fix(rpm): make it possible to scan non-RHEL images without rpm (#429)

* detector/alpine: Add LayerID to detect vulns

Signed-off-by: Simarpreet Singh <simar@linux.com>

* amazon: Add LayerID to DetectedVulns

Signed-off-by: Simarpreet Singh <simar@linux.com>

* debian: Add LayerID to DetectVulns + tests

Signed-off-by: Simarpreet Singh <simar@linux.com>

* oracle: Add LayerID to DetectVulns + tests

Signed-off-by: Simarpreet Singh <simar@linux.com>

* photon: Add LayerID to DetectVulns + tests

Signed-off-by: Simarpreet Singh <simar@linux.com>

* redhat: Add LayerID to DetectVulns + tests

Signed-off-by: Simarpreet Singh <simar@linux.com>

* suse: Add LayerID to DetectVulns + tests

Signed-off-by: Simarpreet Singh <simar@linux.com>

* ubuntu: Add LayerID to DetectVulns + tests

Signed-off-by: Simarpreet Singh <simar@linux.com>

* integration: Fix integration tests to include LayerID

Signed-off-by: Simarpreet Singh <simar@linux.com>

* fix(rpc): add layer_id

* fix(rpc): insert layer_id to the struct

* fix(extractor): add cleanup function

* fix(library): add layer ID to detected vulnerabilities

* test: update mocks

* chore(mod): point to the feature branch of fanal

* mod: Point to fanal/master

Signed-off-by: Simarpreet Singh <simar@linux.com>

* scan_test: Include LayerID as part of the assertion

Signed-off-by: Simarpreet Singh <simar@linux.com>

* docker_engine_test.go: Update an error message to conform with fanal/master.

Signed-off-by: Simarpreet Singh <simar@linux.com>

Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>

Dockerfile

@@ -1,5 +1,5 @@
 FROM alpine:3.11
 RUN apk --no-cache add ca-certificates git rpm
 COPY trivy /usr/local/bin/trivy
-
+COPY contrib/gitlab.tpl contrib/gitlab.tpl
 ENTRYPOINT ["trivy"]

Makefile

@@ -47,7 +47,7 @@ build:
 
 .PHONY: protoc
 protoc:
-	protoc --proto_path=$(GOSRC):. --twirp_out=. --go_out=. ./rpc/detector/service.proto
+	find ./rpc/ -name "*.proto" -type f -exec protoc --proto_path=$(GOSRC):. --twirp_out=. --go_out=. {} \;
 
 .PHONY: install
 install:

README.md

@@ -49,7 +49,7 @@ A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI
 - [Continuous Integration (CI)](#continuous-integration-ci)
   - [Travis CI](#travis-ci)
   - [CircleCI](#circleci)
-  - [GitLab CI](#gitlab)
+  - [GitLab CI](#gitlab-ci)
   - [Authorization for Private Docker Registry](#authorization-for-private-docker-registry)
 - [Vulnerability Detection](#vulnerability-detection)
   - [OS Packages](#os-packages)
@@ -1239,7 +1239,7 @@ workflows:
 Example: https://circleci.com/gh/aquasecurity/trivy-ci-test  
 Repository: https://github.com/aquasecurity/trivy-ci-test
 
