluentd-multiple-lockfiles.json.golden",
+			golden: "testdata/fluentd-gems.json.golden",
 		},
 	}
 
 	// Set up testing DB
-	cacheDir := gunzipDB(t)
+	cacheDir := initDB(t)
 
 	// Setup CLI App
 	app := commands.NewApp("dev")
 	app.Writer = io.Discard
 
-	for _, c := range cases {
-		t.Run(c.name, func(t *testing.T) {
-			osArgs := []string{"trivy"}
-			osArgs = append(osArgs, "--cache-dir", cacheDir)
-			if c.testArgs.WithImageSubcommand {
-				osArgs = append(osArgs, "image")
-			}
-			osArgs = append(osArgs, "--format", c.testArgs.Format)
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			osArgs := []string{"trivy", "--cache-dir", cacheDir, "image", "--format", tt.testArgs.Format, "--skip-update"}
 
-			if c.testArgs.SkipUpdate {
-				osArgs = append(osArgs, "--skip-update")
-			}
-			if c.testArgs.IgnoreUnfixed {
+			if tt.testArgs.IgnoreUnfixed {
 				osArgs = append(osArgs, "--ignore-unfixed")
 			}
-			if len(c.testArgs.Severity) != 0 {
-				osArgs = append(osArgs,
-					[]string{"--severity", strings.Join(c.testArgs.Severity, ",")}...,
-				)
+			if len(tt.testArgs.Severity) != 0 {
+				osArgs = append(osArgs, "--severity", strings.Join(tt.testArgs.Severity, ","))
 			}
-			if len(c.testArgs.IgnoreIDs) != 0 {
+			if len(tt.testArgs.IgnoreIDs) != 0 {
 				trivyIgnore := ".trivyignore"
-				err := os.WriteFile(trivyIgnore, []byte(strings.Join(c.testArgs.IgnoreIDs, "\n")), 0444)
+				err := os.WriteFile(trivyIgnore, []byte(strings.Join(tt.testArgs.IgnoreIDs, "\n")), 0444)
 				assert.NoError(t, err, "failed to write .trivyignore")
 				defer os.Remove(trivyIgnore)
 			}
-			if c.testArgs.Input != "" {
-				osArgs = append(osArgs, "--input", c.testArgs.Input)
+			if tt.testArgs.Input != "" {
+				osArgs = append(osArgs, "--input", tt.testArgs.Input)
 			}
 
-			if len(c.testArgs.SkipFiles) != 0 {
-				for _, skipFile := range c.testArgs.SkipFiles {
+			// TODO: test skip files/dirs
+			if len(tt.testArgs.SkipFiles) != 0 {
+				for _, skipFile := range tt.testArgs.SkipFiles {
 					osArgs = append(osArgs, "--skip-files", skipFile)
 				}
 			}
 
-			if len(c.testArgs.SkipDirs) != 0 {
-				for _, skipDir := range c.testArgs.SkipDirs {
+			if len(tt.testArgs.SkipDirs) != 0 {
+				for _, skipDir := range tt.testArgs.SkipDirs {
 					osArgs = append(osArgs, "--skip-dirs", skipDir)
 				}
 			}
 
-			// Setup the output file
+			// Set up the output file
 			outputFile := filepath.Join(t.TempDir(), "output.json")
 			if *update {
-				outputFile = c.golden
+				outputFile = tt.golden
 			}
 
 			osArgs = append(osArgs, []string{"--output", outputFile}...)
@@ -434,7 +302,7 @@ func TestRun_WithTar(t *testing.T) {
 			assert.Nil(t, app.Run(osArgs))
 
 			// Compare want and got
-			compareReports(t, c.golden, outputFile)
+			compareReports(t, tt.golden, outputFile)
 		})
 	}
 }

integration/testdata/almalinux-8.json.golden

@@ -0,0 +1,122 @@
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/almalinux-8.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "alma",
+      "Name": "8.5"
+    },
+    "ImageID": "sha256:4ca63ce1d8a90da2ed4f2d5e93e8e9db2f32d0fabf0718a2edebbe0e70826622",
+    "DiffIDs": [
+      "sha256:124d41c237c5e823577dda97e87cebaecce62d585c725d07e709ce410681de4d"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "a467f67a48d469e1975b7414f33f2cf87121d4cc59d2ee029ea58e6b81774769",
+      "created": "2021-11-13T12:10:27.09871973Z",
+      "docker_version": "20.10.7",
+      "history": [
+        {
+          "created": "2021-11-13T12:10:26.29818864Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:2e002305ccb9d8a4dcef52509c4c50b9a15e76c9c49ca6abda3e0d7091c63fa7 in / "
+        },
+        {
+          "created": "2021-11-13T12:10:27.09871973Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/bash\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:124d41c237c5e823577dda97e87cebaecce62d585c725d07e709ce410681de4d"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/bash"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:d38d2eac03bc19e080df596d6148863a0f8293f3a277a7524f378da79a1feb0f"
+      }
+    }
+  },
+  "Results": [
+    {
+      "Target": "testdata/fixtures/images/almalinux-8.tar.gz (alma 8.5)",
+      "Class": "os-pkgs",
+      "Type": "alma",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2021-3712",
+          "PkgName": "openssl-libs",
+          "InstalledVersion": "1:1.1.1k-4.el8",
+          "FixedVersion": "1:1.1.1k-5.el8_5",
+          "Layer": {
+            "DiffID": "sha256:124d41c237c5e823577dda97e87cebaecce62d585c725d07e709ce410681de4d"
+          },
+          "SeveritySource": "alma",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3712",
+          "DataSource": {
+            "ID": "alma",
+            "Name": "AlmaLinux Product Errata",
+            "URL": "https://errata.almalinux.org/"
+          },
+          "Title": "openssl: Read buffer overruns processing ASN.1 strings",
+          "Description": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-125"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
+              "V2Score": 5.8,
+              "V3Score": 7.4
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
+              "V3Score": 7.4
+            }
+          },
+          "References": [
+            "http://www.openwall.com/lists/oss-security/2021/08/26/2",
+            "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3712.json",
+            "https://access.redhat.com/security/cve/CVE-2021-3712",
+            "https://crates.io/crates/openssl-src",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3712",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=94d23fcff9b2a7a8368dfe52214d5c2569882c11",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ccb0a11145ee72b042d10593a64eaf9e8a55ec12",
+            "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10366",
+            "https://linux.oracle.com/cve/CVE-2021-3712.html",
+            "https://linux.oracle.com/errata/ELSA-2022-9023.html",
+            "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E",
+            "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E",
+            "https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html",
+            "https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html",
+            "https://nvd.nist.gov/vuln/detail/CVE-2021-3712",
+            "https://rustsec.org/advisories/RUSTSEC-2021-0098.html",
+            "https://security.netapp.com/advisory/ntap-20210827-0010/",
+            "https://ubuntu.com/security/notices/USN-5051-1",
+            "https://ubuntu.com/security/notices/USN-5051-2",
+            "https://ubuntu.com/security/notices/USN-5051-3",
+            "https://ubuntu.com/security/notices/USN-5051-4 (regression only in trusty/esm)",
+            "https://ubuntu.com/security/notices/USN-5088-1",
+            "https://www.debian.org/security/2021/dsa-4963",
+            "https://www.openssl.org/news/secadv/20210824.txt",
+            "https://www.oracle.com/security-alerts/cpuoct2021.html",
+            "https://www.tenable.com/security/tns-2021-16",
+            "https://www.tenable.com/security/tns-2022-02"
+          ],
+          "PublishedDate": "2021-08-24T15:15:00Z",
+          "LastModifiedDate": "2022-01-06T09:15:00Z"
+        }
+      ]
+    }
+  ]
+}

integration/testdata/alpine-310-ignore-cveids.json.golden

@@ -1,223 +0,0 @@
-{
-  "SchemaVersion": 2,
-  "ArtifactName": "testdata/fixtures/images/alpine-310.tar.gz",
-  "ArtifactType": "container_image",
-  "Metadata": {
-    "OS": {
-      "Family": "alpine",
-      "Name": "3.10.2",
-      "EOSL": true
-    },
-    "ImageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4",
-    "DiffIDs": [
-      "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-    ],
-    "ImageConfig": {
-      "architecture": "amd64",
-      "container": "0a80155a31551fcc1a36fccbbda79fcd3f0b1c7d270653d00310e6e2217c57e6",
-      "created": "2019-08-20T20:19:55.211423266Z",
-      "docker_version": "18.06.1-ce",
-      "history": [
-        {
-          "created": "2019-08-20T20:19:55.062606894Z",
-          "created_by": "/bin/sh -c #(nop) ADD file:fe64057fbb83dccb960efabbf1cd8777920ef279a7fa8dbca0a8801c651bdf7c in / "
-        },
-        {
-          "created": "2019-08-20T20:19:55.211423266Z",
-          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
-          "empty_layer": true
-        }
-      ],
-      "os": "linux",
-      "rootfs": {
-        "type": "layers",
-        "diff_ids": [
-          "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        ]
-      },
-      "config": {
-        "Cmd": [
-          "/bin/sh"
-        ],
-        "Env": [
-          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-        ],
-        "Image": "sha256:06f4121dff4d0123ce11bd2e44f48da9ba9ddcd23ae376ea1f363f63ea0849b5",
-        "ArgsEscaped": true
-      }
-    }
-  },
-  "Results": [
-    {
-      "Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-      "Class": "os-pkgs",
-      "Type": "alpine",
-      "Vulnerabilities": [
-        {
-          "VulnerabilityID": "CVE-2019-1551",
-          "PkgName": "libcrypto1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r2",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-200"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-              "V3Score": 4.8
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-            "https://github.com/openssl/openssl/pull/10575",
-            "https://seclists.org/bugtraq/2019/Dec/39",
-            "https://seclists.org/bugtraq/2019/Dec/46",
-            "https://security.netapp.com/advisory/ntap-20191210-0001/",
-            "https://www.debian.org/security/2019/dsa-4594",
-            "https://www.openssl.org/news/secadv/20191206.txt",
-            "https://www.tenable.com/security/tns-2019-09"
-          ],
-          "PublishedDate": "2019-12-06T18:15:00Z",
-          "LastModifiedDate": "2019-12-25T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1547",
-          "PkgName": "libcrypto1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-          "Title": "openssl: side-channel weak encryption vulnerability",
-          "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "LOW",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 1.9
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-              "V3Score": 5.5
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://arxiv.org/abs/1909.01785",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T16:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1551",
-          "PkgName": "libssl1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r2",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-200"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-              "V3Score": 4.8
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-            "https://github.com/openssl/openssl/pull/10575",
-            "https://seclists.org/bugtraq/2019/Dec/39",
-            "https://seclists.org/bugtraq/2019/Dec/46",
-            "https://security.netapp.com/advisory/ntap-20191210-0001/",
-            "https://www.debian.org/security/2019/dsa-4594",
-            "https://www.openssl.org/news/secadv/20191206.txt",
-            "https://www.tenable.com/security/tns-2019-09"
-          ],
-          "PublishedDate": "2019-12-06T18:15:00Z",
-          "LastModifiedDate": "2019-12-25T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1547",
-          "PkgName": "libssl1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-          "Title": "openssl: side-channel weak encryption vulnerability",
-          "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "LOW",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 1.9
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-              "V3Score": 5.5
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://arxiv.org/abs/1909.01785",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T16:15:00Z"
-        }
-      ]
-    }
-  ]
-}

integration/testdata/alpine-310-ignore-unfixed.json.golden

@@ -1,375 +0,0 @@
-{
-  "SchemaVersion": 2,
-  "ArtifactName": "testdata/fixtures/images/alpine-310.tar.gz",
-  "ArtifactType": "container_image",
-  "Metadata": {
-    "OS": {
-      "Family": "alpine",
-      "Name": "3.10.2",
-      "EOSL": true
-    },
-    "ImageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4",
-    "DiffIDs": [
-      "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-    ],
-    "ImageConfig": {
-      "architecture": "amd64",
-      "container": "0a80155a31551fcc1a36fccbbda79fcd3f0b1c7d270653d00310e6e2217c57e6",
-      "created": "2019-08-20T20:19:55.211423266Z",
-      "docker_version": "18.06.1-ce",
-      "history": [
-        {
-          "created": "2019-08-20T20:19:55.062606894Z",
-          "created_by": "/bin/sh -c #(nop) ADD file:fe64057fbb83dccb960efabbf1cd8777920ef279a7fa8dbca0a8801c651bdf7c in / "
-        },
-        {
-          "created": "2019-08-20T20:19:55.211423266Z",
-          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
-          "empty_layer": true
-        }
-      ],
-      "os": "linux",
-      "rootfs": {
-        "type": "layers",
-        "diff_ids": [
-          "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        ]
-      },
-      "config": {
-        "Cmd": [
-          "/bin/sh"
-        ],
-        "Env": [
-          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-        ],
-        "Image": "sha256:06f4121dff4d0123ce11bd2e44f48da9ba9ddcd23ae376ea1f363f63ea0849b5",
-        "ArgsEscaped": true
-      }
-    }
-  },
-  "Results": [
-    {
-      "Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-      "Class": "os-pkgs",
-      "Type": "alpine",
-      "Vulnerabilities": [
-        {
-          "VulnerabilityID": "CVE-2019-1549",
-          "PkgName": "libcrypto1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
-          "Title": "openssl: information disclosure in fork()",
-          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-330"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-              "V3Score": 4.8
-            }
-          },
-          "References": [
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://support.f5.com/csp/article/K44070243",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-19T17:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1551",
-          "PkgName": "libcrypto1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r2",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-200"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-              "V3Score": 4.8
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-            "https://github.com/openssl/openssl/pull/10575",
-            "https://seclists.org/bugtraq/2019/Dec/39",
-            "https://seclists.org/bugtraq/2019/Dec/46",
-            "https://security.netapp.com/advisory/ntap-20191210-0001/",
-            "https://www.debian.org/security/2019/dsa-4594",
-            "https://www.openssl.org/news/secadv/20191206.txt",
-            "https://www.tenable.com/security/tns-2019-09"
-          ],
-          "PublishedDate": "2019-12-06T18:15:00Z",
-          "LastModifiedDate": "2019-12-25T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1563",
-          "PkgName": "libcrypto1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 4.3
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-              "V3Score": 3.7
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1547",
-          "PkgName": "libcrypto1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-          "Title": "openssl: side-channel weak encryption vulnerability",
-          "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "LOW",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 1.9
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-              "V3Score": 5.5
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://arxiv.org/abs/1909.01785",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T16:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1549",
-          "PkgName": "libssl1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
-          "Title": "openssl: information disclosure in fork()",
-          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-330"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-              "V3Score": 4.8
-            }
-          },
-          "References": [
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://support.f5.com/csp/article/K44070243",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-19T17:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1551",
-          "PkgName": "libssl1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r2",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-200"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-              "V3Score": 4.8
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-            "https://github.com/openssl/openssl/pull/10575",
-            "https://seclists.org/bugtraq/2019/Dec/39",
-            "https://seclists.org/bugtraq/2019/Dec/46",
-            "https://security.netapp.com/advisory/ntap-20191210-0001/",
-            "https://www.debian.org/security/2019/dsa-4594",
-            "https://www.openssl.org/news/secadv/20191206.txt",
-            "https://www.tenable.com/security/tns-2019-09"
-          ],
-          "PublishedDate": "2019-12-06T18:15:00Z",
-          "LastModifiedDate": "2019-12-25T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1563",
-          "PkgName": "libssl1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 4.3
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-              "V3Score": 3.7
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1547",
-          "PkgName": "libssl1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-          "Title": "openssl: side-channel weak encryption vulnerability",
-          "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "LOW",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 1.9
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-              "V3Score": 5.5
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://arxiv.org/abs/1909.01785",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T16:15:00Z"
-        }
-      ]
-    }
-  ]
-}

integration/testdata/alpine-310-medium-high.json.golden

@@ -1,295 +0,0 @@
-{
-  "SchemaVersion": 2,
-  "ArtifactName": "testdata/fixtures/images/alpine-310.tar.gz",
-  "ArtifactType": "container_image",
-  "Metadata": {
-    "OS": {
-      "Family": "alpine",
-      "Name": "3.10.2",
-      "EOSL": true
-    },
-    "ImageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4",
-    "DiffIDs": [
-      "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-    ],
-    "ImageConfig": {
-      "architecture": "amd64",
-      "container": "0a80155a31551fcc1a36fccbbda79fcd3f0b1c7d270653d00310e6e2217c57e6",
-      "created": "2019-08-20T20:19:55.211423266Z",
-      "docker_version": "18.06.1-ce",
-      "history": [
-        {
-          "created": "2019-08-20T20:19:55.062606894Z",
-          "created_by": "/bin/sh -c #(nop) ADD file:fe64057fbb83dccb960efabbf1cd8777920ef279a7fa8dbca0a8801c651bdf7c in / "
-        },
-        {
-          "created": "2019-08-20T20:19:55.211423266Z",
-          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
-          "empty_layer": true
-        }
-      ],
-      "os": "linux",
-      "rootfs": {
-        "type": "layers",
-        "diff_ids": [
-          "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        ]
-      },
-      "config": {
-        "Cmd": [
-          "/bin/sh"
-        ],
-        "Env": [
-          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-        ],
-        "Image": "sha256:06f4121dff4d0123ce11bd2e44f48da9ba9ddcd23ae376ea1f363f63ea0849b5",
-        "ArgsEscaped": true
-      }
-    }
-  },
-  "Results": [
-    {
-      "Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-      "Class": "os-pkgs",
-      "Type": "alpine",
-      "Vulnerabilities": [
-        {
-          "VulnerabilityID": "CVE-2019-1549",
-          "PkgName": "libcrypto1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
-          "Title": "openssl: information disclosure in fork()",
-          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-330"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-              "V3Score": 4.8
-            }
-          },
-          "References": [
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://support.f5.com/csp/article/K44070243",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-19T17:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1551",
-          "PkgName": "libcrypto1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r2",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-200"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-              "V3Score": 4.8
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-            "https://github.com/openssl/openssl/pull/10575",
-            "https://seclists.org/bugtraq/2019/Dec/39",
-            "https://seclists.org/bugtraq/2019/Dec/46",
-            "https://security.netapp.com/advisory/ntap-20191210-0001/",
-            "https://www.debian.org/security/2019/dsa-4594",
-            "https://www.openssl.org/news/secadv/20191206.txt",
-            "https://www.tenable.com/security/tns-2019-09"
-          ],
-          "PublishedDate": "2019-12-06T18:15:00Z",
-          "LastModifiedDate": "2019-12-25T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1563",
-          "PkgName": "libcrypto1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 4.3
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-              "V3Score": 3.7
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1549",
-          "PkgName": "libssl1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
-          "Title": "openssl: information disclosure in fork()",
-          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-330"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-              "V3Score": 4.8
-            }
-          },
-          "References": [
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://support.f5.com/csp/article/K44070243",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-19T17:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1551",
-          "PkgName": "libssl1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r2",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-200"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-              "V3Score": 4.8
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-            "https://github.com/openssl/openssl/pull/10575",
-            "https://seclists.org/bugtraq/2019/Dec/39",
-            "https://seclists.org/bugtraq/2019/Dec/46",
-            "https://security.netapp.com/advisory/ntap-20191210-0001/",
-            "https://www.debian.org/security/2019/dsa-4594",
-            "https://www.openssl.org/news/secadv/20191206.txt",
-            "https://www.tenable.com/security/tns-2019-09"
-          ],
-          "PublishedDate": "2019-12-06T18:15:00Z",
-          "LastModifiedDate": "2019-12-25T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1563",
-          "PkgName": "libssl1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 4.3
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-              "V3Score": 3.7
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T11:15:00Z"
-        }
-      ]
-    }
-  ]
-}