-## GitLab
+## GitLab CI
 
 ```
 $ cat .gitlab-ci.yml
@@ -1248,7 +1248,7 @@ stages:
 
 trivy:
   stage: test
-  image: docker:19.03.5
+  image: docker:stable
   services:
     - name: docker:dind
       entrypoint: ["env", "-u", "DOCKER_HOST"]
@@ -1258,6 +1258,7 @@ trivy:
     DOCKER_DRIVER: overlay2
     # See https://github.com/docker-library/docker/pull/166
     DOCKER_TLS_CERTDIR: ""
+    IMAGE: trivy-ci-test:$CI_COMMIT_SHA
   before_script:
     - apk add --no-cache curl
     - export VERSION=$(curl --silent "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
@@ -1267,21 +1268,21 @@ trivy:
   allow_failure: true
   script:
     # Build image
-    - docker build -t trivy-ci-test:$CI_COMMIT_SHA .
+    - docker build -t $IMAGE .
     # Build report
-    - ./trivy --exit-code 0 --cache-dir $CI_PROJECT_DIR/.trivycache/ --no-progress  --format template --template "@contrib/gitlab.tpl" -o ${CI_PROJECT_DIR}/gl-container-scanning-report.json trivy-ci-test:$CI_COMMIT_SHA
+    - ./trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@contrib/gitlab.tpl" -o gl-container-scanning-report.json $IMAGE
     # Print report
-    - ./trivy --exit-code 0 --cache-dir $CI_PROJECT_DIR/.trivycache/ --no-progress --severity HIGH trivy-ci-test:$CI_COMMIT_SHA
+    - ./trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --severity HIGH $IMAGE
     # Fail on high and critical vulnerabilities
-    - ./trivy --exit-code 1 --cache-dir $CI_PROJECT_DIR/.trivycache/ --severity CRITICAL --no-progress trivy-ci-test:$CI_COMMIT_SHA
+    - ./trivy --exit-code 1 --cache-dir .trivycache/ --severity CRITICAL --no-progress $IMAGE
   cache:
     paths:
-      - $CI_PROJECT_DIR/.trivycache/
-  # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/
+      - .trivycache/
+  # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)
   artifacts:
     reports:
-      container_scanning: ${CI_PROJECT_DIR}/gl-container-scanning-report.json
-```   
+      container_scanning: gl-container-scanning-report.json
+```
 
 ## Authorization for Private Docker Registry
 
@@ -1333,11 +1334,11 @@ export TRIVY_NON_SSL=true
 
 ## OS Packages
 
-The unfixed/unfixable vulnerabilities mean that the patch has not yet been provided on their distribution.
+The unfixed/unfixable vulnerabilities mean that the patch has not yet been provided on their distribution. Trivy doesn't support self-compiled packages/binaries, but official packages provided by vendors such as Red Hat and Debian.
 
 | OS                           | Supported Versions                       | Target Packages               | Detection of unfixed vulnerabilities |
 | ---------------------------- | ---------------------------------------- | ----------------------------- | :----------------------------------: |
-| Alpine Linux                 | 2.2 - 2.7, 3.0 - 3.10                    | Installed by apk              |                  NO                  |
+| Alpine Linux                 | 2.2 - 2.7, 3.0 - 3.11                    | Installed by apk              |                  NO                  |
 | Red Hat Universal Base Image | 7, 8                                     | Installed by yum/rpm          |                 YES                  |
 | Red Hat Enterprise Linux     | 6, 7, 8                                  | Installed by yum/rpm          |                 YES                  |
 | CentOS                       | 6, 7                                     | Installed by yum/rpm          |                 YES                  |

ci/Dockerfile

@@ -3,7 +3,7 @@ FROM circleci/golang:1.13-buster
 RUN sudo apt-get -y update \
     && sudo apt-get -y install rpm reprepro createrepo
 
-ARG GORELEASER_VERSION=0.110.0
+ARG GORELEASER_VERSION=0.124.1
 ARG GORELEASER_ARTIFACT=goreleaser_Linux_x86_64.tar.gz
 RUN wget https://github.com/goreleaser/goreleaser/releases/download/v${GORELEASER_VERSION}/${GORELEASER_ARTIFACT} \
     && sudo tar -xzf ${GORELEASER_ARTIFACT} -C /usr/bin/ goreleaser \

contrib/Trivy.gitlab-ci.yml

@@ -0,0 +1,29 @@
+Trivy_container_scanning:
+  stage: test
+  image:
+    name: alpine:3.11
+  variables:
+    # Override the GIT_STRATEGY variable in your `.gitlab-ci.yml` file and set it to `fetch` if you want to provide a `clair-whitelist.yml`
+    # file. See https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template
+    # for details
+    GIT_STRATEGY: none
+    IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
+  allow_failure: true
+  before_script:
+    - export TRIVY_VERSION=${TRIVY_VERSION:-v0.4.3}
+    - apk add --no-cache curl docker-cli
+    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
+    - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin ${TRIVY_VERSION}
+    - curl -sSL -o /tmp/trivy-gitlab.tpl https://github.com/aquasecurity/trivy/raw/${TRIVY_VERSION}/contrib/gitlab.tpl
+  script:
+    - trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@/tmp/trivy-gitlab.tpl" -o gl-container-scanning-report.json $IMAGE
+  cache:
+    paths:
+      - .trivycache/
+  artifacts:
+    reports:
+      container_scanning: gl-container-scanning-report.json
+  dependencies: []
+  only:
+    refs:
+      - branches

contrib/gitlab.tpl

@@ -1,40 +1,40 @@
-{{- /* Template based on https://docs.gitlab.com/ee/user/application_security/container_scanning/#reports-json-format */}}