integration/testdata/alpine-310-registry.json.golden

@@ -1,6 +1,6 @@
 {
   "SchemaVersion": 2,
-  "ArtifactName": "testdata/fixtures/images/alpine-310.tar.gz",
+  "ArtifactName": "localhost:63577/alpine:3.10",
   "ArtifactType": "container_image",
   "Metadata": {
     "OS": {
@@ -12,6 +12,12 @@
     "DiffIDs": [
       "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
     ],
+    "RepoTags": [
+      "localhost:63577/alpine:3.10"
+    ],
+    "RepoDigests": [
+      "localhost:63577/alpine@sha256:d9b1a0d4fab413443a22e550cb8720de487295cebca3f9b2fcbf8882192a9bf9"
+    ],
     "ImageConfig": {
       "architecture": "amd64",
       "container": "0a80155a31551fcc1a36fccbbda79fcd3f0b1c7d270653d00310e6e2217c57e6",
@@ -49,7 +55,7 @@
   },
   "Results": [
     {
-      "Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
+      "Target": "localhost:63577/alpine:3.10 (alpine 3.10.2)",
       "Class": "os-pkgs",
       "Type": "alpine",
       "Vulnerabilities": [
@@ -59,11 +65,16 @@
           "InstalledVersion": "1.1.1c-r0",
           "FixedVersion": "1.1.1d-r0",
           "Layer": {
-            "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
+            "Digest": "sha256:3489774ebf88fb1f0b08e0abb45826a3cbd9d0eb6458d5fc54729197feddffb9",
             "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
           },
           "SeveritySource": "nvd",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
           "Title": "openssl: information disclosure in fork()",
           "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
           "Severity": "MEDIUM",
@@ -73,7 +84,9 @@
           "CVSS": {
             "nvd": {
               "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 5.3
             },
             "redhat": {
               "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
@@ -81,15 +94,29 @@
             }
           },
           "References": [
+            "https://access.redhat.com/security/cve/CVE-2019-1549",
             "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
             "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
+            "https://linux.oracle.com/cve/CVE-2019-1549.html",
+            "https://linux.oracle.com/errata/ELSA-2020-1840.html",
             "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/",
+            "https://seclists.org/bugtraq/2019/Oct/1",
             "https://security.netapp.com/advisory/ntap-20190919-0002/",
             "https://support.f5.com/csp/article/K44070243",
-            "https://www.openssl.org/news/secadv/20190910.txt"
+            "https://support.f5.com/csp/article/K44070243?utm_source=f5support\u0026amp;utm_medium=RSS",
+            "https://ubuntu.com/security/notices/USN-4376-1",
+            "https://usn.ubuntu.com/4376-1/",
+            "https://www.debian.org/security/2019/dsa-4539",
+            "https://www.openssl.org/news/secadv/20190910.txt",
+            "https://www.oracle.com/security-alerts/cpuapr2020.html",
+            "https://www.oracle.com/security-alerts/cpujan2020.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.oracle.com/security-alerts/cpuoct2020.html",
+            "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
           ],
           "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-19T17:15:00Z"
+          "LastModifiedDate": "2020-10-20T22:15:00Z"
         },
         {
           "VulnerabilityID": "CVE-2019-1551",
@@ -97,13 +124,18 @@
           "InstalledVersion": "1.1.1c-r0",
           "FixedVersion": "1.1.1d-r2",
           "Layer": {
-            "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
+            "Digest": "sha256:3489774ebf88fb1f0b08e0abb45826a3cbd9d0eb6458d5fc54729197feddffb9",
             "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
           },
           "SeveritySource": "nvd",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
           "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
           "Severity": "MEDIUM",
           "CweIDs": [
             "CWE-200"
@@ -111,109 +143,49 @@
           "CVSS": {
             "nvd": {
               "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 5.3
             },
             "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
               "V3Score": 4.8
             }
           },
           "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
             "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://access.redhat.com/security/cve/CVE-2019-1551",
             "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
             "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
             "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
             "https://github.com/openssl/openssl/pull/10575",
+            "https://linux.oracle.com/cve/CVE-2019-1551.html",
+            "https://linux.oracle.com/errata/ELSA-2020-4514.html",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/",
             "https://seclists.org/bugtraq/2019/Dec/39",
             "https://seclists.org/bugtraq/2019/Dec/46",
+            "https://security.gentoo.org/glsa/202004-10",
             "https://security.netapp.com/advisory/ntap-20191210-0001/",
+            "https://ubuntu.com/security/notices/USN-4376-1",
+            "https://ubuntu.com/security/notices/USN-4504-1",
+            "https://usn.ubuntu.com/4376-1/",
+            "https://usn.ubuntu.com/4504-1/",
             "https://www.debian.org/security/2019/dsa-4594",
+            "https://www.debian.org/security/2021/dsa-4855",
             "https://www.openssl.org/news/secadv/20191206.txt",
-            "https://www.tenable.com/security/tns-2019-09"
+            "https://www.oracle.com/security-alerts/cpuApr2021.html",
+            "https://www.oracle.com/security-alerts/cpujan2021.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.tenable.com/security/tns-2019-09",
+            "https://www.tenable.com/security/tns-2020-03",
+            "https://www.tenable.com/security/tns-2020-11",
+            "https://www.tenable.com/security/tns-2021-10"
           ],
           "PublishedDate": "2019-12-06T18:15:00Z",
-          "LastModifiedDate": "2019-12-25T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1563",
-          "PkgName": "libcrypto1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 4.3
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-              "V3Score": 3.7
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1547",
-          "PkgName": "libcrypto1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-          "Title": "openssl: side-channel weak encryption vulnerability",
-          "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "LOW",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 1.9
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-              "V3Score": 5.5
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://arxiv.org/abs/1909.01785",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T16:15:00Z"
+          "LastModifiedDate": "2021-07-21T11:39:00Z"
         },
         {
           "VulnerabilityID": "CVE-2019-1549",
@@ -221,11 +193,16 @@
           "InstalledVersion": "1.1.1c-r0",
           "FixedVersion": "1.1.1d-r0",
           "Layer": {
-            "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
+            "Digest": "sha256:3489774ebf88fb1f0b08e0abb45826a3cbd9d0eb6458d5fc54729197feddffb9",
             "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
           },
           "SeveritySource": "nvd",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
           "Title": "openssl: information disclosure in fork()",
           "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
           "Severity": "MEDIUM",
@@ -235,7 +212,9 @@
           "CVSS": {
             "nvd": {
               "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 5.3
             },
             "redhat": {
               "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
@@ -243,15 +222,29 @@
             }
           },
           "References": [
+            "https://access.redhat.com/security/cve/CVE-2019-1549",
             "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
             "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
+            "https://linux.oracle.com/cve/CVE-2019-1549.html",
+            "https://linux.oracle.com/errata/ELSA-2020-1840.html",
             "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/",
+            "https://seclists.org/bugtraq/2019/Oct/1",
             "https://security.netapp.com/advisory/ntap-20190919-0002/",
             "https://support.f5.com/csp/article/K44070243",
-            "https://www.openssl.org/news/secadv/20190910.txt"
+            "https://support.f5.com/csp/article/K44070243?utm_source=f5support\u0026amp;utm_medium=RSS",
+            "https://ubuntu.com/security/notices/USN-4376-1",
+            "https://usn.ubuntu.com/4376-1/",
+            "https://www.debian.org/security/2019/dsa-4539",
+            "https://www.openssl.org/news/secadv/20190910.txt",
+            "https://www.oracle.com/security-alerts/cpuapr2020.html",
+            "https://www.oracle.com/security-alerts/cpujan2020.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.oracle.com/security-alerts/cpuoct2020.html",
+            "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
           ],
           "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-19T17:15:00Z"
+          "LastModifiedDate": "2020-10-20T22:15:00Z"
         },
         {
           "VulnerabilityID": "CVE-2019-1551",
@@ -259,13 +252,18 @@
           "InstalledVersion": "1.1.1c-r0",
           "FixedVersion": "1.1.1d-r2",
           "Layer": {
-            "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
+            "Digest": "sha256:3489774ebf88fb1f0b08e0abb45826a3cbd9d0eb6458d5fc54729197feddffb9",
             "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
           },
           "SeveritySource": "nvd",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
           "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
           "Severity": "MEDIUM",
           "CweIDs": [
             "CWE-200"
@@ -273,109 +271,49 @@
           "CVSS": {
             "nvd": {
               "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 5.3
             },
             "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
               "V3Score": 4.8
             }
           },
           "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
             "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://access.redhat.com/security/cve/CVE-2019-1551",
             "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
             "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
             "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
             "https://github.com/openssl/openssl/pull/10575",
+            "https://linux.oracle.com/cve/CVE-2019-1551.html",
+            "https://linux.oracle.com/errata/ELSA-2020-4514.html",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/",
             "https://seclists.org/bugtraq/2019/Dec/39",
             "https://seclists.org/bugtraq/2019/Dec/46",
+            "https://security.gentoo.org/glsa/202004-10",
             "https://security.netapp.com/advisory/ntap-20191210-0001/",
+            "https://ubuntu.com/security/notices/USN-4376-1",
+            "https://ubuntu.com/security/notices/USN-4504-1",
+            "https://usn.ubuntu.com/4376-1/",
+            "https://usn.ubuntu.com/4504-1/",
             "https://www.debian.org/security/2019/dsa-4594",
+            "https://www.debian.org/security/2021/dsa-4855",
             "https://www.openssl.org/news/secadv/20191206.txt",
-            "https://www.tenable.com/security/tns-2019-09"
+            "https://www.oracle.com/security-alerts/cpuApr2021.html",
+            "https://www.oracle.com/security-alerts/cpujan2021.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.tenable.com/security/tns-2019-09",
+            "https://www.tenable.com/security/tns-2020-03",
+            "https://www.tenable.com/security/tns-2020-11",
+            "https://www.tenable.com/security/tns-2021-10"
           ],
           "PublishedDate": "2019-12-06T18:15:00Z",
-          "LastModifiedDate": "2019-12-25T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1563",
-          "PkgName": "libssl1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 4.3
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-              "V3Score": 3.7
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1547",
-          "PkgName": "libssl1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-          "Title": "openssl: side-channel weak encryption vulnerability",
-          "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "LOW",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 1.9
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-              "V3Score": 5.5
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://arxiv.org/abs/1909.01785",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T16:15:00Z"
+          "LastModifiedDate": "2021-07-21T11:39:00Z"
         }
       ]
     }

integration/testdata/alpine-310.asff.golden

@@ -34,8 +34,8 @@
                         "PkgName": "libcrypto1.1",
                         "Installed Package": "1.1.1c-r0",
                         "Patched Package": "1.1.1d-r0",
-                        "NvdCvssScoreV3": "0",
-                        "NvdCvssVectorV3": "",
+                        "NvdCvssScoreV3": "5.3",
+                        "NvdCvssVectorV3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                         "NvdCvssScoreV2": "5",
                         "NvdCvssVectorV2": "AV:N/AC:L/Au:N/C:P/I:N/A:N"
                     }
@@ -57,7 +57,7 @@
             "Label": "MEDIUM"
         },
         "Title": "Trivy found a vulnerability to CVE-2019-1551 in container testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
         "Remediation": {
             "Recommendation": {
                 "Text": "More information on this vulnerability is provided in the hyperlink",
@@ -79,8 +79,8 @@
                         "PkgName": "libcrypto1.1",
                         "Installed Package": "1.1.1c-r0",
                         "Patched Package": "1.1.1d-r2",
-                        "NvdCvssScoreV3": "0",
-                        "NvdCvssVectorV3": "",
+                        "NvdCvssScoreV3": "5.3",
+                        "NvdCvssVectorV3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                         "NvdCvssScoreV2": "5",
                         "NvdCvssVectorV2": "AV:N/AC:L/Au:N/C:P/I:N/A:N"
                     }
@@ -89,96 +89,6 @@
         ],
         "RecordState": "ACTIVE"
     },
-    {
-        "SchemaVersion": "2018-10-08",
-        "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1563",
-        "ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
-        "GeneratorId": "Trivy",
-        "AwsAccountId": "123456789012",
-        "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
-        "CreatedAt": "2020-08-10T07:28:17.000958601Z",
-        "UpdatedAt": "2020-08-10T07:28:17.000958601Z",
-        "Severity": {
-            "Label": "MEDIUM"
-        },
-        "Title": "Trivy found a vulnerability to CVE-2019-1563 in container testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Remediation": {
-            "Recommendation": {
-                "Text": "More information on this vulnerability is provided in the hyperlink",
-                "Url": "https://avd.aquasec.com/nvd/cve-2019-1563"
-            }
-        },
-        "ProductFields": { "Product Name": "Trivy" },
-        "Resources": [
-            {
-                "Type": "Container",
-                "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-                "Partition": "aws",
-                "Region": "test-region",
-                "Details": {
-                    "Container": { "ImageName": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)" },
-                    "Other": {
-                        "CVE ID": "CVE-2019-1563",
-                        "CVE Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-                        "PkgName": "libcrypto1.1",
-                        "Installed Package": "1.1.1c-r0",
-                        "Patched Package": "1.1.1d-r0",
-                        "NvdCvssScoreV3": "0",
-                        "NvdCvssVectorV3": "",
-                        "NvdCvssScoreV2": "4.3",
-                        "NvdCvssVectorV2": "AV:N/AC:M/Au:N/C:P/I:N/A:N"
-                    }
-                }
-            }
-        ],
-        "RecordState": "ACTIVE"
-    },
-    {
-        "SchemaVersion": "2018-10-08",
-        "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1547",
-        "ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
-        "GeneratorId": "Trivy",
-        "AwsAccountId": "123456789012",
-        "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
-        "CreatedAt": "2020-08-10T07:28:17.000958601Z",
-        "UpdatedAt": "2020-08-10T07:28:17.000958601Z",
-        "Severity": {
-            "Label": "LOW"
-        },
-        "Title": "Trivy found a vulnerability to CVE-2019-1547 in container testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Remediation": {
-            "Recommendation": {
-                "Text": "More information on this vulnerability is provided in the hyperlink",
-                "Url": "https://avd.aquasec.com/nvd/cve-2019-1547"
-            }
-        },
-        "ProductFields": { "Product Name": "Trivy" },
-        "Resources": [
-            {
-                "Type": "Container",
-                "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-                "Partition": "aws",
-                "Region": "test-region",
-                "Details": {
-                    "Container": { "ImageName": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)" },
-                    "Other": {
-                        "CVE ID": "CVE-2019-1547",
-                        "CVE Title": "openssl: side-channel weak encryption vulnerability",
-                        "PkgName": "libcrypto1.1",
-                        "Installed Package": "1.1.1c-r0",
-                        "Patched Package": "1.1.1d-r0",
-                        "NvdCvssScoreV3": "0",
-                        "NvdCvssVectorV3": "",
-                        "NvdCvssScoreV2": "1.9",
-                        "NvdCvssVectorV2": "AV:L/AC:M/Au:N/C:P/I:N/A:N"
-                    }
-                }
-            }
-        ],
-        "RecordState": "ACTIVE"
-    },
     {
         "SchemaVersion": "2018-10-08",
         "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1549",
@@ -214,8 +124,8 @@
                         "PkgName": "libssl1.1",
                         "Installed Package": "1.1.1c-r0",
                         "Patched Package": "1.1.1d-r0",
-                        "NvdCvssScoreV3": "0",
-                        "NvdCvssVectorV3": "",
+                        "NvdCvssScoreV3": "5.3",
+                        "NvdCvssVectorV3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                         "NvdCvssScoreV2": "5",
                         "NvdCvssVectorV2": "AV:N/AC:L/Au:N/C:P/I:N/A:N"
                     }
@@ -237,7 +147,7 @@
             "Label": "MEDIUM"
         },
         "Title": "Trivy found a vulnerability to CVE-2019-1551 in container testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
         "Remediation": {
             "Recommendation": {
                 "Text": "More information on this vulnerability is provided in the hyperlink",
@@ -259,8 +169,8 @@
                         "PkgName": "libssl1.1",
                         "Installed Package": "1.1.1c-r0",
                         "Patched Package": "1.1.1d-r2",
-                        "NvdCvssScoreV3": "0",
-                        "NvdCvssVectorV3": "",
+                        "NvdCvssScoreV3": "5.3",
+                        "NvdCvssVectorV3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                         "NvdCvssScoreV2": "5",
                         "NvdCvssVectorV2": "AV:N/AC:L/Au:N/C:P/I:N/A:N"
                     }
@@ -268,95 +178,5 @@
             }
         ],
         "RecordState": "ACTIVE"
-    },
-    {
-        "SchemaVersion": "2018-10-08",
-        "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1563",
-        "ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
-        "GeneratorId": "Trivy",
-        "AwsAccountId": "123456789012",
-        "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
-        "CreatedAt": "2020-08-10T07:28:17.000958601Z",
-        "UpdatedAt": "2020-08-10T07:28:17.000958601Z",
-        "Severity": {
-            "Label": "MEDIUM"
-        },
-        "Title": "Trivy found a vulnerability to CVE-2019-1563 in container testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Remediation": {
-            "Recommendation": {
-                "Text": "More information on this vulnerability is provided in the hyperlink",
-                "Url": "https://avd.aquasec.com/nvd/cve-2019-1563"
-            }
-        },
-        "ProductFields": { "Product Name": "Trivy" },
-        "Resources": [
-            {
-                "Type": "Container",
-                "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-                "Partition": "aws",
-                "Region": "test-region",
-                "Details": {
-                    "Container": { "ImageName": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)" },
-                    "Other": {
-                        "CVE ID": "CVE-2019-1563",
-                        "CVE Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-                        "PkgName": "libssl1.1",
-                        "Installed Package": "1.1.1c-r0",
-                        "Patched Package": "1.1.1d-r0",
-                        "NvdCvssScoreV3": "0",
-                        "NvdCvssVectorV3": "",
-                        "NvdCvssScoreV2": "4.3",
-                        "NvdCvssVectorV2": "AV:N/AC:M/Au:N/C:P/I:N/A:N"
-                    }
-                }
-            }
-        ],
-        "RecordState": "ACTIVE"
-    },
-    {
-        "SchemaVersion": "2018-10-08",
-        "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1547",
-        "ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
-        "GeneratorId": "Trivy",
-        "AwsAccountId": "123456789012",
-        "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
-        "CreatedAt": "2020-08-10T07:28:17.000958601Z",
-        "UpdatedAt": "2020-08-10T07:28:17.000958601Z",
-        "Severity": {
-            "Label": "LOW"
-        },
-        "Title": "Trivy found a vulnerability to CVE-2019-1547 in container testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Remediation": {
-            "Recommendation": {
-                "Text": "More information on this vulnerability is provided in the hyperlink",
-                "Url": "https://avd.aquasec.com/nvd/cve-2019-1547"
-            }
-        },
-        "ProductFields": { "Product Name": "Trivy" },
-        "Resources": [
-            {
-                "Type": "Container",
-                "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-                "Partition": "aws",
-                "Region": "test-region",
-                "Details": {
-                    "Container": { "ImageName": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)" },
-                    "Other": {
-                        "CVE ID": "CVE-2019-1547",
-                        "CVE Title": "openssl: side-channel weak encryption vulnerability",
-                        "PkgName": "libssl1.1",
-                        "Installed Package": "1.1.1c-r0",
-                        "Patched Package": "1.1.1d-r0",
-                        "NvdCvssScoreV3": "0",
-                        "NvdCvssVectorV3": "",
-                        "NvdCvssScoreV2": "1.9",
-                        "NvdCvssVectorV2": "AV:L/AC:M/Au:N/C:P/I:N/A:N"
-                    }
-                }
-            }
-        ],
-        "RecordState": "ACTIVE"
     }
 ]

integration/testdata/alpine-310.gitlab-codequality.golden

@@ -4,6 +4,7 @@
       "check_name": "container_scanning",
       "categories": [ "Security" ],
       "description": "CVE-2019-1549: openssl: information disclosure in fork()",
+      "fingerprint": "4fd5aebc601a7127e0a012b91569675cd8566e15",
       "content": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
       "severity": "minor",
       "location": {
@@ -18,7 +19,8 @@
       "check_name": "container_scanning",
       "categories": [ "Security" ],
       "description": "CVE-2019-1551: openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-      "content": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+      "fingerprint": "7a6f161c388588da3cca874c3aba98a296a1ebf4",
+      "content": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
       "severity": "minor",
       "location": {
         "path": "libcrypto1.1-1.1.1c-r0",
@@ -27,39 +29,12 @@
         }
       }
     },
-    {
-      "type": "issue",
-      "check_name": "container_scanning",
-      "categories": [ "Security" ],
-      "description": "CVE-2019-1563: openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-      "content": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-      "severity": "minor",
-      "location": {
-        "path": "libcrypto1.1-1.1.1c-r0",
-        "lines": {
-          "begin": 1
-        }
-      }
-    },
-    {
-      "type": "issue",
-      "check_name": "container_scanning",
-      "categories": [ "Security" ],
-      "description": "CVE-2019-1547: openssl: side-channel weak encryption vulnerability",
-      "content": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-      "severity": "info",
-      "location": {
-        "path": "libcrypto1.1-1.1.1c-r0",
-        "lines": {
-          "begin": 1
-        }
-      }
-    },
     {
       "type": "issue",
       "check_name": "container_scanning",
       "categories": [ "Security" ],
       "description": "CVE-2019-1549: openssl: information disclosure in fork()",
+      "fingerprint": "4fd5aebc601a7127e0a012b91569675cd8566e15",
       "content": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
       "severity": "minor",
       "location": {
@@ -74,7 +49,8 @@
       "check_name": "container_scanning",
       "categories": [ "Security" ],
       "description": "CVE-2019-1551: openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-      "content": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+      "fingerprint": "7a6f161c388588da3cca874c3aba98a296a1ebf4",
+      "content": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
       "severity": "minor",
       "location": {
         "path": "libssl1.1-1.1.1c-r0",
@@ -82,33 +58,5 @@
           "begin": 1
         }
       }
-    },
-    {
-      "type": "issue",
-      "check_name": "container_scanning",
-      "categories": [ "Security" ],
-      "description": "CVE-2019-1563: openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-      "content": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-      "severity": "minor",
-      "location": {
-        "path": "libssl1.1-1.1.1c-r0",
-        "lines": {
-          "begin": 1
-        }
-      }
-    },
-    {
-      "type": "issue",
-      "check_name": "container_scanning",
-      "categories": [ "Security" ],
-      "description": "CVE-2019-1547: openssl: side-channel weak encryption vulnerability",
-      "content": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-      "severity": "info",
-      "location": {
-        "path": "libssl1.1-1.1.1c-r0",
-        "lines": {
-          "begin": 1
-        }
-      }
     }
-]
+]

integration/testdata/alpine-310.gitlab.golden

@@ -33,17 +33,45 @@
         }
       ],
       "links": [{
+          "url": "https://access.redhat.com/security/cve/CVE-2019-1549"
+        },{
           "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549"
         },{
           "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be"
+        },{
+          "url": "https://linux.oracle.com/cve/CVE-2019-1549.html"
+        },{
+          "url": "https://linux.oracle.com/errata/ELSA-2020-1840.html"
         },{
           "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/"
+        },{
+          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/"
+        },{
+          "url": "https://seclists.org/bugtraq/2019/Oct/1"
         },{
           "url": "https://security.netapp.com/advisory/ntap-20190919-0002/"
         },{
           "url": "https://support.f5.com/csp/article/K44070243"
+        },{
+          "url": "https://support.f5.com/csp/article/K44070243?utm_source=f5support&utm_medium=RSS"
+        },{
+          "url": "https://ubuntu.com/security/notices/USN-4376-1"
+        },{
+          "url": "https://usn.ubuntu.com/4376-1/"
+        },{
+          "url": "https://www.debian.org/security/2019/dsa-4539"
         },{
           "url": "https://www.openssl.org/news/secadv/20190910.txt"
+        },{
+          "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
+        },{
+          "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
+        },{
+          "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
+        },{
+          "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
+        },{
+          "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
         }
       ]
     },
@@ -51,7 +79,7 @@
       "id": "CVE-2019-1551",
       "category": "container_scanning",
       "message": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-      "description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+      "description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
       "cve": "CVE-2019-1551",
       "severity": "Medium",
       "confidence": "Unknown",
@@ -79,7 +107,11 @@
         }
       ],
       "links": [{
+          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html"
+        },{
           "url": "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html"
+        },{
+          "url": "https://access.redhat.com/security/cve/CVE-2019-1551"
         },{
           "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551"
         },{
@@ -88,120 +120,52 @@
           "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98"
         },{
           "url": "https://github.com/openssl/openssl/pull/10575"
+        },{
+          "url": "https://linux.oracle.com/cve/CVE-2019-1551.html"
+        },{
+          "url": "https://linux.oracle.com/errata/ELSA-2020-4514.html"
+        },{
+          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/"
+        },{
+          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/"
+        },{
+          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/"
         },{
           "url": "https://seclists.org/bugtraq/2019/Dec/39"
         },{
           "url": "https://seclists.org/bugtraq/2019/Dec/46"
+        },{
+          "url": "https://security.gentoo.org/glsa/202004-10"
         },{
           "url": "https://security.netapp.com/advisory/ntap-20191210-0001/"
+        },{
+          "url": "https://ubuntu.com/security/notices/USN-4376-1"
+        },{
+          "url": "https://ubuntu.com/security/notices/USN-4504-1"
+        },{
+          "url": "https://usn.ubuntu.com/4376-1/"
+        },{
+          "url": "https://usn.ubuntu.com/4504-1/"
         },{
           "url": "https://www.debian.org/security/2019/dsa-4594"
+        },{
+          "url": "https://www.debian.org/security/2021/dsa-4855"
         },{
           "url": "https://www.openssl.org/news/secadv/20191206.txt"
+        },{
+          "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
+        },{
+          "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
+        },{
+          "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
         },{
           "url": "https://www.tenable.com/security/tns-2019-09"
-        }
-      ]
-    },
-    {
-      "id": "CVE-2019-1563",
-      "category": "container_scanning",
-      "message": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-      "description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-      "cve": "CVE-2019-1563",
-      "severity": "Medium",
-      "confidence": "Unknown",
-      "solution": "Upgrade libcrypto1.1 to 1.1.1d-r0",
-      "scanner": {
-        "id": "trivy",
-        "name": "trivy"
-      },
-      "location": {
-        "dependency": {
-          "package": {
-            "name": "libcrypto1.1"
-          },
-          "version": "1.1.1c-r0"
-        },
-        "operating_system": "Unknown",
-        "image": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)"
-      },
-      "identifiers": [
-        {
-          "type": "cve",
-          "name": "CVE-2019-1563",
-          "value": "CVE-2019-1563",
-          "url": "https://avd.aquasec.com/nvd/cve-2019-1563"
-        }
-      ],
-      "links": [{
-          "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html"
         },{
-          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563"
+          "url": "https://www.tenable.com/security/tns-2020-03"
         },{
-          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64"
+          "url": "https://www.tenable.com/security/tns-2020-11"
         },{
-          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97"
-        },{
-          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f"
-        },{
-          "url": "https://seclists.org/bugtraq/2019/Sep/25"
-        },{
-          "url": "https://security.netapp.com/advisory/ntap-20190919-0002/"
-        },{
-          "url": "https://www.openssl.org/news/secadv/20190910.txt"
-        }
-      ]
-    },
-    {
-      "id": "CVE-2019-1547",
-      "category": "container_scanning",
-      "message": "openssl: side-channel weak encryption vulnerability",
-      "description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-      "cve": "CVE-2019-1547",
-      "severity": "Low",
-      "confidence": "Unknown",
-      "solution": "Upgrade libcrypto1.1 to 1.1.1d-r0",
-      "scanner": {
-        "id": "trivy",
-        "name": "trivy"
-      },
-      "location": {
-        "dependency": {
-          "package": {
-            "name": "libcrypto1.1"
-          },
-          "version": "1.1.1c-r0"
-        },
-        "operating_system": "Unknown",
-        "image": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)"
-      },
-      "identifiers": [
-        {
-          "type": "cve",
-          "name": "CVE-2019-1547",
-          "value": "CVE-2019-1547",
-          "url": "https://avd.aquasec.com/nvd/cve-2019-1547"
-        }
-      ],
-      "links": [{
-          "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html"
-        },{
-          "url": "https://arxiv.org/abs/1909.01785"
-        },{
-          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547"
-        },{
-          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46"
-        },{
-          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8"
-        },{
-          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a"
-        },{
-          "url": "https://seclists.org/bugtraq/2019/Sep/25"
-        },{
-          "url": "https://security.netapp.com/advisory/ntap-20190919-0002/"
-        },{
-          "url": "https://www.openssl.org/news/secadv/20190910.txt"
+          "url": "https://www.tenable.com/security/tns-2021-10"
         }
       ]
     },
@@ -237,17 +201,45 @@
         }
       ],
       "links": [{
+          "url": "https://access.redhat.com/security/cve/CVE-2019-1549"
+        },{
           "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549"
         },{
           "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be"
+        },{
+          "url": "https://linux.oracle.com/cve/CVE-2019-1549.html"
+        },{
+          "url": "https://linux.oracle.com/errata/ELSA-2020-1840.html"
         },{
           "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/"
+        },{
+          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/"
+        },{
+          "url": "https://seclists.org/bugtraq/2019/Oct/1"
         },{
           "url": "https://security.netapp.com/advisory/ntap-20190919-0002/"
         },{
           "url": "https://support.f5.com/csp/article/K44070243"
+        },{
+          "url": "https://support.f5.com/csp/article/K44070243?utm_source=f5support&utm_medium=RSS"
+        },{
+          "url": "https://ubuntu.com/security/notices/USN-4376-1"
+        },{
+          "url": "https://usn.ubuntu.com/4376-1/"
+        },{
+          "url": "https://www.debian.org/security/2019/dsa-4539"
         },{
           "url": "https://www.openssl.org/news/secadv/20190910.txt"
+        },{
+          "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
+        },{
+          "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
+        },{
+          "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
+        },{
+          "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
+        },{
+          "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
         }
       ]
     },
@@ -255,7 +247,7 @@
       "id": "CVE-2019-1551",
       "category": "container_scanning",
       "message": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-      "description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+      "description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
       "cve": "CVE-2019-1551",
       "severity": "Medium",
       "confidence": "Unknown",
@@ -283,7 +275,11 @@
         }
       ],
       "links": [{
+          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html"
+        },{
           "url": "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html"
+        },{
+          "url": "https://access.redhat.com/security/cve/CVE-2019-1551"
         },{
           "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551"
         },{
@@ -292,120 +288,52 @@
           "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98"
         },{
           "url": "https://github.com/openssl/openssl/pull/10575"
+        },{
+          "url": "https://linux.oracle.com/cve/CVE-2019-1551.html"
+        },{
+          "url": "https://linux.oracle.com/errata/ELSA-2020-4514.html"
+        },{
+          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/"
+        },{
+          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/"
+        },{
+          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/"
         },{
           "url": "https://seclists.org/bugtraq/2019/Dec/39"
         },{
           "url": "https://seclists.org/bugtraq/2019/Dec/46"
+        },{
+          "url": "https://security.gentoo.org/glsa/202004-10"
         },{
           "url": "https://security.netapp.com/advisory/ntap-20191210-0001/"
+        },{
+          "url": "https://ubuntu.com/security/notices/USN-4376-1"
+        },{
+          "url": "https://ubuntu.com/security/notices/USN-4504-1"
+        },{
+          "url": "https://usn.ubuntu.com/4376-1/"
+        },{
+          "url": "https://usn.ubuntu.com/4504-1/"
         },{
           "url": "https://www.debian.org/security/2019/dsa-4594"
+        },{
+          "url": "https://www.debian.org/security/2021/dsa-4855"
         },{
           "url": "https://www.openssl.org/news/secadv/20191206.txt"
+        },{
+          "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
+        },{
+          "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
+        },{
+          "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
         },{
           "url": "https://www.tenable.com/security/tns-2019-09"
-        }
-      ]
-    },
-    {
-      "id": "CVE-2019-1563",
-      "category": "container_scanning",
-      "message": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-      "description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-      "cve": "CVE-2019-1563",
-      "severity": "Medium",
-      "confidence": "Unknown",
-      "solution": "Upgrade libssl1.1 to 1.1.1d-r0",
-      "scanner": {
-        "id": "trivy",
-        "name": "trivy"
-      },
-      "location": {
-        "dependency": {
-          "package": {
-            "name": "libssl1.1"
-          },
-          "version": "1.1.1c-r0"
-        },
-        "operating_system": "Unknown",
-        "image": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)"
-      },
-      "identifiers": [
-        {
-          "type": "cve",
-          "name": "CVE-2019-1563",
-          "value": "CVE-2019-1563",
-          "url": "https://avd.aquasec.com/nvd/cve-2019-1563"
-        }
-      ],
-      "links": [{
-          "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html"
         },{
-          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563"
+          "url": "https://www.tenable.com/security/tns-2020-03"
         },{
-          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64"
+          "url": "https://www.tenable.com/security/tns-2020-11"
         },{
-          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97"
-        },{
-          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f"
-        },{
-          "url": "https://seclists.org/bugtraq/2019/Sep/25"
-        },{
-          "url": "https://security.netapp.com/advisory/ntap-20190919-0002/"
-        },{
-          "url": "https://www.openssl.org/news/secadv/20190910.txt"
-        }
-      ]
-    },
-    {
-      "id": "CVE-2019-1547",
-      "category": "container_scanning",
-      "message": "openssl: side-channel weak encryption vulnerability",
-      "description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-      "cve": "CVE-2019-1547",
-      "severity": "Low",
-      "confidence": "Unknown",
-      "solution": "Upgrade libssl1.1 to 1.1.1d-r0",
-      "scanner": {
-        "id": "trivy",
-        "name": "trivy"
-      },
-      "location": {
-        "dependency": {
-          "package": {
-            "name": "libssl1.1"
-          },
-          "version": "1.1.1c-r0"
-        },
-        "operating_system": "Unknown",
-        "image": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)"
-      },
-      "identifiers": [
-        {
-          "type": "cve",
-          "name": "CVE-2019-1547",
-          "value": "CVE-2019-1547",
-          "url": "https://avd.aquasec.com/nvd/cve-2019-1547"
-        }
-      ],
-      "links": [{
-          "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html"
-        },{
-          "url": "https://arxiv.org/abs/1909.01785"
-        },{
-          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547"
-        },{
-          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46"
-        },{
-          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8"
-        },{
-          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a"
-        },{
-          "url": "https://seclists.org/bugtraq/2019/Sep/25"
-        },{
-          "url": "https://security.netapp.com/advisory/ntap-20190919-0002/"
-        },{
-          "url": "https://www.openssl.org/news/secadv/20190910.txt"
+          "url": "https://www.tenable.com/security/tns-2021-10"
         }
       ]
     }