+{{- /* Template based on https://docs.gitlab.com/ee/user/application_security/container_scanning/#reports-json-format */ -}}
 {
-"version": "2.3",
-{{- range . }}
-{{- $target := .Target }}
-"vulnerabilities": [
-    {{- $first := true}}
+  "version": "2.3",
+  "vulnerabilities": [
+  {{- $t_first := true }}
+  {{- range . }}
+  {{- $target := .Target }}
     {{- range .Vulnerabilities -}}
-    {{- if $first -}}
-      {{- $first = false -}}
-    {{else -}}
-,
-    {{- end}}
+    {{- if $t_first -}}
+      {{- $t_first = false -}}
+    {{ else -}}
+      ,
+    {{- end }}
     {
       "category": "container_scanning",
       "message": {{ .Title | printf "%q" }},
-      "description": {{ .Description | printf "%q"}},
+      "description": {{ .Description | printf "%q" }},
       "cve": "{{ .VulnerabilityID }}",
       "severity": {{ if eq .Severity "UNKNOWN" -}}
                     "Unknown"
-                {{else if eq .Severity "LOW" -}}
+                  {{- else if eq .Severity "LOW" -}}
                     "Low"
-                {{else if eq .Severity "MEDIUM" -}}
+                  {{- else if eq .Severity "MEDIUM" -}}
                     "Medium"
-                {{else if eq .Severity "HIGH" -}}
+                  {{- else if eq .Severity "HIGH" -}}
                     "High"
-                {{else if eq .Severity "CRITICAL" -}}
+                  {{- else if eq .Severity "CRITICAL" -}}
                     "Critical"
-                {{ else -}}
-                "{{ .Severity }}"
-                {{- end }},
+                  {{-  else -}}
+                    "{{ .Severity }}"
+                  {{- end }},
       "confidence": "Unknown",
       "solution": {{ if .FixedVersion -}}
-                  "Upgrade {{ .PkgName }} to {{ .FixedVersion }}",
+                    "Upgrade {{ .PkgName }} to {{ .FixedVersion }}"
                   {{- else -}}
-                  "No solution provided",
-                  {{- end }}
+                    "No solution provided"
+                  {{- end }},
       "scanner": {
         "id": "trivy",
         "name": "trivy"
@@ -43,38 +43,38 @@
         "dependency": {
           "package": {
             "name": "{{ .PkgName }}"
-       },
-            "version": "{{ .InstalledVersion }}"
+          },
+          "version": "{{ .InstalledVersion }}"
         },
-    {{- /* TODO: No mapping available - https://github.com/aquasecurity/trivy/issues/332 */}}
-    "operating_system": "Unknown",
-    "image": "{{ $target }}"
+        {{- /* TODO: No mapping available - https://github.com/aquasecurity/trivy/issues/332 */}}
+        "operating_system": "Unknown",
+        "image": "{{ $target }}"
       },
       "identifiers": [
-          {
+        {
 	  {{- /* TODO: Type not extractable - https://github.com/aquasecurity/trivy-db/pull/24 */}}
           "type": "cve",
           "name": "{{ .VulnerabilityID }}",
           "value": "{{ .VulnerabilityID }}",
           "url": ""
-          }
+        }
       ],
       "links": [
-          {{ $first := true -}}
-          {{- range .References -}}
-          {{- if $first -}}
-          {{- $first = false -}}
-          {{else -}}
- ,
-          {{ end -}}
-      {
+        {{- $l_first := true -}}
+        {{- range .References -}}
+        {{- if $l_first -}}
+          {{- $l_first = false }}
+        {{- else -}}
+          ,
+        {{- end -}}
+        {
           "url": "{{ . }}"
-      }
-      {{- end }}
-    ]
+        }
+        {{- end }}
+      ]
     }
-  {{- end -}}
-{{- end}}
+    {{- end -}}
+  {{- end }}
   ],
   "remediations": []
 }

go.mod

@@ -3,7 +3,7 @@ module github.com/aquasecurity/trivy
 go 1.13
 
 require (
-	github.com/aquasecurity/fanal v0.0.0-20200112144021-9a35ce3bd793
+	github.com/aquasecurity/fanal v0.0.0-20200306122936-f0a17242a9a0
 	github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b
 	github.com/aquasecurity/trivy-db v0.0.0-20191226181755-d6cabf5bc5d1
 	github.com/caarlos0/env/v6 v6.0.0
@@ -12,7 +12,7 @@ require (
 	github.com/docker/docker v0.0.0-20180924202107-a9c061deec0f
 	github.com/genuinetools/reg v0.16.0
 	github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d // indirect
-	github.com/golang/protobuf v1.3.2
+	github.com/golang/protobuf v1.3.3
 	github.com/google/go-github/v28 v28.1.1
 	github.com/google/wire v0.3.0
 	github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
@@ -20,18 +20,16 @@ require (
 	github.com/knqyf263/go-version v1.1.1
 	github.com/kylelemons/godebug v1.1.0
 	github.com/olekukonko/tablewriter v0.0.2-0.20190607075207-195002e6e56a
+	github.com/opencontainers/go-digest v1.0.0-rc1
 	github.com/stretchr/testify v1.4.0
-	github.com/twitchtv/twirp v5.9.0+incompatible
-	github.com/urfave/cli v1.20.0
+	github.com/twitchtv/twirp v5.10.1+incompatible
+	github.com/urfave/cli v1.22.1
 	go.uber.org/atomic v1.5.1 // indirect
 	go.uber.org/multierr v1.4.0 // indirect
 	go.uber.org/zap v1.13.0
-	golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529
 	golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421
 	golang.org/x/tools v0.0.0-20191121040551-947d4aa89328 // indirect
 	golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898
 	gopkg.in/yaml.v2 v2.2.4 // indirect
 	k8s.io/utils v0.0.0-20191010214722-8d271d903fe4
 )
-
-replace github.com/genuinetools/reg => github.com/tomoyamachi/reg v0.16.1-0.20190706172545-2a2250fd7c00

go.sum