integration/testdata/alpine-310.html.golden

@@ -51,7 +51,7 @@
       }
       a.toggle-more-links { cursor: pointer; }
     </style>
-    <title>testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2) - Trivy Report - 2020-08-10T07:28:17.000958601Z</title>
+    <title>testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2) - Trivy Report - 2020-08-10 07:28:17.000958601 +0000 UTC </title>
     <script>
       window.onload = function() {
         document.querySelectorAll('td.links').forEach(function(linkCell) {
@@ -81,7 +81,7 @@
     </script>
   </head>
   <body>
-    <h1>testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2) - Trivy Report - 2020-08-10T07:28:17.000958601Z</h1>
+    <h1>testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2) - Trivy Report - 2020-08-10 07:28:17.000958601 +0000 UTC</h1>
     <table>
       <tr class="group-header"><th colspan="6">alpine</th></tr>
       <tr class="sub-header">
@@ -99,12 +99,26 @@
         <td class="pkg-version">1.1.1c-r0</td>
         <td>1.1.1d-r0</td>
         <td class="links" data-more-links="off">
+          <a href="https://access.redhat.com/security/cve/CVE-2019-1549">https://access.redhat.com/security/cve/CVE-2019-1549</a>
           <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549</a>
           <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be</a>
+          <a href="https://linux.oracle.com/cve/CVE-2019-1549.html">https://linux.oracle.com/cve/CVE-2019-1549.html</a>
+          <a href="https://linux.oracle.com/errata/ELSA-2020-1840.html">https://linux.oracle.com/errata/ELSA-2020-1840.html</a>
           <a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/</a>
+          <a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/</a>
+          <a href="https://seclists.org/bugtraq/2019/Oct/1">https://seclists.org/bugtraq/2019/Oct/1</a>
           <a href="https://security.netapp.com/advisory/ntap-20190919-0002/">https://security.netapp.com/advisory/ntap-20190919-0002/</a>
           <a href="https://support.f5.com/csp/article/K44070243">https://support.f5.com/csp/article/K44070243</a>
+          <a href="https://support.f5.com/csp/article/K44070243?utm_source=f5support&amp;amp;utm_medium=RSS">https://support.f5.com/csp/article/K44070243?utm_source=f5support&amp;amp;utm_medium=RSS</a>
+          <a href="https://ubuntu.com/security/notices/USN-4376-1">https://ubuntu.com/security/notices/USN-4376-1</a>
+          <a href="https://usn.ubuntu.com/4376-1/">https://usn.ubuntu.com/4376-1/</a>
+          <a href="https://www.debian.org/security/2019/dsa-4539">https://www.debian.org/security/2019/dsa-4539</a>
           <a href="https://www.openssl.org/news/secadv/20190910.txt">https://www.openssl.org/news/secadv/20190910.txt</a>
+          <a href="https://www.oracle.com/security-alerts/cpuapr2020.html">https://www.oracle.com/security-alerts/cpuapr2020.html</a>
+          <a href="https://www.oracle.com/security-alerts/cpujan2020.html">https://www.oracle.com/security-alerts/cpujan2020.html</a>
+          <a href="https://www.oracle.com/security-alerts/cpujul2020.html">https://www.oracle.com/security-alerts/cpujul2020.html</a>
+          <a href="https://www.oracle.com/security-alerts/cpuoct2020.html">https://www.oracle.com/security-alerts/cpuoct2020.html</a>
+          <a href="https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html">https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html</a>
         </td>
       </tr>
       <tr class="severity-MEDIUM">
@@ -114,52 +128,36 @@
         <td class="pkg-version">1.1.1c-r0</td>
         <td>1.1.1d-r2</td>
         <td class="links" data-more-links="off">
+          <a href="http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html">http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html</a>
           <a href="http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html">http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html</a>
+          <a href="https://access.redhat.com/security/cve/CVE-2019-1551">https://access.redhat.com/security/cve/CVE-2019-1551</a>
           <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551</a>
           <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f</a>
           <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98</a>
           <a href="https://github.com/openssl/openssl/pull/10575">https://github.com/openssl/openssl/pull/10575</a>
+          <a href="https://linux.oracle.com/cve/CVE-2019-1551.html">https://linux.oracle.com/cve/CVE-2019-1551.html</a>
+          <a href="https://linux.oracle.com/errata/ELSA-2020-4514.html">https://linux.oracle.com/errata/ELSA-2020-4514.html</a>
+          <a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/</a>
+          <a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/</a>
+          <a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/</a>
           <a href="https://seclists.org/bugtraq/2019/Dec/39">https://seclists.org/bugtraq/2019/Dec/39</a>
           <a href="https://seclists.org/bugtraq/2019/Dec/46">https://seclists.org/bugtraq/2019/Dec/46</a>
+          <a href="https://security.gentoo.org/glsa/202004-10">https://security.gentoo.org/glsa/202004-10</a>
           <a href="https://security.netapp.com/advisory/ntap-20191210-0001/">https://security.netapp.com/advisory/ntap-20191210-0001/</a>
+          <a href="https://ubuntu.com/security/notices/USN-4376-1">https://ubuntu.com/security/notices/USN-4376-1</a>
+          <a href="https://ubuntu.com/security/notices/USN-4504-1">https://ubuntu.com/security/notices/USN-4504-1</a>
+          <a href="https://usn.ubuntu.com/4376-1/">https://usn.ubuntu.com/4376-1/</a>
+          <a href="https://usn.ubuntu.com/4504-1/">https://usn.ubuntu.com/4504-1/</a>
           <a href="https://www.debian.org/security/2019/dsa-4594">https://www.debian.org/security/2019/dsa-4594</a>
+          <a href="https://www.debian.org/security/2021/dsa-4855">https://www.debian.org/security/2021/dsa-4855</a>
           <a href="https://www.openssl.org/news/secadv/20191206.txt">https://www.openssl.org/news/secadv/20191206.txt</a>
+          <a href="https://www.oracle.com/security-alerts/cpuApr2021.html">https://www.oracle.com/security-alerts/cpuApr2021.html</a>
+          <a href="https://www.oracle.com/security-alerts/cpujan2021.html">https://www.oracle.com/security-alerts/cpujan2021.html</a>
+          <a href="https://www.oracle.com/security-alerts/cpujul2020.html">https://www.oracle.com/security-alerts/cpujul2020.html</a>
           <a href="https://www.tenable.com/security/tns-2019-09">https://www.tenable.com/security/tns-2019-09</a>
-        </td>
-      </tr>
-      <tr class="severity-MEDIUM">
-        <td class="pkg-name">libcrypto1.1</td>
-        <td>CVE-2019-1563</td>
-        <td class="severity">MEDIUM</td>
-        <td class="pkg-version">1.1.1c-r0</td>
-        <td>1.1.1d-r0</td>
-        <td class="links" data-more-links="off">
-          <a href="http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html">http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html</a>
-          <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563</a>
-          <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64</a>
-          <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97</a>
-          <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f</a>
-          <a href="https://seclists.org/bugtraq/2019/Sep/25">https://seclists.org/bugtraq/2019/Sep/25</a>
-          <a href="https://security.netapp.com/advisory/ntap-20190919-0002/">https://security.netapp.com/advisory/ntap-20190919-0002/</a>
-          <a href="https://www.openssl.org/news/secadv/20190910.txt">https://www.openssl.org/news/secadv/20190910.txt</a>
-        </td>
-      </tr>
-      <tr class="severity-LOW">
-        <td class="pkg-name">libcrypto1.1</td>
-        <td>CVE-2019-1547</td>
-        <td class="severity">LOW</td>
-        <td class="pkg-version">1.1.1c-r0</td>
-        <td>1.1.1d-r0</td>
-        <td class="links" data-more-links="off">
-          <a href="http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html">http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html</a>
-          <a href="https://arxiv.org/abs/1909.01785">https://arxiv.org/abs/1909.01785</a>
-          <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547</a>
-          <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46</a>
-          <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8</a>
-          <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a</a>
-          <a href="https://seclists.org/bugtraq/2019/Sep/25">https://seclists.org/bugtraq/2019/Sep/25</a>
-          <a href="https://security.netapp.com/advisory/ntap-20190919-0002/">https://security.netapp.com/advisory/ntap-20190919-0002/</a>
-          <a href="https://www.openssl.org/news/secadv/20190910.txt">https://www.openssl.org/news/secadv/20190910.txt</a>
+          <a href="https://www.tenable.com/security/tns-2020-03">https://www.tenable.com/security/tns-2020-03</a>
+          <a href="https://www.tenable.com/security/tns-2020-11">https://www.tenable.com/security/tns-2020-11</a>
+          <a href="https://www.tenable.com/security/tns-2021-10">https://www.tenable.com/security/tns-2021-10</a>
         </td>
       </tr>
       <tr class="severity-MEDIUM">
@@ -169,12 +167,26 @@
         <td class="pkg-version">1.1.1c-r0</td>
         <td>1.1.1d-r0</td>
         <td class="links" data-more-links="off">
+          <a href="https://access.redhat.com/security/cve/CVE-2019-1549">https://access.redhat.com/security/cve/CVE-2019-1549</a>
           <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549</a>
           <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be</a>
+          <a href="https://linux.oracle.com/cve/CVE-2019-1549.html">https://linux.oracle.com/cve/CVE-2019-1549.html</a>
+          <a href="https://linux.oracle.com/errata/ELSA-2020-1840.html">https://linux.oracle.com/errata/ELSA-2020-1840.html</a>
           <a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/</a>
+          <a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/</a>
+          <a href="https://seclists.org/bugtraq/2019/Oct/1">https://seclists.org/bugtraq/2019/Oct/1</a>
           <a href="https://security.netapp.com/advisory/ntap-20190919-0002/">https://security.netapp.com/advisory/ntap-20190919-0002/</a>
           <a href="https://support.f5.com/csp/article/K44070243">https://support.f5.com/csp/article/K44070243</a>
+          <a href="https://support.f5.com/csp/article/K44070243?utm_source=f5support&amp;amp;utm_medium=RSS">https://support.f5.com/csp/article/K44070243?utm_source=f5support&amp;amp;utm_medium=RSS</a>
+          <a href="https://ubuntu.com/security/notices/USN-4376-1">https://ubuntu.com/security/notices/USN-4376-1</a>
+          <a href="https://usn.ubuntu.com/4376-1/">https://usn.ubuntu.com/4376-1/</a>
+          <a href="https://www.debian.org/security/2019/dsa-4539">https://www.debian.org/security/2019/dsa-4539</a>
           <a href="https://www.openssl.org/news/secadv/20190910.txt">https://www.openssl.org/news/secadv/20190910.txt</a>
+          <a href="https://www.oracle.com/security-alerts/cpuapr2020.html">https://www.oracle.com/security-alerts/cpuapr2020.html</a>
+          <a href="https://www.oracle.com/security-alerts/cpujan2020.html">https://www.oracle.com/security-alerts/cpujan2020.html</a>
+          <a href="https://www.oracle.com/security-alerts/cpujul2020.html">https://www.oracle.com/security-alerts/cpujul2020.html</a>
+          <a href="https://www.oracle.com/security-alerts/cpuoct2020.html">https://www.oracle.com/security-alerts/cpuoct2020.html</a>
+          <a href="https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html">https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html</a>
         </td>
       </tr>
       <tr class="severity-MEDIUM">
@@ -184,54 +196,39 @@
         <td class="pkg-version">1.1.1c-r0</td>
         <td>1.1.1d-r2</td>
         <td class="links" data-more-links="off">
+          <a href="http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html">http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html</a>
           <a href="http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html">http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html</a>
+          <a href="https://access.redhat.com/security/cve/CVE-2019-1551">https://access.redhat.com/security/cve/CVE-2019-1551</a>
           <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551</a>
           <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f</a>
           <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98</a>
           <a href="https://github.com/openssl/openssl/pull/10575">https://github.com/openssl/openssl/pull/10575</a>
+          <a href="https://linux.oracle.com/cve/CVE-2019-1551.html">https://linux.oracle.com/cve/CVE-2019-1551.html</a>
+          <a href="https://linux.oracle.com/errata/ELSA-2020-4514.html">https://linux.oracle.com/errata/ELSA-2020-4514.html</a>
+          <a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/</a>
+          <a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/</a>
+          <a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/</a>
           <a href="https://seclists.org/bugtraq/2019/Dec/39">https://seclists.org/bugtraq/2019/Dec/39</a>
           <a href="https://seclists.org/bugtraq/2019/Dec/46">https://seclists.org/bugtraq/2019/Dec/46</a>
+          <a href="https://security.gentoo.org/glsa/202004-10">https://security.gentoo.org/glsa/202004-10</a>
           <a href="https://security.netapp.com/advisory/ntap-20191210-0001/">https://security.netapp.com/advisory/ntap-20191210-0001/</a>
+          <a href="https://ubuntu.com/security/notices/USN-4376-1">https://ubuntu.com/security/notices/USN-4376-1</a>
+          <a href="https://ubuntu.com/security/notices/USN-4504-1">https://ubuntu.com/security/notices/USN-4504-1</a>
+          <a href="https://usn.ubuntu.com/4376-1/">https://usn.ubuntu.com/4376-1/</a>
+          <a href="https://usn.ubuntu.com/4504-1/">https://usn.ubuntu.com/4504-1/</a>
           <a href="https://www.debian.org/security/2019/dsa-4594">https://www.debian.org/security/2019/dsa-4594</a>
+          <a href="https://www.debian.org/security/2021/dsa-4855">https://www.debian.org/security/2021/dsa-4855</a>
           <a href="https://www.openssl.org/news/secadv/20191206.txt">https://www.openssl.org/news/secadv/20191206.txt</a>
+          <a href="https://www.oracle.com/security-alerts/cpuApr2021.html">https://www.oracle.com/security-alerts/cpuApr2021.html</a>
+          <a href="https://www.oracle.com/security-alerts/cpujan2021.html">https://www.oracle.com/security-alerts/cpujan2021.html</a>
+          <a href="https://www.oracle.com/security-alerts/cpujul2020.html">https://www.oracle.com/security-alerts/cpujul2020.html</a>
           <a href="https://www.tenable.com/security/tns-2019-09">https://www.tenable.com/security/tns-2019-09</a>
+          <a href="https://www.tenable.com/security/tns-2020-03">https://www.tenable.com/security/tns-2020-03</a>
+          <a href="https://www.tenable.com/security/tns-2020-11">https://www.tenable.com/security/tns-2020-11</a>
+          <a href="https://www.tenable.com/security/tns-2021-10">https://www.tenable.com/security/tns-2021-10</a>
         </td>
       </tr>
-      <tr class="severity-MEDIUM">
-        <td class="pkg-name">libssl1.1</td>
-        <td>CVE-2019-1563</td>
-        <td class="severity">MEDIUM</td>
-        <td class="pkg-version">1.1.1c-r0</td>
-        <td>1.1.1d-r0</td>
-        <td class="links" data-more-links="off">
-          <a href="http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html">http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html</a>
-          <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563</a>
-          <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64</a>
-          <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97</a>
-          <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f</a>
-          <a href="https://seclists.org/bugtraq/2019/Sep/25">https://seclists.org/bugtraq/2019/Sep/25</a>
-          <a href="https://security.netapp.com/advisory/ntap-20190919-0002/">https://security.netapp.com/advisory/ntap-20190919-0002/</a>
-          <a href="https://www.openssl.org/news/secadv/20190910.txt">https://www.openssl.org/news/secadv/20190910.txt</a>
-        </td>
-      </tr>
-      <tr class="severity-LOW">
-        <td class="pkg-name">libssl1.1</td>
-        <td>CVE-2019-1547</td>
-        <td class="severity">LOW</td>
-        <td class="pkg-version">1.1.1c-r0</td>
-        <td>1.1.1d-r0</td>
-        <td class="links" data-more-links="off">
-          <a href="http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html">http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html</a>
-          <a href="https://arxiv.org/abs/1909.01785">https://arxiv.org/abs/1909.01785</a>
-          <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547</a>
-          <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46</a>
-          <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8</a>
-          <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a</a>
-          <a href="https://seclists.org/bugtraq/2019/Sep/25">https://seclists.org/bugtraq/2019/Sep/25</a>
-          <a href="https://security.netapp.com/advisory/ntap-20190919-0002/">https://security.netapp.com/advisory/ntap-20190919-0002/</a>
-          <a href="https://www.openssl.org/news/secadv/20190910.txt">https://www.openssl.org/news/secadv/20190910.txt</a>
-        </td>
-      </tr>
+      <tr><th colspan="6">No Misconfigurations found</th></tr>
     </table>
   </body>
 </html>

integration/testdata/alpine-310.json.golden

@@ -63,6 +63,11 @@
           },
           "SeveritySource": "nvd",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
           "Title": "openssl: information disclosure in fork()",
           "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
           "Severity": "MEDIUM",
@@ -72,7 +77,9 @@
           "CVSS": {
             "nvd": {
               "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 5.3
             },
             "redhat": {
               "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
@@ -80,15 +87,29 @@
             }
           },
           "References": [
+            "https://access.redhat.com/security/cve/CVE-2019-1549",
             "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
             "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
+            "https://linux.oracle.com/cve/CVE-2019-1549.html",
+            "https://linux.oracle.com/errata/ELSA-2020-1840.html",
             "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/",
+            "https://seclists.org/bugtraq/2019/Oct/1",
             "https://security.netapp.com/advisory/ntap-20190919-0002/",
             "https://support.f5.com/csp/article/K44070243",
-            "https://www.openssl.org/news/secadv/20190910.txt"
+            "https://support.f5.com/csp/article/K44070243?utm_source=f5support\u0026amp;utm_medium=RSS",
+            "https://ubuntu.com/security/notices/USN-4376-1",
+            "https://usn.ubuntu.com/4376-1/",
+            "https://www.debian.org/security/2019/dsa-4539",
+            "https://www.openssl.org/news/secadv/20190910.txt",
+            "https://www.oracle.com/security-alerts/cpuapr2020.html",
+            "https://www.oracle.com/security-alerts/cpujan2020.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.oracle.com/security-alerts/cpuoct2020.html",
+            "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
           ],
           "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-19T17:15:00Z"
+          "LastModifiedDate": "2020-10-20T22:15:00Z"
         },
         {
           "VulnerabilityID": "CVE-2019-1551",
@@ -100,8 +121,13 @@
           },
           "SeveritySource": "nvd",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
           "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
           "Severity": "MEDIUM",
           "CweIDs": [
             "CWE-200"
@@ -109,107 +135,49 @@
           "CVSS": {
             "nvd": {
               "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 5.3
             },
             "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
               "V3Score": 4.8
             }
           },
           "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
             "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://access.redhat.com/security/cve/CVE-2019-1551",
             "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
             "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
             "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
             "https://github.com/openssl/openssl/pull/10575",
+            "https://linux.oracle.com/cve/CVE-2019-1551.html",
+            "https://linux.oracle.com/errata/ELSA-2020-4514.html",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/",
             "https://seclists.org/bugtraq/2019/Dec/39",
             "https://seclists.org/bugtraq/2019/Dec/46",
+            "https://security.gentoo.org/glsa/202004-10",
             "https://security.netapp.com/advisory/ntap-20191210-0001/",
+            "https://ubuntu.com/security/notices/USN-4376-1",
+            "https://ubuntu.com/security/notices/USN-4504-1",
+            "https://usn.ubuntu.com/4376-1/",
+            "https://usn.ubuntu.com/4504-1/",
             "https://www.debian.org/security/2019/dsa-4594",
+            "https://www.debian.org/security/2021/dsa-4855",
             "https://www.openssl.org/news/secadv/20191206.txt",
-            "https://www.tenable.com/security/tns-2019-09"
+            "https://www.oracle.com/security-alerts/cpuApr2021.html",
+            "https://www.oracle.com/security-alerts/cpujan2021.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.tenable.com/security/tns-2019-09",
+            "https://www.tenable.com/security/tns-2020-03",
+            "https://www.tenable.com/security/tns-2020-11",
+            "https://www.tenable.com/security/tns-2021-10"
           ],
           "PublishedDate": "2019-12-06T18:15:00Z",
-          "LastModifiedDate": "2019-12-25T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1563",
-          "PkgName": "libcrypto1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 4.3
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-              "V3Score": 3.7
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1547",
-          "PkgName": "libcrypto1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-          "Title": "openssl: side-channel weak encryption vulnerability",
-          "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "LOW",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 1.9
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-              "V3Score": 5.5
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://arxiv.org/abs/1909.01785",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T16:15:00Z"
+          "LastModifiedDate": "2021-07-21T11:39:00Z"
         },
         {
           "VulnerabilityID": "CVE-2019-1549",
@@ -221,6 +189,11 @@
           },
           "SeveritySource": "nvd",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
           "Title": "openssl: information disclosure in fork()",
           "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
           "Severity": "MEDIUM",
@@ -230,7 +203,9 @@
           "CVSS": {
             "nvd": {
               "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 5.3
             },
             "redhat": {
               "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
@@ -238,15 +213,29 @@
             }
           },
           "References": [
+            "https://access.redhat.com/security/cve/CVE-2019-1549",
             "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
             "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
+            "https://linux.oracle.com/cve/CVE-2019-1549.html",
+            "https://linux.oracle.com/errata/ELSA-2020-1840.html",
             "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/",
+            "https://seclists.org/bugtraq/2019/Oct/1",
             "https://security.netapp.com/advisory/ntap-20190919-0002/",
             "https://support.f5.com/csp/article/K44070243",
-            "https://www.openssl.org/news/secadv/20190910.txt"
+            "https://support.f5.com/csp/article/K44070243?utm_source=f5support\u0026amp;utm_medium=RSS",
+            "https://ubuntu.com/security/notices/USN-4376-1",
+            "https://usn.ubuntu.com/4376-1/",
+            "https://www.debian.org/security/2019/dsa-4539",
+            "https://www.openssl.org/news/secadv/20190910.txt",
+            "https://www.oracle.com/security-alerts/cpuapr2020.html",
+            "https://www.oracle.com/security-alerts/cpujan2020.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.oracle.com/security-alerts/cpuoct2020.html",
+            "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
           ],
           "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-19T17:15:00Z"
+          "LastModifiedDate": "2020-10-20T22:15:00Z"
         },
         {
           "VulnerabilityID": "CVE-2019-1551",
@@ -258,8 +247,13 @@
           },
           "SeveritySource": "nvd",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
           "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
           "Severity": "MEDIUM",
           "CweIDs": [
             "CWE-200"
@@ -267,107 +261,49 @@
           "CVSS": {
             "nvd": {
               "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 5.3
             },
             "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
               "V3Score": 4.8
             }
           },
           "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
             "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://access.redhat.com/security/cve/CVE-2019-1551",
             "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
             "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
             "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
             "https://github.com/openssl/openssl/pull/10575",
+            "https://linux.oracle.com/cve/CVE-2019-1551.html",
+            "https://linux.oracle.com/errata/ELSA-2020-4514.html",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/",
             "https://seclists.org/bugtraq/2019/Dec/39",
             "https://seclists.org/bugtraq/2019/Dec/46",
+            "https://security.gentoo.org/glsa/202004-10",
             "https://security.netapp.com/advisory/ntap-20191210-0001/",
+            "https://ubuntu.com/security/notices/USN-4376-1",
+            "https://ubuntu.com/security/notices/USN-4504-1",
+            "https://usn.ubuntu.com/4376-1/",
+            "https://usn.ubuntu.com/4504-1/",
             "https://www.debian.org/security/2019/dsa-4594",
+            "https://www.debian.org/security/2021/dsa-4855",
             "https://www.openssl.org/news/secadv/20191206.txt",
-            "https://www.tenable.com/security/tns-2019-09"
+            "https://www.oracle.com/security-alerts/cpuApr2021.html",
+            "https://www.oracle.com/security-alerts/cpujan2021.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.tenable.com/security/tns-2019-09",
+            "https://www.tenable.com/security/tns-2020-03",
+            "https://www.tenable.com/security/tns-2020-11",
+            "https://www.tenable.com/security/tns-2021-10"
           ],
           "PublishedDate": "2019-12-06T18:15:00Z",
-          "LastModifiedDate": "2019-12-25T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1563",
-          "PkgName": "libssl1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 4.3
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-              "V3Score": 3.7
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1547",
-          "PkgName": "libssl1.1",
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-          "Title": "openssl: side-channel weak encryption vulnerability",
-          "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "LOW",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 1.9
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-              "V3Score": 5.5
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://arxiv.org/abs/1909.01785",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T16:15:00Z"
+          "LastModifiedDate": "2021-07-21T11:39:00Z"
         }
       ]
     }

integration/testdata/alpine-310.sarif.golden

@@ -1,115 +1,70 @@
 {
-  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
   "version": "2.1.0",
+  "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
   "runs": [
     {
       "tool": {
         "driver": {
-          "name": "Trivy",
-          "informationUri": "https://github.com/aquasecurity/trivy",
           "fullName": "Trivy Vulnerability Scanner",
-          "version": "0.15.0",
+          "informationUri": "https://github.com/aquasecurity/trivy",
+          "name": "Trivy",
           "rules": [
-                {
-                  "id": "CVE-2019-1549",
-                  "name": "OsPackageVulnerability",
-                  "shortDescription": {
-                    "text": "CVE-2019-1549"
-                  },
-                  "fullDescription": {
-                    "text": "openssl: information disclosure in fork()."
-                  },
-                  "defaultConfiguration": {
-                    "level": "warning"
-                  },
-                  "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1549",
-                  "help": {
-                    "text": "Vulnerability CVE-2019-1549\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).\nSeverity: MEDIUM\nPackage: libcrypto1.1\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)",                    
-                    "markdown": "**Vulnerability CVE-2019-1549**\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1d-r0|[CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)|\n"                    
-                  },
-                  "properties": {
-                    "tags": [
-                      "vulnerability",
-                      "MEDIUM"
-                    ],
-                    "precision": "very-high"
-                  }
-                },
-                {
-                  "id": "CVE-2019-1551",
-                  "name": "OsPackageVulnerability",
-                  "shortDescription": {
-                    "text": "CVE-2019-1551"
-                  },
-                  "fullDescription": {
-                    "text": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64."
-                  },
-                  "defaultConfiguration": {
-                    "level": "warning"
-                  },
-                  "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1551",
-                  "help": {
-                    "text": "Vulnerability CVE-2019-1551\nThere is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).\nSeverity: MEDIUM\nPackage: libcrypto1.1\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)",                    
-                    "markdown": "**Vulnerability CVE-2019-1551**\nThere is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1d-r2|[CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)|\n"                    
-                  },
-                  "properties": {
-                    "tags": [
-                      "vulnerability",
-                      "MEDIUM"
-                    ],
-                    "precision": "very-high"
-                  }
-                },
-                {
-                  "id": "CVE-2019-1563",
-                  "name": "OsPackageVulnerability",
-                  "shortDescription": {
-                    "text": "CVE-2019-1563"
-                  },
-                  "fullDescription": {
-                    "text": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey."
-                  },
-                  "defaultConfiguration": {
-                    "level": "warning"
-                  },
-                  "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1563",
-                  "help": {
-                    "text": "Vulnerability CVE-2019-1563\nIn situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\nSeverity: MEDIUM\nPackage: libcrypto1.1\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)",                    
-                    "markdown": "**Vulnerability CVE-2019-1563**\nIn situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1d-r0|[CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)|\n"                    
-                  },
-                  "properties": {
-                    "tags": [
-                      "vulnerability",
-                      "MEDIUM"
-                    ],
-                    "precision": "very-high"
-                  }
-                },
-                {
-                  "id": "CVE-2019-1547",
-                  "name": "OsPackageVulnerability",
-                  "shortDescription": {
-                    "text": "CVE-2019-1547"
-                  },
-                  "fullDescription": {
-                    "text": "openssl: side-channel weak encryption vulnerability."
-                  },
-                  "defaultConfiguration": {
-                    "level": "note"
-                  },
-                  "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1547",
-                  "help": {
-                    "text": "Vulnerability CVE-2019-1547\nNormally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\nSeverity: LOW\nPackage: libcrypto1.1\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)",                    
-                    "markdown": "**Vulnerability CVE-2019-1547**\nNormally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libcrypto1.1|1.1.1d-r0|[CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)|\n"                    
-                  },
-                  "properties": {
-                    "tags": [
-                      "vulnerability",
-                      "LOW"
-                    ],
-                    "precision": "very-high"
-                  }
-                }]
+            {
+              "id": "CVE-2019-1549",
+              "name": "OsPackageVulnerability",
+              "shortDescription": {
+                "text": "CVE-2019-1549"
+              },
+              "fullDescription": {
+                "text": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)."
+              },
+              "defaultConfiguration": {
+                "level": "warning"
+              },
+              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1549",
+              "help": {
+                "text": "Vulnerability CVE-2019-1549\nSeverity: MEDIUM\nPackage: libssl1.1\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
+                "markdown": "**Vulnerability CVE-2019-1549**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libssl1.1|1.1.1d-r0|[CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)|\n\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)."
+              },
+              "properties": {
+                "precision": "very-high",
+                "security-severity": "5.3",
+                "tags": [
+                  "vulnerability",
+                  "security",
+                  "MEDIUM"
+                ]
+              }
+            },
+            {
+              "id": "CVE-2019-1551",
+              "name": "OsPackageVulnerability",
+              "shortDescription": {
+                "text": "CVE-2019-1551"
+              },
+              "fullDescription": {
+                "text": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t)."
+              },
+              "defaultConfiguration": {
+                "level": "warning"
+              },
+              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1551",
+              "help": {
+                "text": "Vulnerability CVE-2019-1551\nSeverity: MEDIUM\nPackage: libssl1.1\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)\nThere is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
+                "markdown": "**Vulnerability CVE-2019-1551**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libssl1.1|1.1.1d-r2|[CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)|\n\nThere is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t)."
+              },
+              "properties": {
+                "precision": "very-high",
+                "security-severity": "5.3",
+                "tags": [
+                  "vulnerability",
+                  "security",
+                  "MEDIUM"
+                ]
+              }
+            }
+          ],
+          "version": "dev"
         }
       },
       "results": [
@@ -120,17 +75,19 @@
           "message": {
             "text": "Package: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1549\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)"
           },
-          "locations": [{
-            "physicalLocation": {
-              "artifactLocation": {
-                "uri": "testdata/fixtures/images/alpine-310.tar.gz",
-                "uriBaseId": "ROOTPATH"
-              },
-              "region" : {
-                "startLine": 1
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "testdata/fixtures/images/alpine-310.tar.gz",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1
+                }
               }
             }
-          }]
+          ]
         },
         {
           "ruleId": "CVE-2019-1551",
@@ -139,55 +96,19 @@
           "message": {
             "text": "Package: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1551\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)"
           },
-          "locations": [{
-            "physicalLocation": {
-              "artifactLocation": {
-                "uri": "testdata/fixtures/images/alpine-310.tar.gz",
-                "uriBaseId": "ROOTPATH"
-              },
-              "region" : {
-                "startLine": 1
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "testdata/fixtures/images/alpine-310.tar.gz",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1
+                }
               }
             }
-          }]
-        },
-        {
-          "ruleId": "CVE-2019-1563",
-          "ruleIndex": 2,
-          "level": "warning",
-          "message": {
-            "text": "Package: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1563\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)"
-          },
-          "locations": [{
-            "physicalLocation": {
-              "artifactLocation": {
-                "uri": "testdata/fixtures/images/alpine-310.tar.gz",
-                "uriBaseId": "ROOTPATH"
-              },
-              "region" : {
-                "startLine": 1
-              }
-            }
-          }]
-        },
-        {
-          "ruleId": "CVE-2019-1547",
-          "ruleIndex": 3,
-          "level": "note",
-          "message": {
-            "text": "Package: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1547\nSeverity: LOW\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)"
-          },
-          "locations": [{
-            "physicalLocation": {
-              "artifactLocation": {
-                "uri": "testdata/fixtures/images/alpine-310.tar.gz",
-                "uriBaseId": "ROOTPATH"
-              },
-              "region" : {
-                "startLine": 1
-              }
-            }
-          }]
+          ]
         },
         {
           "ruleId": "CVE-2019-1549",
@@ -196,17 +117,19 @@
           "message": {
             "text": "Package: libssl1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1549\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)"
           },
-          "locations": [{
-            "physicalLocation": {
-              "artifactLocation": {
-                "uri": "testdata/fixtures/images/alpine-310.tar.gz",
-                "uriBaseId": "ROOTPATH"
-              },
-              "region" : {
-                "startLine": 1
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "testdata/fixtures/images/alpine-310.tar.gz",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1
+                }
               }
             }
-          }]
+          ]
         },
         {
           "ruleId": "CVE-2019-1551",
@@ -215,56 +138,21 @@
           "message": {
             "text": "Package: libssl1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1551\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)"
           },
-          "locations": [{
-            "physicalLocation": {
-              "artifactLocation": {
-                "uri": "testdata/fixtures/images/alpine-310.tar.gz",
-                "uriBaseId": "ROOTPATH"
-              },
-              "region" : {
-                "startLine": 1
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "testdata/fixtures/images/alpine-310.tar.gz",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1
+                }
               }
             }
-          }]
-        },
-        {
-          "ruleId": "CVE-2019-1563",
-          "ruleIndex": 2,
-          "level": "warning",
-          "message": {
-            "text": "Package: libssl1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1563\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)"
-          },
-          "locations": [{
-            "physicalLocation": {
-              "artifactLocation": {
-                "uri": "testdata/fixtures/images/alpine-310.tar.gz",
-                "uriBaseId": "ROOTPATH"
-              },
-              "region" : {
-                "startLine": 1
-              }
-            }
-          }]
-        },
-        {
-          "ruleId": "CVE-2019-1547",
-          "ruleIndex": 3,
-          "level": "note",
-          "message": {
-            "text": "Package: libssl1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1547\nSeverity: LOW\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)"
-          },
-          "locations": [{
-            "physicalLocation": {
-              "artifactLocation": {
-                "uri": "testdata/fixtures/images/alpine-310.tar.gz",
-                "uriBaseId": "ROOTPATH"
-              },
-              "region" : {
-                "startLine": 1
-              }
-            }
-          }]
-        }],
+          ]
+        }
+      ],
       "columnKind": "utf16CodeUnits",
       "originalUriBaseIds": {
         "ROOTPATH": {

integration/testdata/alpine-39-high-critical.json.golden

@@ -0,0 +1,131 @@
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/alpine-39.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "alpine",
+      "Name": "3.9.4",
+      "EOSL": true
+    },
+    "ImageID": "sha256:055936d3920576da37aa9bc460d70c5f212028bda1c08c0879aedf03d7a66ea1",
+    "DiffIDs": [
+      "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "c10d36fa368a7ea673683682666758adf35efe98e10989505f4f566b5b18538f",
+      "created": "2019-05-11T00:07:03.510395965Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-05-11T00:07:03.358250803Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:a86aea1f3a7d68f6ae03397b99ea77f2e9ee901c5c59e59f76f93adbb4035913 in / "
+        },
+        {
+          "created": "2019-05-11T00:07:03.510395965Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/sh"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:09f2bbe58e774849d74dc1391c2e01731896c745c4aba1ecf69a283bdb4b537a",
+        "ArgsEscaped": true
+      }
+    }
+  },
+  "Results": [
+    {
+      "Target": "testdata/fixtures/images/alpine-39.tar.gz (alpine 3.9.4)",
+      "Class": "os-pkgs",
+      "Type": "alpine",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2019-14697",
+          "PkgName": "musl",
+          "InstalledVersion": "1.1.20-r4",
+          "FixedVersion": "1.1.20-r5",
+          "Layer": {
+            "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14697",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
+          "Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
+          "Severity": "CRITICAL",
+          "CweIDs": [
+            "CWE-787"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
+              "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+              "V2Score": 7.5,
+              "V3Score": 9.8
+            }
+          },
+          "References": [
+            "http://www.openwall.com/lists/oss-security/2019/08/06/4",
+            "https://security.gentoo.org/glsa/202003-13",
+            "https://www.openwall.com/lists/musl/2019/08/06/1"
+          ],
+          "PublishedDate": "2019-08-06T16:15:00Z",
+          "LastModifiedDate": "2020-03-14T19:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-14697",
+          "PkgName": "musl-utils",
+          "InstalledVersion": "1.1.20-r4",
+          "FixedVersion": "1.1.20-r5",
+          "Layer": {
+            "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14697",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
+          "Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
+          "Severity": "CRITICAL",
+          "CweIDs": [
+            "CWE-787"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
+              "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+              "V2Score": 7.5,
+              "V3Score": 9.8
+            }
+          },
+          "References": [
+            "http://www.openwall.com/lists/oss-security/2019/08/06/4",
+            "https://security.gentoo.org/glsa/202003-13",
+            "https://www.openwall.com/lists/musl/2019/08/06/1"
+          ],
+          "PublishedDate": "2019-08-06T16:15:00Z",
+          "LastModifiedDate": "2020-03-14T19:15:00Z"
+        }
+      ]
+    }
+  ]
+}

integration/testdata/alpine-39-ignore-cveids.json.golden

@@ -0,0 +1,195 @@
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/alpine-39.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "alpine",
+      "Name": "3.9.4",
+      "EOSL": true
+    },
+    "ImageID": "sha256:055936d3920576da37aa9bc460d70c5f212028bda1c08c0879aedf03d7a66ea1",
+    "DiffIDs": [
+      "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "c10d36fa368a7ea673683682666758adf35efe98e10989505f4f566b5b18538f",
+      "created": "2019-05-11T00:07:03.510395965Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-05-11T00:07:03.358250803Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:a86aea1f3a7d68f6ae03397b99ea77f2e9ee901c5c59e59f76f93adbb4035913 in / "
+        },
+        {
+          "created": "2019-05-11T00:07:03.510395965Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/sh"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:09f2bbe58e774849d74dc1391c2e01731896c745c4aba1ecf69a283bdb4b537a",
+        "ArgsEscaped": true
+      }
+    }
+  },
+  "Results": [
+    {
+      "Target": "testdata/fixtures/images/alpine-39.tar.gz (alpine 3.9.4)",
+      "Class": "os-pkgs",
+      "Type": "alpine",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2019-1551",
+          "PkgName": "libcrypto1.1",
+          "InstalledVersion": "1.1.1b-r1",
+          "FixedVersion": "1.1.1d-r2",
+          "Layer": {
+            "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
+          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-200"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 5.3
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
+            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://access.redhat.com/security/cve/CVE-2019-1551",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
+            "https://github.com/openssl/openssl/pull/10575",
+            "https://linux.oracle.com/cve/CVE-2019-1551.html",
+            "https://linux.oracle.com/errata/ELSA-2020-4514.html",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/",
+            "https://seclists.org/bugtraq/2019/Dec/39",
+            "https://seclists.org/bugtraq/2019/Dec/46",
+            "https://security.gentoo.org/glsa/202004-10",
+            "https://security.netapp.com/advisory/ntap-20191210-0001/",
+            "https://ubuntu.com/security/notices/USN-4376-1",
+            "https://ubuntu.com/security/notices/USN-4504-1",
+            "https://usn.ubuntu.com/4376-1/",
+            "https://usn.ubuntu.com/4504-1/",
+            "https://www.debian.org/security/2019/dsa-4594",
+            "https://www.debian.org/security/2021/dsa-4855",
+            "https://www.openssl.org/news/secadv/20191206.txt",
+            "https://www.oracle.com/security-alerts/cpuApr2021.html",
+            "https://www.oracle.com/security-alerts/cpujan2021.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.tenable.com/security/tns-2019-09",
+            "https://www.tenable.com/security/tns-2020-03",
+            "https://www.tenable.com/security/tns-2020-11",
+            "https://www.tenable.com/security/tns-2021-10"
+          ],
+          "PublishedDate": "2019-12-06T18:15:00Z",
+          "LastModifiedDate": "2021-07-21T11:39:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1551",
+          "PkgName": "libssl1.1",
+          "InstalledVersion": "1.1.1b-r1",
+          "FixedVersion": "1.1.1d-r2",
+          "Layer": {
+            "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
+          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-200"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 5.3
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
+            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://access.redhat.com/security/cve/CVE-2019-1551",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
+            "https://github.com/openssl/openssl/pull/10575",
+            "https://linux.oracle.com/cve/CVE-2019-1551.html",
+            "https://linux.oracle.com/errata/ELSA-2020-4514.html",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/",
+            "https://seclists.org/bugtraq/2019/Dec/39",
+            "https://seclists.org/bugtraq/2019/Dec/46",
+            "https://security.gentoo.org/glsa/202004-10",
+            "https://security.netapp.com/advisory/ntap-20191210-0001/",
+            "https://ubuntu.com/security/notices/USN-4376-1",
+            "https://ubuntu.com/security/notices/USN-4504-1",
+            "https://usn.ubuntu.com/4376-1/",
+            "https://usn.ubuntu.com/4504-1/",
+            "https://www.debian.org/security/2019/dsa-4594",
+            "https://www.debian.org/security/2021/dsa-4855",
+            "https://www.openssl.org/news/secadv/20191206.txt",
+            "https://www.oracle.com/security-alerts/cpuApr2021.html",
+            "https://www.oracle.com/security-alerts/cpujan2021.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.tenable.com/security/tns-2019-09",
+            "https://www.tenable.com/security/tns-2020-03",
+            "https://www.tenable.com/security/tns-2020-11",
+            "https://www.tenable.com/security/tns-2021-10"
+          ],
+          "PublishedDate": "2019-12-06T18:15:00Z",
+          "LastModifiedDate": "2021-07-21T11:39:00Z"
+        }
+      ]
+    }
+  ]
+}