@@ -2,14 +2,20 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMT
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.37.4 h1:glPeL3BQJsbF6aIIYfZizMwc5LTYz250bDMjttbBGAU=
 cloud.google.com/go v0.37.4/go.mod h1:NHPJ89PdicEuT9hdPXMROBD91xc5uRDxsMtSB16k7hw=
+github.com/14rcole/gopopulate v0.0.0-20180821133914-b175b219e774 h1:SCbEWT58NSt7d2mcFdvxC9uyrdcTfvBbPLThhkDmXzg=
+github.com/14rcole/gopopulate v0.0.0-20180821133914-b175b219e774/go.mod h1:6/0dYRLLXyJjbkIPeeGyoJ/eKOSI0eU6eTlCBYibgd0=
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 h1:w+iIsaOQNcT7OZ575w+acHgRric5iCyQh+xv+KJ4HB8=
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/DataDog/zstd v1.4.0/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo=
 github.com/GoogleCloudPlatform/docker-credential-gcr v1.5.0 h1:wykTgKwhVr2t2qs+xI020s6W5dt614QqCHV+7W9dg64=
 github.com/GoogleCloudPlatform/docker-credential-gcr v1.5.0/go.mod h1:BB1eHdMLYEFuFdBlRMb0N7YGVdM5s6Pt0njxgvfbGGs=
-github.com/Microsoft/go-winio v0.4.12 h1:xAfWHN1IrQ0NJ9TBC0KBZoqLjzDTr1ML+4MywiUOryc=
-github.com/Microsoft/go-winio v0.4.12/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA=
+github.com/Microsoft/go-winio v0.4.11/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA=
+github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5 h1:ygIc8M6trr62pF5DucadTWGdEB4mEyvzi0e2nbcmcyA=
+github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw=
+github.com/Microsoft/hcsshim v0.8.7 h1:ptnOoufxGSzauVTsdE+wMYnCWA301PdoN4xg5oRdZpg=
+github.com/Microsoft/hcsshim v0.8.7/go.mod h1:OHd7sQqRFrYd3RmSgbgji+ctCwkbq2wbEYNSzOYtcBQ=
 github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 h1:TngWCqHvy9oXAN6lEVMRuU21PR1EtLVZJmdB18Gu3Rw=
 github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5/go.mod h1:lmUJ/7eu/Q8D7ML55dXQrVaamCz2vxCfdQBasLZfHKk=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
@@ -17,18 +23,14 @@ github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWX
 github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI=
 github.com/VividCortex/ewma v1.1.1 h1:MnEK4VOv6n0RSY4vtRe3h11qjxL3+t0B8yOL8iMXdcM=
 github.com/VividCortex/ewma v1.1.1/go.mod h1:2Tkkvm3sRDVXaiyucHiACn4cqf7DpdyLvmxzcbUokwA=
-github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7 h1:uSoVVbwJiQipAclBbw+8quDsfcvFjOpI5iCf4p/cqCs=
 github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7/go.mod h1:6zEj6s6u/ghQa61ZWa/C2Aw3RkjiTBOix7dkqa1VLIs=
-github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc h1:cAKDfWh5VpdgMhJosfJnn5/FoN2SRZ4p7fJNX58YPaU=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
-github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf h1:qet1QNfXsQxTZqLG4oE62mJzwPIB8+Tee4RNCL9ulrY=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
-github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo4JG6LR5AXSUEsOjtdm0kw0FtQtMJA=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
 github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
 github.com/aquasecurity/fanal v0.0.0-20190819081512-f04452b627c6/go.mod h1:enEz4FFetw4XAbkffaYgyCVq1556R9Ry+noqT4rq9BE=
-github.com/aquasecurity/fanal v0.0.0-20200112144021-9a35ce3bd793 h1:wPGD5cu66RvwRkNULAqOAMbNWFjmYSCJ/mqHJ5rYBN0=
-github.com/aquasecurity/fanal v0.0.0-20200112144021-9a35ce3bd793/go.mod h1:S2D937GMywJzh6KiLQEyt/0yqmfAngUFvuQ9UmkIZSw=
+github.com/aquasecurity/fanal v0.0.0-20200306122936-f0a17242a9a0 h1:ZkK02opCRhNdXBQHVA8cYgMFWfIYKAdje6s7LJQOQ0I=
+github.com/aquasecurity/fanal v0.0.0-20200306122936-f0a17242a9a0/go.mod h1:yPZqe/vMN0QDXBIl3kE9s793zU9NSQuEHGWLlL85bG8=
 github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b h1:55Ulc/gvfWm4ylhVaR7MxOwujRjA6et7KhmUbSgUFf4=
 github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b/go.mod h1:BpNTD9vHfrejKsED9rx04ldM1WIbeyXGYxUrqTVwxVQ=
 github.com/aquasecurity/trivy v0.1.6/go.mod h1:5hobyhxLzDtxruHzPxpND2PUKOssvGUdE9BocpJUwo4=
@@ -36,16 +38,14 @@ github.com/aquasecurity/trivy-db v0.0.0-20191226181755-d6cabf5bc5d1 h1:IVXoVH8ej
 github.com/aquasecurity/trivy-db v0.0.0-20191226181755-d6cabf5bc5d1/go.mod h1:Uf9bXd50zTHtWTP7+7u5+OFCPtUVrmsS4v0RXd7E5lw=
 github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2 h1:xbdUfr2KE4THsFx9CFWtWpU91lF+YhgP46moV94nYTA=
 github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2/go.mod h1:6NhOP0CjZJL27bZZcaHECtzWdwDDm2g6yCY0QgXEGQQ=
-github.com/araddon/dateparse v0.0.0-20190426192744-0d74ffceef83 h1:ukTLOeMC0aVxbJWVg6hOsVJ0VPIo8w++PbNsze/pqF8=
 github.com/araddon/dateparse v0.0.0-20190426192744-0d74ffceef83/go.mod h1:SLqhdZcd+dF3TEVL2RMoob5bBP5R1P1qkox+HtCBgGI=
-github.com/aws/aws-sdk-go v1.19.11 h1:tqaTGER6Byw3QvsjGW0p018U2UOqaJPeJuzoaF7jjoQ=
 github.com/aws/aws-sdk-go v1.19.11/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go v1.25.31 h1:14mdh3HsTgRekePPkYcCbAaEXJknc3mN7f4XfsiMMDA=
 github.com/aws/aws-sdk-go v1.25.31/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
-github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973 h1:xJ4a3vCFaGF/jqvzLMYoU8P317H5OQ+Via4RmuPwCS0=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0 h1:HWo1m869IqiPhD389kmkxeTalrjNbbJTC8LXupb+sl0=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
+github.com/blang/semver v3.1.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/briandowns/spinner v0.0.0-20190319032542-ac46072a5a91 h1:GMmnK0dvr0Sf0gx3DvTbln0c8DE07B7sPVD9dgHOqo4=
 github.com/briandowns/spinner v0.0.0-20190319032542-ac46072a5a91/go.mod h1:hw/JEQBIE+c/BLI4aKM8UU8v+ZqrD3h7HC27kKt8JQU=