integration/testdata/alpine-39.json.golden

@@ -63,6 +63,11 @@
           },
           "SeveritySource": "nvd",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
           "Title": "openssl: information disclosure in fork()",
           "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
           "Severity": "MEDIUM",
@@ -72,7 +77,9 @@
           "CVSS": {
             "nvd": {
               "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 5.3
             },
             "redhat": {
               "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
@@ -80,15 +87,29 @@
             }
           },
           "References": [
+            "https://access.redhat.com/security/cve/CVE-2019-1549",
             "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
             "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
+            "https://linux.oracle.com/cve/CVE-2019-1549.html",
+            "https://linux.oracle.com/errata/ELSA-2020-1840.html",
             "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/",
+            "https://seclists.org/bugtraq/2019/Oct/1",
             "https://security.netapp.com/advisory/ntap-20190919-0002/",
             "https://support.f5.com/csp/article/K44070243",
-            "https://www.openssl.org/news/secadv/20190910.txt"
+            "https://support.f5.com/csp/article/K44070243?utm_source=f5support\u0026amp;utm_medium=RSS",
+            "https://ubuntu.com/security/notices/USN-4376-1",
+            "https://usn.ubuntu.com/4376-1/",
+            "https://www.debian.org/security/2019/dsa-4539",
+            "https://www.openssl.org/news/secadv/20190910.txt",
+            "https://www.oracle.com/security-alerts/cpuapr2020.html",
+            "https://www.oracle.com/security-alerts/cpujan2020.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.oracle.com/security-alerts/cpuoct2020.html",
+            "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
           ],
           "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-19T17:15:00Z"
+          "LastModifiedDate": "2020-10-20T22:15:00Z"
         },
         {
           "VulnerabilityID": "CVE-2019-1551",
@@ -100,8 +121,13 @@
           },
           "SeveritySource": "nvd",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
           "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
           "Severity": "MEDIUM",
           "CweIDs": [
             "CWE-200"
@@ -109,107 +135,49 @@
           "CVSS": {
             "nvd": {
               "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 5.3
             },
             "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
               "V3Score": 4.8
             }
           },
           "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
             "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://access.redhat.com/security/cve/CVE-2019-1551",
             "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
             "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
             "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
             "https://github.com/openssl/openssl/pull/10575",
+            "https://linux.oracle.com/cve/CVE-2019-1551.html",
+            "https://linux.oracle.com/errata/ELSA-2020-4514.html",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/",
             "https://seclists.org/bugtraq/2019/Dec/39",
             "https://seclists.org/bugtraq/2019/Dec/46",
+            "https://security.gentoo.org/glsa/202004-10",
             "https://security.netapp.com/advisory/ntap-20191210-0001/",
+            "https://ubuntu.com/security/notices/USN-4376-1",
+            "https://ubuntu.com/security/notices/USN-4504-1",
+            "https://usn.ubuntu.com/4376-1/",
+            "https://usn.ubuntu.com/4504-1/",
             "https://www.debian.org/security/2019/dsa-4594",
+            "https://www.debian.org/security/2021/dsa-4855",
             "https://www.openssl.org/news/secadv/20191206.txt",
-            "https://www.tenable.com/security/tns-2019-09"
+            "https://www.oracle.com/security-alerts/cpuApr2021.html",
+            "https://www.oracle.com/security-alerts/cpujan2021.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.tenable.com/security/tns-2019-09",
+            "https://www.tenable.com/security/tns-2020-03",
+            "https://www.tenable.com/security/tns-2020-11",
+            "https://www.tenable.com/security/tns-2021-10"
           ],
           "PublishedDate": "2019-12-06T18:15:00Z",
-          "LastModifiedDate": "2019-12-25T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1563",
-          "PkgName": "libcrypto1.1",
-          "InstalledVersion": "1.1.1b-r1",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 4.3
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-              "V3Score": 3.7
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1547",
-          "PkgName": "libcrypto1.1",
-          "InstalledVersion": "1.1.1b-r1",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-          "Title": "openssl: side-channel weak encryption vulnerability",
-          "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "LOW",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 1.9
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-              "V3Score": 5.5
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://arxiv.org/abs/1909.01785",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T16:15:00Z"
+          "LastModifiedDate": "2021-07-21T11:39:00Z"
         },
         {
           "VulnerabilityID": "CVE-2019-1549",
@@ -221,6 +189,11 @@
           },
           "SeveritySource": "nvd",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
           "Title": "openssl: information disclosure in fork()",
           "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
           "Severity": "MEDIUM",
@@ -230,7 +203,9 @@
           "CVSS": {
             "nvd": {
               "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 5.3
             },
             "redhat": {
               "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
@@ -238,15 +213,29 @@
             }
           },
           "References": [
+            "https://access.redhat.com/security/cve/CVE-2019-1549",
             "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
             "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
+            "https://linux.oracle.com/cve/CVE-2019-1549.html",
+            "https://linux.oracle.com/errata/ELSA-2020-1840.html",
             "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/",
+            "https://seclists.org/bugtraq/2019/Oct/1",
             "https://security.netapp.com/advisory/ntap-20190919-0002/",
             "https://support.f5.com/csp/article/K44070243",
-            "https://www.openssl.org/news/secadv/20190910.txt"
+            "https://support.f5.com/csp/article/K44070243?utm_source=f5support\u0026amp;utm_medium=RSS",
+            "https://ubuntu.com/security/notices/USN-4376-1",
+            "https://usn.ubuntu.com/4376-1/",
+            "https://www.debian.org/security/2019/dsa-4539",
+            "https://www.openssl.org/news/secadv/20190910.txt",
+            "https://www.oracle.com/security-alerts/cpuapr2020.html",
+            "https://www.oracle.com/security-alerts/cpujan2020.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.oracle.com/security-alerts/cpuoct2020.html",
+            "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
           ],
           "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-19T17:15:00Z"
+          "LastModifiedDate": "2020-10-20T22:15:00Z"
         },
         {
           "VulnerabilityID": "CVE-2019-1551",
@@ -258,8 +247,13 @@
           },
           "SeveritySource": "nvd",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
           "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
           "Severity": "MEDIUM",
           "CweIDs": [
             "CWE-200"
@@ -267,107 +261,49 @@
           "CVSS": {
             "nvd": {
               "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 5.3
             },
             "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
               "V3Score": 4.8
             }
           },
           "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
             "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://access.redhat.com/security/cve/CVE-2019-1551",
             "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
             "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
             "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
             "https://github.com/openssl/openssl/pull/10575",
+            "https://linux.oracle.com/cve/CVE-2019-1551.html",
+            "https://linux.oracle.com/errata/ELSA-2020-4514.html",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/",
             "https://seclists.org/bugtraq/2019/Dec/39",
             "https://seclists.org/bugtraq/2019/Dec/46",
+            "https://security.gentoo.org/glsa/202004-10",
             "https://security.netapp.com/advisory/ntap-20191210-0001/",
+            "https://ubuntu.com/security/notices/USN-4376-1",
+            "https://ubuntu.com/security/notices/USN-4504-1",
+            "https://usn.ubuntu.com/4376-1/",
+            "https://usn.ubuntu.com/4504-1/",
             "https://www.debian.org/security/2019/dsa-4594",
+            "https://www.debian.org/security/2021/dsa-4855",
             "https://www.openssl.org/news/secadv/20191206.txt",
-            "https://www.tenable.com/security/tns-2019-09"
+            "https://www.oracle.com/security-alerts/cpuApr2021.html",
+            "https://www.oracle.com/security-alerts/cpujan2021.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.tenable.com/security/tns-2019-09",
+            "https://www.tenable.com/security/tns-2020-03",
+            "https://www.tenable.com/security/tns-2020-11",
+            "https://www.tenable.com/security/tns-2021-10"
           ],
           "PublishedDate": "2019-12-06T18:15:00Z",
-          "LastModifiedDate": "2019-12-25T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1563",
-          "PkgName": "libssl1.1",
-          "InstalledVersion": "1.1.1b-r1",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 4.3
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-              "V3Score": 3.7
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1547",
-          "PkgName": "libssl1.1",
-          "InstalledVersion": "1.1.1b-r1",
-          "FixedVersion": "1.1.1d-r0",
-          "Layer": {
-            "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-          "Title": "openssl: side-channel weak encryption vulnerability",
-          "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "LOW",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 1.9
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-              "V3Score": 5.5
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://arxiv.org/abs/1909.01785",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T16:15:00Z"
+          "LastModifiedDate": "2021-07-21T11:39:00Z"
         },
         {
           "VulnerabilityID": "CVE-2019-14697",
@@ -379,6 +315,11 @@
           },
           "SeveritySource": "nvd",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14697",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
           "Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
           "Severity": "CRITICAL",
           "CweIDs": [
@@ -394,10 +335,11 @@
           },
           "References": [
             "http://www.openwall.com/lists/oss-security/2019/08/06/4",
+            "https://security.gentoo.org/glsa/202003-13",
             "https://www.openwall.com/lists/musl/2019/08/06/1"
           ],
           "PublishedDate": "2019-08-06T16:15:00Z",
-          "LastModifiedDate": "2019-08-14T17:28:00Z"
+          "LastModifiedDate": "2020-03-14T19:15:00Z"
         },
         {
           "VulnerabilityID": "CVE-2019-14697",
@@ -409,6 +351,11 @@
           },
           "SeveritySource": "nvd",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14697",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
           "Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
           "Severity": "CRITICAL",
           "CweIDs": [
@@ -424,10 +371,11 @@
           },
           "References": [
             "http://www.openwall.com/lists/oss-security/2019/08/06/4",
+            "https://security.gentoo.org/glsa/202003-13",
             "https://www.openwall.com/lists/musl/2019/08/06/1"
           ],
           "PublishedDate": "2019-08-06T16:15:00Z",
-          "LastModifiedDate": "2019-08-14T17:28:00Z"
+          "LastModifiedDate": "2020-03-14T19:15:00Z"
         }
       ]
     }

integration/testdata/amazon-1.json.golden

@@ -62,6 +62,11 @@
           },
           "SeveritySource": "amazon",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5481",
+          "DataSource": {
+            "ID": "amazon",
+            "Name": "Amazon Linux Security Center",
+            "URL": "https://alas.aws.amazon.com/"
+          },
           "Title": "curl: double free due to subsequent call of realloc()",
           "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
           "Severity": "MEDIUM",
@@ -71,7 +76,9 @@
           "CVSS": {
             "nvd": {
               "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
-              "V2Score": 7.5
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+              "V2Score": 7.5,
+              "V3Score": 9.8
             },
             "redhat": {
               "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
@@ -81,637 +88,25 @@
           "References": [
             "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
             "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
+            "https://access.redhat.com/security/cve/CVE-2019-5481",
             "https://curl.haxx.se/docs/CVE-2019-5481.html",
             "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481",
+            "https://linux.oracle.com/cve/CVE-2019-5481.html",
+            "https://linux.oracle.com/errata/ELSA-2020-1792.html",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6CI4QQ2RSZX4VCFM76SIWGKY6BY7UWIC/",
             "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
             "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/",
-            "https://usn.ubuntu.com/usn/usn-4129-1"
+            "https://seclists.org/bugtraq/2020/Feb/36",
+            "https://security.gentoo.org/glsa/202003-29",
+            "https://security.netapp.com/advisory/ntap-20191004-0003/",
+            "https://ubuntu.com/security/notices/USN-4129-1",
+            "https://www.debian.org/security/2020/dsa-4633",
+            "https://www.oracle.com/security-alerts/cpuapr2020.html",
+            "https://www.oracle.com/security-alerts/cpujan2020.html",
+            "https://www.oracle.com/security-alerts/cpuoct2020.html"
           ],
           "PublishedDate": "2019-09-16T19:15:00Z",
-          "LastModifiedDate": "2019-09-18T00:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-5482",
-          "PkgName": "curl",
-          "InstalledVersion": "7.61.1-11.91.amzn1",
-          "FixedVersion": "7.61.1-12.93.amzn1",
-          "Layer": {
-            "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
-          },
-          "SeveritySource": "amazon",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5482",
-          "Title": "curl: heap buffer overflow in function tftp_receive_packet()",
-          "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-120"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
-              "V2Score": 7.5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
-              "V3Score": 6.3
-            }
-          },
-          "References": [
-            "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
-            "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
-            "https://curl.haxx.se/docs/CVE-2019-5482.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/",
-            "https://usn.ubuntu.com/usn/usn-4129-1",
-            "https://usn.ubuntu.com/usn/usn-4129-2"
-          ],
-          "PublishedDate": "2019-09-16T19:15:00Z",
-          "LastModifiedDate": "2019-09-18T00:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-18218",
-          "PkgName": "file-libs",
-          "InstalledVersion": "5.34-3.37.amzn1",
-          "FixedVersion": "5.37-8.48.amzn1",
-          "Layer": {
-            "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
-          },
-          "SeveritySource": "amazon",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18218",
-          "Title": "file: heap-based buffer overflow in cdf_read_property_info in cdf.c",
-          "Description": "cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-787"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
-              "V2Score": 7.5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
-              "V3Score": 7.8
-            }
-          },
-          "References": [
-            "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16780",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18218",
-            "https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84",
-            "https://lists.debian.org/debian-lts-announce/2019/10/msg00032.html",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CV6PFCEYHYALMTT45QE2U5C5TEJZQPXJ/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VBK6XOJR6OVWT2FUEBO7V7KCOSSLAP52/",
-            "https://usn.ubuntu.com/4172-1/",
-            "https://usn.ubuntu.com/4172-2/",
-            "https://usn.ubuntu.com/usn/usn-4172-1",
-            "https://usn.ubuntu.com/usn/usn-4172-2",
-            "https://www.debian.org/security/2019/dsa-4550"
-          ],
-          "PublishedDate": "2019-10-21T05:15:00Z",
-          "LastModifiedDate": "2019-10-26T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2016-10739",
-          "PkgName": "glibc",
-          "InstalledVersion": "2.17-260.175.amzn1",
-          "FixedVersion": "2.17-292.178.amzn1",
-          "Layer": {
-            "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
-          },
-          "SeveritySource": "amazon",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-10739",
-          "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters",
-          "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-20"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
-              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
-              "V2Score": 4.6,
-              "V3Score": 5.3
-            },
-            "redhat": {
-              "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
-              "V2Score": 4.6
-            }
-          },
-          "References": [
-            "http://linux.oracle.com/cve/CVE-2016-10739.html",
-            "http://linux.oracle.com/errata/ELSA-2019-3513.html",
-            "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html",
-            "http://www.securityfocus.com/bid/106672",
-            "https://access.redhat.com/errata/RHSA-2019:2118",
-            "https://bugzilla.redhat.com/show_bug.cgi?id=1347549",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739",
-            "https://sourceware.org/bugzilla/show_bug.cgi?id=20018"
-          ],
-          "PublishedDate": "2019-01-21T19:29:00Z",
-          "LastModifiedDate": "2019-08-06T17:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2016-10739",
-          "PkgName": "glibc-common",
-          "InstalledVersion": "2.17-260.175.amzn1",
-          "FixedVersion": "2.17-292.178.amzn1",
-          "Layer": {
-            "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
-          },
-          "SeveritySource": "amazon",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-10739",
-          "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters",
-          "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-20"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
-              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
-              "V2Score": 4.6,
-              "V3Score": 5.3
-            },
-            "redhat": {
-              "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
-              "V2Score": 4.6
-            }
-          },
-          "References": [
-            "http://linux.oracle.com/cve/CVE-2016-10739.html",
-            "http://linux.oracle.com/errata/ELSA-2019-3513.html",
-            "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html",
-            "http://www.securityfocus.com/bid/106672",
-            "https://access.redhat.com/errata/RHSA-2019:2118",
-            "https://bugzilla.redhat.com/show_bug.cgi?id=1347549",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739",
-            "https://sourceware.org/bugzilla/show_bug.cgi?id=20018"
-          ],
-          "PublishedDate": "2019-01-21T19:29:00Z",
-          "LastModifiedDate": "2019-08-06T17:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-5481",
-          "PkgName": "libcurl",
-          "InstalledVersion": "7.61.1-11.91.amzn1",
-          "FixedVersion": "7.61.1-12.93.amzn1",
-          "Layer": {
-            "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
-          },
-          "SeveritySource": "amazon",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5481",
-          "Title": "curl: double free due to subsequent call of realloc()",
-          "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-415"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
-              "V2Score": 7.5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
-              "V3Score": 5.7
-            }
-          },
-          "References": [
-            "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
-            "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
-            "https://curl.haxx.se/docs/CVE-2019-5481.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/",
-            "https://usn.ubuntu.com/usn/usn-4129-1"
-          ],
-          "PublishedDate": "2019-09-16T19:15:00Z",
-          "LastModifiedDate": "2019-09-18T00:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-5482",
-          "PkgName": "libcurl",
-          "InstalledVersion": "7.61.1-11.91.amzn1",
-          "FixedVersion": "7.61.1-12.93.amzn1",
-          "Layer": {
-            "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
-          },
-          "SeveritySource": "amazon",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5482",
-          "Title": "curl: heap buffer overflow in function tftp_receive_packet()",
-          "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-120"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
-              "V2Score": 7.5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
-              "V3Score": 6.3
-            }
-          },
-          "References": [
-            "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
-            "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
-            "https://curl.haxx.se/docs/CVE-2019-5482.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/",
-            "https://usn.ubuntu.com/usn/usn-4129-1",
-            "https://usn.ubuntu.com/usn/usn-4129-2"
-          ],
-          "PublishedDate": "2019-09-16T19:15:00Z",
-          "LastModifiedDate": "2019-09-18T00:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-12290",
-          "PkgName": "libidn2",
-          "InstalledVersion": "0.16-1.2.amzn1",
-          "FixedVersion": "2.3.0-1.4.amzn1",
-          "Layer": {
-            "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
-          },
-          "SeveritySource": "amazon",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-12290",
-          "Description": "GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated.",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-20"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
-              "V2Score": 5
-            }
-          },
-          "References": [
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12290",
-            "https://gitlab.com/libidn/libidn2/commit/241e8f486134793cb0f4a5b0e5817a97883401f5",
-            "https://gitlab.com/libidn/libidn2/commit/614117ef6e4c60e1950d742e3edf0a0ef8d389de",
-            "https://gitlab.com/libidn/libidn2/merge_requests/71",
-            "https://usn.ubuntu.com/4168-1/",
-            "https://usn.ubuntu.com/usn/usn-4168-1"
-          ],
-          "PublishedDate": "2019-10-22T16:15:00Z",
-          "LastModifiedDate": "2019-10-29T19:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-18224",
-          "PkgName": "libidn2",
-          "InstalledVersion": "0.16-1.2.amzn1",
-          "FixedVersion": "2.3.0-1.4.amzn1",
-          "Layer": {
-            "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
-          },
-          "SeveritySource": "amazon",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18224",
-          "Title": "libidn2: heap-based buffer overflow in idn2_to_ascii_4i in lib/lookup.c",
-          "Description": "idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-787"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
-              "V2Score": 7.5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
-              "V3Score": 5.6
-            }
-          },
-          "References": [
-            "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18224",
-            "https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c",
-            "https://github.com/libidn/libidn2/compare/libidn2-2.1.0...libidn2-2.1.1",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDQVQ2XPV5BTZUFINT7AFJSKNNBVURNJ/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MINU5RKDFE6TKAFY5DRFN3WSFDS4DYVS/",
-            "https://usn.ubuntu.com/4168-1/",
-            "https://usn.ubuntu.com/usn/usn-4168-1"
-          ],
-          "PublishedDate": "2019-10-21T17:15:00Z",
-          "LastModifiedDate": "2019-10-29T19:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-9511",
-          "PkgName": "libnghttp2",
-          "InstalledVersion": "1.21.1-1.4.amzn1",
-          "FixedVersion": "1.31.1-2.5.amzn1",
-          "Layer": {
-            "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
-          },
-          "SeveritySource": "amazon",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-9511",
-          "Title": "HTTP/2: large amount of data requests leads to denial of service",
-          "Description": "Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.",
-          "Severity": "HIGH",
-          "CweIDs": [
-            "CWE-400"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
-              "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
-              "V2Score": 7.8,
-              "V3Score": 7.5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
-              "V3Score": 6.5
-            }
-          },
-          "References": [
-            "http://linux.oracle.com/cve/CVE-2019-9511.html",
-            "http://linux.oracle.com/errata/ELSA-2019-2925.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511",
-            "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
-            "https://kb.cert.org/vuls/id/605641/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/",
-            "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/",
-            "https://seclists.org/bugtraq/2019/Aug/40",
-            "https://security.netapp.com/advisory/ntap-20190823-0002/",
-            "https://security.netapp.com/advisory/ntap-20190823-0005/",
-            "https://support.f5.com/csp/article/K02591030",
-            "https://usn.ubuntu.com/4099-1/",
-            "https://usn.ubuntu.com/usn/usn-4099-1",
-            "https://www.debian.org/security/2019/dsa-4505",
-            "https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/",
-            "https://www.synology.com/security/advisory/Synology_SA_19_33"
-          ],
-          "PublishedDate": "2019-08-13T21:15:00Z",
-          "LastModifiedDate": "2019-08-23T21:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-9513",
-          "PkgName": "libnghttp2",
-          "InstalledVersion": "1.21.1-1.4.amzn1",
-          "FixedVersion": "1.31.1-2.5.amzn1",
-          "Layer": {
-            "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
-          },
-          "SeveritySource": "amazon",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-9513",
-          "Title": "HTTP/2: flood using PRIORITY frames results in excessive resource consumption",
-          "Description": "Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.",
-          "Severity": "HIGH",
-          "CweIDs": [
-            "CWE-400"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
-              "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
-              "V2Score": 7.8,
-              "V3Score": 7.5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
-              "V3Score": 7.5
-            }
-          },
-          "References": [
-            "http://linux.oracle.com/cve/CVE-2019-9513.html",
-            "http://linux.oracle.com/errata/ELSA-2019-2925.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513",
-            "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
-            "https://kb.cert.org/vuls/id/605641/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/",
-            "https://nghttp2.org/blog/2019/08/19/nghttp2-v1-39-2/",
-            "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/",
-            "https://seclists.org/bugtraq/2019/Aug/40",
-            "https://security.netapp.com/advisory/ntap-20190823-0002/",
-            "https://security.netapp.com/advisory/ntap-20190823-0005/",
-            "https://support.f5.com/csp/article/K02591030",
-            "https://usn.ubuntu.com/4099-1/",
-            "https://usn.ubuntu.com/usn/usn-4099-1",
-            "https://www.debian.org/security/2019/dsa-4505",
-            "https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/",
-            "https://www.synology.com/security/advisory/Synology_SA_19_33"
-          ],
-          "PublishedDate": "2019-08-13T21:15:00Z",
-          "LastModifiedDate": "2019-08-23T21:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1563",
-          "PkgName": "openssl",
-          "InstalledVersion": "1:1.0.2k-16.150.amzn1",
-          "FixedVersion": "1:1.0.2k-16.151.amzn1",
-          "Layer": {
-            "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
-          },
-          "SeveritySource": "amazon",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "LOW",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 4.3
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-              "V3Score": 3.7
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-16056",
-          "PkgName": "python27",
-          "InstalledVersion": "2.7.16-1.129.amzn1",
-          "FixedVersion": "2.7.16-1.130.amzn1",
-          "Layer": {
-            "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
-          },
-          "SeveritySource": "amazon",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-16056",
-          "Title": "python: email.utils.parseaddr wrongly parses email addresses",
-          "Description": "An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-20"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
-              "V3Score": 7.3
-            }
-          },
-          "References": [
-            "https://bugs.python.org/issue34155",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16056",
-            "https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9",
-            "https://lists.debian.org/debian-lts-announce/2019/09/msg00018.html",
-            "https://lists.debian.org/debian-lts-announce/2019/09/msg00019.html",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4KZEFP6E4YPYB52AF4WXCUDSGQOTF37/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/",
-            "https://usn.ubuntu.com/usn/usn-4151-1",
-            "https://usn.ubuntu.com/usn/usn-4151-2"
-          ],
-          "PublishedDate": "2019-09-06T18:15:00Z",
-          "LastModifiedDate": "2019-09-11T05:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-16935",
-          "PkgName": "python27",
-          "InstalledVersion": "2.7.16-1.129.amzn1",
-          "FixedVersion": "2.7.16-1.131.amzn1",
-          "Layer": {
-            "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
-          },
-          "SeveritySource": "amazon",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-16935",
-          "Title": "python: XSS vulnerability in the documentation XML-RPC server in server_title field",
-          "Description": "The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-79"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
-              "V2Score": 4.3
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
-              "V3Score": 6.1
-            }
-          },
-          "References": [
-            "https://bugs.python.org/issue38243",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16935",
-            "https://github.com/python/cpython/blob/35c0809158be7feae4c4f877a08b93baea2d8291/Lib/xmlrpc/server.py#L897",
-            "https://github.com/python/cpython/blob/e007860b8b3609ce0bc62b1780efaa06241520bd/Lib/DocXMLRPCServer.py#L213",
-            "https://github.com/python/cpython/pull/16373",
-            "https://security.netapp.com/advisory/ntap-20191017-0004/",
-            "https://usn.ubuntu.com/4151-1/",
-            "https://usn.ubuntu.com/4151-2/",
-            "https://usn.ubuntu.com/usn/usn-4151-1",
-            "https://usn.ubuntu.com/usn/usn-4151-2"
-          ],
-          "PublishedDate": "2019-09-28T02:15:00Z",
-          "LastModifiedDate": "2019-10-09T16:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-16056",
-          "PkgName": "python27-libs",
-          "InstalledVersion": "2.7.16-1.129.amzn1",
-          "FixedVersion": "2.7.16-1.130.amzn1",
-          "Layer": {
-            "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
-          },
-          "SeveritySource": "amazon",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-16056",
-          "Title": "python: email.utils.parseaddr wrongly parses email addresses",
-          "Description": "An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-20"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V2Score": 5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
-              "V3Score": 7.3
-            }
-          },
-          "References": [
-            "https://bugs.python.org/issue34155",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16056",
-            "https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9",
-            "https://lists.debian.org/debian-lts-announce/2019/09/msg00018.html",
-            "https://lists.debian.org/debian-lts-announce/2019/09/msg00019.html",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4KZEFP6E4YPYB52AF4WXCUDSGQOTF37/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/",
-            "https://usn.ubuntu.com/usn/usn-4151-1",
-            "https://usn.ubuntu.com/usn/usn-4151-2"
-          ],
-          "PublishedDate": "2019-09-06T18:15:00Z",
-          "LastModifiedDate": "2019-09-11T05:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-16935",
-          "PkgName": "python27-libs",
-          "InstalledVersion": "2.7.16-1.129.amzn1",
-          "FixedVersion": "2.7.16-1.131.amzn1",
-          "Layer": {
-            "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
-          },
-          "SeveritySource": "amazon",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-16935",
-          "Title": "python: XSS vulnerability in the documentation XML-RPC server in server_title field",
-          "Description": "The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-79"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
-              "V2Score": 4.3
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
-              "V3Score": 6.1
-            }
-          },
-          "References": [
-            "https://bugs.python.org/issue38243",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16935",
-            "https://github.com/python/cpython/blob/35c0809158be7feae4c4f877a08b93baea2d8291/Lib/xmlrpc/server.py#L897",
-            "https://github.com/python/cpython/blob/e007860b8b3609ce0bc62b1780efaa06241520bd/Lib/DocXMLRPCServer.py#L213",
-            "https://github.com/python/cpython/pull/16373",
-            "https://security.netapp.com/advisory/ntap-20191017-0004/",
-            "https://usn.ubuntu.com/4151-1/",
-            "https://usn.ubuntu.com/4151-2/",
-            "https://usn.ubuntu.com/usn/usn-4151-1",
-            "https://usn.ubuntu.com/usn/usn-4151-2"
-          ],
-          "PublishedDate": "2019-09-28T02:15:00Z",
-          "LastModifiedDate": "2019-10-09T16:15:00Z"
+          "LastModifiedDate": "2020-10-20T22:15:00Z"
         }
       ]
     }

integration/testdata/busybox-with-lockfile.json.golden

@@ -54,131 +54,77 @@
       "Type": "cargo",
       "Vulnerabilities": [
         {
-          "VulnerabilityID": "RUSTSEC-2019-0001",
+          "VulnerabilityID": "CVE-2019-15542",
           "PkgName": "ammonia",
           "InstalledVersion": "1.9.0",
           "FixedVersion": "\u003e= 2.1.0",
           "Layer": {
             "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
           },
-          "PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0001",
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-15542",
+          "DataSource": {
+            "Name": "RustSec Advisory Database",
+            "URL": "https://github.com/RustSec/advisory-db"
+          },
           "Title": "Uncontrolled recursion leads to abort in HTML serialization",
-          "Description": "Affected versions of this crate did use recursion for serialization of HTML\nDOM trees.\n\nThis allows an attacker to cause abort due to stack overflow by providing\na pathologically nested input.\n\nThe flaw was corrected by serializing the DOM tree iteratively instead.",
-          "Severity": "UNKNOWN",
+          "Description": "An issue was discovered in the ammonia crate before 2.1.0 for Rust. There is uncontrolled recursion during HTML DOM tree serialization.",
+          "Severity": "HIGH",
+          "CweIDs": [
+            "CWE-674"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
+              "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+              "V2Score": 5,
+              "V3Score": 7.5
+            }
+          },
           "References": [
-            "https://github.com/rust-ammonia/ammonia/blob/master/CHANGELOG.md#210"
-          ]
+            "https://crates.io/crates/ammonia",
+            "https://github.com/rust-ammonia/ammonia/blob/master/CHANGELOG.md#210",
+            "https://rustsec.org/advisories/RUSTSEC-2019-0001.html"
+          ],
+          "PublishedDate": "2019-08-26T18:15:00Z",
+          "LastModifiedDate": "2020-08-24T17:37:00Z"
         },
         {
-          "VulnerabilityID": "RUSTSEC-2016-0001",
-          "PkgName": "openssl",
-          "InstalledVersion": "0.8.3",
-          "FixedVersion": "\u003e= 0.9.0",
+          "VulnerabilityID": "CVE-2021-38193",
+          "PkgName": "ammonia",
+          "InstalledVersion": "1.9.0",
+          "FixedVersion": "\u003e= 3.1.0, \u003e= 2.1.3, \u003c 3.0.0",
           "Layer": {
             "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
           },
-          "PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2016-0001",
-          "Title": "SSL/TLS MitM vulnerability due to insecure defaults",
-          "Description": "All versions of rust-openssl prior to 0.9.0 contained numerous insecure defaults\nincluding off-by-default certificate verification and no API to perform hostname\nverification.\n\nUnless configured correctly by a developer, these defaults could allow an attacker\nto perform man-in-the-middle attacks.\n\nThe problem was addressed in newer versions by enabling certificate verification\nby default and exposing APIs to perform hostname verification. Use the\n`SslConnector` and `SslAcceptor` types to take advantage of these new features\n(as opposed to the lower-level `SslContext` type).",
-          "Severity": "UNKNOWN",
-          "References": [
-            "https://github.com/sfackler/rust-openssl/releases/tag/v0.9.0"
-          ]
-        },
-        {
-          "VulnerabilityID": "RUSTSEC-2019-0035",
-          "PkgName": "rand_core",
-          "InstalledVersion": "0.3.1",
-          "FixedVersion": "\u003e= 0.4.2",
-          "Layer": {
-            "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-38193",
+          "DataSource": {
+            "Name": "RustSec Advisory Database",
+            "URL": "https://github.com/RustSec/advisory-db"
           },
-          "PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0035",
-          "Title": "Unaligned memory access",
-          "Description": "Affected versions of this crate violated alignment when casting byte slices to\ninteger slices, resulting in undefined behavior.\n\nThe flaw was corrected by Ralf Jung and Diggory Hardy.",
-          "Severity": "UNKNOWN",
-          "References": [
-            "https://github.com/rust-random/rand/blob/master/rand_core/CHANGELOG.md#050---2019-06-06"
-          ]
-        },
-        {
-          "VulnerabilityID": "RUSTSEC-2019-0035",
-          "PkgName": "rand_core",
-          "InstalledVersion": "0.4.0",
-          "FixedVersion": "\u003e= 0.4.2",
-          "Layer": {
-            "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
+          "Title": "Incorrect handling of embedded SVG and MathML leads to mutation XSS",
+          "Description": "An issue was discovered in the ammonia crate before 3.1.0 for Rust. XSS can occur because the parsing differences for HTML, SVG, and MathML are mishandled, a similar issue to CVE-2020-26870.",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-79"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
+              "V2Score": 4.3,
+              "V3Score": 6.1
+            }
           },
-          "PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0035",
-          "Title": "Unaligned memory access",
-          "Description": "Affected versions of this crate violated alignment when casting byte slices to\ninteger slices, resulting in undefined behavior.\n\nThe flaw was corrected by Ralf Jung and Diggory Hardy.",
-          "Severity": "UNKNOWN",
           "References": [
-            "https://github.com/rust-random/rand/blob/master/rand_core/CHANGELOG.md#050---2019-06-06"
-          ]
-        },
-        {
-          "VulnerabilityID": "RUSTSEC-2018-0018",
-          "PkgName": "smallvec",
-          "InstalledVersion": "0.6.9",
-          "FixedVersion": "\u003e= 0.6.13",
-          "Layer": {
-            "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
-          },
-          "PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2018-0018",
-          "Title": "smallvec creates uninitialized value of any type",
-          "Description": "Affected versions of this crate called `mem::uninitialized()` to create values of a user-supplied type `T`.\nThis is unsound e.g. if `T` is a reference type (which must be non-null and thus may not remain uninitialized).\n \nThe flaw was corrected by avoiding the use of `mem::uninitialized()`, using `MaybeUninit` instead.",
-          "Severity": "UNKNOWN",
-          "References": [
-            "https://github.com/servo/rust-smallvec/issues/126"
-          ]
-        },
-        {
-          "VulnerabilityID": "RUSTSEC-2019-0009",
-          "PkgName": "smallvec",
-          "InstalledVersion": "0.6.9",
-          "FixedVersion": "\u003e= 0.6.10",
-          "Layer": {
-            "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
-          },
-          "PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0009",
-          "Title": "Double-free and use-after-free in SmallVec::grow()",
-          "Description": "Attempting to call `grow` on a spilled SmallVec with a value equal to the current capacity causes it to free the existing data. This performs a double free immediately and may lead to use-after-free on subsequent accesses to the SmallVec contents.\n\nAn attacker that controls the value passed to `grow` may exploit this flaw to obtain memory contents or gain remote code execution.\n\nCredits to @ehuss for discovering, reporting and fixing the bug.",
-          "Severity": "UNKNOWN",
-          "References": [
-            "https://github.com/servo/rust-smallvec/issues/148"
-          ]
-        },
-        {
-          "VulnerabilityID": "RUSTSEC-2019-0012",
-          "PkgName": "smallvec",
-          "InstalledVersion": "0.6.9",
-          "FixedVersion": "\u003e= 0.6.10",
-          "Layer": {
-            "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
-          },
-          "PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0012",
-          "Title": "Memory corruption in SmallVec::grow()",
-          "Description": "Attempting to call `grow` on a spilled SmallVec with a value less than the current capacity causes corruption of memory allocator data structures.\n\nAn attacker that controls the value passed to `grow` may exploit this flaw to obtain memory contents or gain remote code execution.\n\nCredits to @ehuss for discovering, reporting and fixing the bug.",
-          "Severity": "UNKNOWN",
-          "References": [
-            "https://github.com/servo/rust-smallvec/issues/149"
-          ]
-        },
-        {
-          "VulnerabilityID": "RUSTSEC-2018-0017",
-          "PkgName": "tempdir",
-          "InstalledVersion": "0.3.7",
-          "Layer": {
-            "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
-          },
-          "PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2018-0017",
-          "Title": "`tempdir` crate has been deprecated; use `tempfile` instead",
-          "Description": "The [`tempdir`](https://crates.io/crates/tempdir) crate has been deprecated\nand the functionality is merged into [`tempfile`](https://crates.io/crates/tempfile).",
-          "Severity": "UNKNOWN",
-          "References": [
-            "https://github.com/rust-lang-deprecated/tempdir/pull/46"
-          ]
+            "https://crates.io/crates/ammonia",
+            "https://github.com/rust-ammonia/ammonia/pull/142",
+            "https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/ammonia/RUSTSEC-2021-0074.md",
+            "https://rustsec.org/advisories/RUSTSEC-2021-0074.html"
+          ],
+          "PublishedDate": "2021-08-08T06:15:00Z",
+          "LastModifiedDate": "2021-08-16T16:37:00Z"
         }
       ]
     }

integration/testdata/centos-7-medium.json.golden

@@ -0,0 +1,149 @@
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/centos-7.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "centos",
+      "Name": "7.6.1810"
+    },
+    "ImageID": "sha256:9f38484d220fa527b1fb19747638497179500a1bed8bf0498eb788229229e6e1",
+    "DiffIDs": [
+      "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "958baf5225f586da9c70a21e911a0a875402dd22d83133d78b3b3aa6130e7892",
+      "created": "2019-03-14T21:19:53.361167852Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-03-14T21:19:52.66982152Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:074f2c974463ab38cf3532134e8ba2c91c9e346457713f2e8b8e2ac0ee9fd83d in / "
+        },
+        {
+          "created": "2019-03-14T21:19:53.099141434Z",
+          "created_by": "/bin/sh -c #(nop)  LABEL org.label-schema.schema-version=1.0 org.label-schema.name=CentOS Base Image org.label-schema.vendor=CentOS org.label-schema.license=GPLv2 org.label-schema.build-date=20190305",
+          "empty_layer": true
+        },
+        {
+          "created": "2019-03-14T21:19:53.361167852Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/bash\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/bash"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:294e8d8145287e70f07328cc09d840fad8980b801223321b983442f097aff0d8",
+        "Labels": {
+          "org.label-schema.build-date": "20190305",
+          "org.label-schema.license": "GPLv2",
+          "org.label-schema.name": "CentOS Base Image",
+          "org.label-schema.schema-version": "1.0",
+          "org.label-schema.vendor": "CentOS"
+        },
+        "ArgsEscaped": true
+      }
+    }
+  },
+  "Results": [
+    {
+      "Target": "testdata/fixtures/images/centos-7.tar.gz (centos 7.6.1810)",
+      "Class": "os-pkgs",
+      "Type": "centos",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2019-1559",
+          "VendorIDs": [
+            "RHSA-2019:2304"
+          ],
+          "PkgName": "openssl-libs",
+          "InstalledVersion": "1:1.0.2k-16.el7",
+          "FixedVersion": "1:1.0.2k-19.el7",
+          "Layer": {
+            "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+          },
+          "SeveritySource": "redhat",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1559",
+          "Title": "openssl: 0-byte record padding oracle",
+          "Description": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-203"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
+              "V2Score": 4.3,
+              "V3Score": 5.9
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
+              "V3Score": 5.9
+            }
+          },
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html",
+            "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html",
+            "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html",
+            "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html",
+            "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html",
+            "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00080.html",
+            "http://www.securityfocus.com/bid/107174",
+            "https://access.redhat.com/errata/RHSA-2019:2304",
+            "https://access.redhat.com/errata/RHSA-2019:2437",
+            "https://access.redhat.com/errata/RHSA-2019:2439",
+            "https://access.redhat.com/errata/RHSA-2019:2471",
+            "https://access.redhat.com/errata/RHSA-2019:3929",
+            "https://access.redhat.com/errata/RHSA-2019:3931",
+            "https://access.redhat.com/security/cve/CVE-2019-1559",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e",
+            "https://github.com/RUB-NDS/TLS-Padding-Oracles",
+            "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10282",
+            "https://linux.oracle.com/cve/CVE-2019-1559.html",
+            "https://linux.oracle.com/errata/ELSA-2019-2471.html",
+            "https://lists.debian.org/debian-lts-announce/2019/03/msg00003.html",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/",
+            "https://security.gentoo.org/glsa/201903-10",
+            "https://security.netapp.com/advisory/ntap-20190301-0001/",
+            "https://security.netapp.com/advisory/ntap-20190301-0002/",
+            "https://security.netapp.com/advisory/ntap-20190423-0002/",
+            "https://support.f5.com/csp/article/K18549143",
+            "https://support.f5.com/csp/article/K18549143?utm_source=f5support\u0026amp;utm_medium=RSS",
+            "https://ubuntu.com/security/notices/USN-3899-1",
+            "https://ubuntu.com/security/notices/USN-4376-2",
+            "https://usn.ubuntu.com/3899-1/",
+            "https://usn.ubuntu.com/4376-2/",
+            "https://www.debian.org/security/2019/dsa-4400",
+            "https://www.openssl.org/news/secadv/20190226.txt",
+            "https://www.oracle.com/security-alerts/cpujan2020.html",
+            "https://www.oracle.com/security-alerts/cpujan2021.html",
+            "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
+            "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
+            "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
+            "https://www.tenable.com/security/tns-2019-02",
+            "https://www.tenable.com/security/tns-2019-03"
+          ],
+          "PublishedDate": "2019-02-27T23:29:00Z",
+          "LastModifiedDate": "2021-01-20T15:15:00Z"
+        }
+      ]
+    }
+  ]
+}