 github.com/caarlos0/env/v6 v6.0.0 h1:NZt6FAoB8ieKO5lEwRdwCzYxWFx7ZYF2R7UcoyaWtyc=
@@ -56,8 +56,32 @@ github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghf
 github.com/cheggaaa/pb/v3 v3.0.3 h1:8WApbyUmgMOz7WIxJVNK0IRDcRfAmTxcEdi0TuxjdP4=
 github.com/cheggaaa/pb/v3 v3.0.3/go.mod h1:Pp35CDuiEpHa/ZLGCtBbM6CBwMstv1bJlG884V+73Yc=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/containerd/cgroups v0.0.0-20190919134610-bf292b21730f h1:tSNMc+rJDfmYntojat8lljbt1mgKNpTxUZJsSzJ9Y1s=
+github.com/containerd/cgroups v0.0.0-20190919134610-bf292b21730f/go.mod h1:OApqhQ4XNSNC13gXIwDjhOQxjWa/NxkwZXJ1EvqT0ko=
+github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw=
+github.com/containerd/containerd v1.2.10/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
+github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
+github.com/containerd/continuity v0.0.0-20180216233310-d8fb8589b0e8/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
+github.com/containerd/continuity v0.0.0-20180921161001-7f53d412b9eb/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
 github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc h1:TP+534wVlf61smEIq1nwLLAjQVEK2EADoW3CX9AuT+8=
 github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
+github.com/containerd/fifo v0.0.0-20190226154929-a9fb20d87448/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI=
+github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0=
+github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o=
+github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc=
+github.com/containers/image/v5 v5.1.0 h1:5FjAvPJniamuNNIQHkh4PnsL+n+xzs6Aonzaz5dqTEo=
+github.com/containers/image/v5 v5.1.0/go.mod h1:BKlMD34WxRo1ruGHHEOrPQP0Qci7SWoPwU6fS7arsCU=
+github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b h1:Q8ePgVfHDplZ7U33NwHZkrVELsZP5fYj9pM5WBZB2GE=
+github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
+github.com/containers/ocicrypt v0.0.0-20190930154801-b87a4a69c741 h1:8tQkOcednLJtUcZgK7sPglscXtxvMOnFOa6wd09VWLM=
+github.com/containers/ocicrypt v0.0.0-20190930154801-b87a4a69c741/go.mod h1:MeJDzk1RJHv89LjsH0Sp5KTY3ZYkjXO/C+bKAeWFIrc=
+github.com/containers/storage v1.15.3/go.mod h1:v0lq/3f+cXH3Y/HiDaFYRR0zilwDve7I4W7U5xQxvF8=
+github.com/containers/storage v1.15.5 h1:dBZx9yRFHod9c8FVaXlVtRqr2cmlAhpl+9rt87cE7J4=
+github.com/containers/storage v1.15.5/go.mod h1:v0lq/3f+cXH3Y/HiDaFYRR0zilwDve7I4W7U5xQxvF8=
+github.com/coreos/clair v0.0.0-20180919182544-44ae4bc9590a/go.mod h1:uXhHPWAoRqw0jJc2f8RrPCwRhIo9otQ8OEWUFtpCiwA=
+github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
+github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d h1:U+s90UTSYgptZMwQh2aRr3LuazLJIa+Pg3Kc1ylSYVY=
+github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -66,19 +90,27 @@ github.com/deckarep/golang-set v1.7.1/go.mod h1:93vsz/8Wt4joVM7c2AVqh+YRMiUSc14y
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
 github.com/docker/cli v0.0.0-20180920165730-54c19e67f69c h1:QlAVcyoF7QQVN7zV+xYBjgwtRVlRU3WCTCpb2mcqQrM=
 github.com/docker/cli v0.0.0-20180920165730-54c19e67f69c/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/distribution v0.0.0-20170817175659-5f6282db7d65/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+github.com/docker/distribution v0.0.0-20180920194744-16128bbac47f/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/distribution v2.7.1+incompatible h1:a5mlkVzth6W5A4fOsS3D2EO5BUmsJpcB+cRlLU7cSug=
 github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+github.com/docker/docker v0.0.0-20171019062838-86f080cff091/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v0.0.0-20180522102801-da99009bbb11/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker v0.0.0-20180924202107-a9c061deec0f h1:W4fbqg0JUwy6lLesoJaV/rE0fwAmtdtinMa64X1CEh0=
 github.com/docker/docker v0.0.0-20180924202107-a9c061deec0f/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-ce v0.0.0-20180924210327-f53bd8bb8e43 h1:gZ4lWixV821UVbYtr+oz1ZPCHkbtE+ivfmHyZRgyl2Y=
 github.com/docker/docker-ce v0.0.0-20180924210327-f53bd8bb8e43/go.mod h1:l1FUGRYBvbjnZ8MS6A2xOji4aZFlY/Qmgz7p4oXH7ac=
-github.com/docker/docker-credential-helpers v0.6.2 h1:CrW9H1VMf3a4GrtyAi7IUJjkJVpwBBpX0+mvkvYJaus=
-github.com/docker/docker-credential-helpers v0.6.2/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y=
+github.com/docker/docker-credential-helpers v0.6.1/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y=
+github.com/docker/docker-credential-helpers v0.6.3 h1:zI2p9+1NQYdnG6sMU26EX4aVGlqbInSQxQXLvzJ4RPQ=
+github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y=
+github.com/docker/go-connections v0.0.0-20180212134524-7beb39f0b969/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
 github.com/docker/go-connections v0.0.0-20180821093606-97c2040d34df/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
 github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
 github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
+github.com/docker/go-metrics v0.0.0-20180209012529-399ea8c73916/go.mod h1:/u0gXw0Gay3ceNrsHubL3BtdOL2fHf93USgMTe0W5dI=
 github.com/docker/go-metrics v0.0.0-20181218153428-b84716841b82 h1:X0fj836zx99zFu83v/M79DuBn84IL/Syx1SY6Y5ZEMA=
 github.com/docker/go-metrics v0.0.0-20181218153428-b84716841b82/go.mod h1:/u0gXw0Gay3ceNrsHubL3BtdOL2fHf93USgMTe0W5dI=