integration/testdata/debian-buster-ignore-unfixed.json.golden

@@ -52,239 +52,11 @@
       "Class": "os-pkgs",
       "Type": "debian",
       "Vulnerabilities": [
-        {
-          "VulnerabilityID": "CVE-2019-5094",
-          "PkgName": "e2fsprogs",
-          "InstalledVersion": "1.44.5-1+deb10u1",
-          "FixedVersion": "1.44.5-1+deb10u2",
-          "Layer": {
-            "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
-          "Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write",
-          "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-787"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
-              "V2Score": 4.6
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
-              "V3Score": 6.4
-            }
-          },
-          "References": [
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
-            "https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
-            "https://seclists.org/bugtraq/2019/Sep/58",
-            "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887",
-            "https://usn.ubuntu.com/4142-2/",
-            "https://usn.ubuntu.com/usn/usn-4142-1",
-            "https://usn.ubuntu.com/usn/usn-4142-2",
-            "https://www.debian.org/security/2019/dsa-4535"
-          ],
-          "PublishedDate": "2019-09-24T22:15:00Z",
-          "LastModifiedDate": "2019-09-28T03:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-5188",
-          "PkgName": "e2fsprogs",
-          "InstalledVersion": "1.44.5-1+deb10u1",
-          "FixedVersion": "1.44.5-1+deb10u3",
-          "Layer": {
-            "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
-          "Title": "e2fsprogs: Out-of-bounds write in  e2fsck/rehash.c",
-          "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-787"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
-              "V2Score": 4.6
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
-              "V3Score": 7.5
-            }
-          },
-          "References": [
-            "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
-            "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
-            "https://usn.ubuntu.com/4249-1/",
-            "https://usn.ubuntu.com/usn/usn-4249-1"
-          ],
-          "PublishedDate": "2020-01-08T16:15:00Z",
-          "LastModifiedDate": "2020-01-28T06:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-5094",
-          "PkgName": "libcom-err2",
-          "InstalledVersion": "1.44.5-1+deb10u1",
-          "FixedVersion": "1.44.5-1+deb10u2",
-          "Layer": {
-            "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
-          "Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write",
-          "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-787"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
-              "V2Score": 4.6
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
-              "V3Score": 6.4
-            }
-          },
-          "References": [
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
-            "https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
-            "https://seclists.org/bugtraq/2019/Sep/58",
-            "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887",
-            "https://usn.ubuntu.com/4142-2/",
-            "https://usn.ubuntu.com/usn/usn-4142-1",
-            "https://usn.ubuntu.com/usn/usn-4142-2",
-            "https://www.debian.org/security/2019/dsa-4535"
-          ],
-          "PublishedDate": "2019-09-24T22:15:00Z",
-          "LastModifiedDate": "2019-09-28T03:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-5188",
-          "PkgName": "libcom-err2",
-          "InstalledVersion": "1.44.5-1+deb10u1",
-          "FixedVersion": "1.44.5-1+deb10u3",
-          "Layer": {
-            "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
-          "Title": "e2fsprogs: Out-of-bounds write in  e2fsck/rehash.c",
-          "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-787"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
-              "V2Score": 4.6
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
-              "V3Score": 7.5
-            }
-          },
-          "References": [
-            "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
-            "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
-            "https://usn.ubuntu.com/4249-1/",
-            "https://usn.ubuntu.com/usn/usn-4249-1"
-          ],
-          "PublishedDate": "2020-01-08T16:15:00Z",
-          "LastModifiedDate": "2020-01-28T06:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-5094",
-          "PkgName": "libext2fs2",
-          "InstalledVersion": "1.44.5-1+deb10u1",
-          "FixedVersion": "1.44.5-1+deb10u2",
-          "Layer": {
-            "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
-          "Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write",
-          "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-787"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
-              "V2Score": 4.6
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
-              "V3Score": 6.4
-            }
-          },
-          "References": [
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
-            "https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
-            "https://seclists.org/bugtraq/2019/Sep/58",
-            "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887",
-            "https://usn.ubuntu.com/4142-2/",
-            "https://usn.ubuntu.com/usn/usn-4142-1",
-            "https://usn.ubuntu.com/usn/usn-4142-2",
-            "https://www.debian.org/security/2019/dsa-4535"
-          ],
-          "PublishedDate": "2019-09-24T22:15:00Z",
-          "LastModifiedDate": "2019-09-28T03:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-5188",
-          "PkgName": "libext2fs2",
-          "InstalledVersion": "1.44.5-1+deb10u1",
-          "FixedVersion": "1.44.5-1+deb10u3",
-          "Layer": {
-            "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
-          "Title": "e2fsprogs: Out-of-bounds write in  e2fsck/rehash.c",
-          "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-787"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
-              "V2Score": 4.6
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
-              "V3Score": 7.5
-            }
-          },
-          "References": [
-            "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
-            "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
-            "https://usn.ubuntu.com/4249-1/",
-            "https://usn.ubuntu.com/usn/usn-4249-1"
-          ],
-          "PublishedDate": "2020-01-08T16:15:00Z",
-          "LastModifiedDate": "2020-01-28T06:15:00Z"
-        },
         {
           "VulnerabilityID": "CVE-2019-18224",
+          "VendorIDs": [
+            "DSA-4613-1"
+          ],
           "PkgName": "libidn2-0",
           "InstalledVersion": "2.0.5-1",
           "FixedVersion": "2.0.5-1+deb10u1",
@@ -293,16 +65,23 @@
           },
           "SeveritySource": "nvd",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18224",
+          "DataSource": {
+            "ID": "debian",
+            "Name": "Debian Security Tracker",
+            "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
+          },
           "Title": "libidn2: heap-based buffer overflow in idn2_to_ascii_4i in lib/lookup.c",
           "Description": "idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.",
-          "Severity": "HIGH",
+          "Severity": "CRITICAL",
           "CweIDs": [
             "CWE-787"
           ],
           "CVSS": {
             "nvd": {
               "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
-              "V2Score": 7.5
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+              "V2Score": 7.5,
+              "V3Score": 9.8
             },
             "redhat": {
               "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
@@ -310,466 +89,23 @@
             }
           },
           "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00008.html",
+            "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00009.html",
+            "https://access.redhat.com/security/cve/CVE-2019-18224",
             "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420",
             "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18224",
             "https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c",
             "https://github.com/libidn/libidn2/compare/libidn2-2.1.0...libidn2-2.1.1",
             "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDQVQ2XPV5BTZUFINT7AFJSKNNBVURNJ/",
             "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MINU5RKDFE6TKAFY5DRFN3WSFDS4DYVS/",
+            "https://seclists.org/bugtraq/2020/Feb/4",
+            "https://security.gentoo.org/glsa/202003-63",
+            "https://ubuntu.com/security/notices/USN-4168-1",
             "https://usn.ubuntu.com/4168-1/",
-            "https://usn.ubuntu.com/usn/usn-4168-1"
+            "https://www.debian.org/security/2020/dsa-4613"
           ],
           "PublishedDate": "2019-10-21T17:15:00Z",
           "LastModifiedDate": "2019-10-29T19:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-17594",
-          "PkgName": "libncursesw6",
-          "InstalledVersion": "6.1+20181013-2+deb10u1",
-          "FixedVersion": "6.1+20181013-2+deb10u2",
-          "Layer": {
-            "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
-          },
-          "SeveritySource": "debian",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-17594",
-          "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c",
-          "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
-          "Severity": "LOW",
-          "CweIDs": [
-            "CWE-125"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
-              "V2Score": 4.6
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
-              "V3Score": 5.3
-            }
-          },
-          "References": [
-            "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
-            "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594",
-            "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html",
-            "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html"
-          ],
-          "PublishedDate": "2019-10-14T21:15:00Z",
-          "LastModifiedDate": "2019-12-26T15:35:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-17595",
-          "PkgName": "libncursesw6",
-          "InstalledVersion": "6.1+20181013-2+deb10u1",
-          "FixedVersion": "6.1+20181013-2+deb10u2",
-          "Layer": {
-            "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
-          },
-          "SeveritySource": "debian",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-17595",
-          "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c",
-          "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
-          "Severity": "LOW",
-          "CweIDs": [
-            "CWE-125"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
-              "V2Score": 5.8
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
-              "V3Score": 5.4
-            }
-          },
-          "References": [
-            "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
-            "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595",
-            "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html",
-            "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html"
-          ],
-          "PublishedDate": "2019-10-14T21:15:00Z",
-          "LastModifiedDate": "2019-12-23T19:26:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-5094",
-          "PkgName": "libss2",
-          "InstalledVersion": "1.44.5-1+deb10u1",
-          "FixedVersion": "1.44.5-1+deb10u2",
-          "Layer": {
-            "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
-          "Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write",
-          "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-787"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
-              "V2Score": 4.6
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
-              "V3Score": 6.4
-            }
-          },
-          "References": [
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
-            "https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
-            "https://seclists.org/bugtraq/2019/Sep/58",
-            "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887",
-            "https://usn.ubuntu.com/4142-2/",
-            "https://usn.ubuntu.com/usn/usn-4142-1",
-            "https://usn.ubuntu.com/usn/usn-4142-2",
-            "https://www.debian.org/security/2019/dsa-4535"
-          ],
-          "PublishedDate": "2019-09-24T22:15:00Z",
-          "LastModifiedDate": "2019-09-28T03:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-5188",
-          "PkgName": "libss2",
-          "InstalledVersion": "1.44.5-1+deb10u1",
-          "FixedVersion": "1.44.5-1+deb10u3",
-          "Layer": {
-            "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5188",
-          "Title": "e2fsprogs: Out-of-bounds write in  e2fsck/rehash.c",
-          "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-787"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
-              "V2Score": 4.6
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
-              "V3Score": 7.5
-            }
-          },
-          "References": [
-            "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
-            "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
-            "https://usn.ubuntu.com/4249-1/",
-            "https://usn.ubuntu.com/usn/usn-4249-1"
-          ],
-          "PublishedDate": "2020-01-08T16:15:00Z",
-          "LastModifiedDate": "2020-01-28T06:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-15718",
-          "PkgName": "libsystemd0",
-          "InstalledVersion": "241-7~deb10u1",
-          "FixedVersion": "241-7~deb10u2",
-          "Layer": {
-            "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-15718",
-          "Title": "systemd: systemd-resolved allows unprivileged users to configure DNS",
-          "Description": "In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-284"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
-              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
-              "V2Score": 2.1,
-              "V3Score": 5.5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
-              "V3Score": 5.3
-            }
-          },
-          "References": [
-            "http://linux.oracle.com/cve/CVE-2019-15718.html",
-            "http://linux.oracle.com/errata/ELSA-2019-3592.html",
-            "http://www.openwall.com/lists/oss-security/2019/09/03/1",
-            "https://bugzilla.redhat.com/show_bug.cgi?id=1746057",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15718",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRE5IS24XTF5WNZGH2L7GSQJKARBOEGL/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIKGKXZ5OEGOEYURHLJHEMFYNLEGAW5B/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2WNHRJW4XI6H5YMDG4BUFGPAXWUMUVG/",
-            "https://usn.ubuntu.com/usn/usn-4120-1"
-          ],
-          "PublishedDate": "2019-09-04T12:15:00Z",
-          "LastModifiedDate": "2019-09-19T04:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-17594",
-          "PkgName": "libtinfo6",
-          "InstalledVersion": "6.1+20181013-2+deb10u1",
-          "FixedVersion": "6.1+20181013-2+deb10u2",
-          "Layer": {
-            "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
-          },
-          "SeveritySource": "debian",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-17594",
-          "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c",
-          "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
-          "Severity": "LOW",
-          "CweIDs": [
-            "CWE-125"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
-              "V2Score": 4.6
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
-              "V3Score": 5.3
-            }
-          },
-          "References": [
-            "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
-            "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594",
-            "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html",
-            "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html"
-          ],
-          "PublishedDate": "2019-10-14T21:15:00Z",
-          "LastModifiedDate": "2019-12-26T15:35:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-17595",
-          "PkgName": "libtinfo6",
-          "InstalledVersion": "6.1+20181013-2+deb10u1",
-          "FixedVersion": "6.1+20181013-2+deb10u2",
-          "Layer": {
-            "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
-          },
-          "SeveritySource": "debian",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-17595",
-          "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c",
-          "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
-          "Severity": "LOW",
-          "CweIDs": [
-            "CWE-125"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
-              "V2Score": 5.8
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
-              "V3Score": 5.4
-            }
-          },
-          "References": [
-            "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
-            "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595",
-            "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html",
-            "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html"
-          ],
-          "PublishedDate": "2019-10-14T21:15:00Z",
-          "LastModifiedDate": "2019-12-23T19:26:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-15718",
-          "PkgName": "libudev1",
-          "InstalledVersion": "241-7~deb10u1",
-          "FixedVersion": "241-7~deb10u2",
-          "Layer": {
-            "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-15718",
-          "Title": "systemd: systemd-resolved allows unprivileged users to configure DNS",
-          "Description": "In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-284"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
-              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
-              "V2Score": 2.1,
-              "V3Score": 5.5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
-              "V3Score": 5.3
-            }
-          },
-          "References": [
-            "http://linux.oracle.com/cve/CVE-2019-15718.html",
-            "http://linux.oracle.com/errata/ELSA-2019-3592.html",
-            "http://www.openwall.com/lists/oss-security/2019/09/03/1",
-            "https://bugzilla.redhat.com/show_bug.cgi?id=1746057",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15718",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRE5IS24XTF5WNZGH2L7GSQJKARBOEGL/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIKGKXZ5OEGOEYURHLJHEMFYNLEGAW5B/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2WNHRJW4XI6H5YMDG4BUFGPAXWUMUVG/",
-            "https://usn.ubuntu.com/usn/usn-4120-1"
-          ],
-          "PublishedDate": "2019-09-04T12:15:00Z",
-          "LastModifiedDate": "2019-09-19T04:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-17594",
-          "PkgName": "ncurses-base",
-          "InstalledVersion": "6.1+20181013-2+deb10u1",
-          "FixedVersion": "6.1+20181013-2+deb10u2",
-          "Layer": {
-            "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
-          },
-          "SeveritySource": "debian",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-17594",
-          "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c",
-          "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
-          "Severity": "LOW",
-          "CweIDs": [
-            "CWE-125"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
-              "V2Score": 4.6
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
-              "V3Score": 5.3
-            }
-          },
-          "References": [
-            "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
-            "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594",
-            "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html",
-            "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html"
-          ],
-          "PublishedDate": "2019-10-14T21:15:00Z",
-          "LastModifiedDate": "2019-12-26T15:35:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-17595",
-          "PkgName": "ncurses-base",
-          "InstalledVersion": "6.1+20181013-2+deb10u1",
-          "FixedVersion": "6.1+20181013-2+deb10u2",
-          "Layer": {
-            "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
-          },
-          "SeveritySource": "debian",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-17595",
-          "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c",
-          "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
-          "Severity": "LOW",
-          "CweIDs": [
-            "CWE-125"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
-              "V2Score": 5.8
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
-              "V3Score": 5.4
-            }
-          },
-          "References": [
-            "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
-            "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595",
-            "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html",
-            "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html"
-          ],
-          "PublishedDate": "2019-10-14T21:15:00Z",
-          "LastModifiedDate": "2019-12-23T19:26:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-17594",
-          "PkgName": "ncurses-bin",
-          "InstalledVersion": "6.1+20181013-2+deb10u1",
-          "FixedVersion": "6.1+20181013-2+deb10u2",
-          "Layer": {
-            "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
-          },
-          "SeveritySource": "debian",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-17594",
-          "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c",
-          "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
-          "Severity": "LOW",
-          "CweIDs": [
-            "CWE-125"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
-              "V2Score": 4.6
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
-              "V3Score": 5.3
-            }
-          },
-          "References": [
-            "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
-            "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594",
-            "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html",
-            "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html"
-          ],
-          "PublishedDate": "2019-10-14T21:15:00Z",
-          "LastModifiedDate": "2019-12-26T15:35:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-17595",
-          "PkgName": "ncurses-bin",
-          "InstalledVersion": "6.1+20181013-2+deb10u1",
-          "FixedVersion": "6.1+20181013-2+deb10u2",
-          "Layer": {
-            "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
-          },
-          "SeveritySource": "debian",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-17595",
-          "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c",
-          "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
-          "Severity": "LOW",
-          "CweIDs": [
-            "CWE-125"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
-              "V2Score": 5.8
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
-              "V3Score": 5.4
-            }
-          },
-          "References": [
-            "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
-            "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595",
-            "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html",
-            "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html"
-          ],
-          "PublishedDate": "2019-10-14T21:15:00Z",
-          "LastModifiedDate": "2019-12-23T19:26:00Z"
         }
       ]
     }

integration/testdata/distroless-base-ignore-unfixed.json.golden

@@ -1,134 +0,0 @@
-{
-  "SchemaVersion": 2,
-  "ArtifactName": "testdata/fixtures/images/distroless-base.tar.gz",
-  "ArtifactType": "container_image",
-  "Metadata": {
-    "OS": {
-      "Family": "debian",
-      "Name": "9.9"
-    },
-    "ImageID": "sha256:7f04a8d247173b1f2546d22913af637bbab4e7411e00ae6207da8d94c445750d",
-    "DiffIDs": [
-      "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
-      "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5"
-    ],
-    "ImageConfig": {
-      "architecture": "amd64",
-      "author": "Bazel",
-      "created": "1970-01-01T00:00:00Z",
-      "history": [
-        {
-          "author": "Bazel",
-          "created": "1970-01-01T00:00:00Z",
-          "created_by": "bazel build ..."
-        },
-        {
-          "author": "Bazel",
-          "created": "1970-01-01T00:00:00Z",
-          "created_by": "bazel build ..."
-        }
-      ],
-      "os": "linux",
-      "rootfs": {
-        "type": "layers",
-        "diff_ids": [
-          "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
-          "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5"
-        ]
-      },
-      "config": {
-        "Env": [
-          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
-          "SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt"
-        ]
-      }
-    }
-  },
-  "Results": [
-    {
-      "Target": "testdata/fixtures/images/distroless-base.tar.gz (debian 9.9)",
-      "Class": "os-pkgs",
-      "Type": "debian",
-      "Vulnerabilities": [
-        {
-          "VulnerabilityID": "CVE-2019-1563",
-          "PkgName": "libssl1.1",
-          "InstalledVersion": "1.1.0k-1~deb9u1",
-          "FixedVersion": "1.1.0l-1~deb9u1",
-          "Layer": {
-            "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 4.3
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-              "V3Score": 3.7
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T11:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1563",
-          "PkgName": "openssl",
-          "InstalledVersion": "1.1.0k-1~deb9u1",
-          "FixedVersion": "1.1.0l-1~deb9u1",
-          "Layer": {
-            "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-311"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-              "V2Score": 4.3
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-              "V3Score": 3.7
-            }
-          },
-          "References": [
-            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-            "https://seclists.org/bugtraq/2019/Sep/25",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://www.openssl.org/news/secadv/20190910.txt"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2019-09-12T11:15:00Z"
-        }
-      ]
-    }
-  ]
-}