+github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw=
 github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 h1:UhxFibDNY/bfvqU5CAUmr9zpesgbU6SWc8/B4mflAE4=
@@ -91,45 +123,48 @@ github.com/elazarl/goproxy v0.0.0-20190421051319-9d40249d3c2f/go.mod h1:/Zj4wYkg
 github.com/elazarl/goproxy/ext v0.0.0-20190421051319-9d40249d3c2f h1:AUj1VoZUfhPhOPHULCQQDnGhRelpFWHMLhQVWDsS0v4=
 github.com/elazarl/goproxy/ext v0.0.0-20190421051319-9d40249d3c2f/go.mod h1:gNh8nYJoAm43RfaxurUnxr+N1PwuFV3ZMl/efxlIlY8=
 github.com/emirpasic/gods v1.9.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o=
-github.com/emirpasic/gods v1.12.0 h1:QAUIPSaCu4G+POclxeqb3F+WPpdKqFGlw36+yOzGlrg=
 github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o=
-github.com/etcd-io/bbolt v1.3.2 h1:RLRQ0TKLX7DlBRXAJHvbmXL17Q3KNnTBtZ9B6Qo+/Y0=
 github.com/etcd-io/bbolt v1.3.2/go.mod h1:ZF2nL25h33cCyBtcyWeZ2/I3HQOfTP+0PIEvHjkjCrw=
 github.com/etcd-io/bbolt v1.3.3 h1:gSJmxrs37LgTqR/oyJBWok6k6SvXEUerFTbltIhXkBM=
 github.com/etcd-io/bbolt v1.3.3/go.mod h1:ZF2nL25h33cCyBtcyWeZ2/I3HQOfTP+0PIEvHjkjCrw=
 github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
-github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BHsljHzVlRcyQhjrss6TZTdY2VfCqZPbv5k3iBFa2ZQ=
+github.com/fernet/fernet-go v0.0.0-20180830025343-9eac43b88a5e/go.mod h1:2H9hjfbpSMHwY503FclkV/lZTBh2YlOmLLSda12uL8c=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/genuinetools/pkg v0.0.0-20181022210355-2fcf164d37cb/go.mod h1:XTcrCYlXPxnxL2UpnwuRn7tcaTn9HAhxFoFJucootk8=
+github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA=
+github.com/genuinetools/pkg v0.0.0-20180910213200-1c141f661797/go.mod h1:XTcrCYlXPxnxL2UpnwuRn7tcaTn9HAhxFoFJucootk8=
+github.com/genuinetools/reg v0.16.0 h1:ZhLZPT+aUGHLfy45Ub5FLWik+3Dij1iwaj8A/GyAZBw=
+github.com/genuinetools/reg v0.16.0/go.mod h1:12Fe9EIvK3dG/qWhNk5e9O96I8SGmCKLsJ8GsXUbk+Y=
+github.com/ghodss/yaml v0.0.0-20161207003320-04f313413ffd/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
+github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/gliderlabs/ssh v0.1.1/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
-github.com/gliderlabs/ssh v0.1.3 h1:cBU46h1lYQk5f2Z+jZbewFKy+1zzE2aUX/ilcPDAm9M=
 github.com/gliderlabs/ssh v0.1.3/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4=
+github.com/gogo/protobuf v0.0.0-20170815085658-fcdc5011193f/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
-github.com/gogo/protobuf v1.2.0 h1:xU6/SpYbvkNYiptHJYEDRseDLvYE7wSqhYYNy0QSUzI=
 github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
-github.com/gogo/protobuf v1.2.1 h1:/s5zKNz0uPFCZ5hddgPdo2TK2TVrUNMn0OOX8/aZMTE=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
 github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d h1:3PaI8p3seN09VjbTYC/QWlUZdZ1qS1zGjy7LH2Wt07I=
 github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:tluoj9z5200jBnyusfRPU2LqT6J+DAorxEvtC7LHB+E=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.2.0 h1:28o5sBqPkBsMGnC6b4MvE2TzSr5/AT4c/1fLqVGIwlk=
 github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.1 h1:YF8+flBXS5eO826T4nzqPrxfhQThhXl0YzfuUPu4SBg=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.3 h1:gyjaxf+svBWX08ZjK86iN9geUJF0H6gp2IRKX6Nf6/I=
+github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
 github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
-github.com/google/go-cmp v0.2.0 h1:+dTQ8DZQJz0Mb/HjFlkptS1FeQ4cWSnN941F8aEG4SQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@@ -146,17 +181,23 @@ github.com/google/wire v0.3.0/go.mod h1:i1DMg/Lu8Sz5yYl25iOdmc5CT5qusaa+zmRWs167
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
-github.com/gorilla/context v1.1.1 h1:AWwleXJkX/nhcU9bZSnZoi3h/qGYqQAGhq6zZe/aQW8=
 github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
-github.com/gorilla/mux v1.6.2 h1:Pgr17XVTNXAk3q/r4CpKzC5xBM/qW1uVLV+IhRZpIIk=
+github.com/gorilla/mux v0.0.0-20170217192616-94e7d24fd285/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
 github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
 github.com/gorilla/mux v1.7.1 h1:Dw4jY2nghMMRsh1ol8dv1axHkDwMQK2DHerMNJsIpJU=
 github.com/gorilla/mux v1.7.1/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
+github.com/gotestyourself/gotestyourself v2.2.0+incompatible/go.mod h1:zZKM6oeNM8k+FRljX1mnzVYeS8wiGgQyvST1/GafPbY=
+github.com/grpc-ecosystem/grpc-gateway v1.5.0/go.mod h1:RSKVYQBd5MCa4OVpNdGskqpgL2+G+NZTnrVHpWWfpdw=
+github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1:JMRHfdO9jKNzS/+BTlxCjKNQHg/jZAft8U7LloJvN7I=
 github.com/hashicorp/go-version v1.2.0 h1:3vNe/fWF5CBgRIguda1meWhsZHy3m8gCJ5wx+dIzX/E=
 github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hashicorp/golang-lru v0.5.1 h1:0hERBMJE1eitiLkihrMvRVBYAkpHzc/J3QdDN+dAcgU=
+github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
-github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
+github.com/imdario/mergo v0.3.8 h1:CGgOkSJeqMRmt0D9XLWExdT4m4F1vd3FV3VPt+0VxkQ=
+github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM=
@@ -165,11 +206,16 @@ github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1
 github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
-github.com/kevinburke/ssh_config v0.0.0-20180830205328-81db2a75821e h1:RgQk53JHp/Cjunrr1WlsXSZpqXn+uREuHvUVcK82CV8=
+github.com/k0kubun/pp v3.0.1+incompatible/go.mod h1:GWse8YhT0p8pT4ir3ZgBbfZild3tgzSScAn6HmfYukg=
 github.com/kevinburke/ssh_config v0.0.0-20180830205328-81db2a75821e/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
 github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/klauspost/compress v1.9.4 h1:xhvAeUPQ2drNUhKtrGdTGNvV9nNafHMUkRyLkzxJoB4=
+github.com/klauspost/compress v1.9.4/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
+github.com/klauspost/cpuid v1.2.1/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
+github.com/klauspost/pgzip v1.2.1 h1:oIPZROsWuPHpOdMVWLuJZXwgjhrW8r1yEX8UqMyeNHM=
+github.com/klauspost/pgzip v1.2.1/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
 github.com/knqyf263/berkeleydb v0.0.0-20190501065933-fafe01fb9662/go.mod h1:bu1CcN4tUtoRcI/B/RFHhxMNKFHVq/c3SV+UTyduoXg=
 github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d h1:X4cedH4Kn3JPupAwwWuo4AzYp16P0OyLO9d7OnMZc/c=
 github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d/go.mod h1:o8sgWoz3JADecfc/cTYD92/Et1yMqMy0utV1z+VaZao=
@@ -180,7 +226,6 @@ github.com/knqyf263/go-version v1.1.1 h1:+MpcBC9b7rk5ihag8Y/FLG8get1H2GjniwKQ+9D
 github.com/knqyf263/go-version v1.1.1/go.mod h1:0tBvHvOBSf5TqGNcY+/ih9o8qo3R16iZCpB9rP0D3VM=
 github.com/knqyf263/nested v0.0.1 h1:Sv26CegUMhjt19zqbBKntjwESdxe5hxVPSk0+AKjdUc=
 github.com/knqyf263/nested v0.0.1/go.mod h1:zwhsIhMkBg90DTOJQvxPkKIypEHPYkgWHs4gybdlUmk=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
@@ -190,32 +235,32 @@ github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORN
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348 h1:MtvEpTB6LX3vkb4ax0b5D2DHbNAUsen0Gx5wZoq3lV4=
 github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
-github.com/mattn/go-colorable v0.1.1 h1:G1f5SKeVxmagw/IyvzvtZE4Gybcc4Tr1tf7I8z0XgOg=
 github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ=
-github.com/mattn/go-colorable v0.1.2 h1:/bC9yWikZXAL9uJdulbSfyVNIR3n3trXl+v8+1sx8mU=
 github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
-github.com/mattn/go-isatty v0.0.5 h1:tHXDdz1cpzGaovsTB+TVB8q90WEokoVmfMqoVcrLUgw=
+github.com/mattn/go-colorable v0.1.4 h1:snbPLB8fVfU9iwbbo30TPtbLRzwWu6aJS6Xh4eaaviA=
+github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
+github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
-github.com/mattn/go-isatty v0.0.8 h1:HLtExJ+uU2HOZ+wI0Tt5DtUDrx8yhUqDcp7fYERX4CE=
 github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
 github.com/mattn/go-isatty v0.0.10 h1:qxFzApOv4WsAL965uUPIsXzAKCZxN2p9UqdhFS4ZW10=
 github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84=
-github.com/mattn/go-jsonpointer v0.0.0-20180225143300-37667080efed h1:fCWISZq4YN4ulCJx7x0KB15rqxLEe3mtNJL8cSOGKZU=
 github.com/mattn/go-jsonpointer v0.0.0-20180225143300-37667080efed/go.mod h1:SDJ4hurDYyQ9/7nc+eCYtXqdufgK4Cq9TJlwPklqEYA=
-github.com/mattn/go-runewidth v0.0.4 h1:2BvfKmzob6Bmd4YsL0zygOqfdFnK7GR4QL06Do4/p7Y=
 github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/mattn/go-runewidth v0.0.6 h1:V2iyH+aX9C5fsYCpK60U8BYIvmhqxuOL3JZcqc1NB7k=
 github.com/mattn/go-runewidth v0.0.6/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
+github.com/mattn/go-shellwords v1.0.6 h1:9Jok5pILi5S1MnDirGVTufYGtksUs/V2BWUP3ZkeUUI=
+github.com/mattn/go-shellwords v1.0.6/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o=
 github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
+github.com/mistifyio/go-zfs v2.1.1+incompatible h1:gAMO1HM9xBRONLHHYnu5iFsOJUiJdNZo6oqSENd4eW8=
+github.com/mistifyio/go-zfs v2.1.1+incompatible/go.mod h1:8AuVvqP/mXw1px98n46wfvcGfQ4ci2FwoAjKYxuo3Z4=
 github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
-github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
+github.com/mtrmac/gpgme v0.0.0-20170102180018-b2432428689c/go.mod h1:GhAqVMEWnTcW2dxoD/SO3n2enrgWl3y6Dnx4m59GvcA=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
 github.com/olekukonko/tablewriter v0.0.1/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo=
@@ -223,17 +268,27 @@ github.com/olekukonko/tablewriter v0.0.2-0.20190607075207-195002e6e56a h1:0LD5FJ
 github.com/olekukonko/tablewriter v0.0.2-0.20190607075207-195002e6e56a/go.mod h1:rSAaSIOAGT9odnlyGlUfAJaoc5w2fSBUmeGDbRWPxyQ=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/gomega v1.4.2/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
-github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2 h1:QhPf3A2AZW3tTGvHPg0TA+CR3oHbVLlXUhlghqISp1I=
 github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
-github.com/opencontainers/image-spec v1.0.1 h1:JMemWkRwHx4Zj+fVxWoMCFm/8sYGGrUVojFA6h/TRcI=
+github.com/opencontainers/go-digest v1.0.0-rc1 h1:WzifXhOVOEOuFYOJAW6aQqW0TooG2iki3E3Ii+WN7gQ=
+github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
 github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
-github.com/opencontainers/runc v0.1.1 h1:GlxAyO6x8rfZYN9Tt0Kti5a/cP41iuiO2yYT0IJGY8Y=
+github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6 h1:yN8BPXVwMBAm3Cuvh1L5XE8XpvYRMdsVLd82ILprhUU=
+github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
+github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
 github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
+github.com/opencontainers/runc v1.0.0-rc9 h1:/k06BMULKF5hidyoZymkoDCzdJzltZpz/UU4LguQVtc=
+github.com/opencontainers/runc v1.0.0-rc9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
+github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs=
+github.com/opencontainers/selinux v1.3.0 h1:xsI95WzPZu5exzA6JzkLSfdr/DilzOhCJOqGe5TgR0g=
+github.com/opencontainers/selinux v1.3.0/go.mod h1:+BLncwf63G4dgOzykXAxcmnFlUaOlkDdmw/CqsW6pjs=
 github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw=
+github.com/ostreedev/ostree-go v0.0.0-20190702140239-759a8c1ac913 h1:TnbXhKzrTOyuvWrjI8W6pcoI9XPbLHFXCdN2dtUw7Rw=
+github.com/ostreedev/ostree-go v0.0.0-20190702140239-759a8c1ac913/go.mod h1:J6OG6YJVEWopen4avK3VNQSnALmmjvniMmni/YFYAwc=
 github.com/parnurzeal/gorequest v0.2.16 h1:T/5x+/4BT+nj+3eSknXmCTnEVGSzFzPGdpqmUVVZXHQ=
 github.com/parnurzeal/gorequest v0.2.16/go.mod h1:3Kh2QUMJoqw3icWAecsyzkpY7UzRfDhbRdTjtNwNiUE=
-github.com/pelletier/go-buffruneio v0.2.0 h1:U4t4R6YkofJ5xHm3dJzuRpPZ0mr5MMCoAWooScCR7aA=
 github.com/pelletier/go-buffruneio v0.2.0/go.mod h1:JkE26KsDizTr40EUHkXVtNPvgGtbSNq5BcowyYOWdKo=
 github.com/peterhellberg/link v1.0.0 h1:mUWkiegowUXEcmlb+ybF75Q/8D2Y0BjZtR8cxoKhaQo=
 github.com/peterhellberg/link v1.0.0/go.mod h1:gtSlOT4jmkY8P47hbTc8PTgiDDWpdPbFYl75keYyBB8=
@@ -243,91 +298,113 @@ github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pquerna/ffjson v0.0.0-20181028064349-e517b90714f7/go.mod h1:YARuvh7BUWHNhzDq2OM5tzR2RiCcN2D7sapiKyCel/M=
+github.com/pquerna/ffjson v0.0.0-20190813045741-dac163c6c0a9 h1:kyf9snWXHvQc+yxE9imhdI8YAm4oKeZISlaAR+x73zs=
+github.com/pquerna/ffjson v0.0.0-20190813045741-dac163c6c0a9/go.mod h1:YARuvh7BUWHNhzDq2OM5tzR2RiCcN2D7sapiKyCel/M=
+github.com/prometheus/client_golang v0.0.0-20180924113449-f69c853d21c1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
-github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829 h1:D+CiwcpGTW6pL6bv6KI3KbyEyCKyS+1JWS2h8PNDnGA=
 github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs=
 github.com/prometheus/client_golang v0.9.3 h1:9iH4JKXLzFbOAdtqv/a+j8aewx2Y8lAjAydhbaScPF8=
 github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
-github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f h1:BVwpUVJDADN2ufcGik7W992pyps0wZ888b/y9GXcLTU=
 github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90 h1:S/YWwWx/RA8rT8tKFRuGUZhuA90OyIBpPCXkcbwU8DE=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/common v0.0.0-20180801064454-c7de2306084e/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
-github.com/prometheus/common v0.2.0 h1:kUZDBDTdBVBYBj5Tmh2NZLlF60mfjA27rM34b+cVwNU=
 github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.4.0 h1:7etb9YClo3a6HjLzfl6rIQaU+FDfi0VSX39io3aQ+DM=
 github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
+github.com/prometheus/procfs v0.0.0-20180920065004-418d78d0b9a7/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
-github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1 h1:/K3IL0Z1quvmJ7X0A1AwNEK7CRkVK3YwfOU/QAL4WGg=
 github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
-github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084 h1:sofwID9zm4tzrgykg80hfFph1mryUeLRsUfoocVVmRY=
 github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
+github.com/prometheus/procfs v0.0.5 h1:3+auTFlqw+ZaQYJARz6ArODtkaIwtvBTx3N2NehQlL8=
+github.com/prometheus/procfs v0.0.5/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ=
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
 github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/rogpeppe/go-charset v0.0.0-20180617210344-2471d30d28b4/go.mod h1:qgYeAmZ5ZIpBWTGllZSQnw97Dj+woV0toclVaRGI8pc=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ=
+github.com/russross/blackfriday/v2 v2.0.1 h1:lPqVAte+HuHNfhJ/0LC98ESWRz8afy9tM/0RK8m9o+Q=
+github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
-github.com/shurcooL/httpfs v0.0.0-20181222201310-74dc9339e414/go.mod h1:ZY1cvUeJuFPAdZ/B6v7RHavJWZn2YPVFQ1OSXhCGOkg=
+github.com/shurcooL/httpfs v0.0.0-20171119174359-809beceb2371/go.mod h1:ZY1cvUeJuFPAdZ/B6v7RHavJWZn2YPVFQ1OSXhCGOkg=
+github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo=
+github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/simplereach/timeutils v1.2.0/go.mod h1:VVbQDfN/FHRZa1LSqcwo4kNZ62OOyqLLGQKYB3pB0Q8=
-github.com/sirupsen/logrus v1.2.0 h1:juTguoYk5qI21pwyTXY3B3Y5cOTH3ZUyZCg1v/mihuo=
+github.com/sirupsen/logrus v1.0.6/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
-github.com/sirupsen/logrus v1.4.1 h1:GL2rEmy6nsikmW0r8opw9JIRScdMF5hA8cOYLH7In1k=
 github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
+github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
+github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a h1:pa8hGb/2YqsZKovtsgrwcDH1RZhVbTKCjLp47XpqCDs=
 github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
-github.com/src-d/gcfg v1.4.0 h1:xXbNR5AlLSA315x2UO+fTSSAXCDf+Ar38/6oyGbDKQ4=
+github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/src-d/gcfg v1.4.0/go.mod h1:p/UMsR43ujA89BJY9duynAwIpvqEujIH/jFlfL7jWoI=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1 h1:2vfRuCMp5sSVIDSqO8oNnWJq7mPa6KVP3iPIwFBuy8A=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
-github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
-github.com/tomoyamachi/reg v0.16.1-0.20190706172545-2a2250fd7c00 h1:0e4vRd9YqnQBIAIAE39jLKDWffRfJWxloyWwcaMAQho=
-github.com/tomoyamachi/reg v0.16.1-0.20190706172545-2a2250fd7c00/go.mod h1:RQE7h2jyIxekQZ24/wad0c9RGP+KSq4XzHh7h83ALi8=
-github.com/twitchtv/twirp v5.9.0+incompatible h1:KBCo4NYCpE9alO1HAEcgninDnw/0AhPT1rZnHkkSqi8=
-github.com/twitchtv/twirp v5.9.0+incompatible/go.mod h1:RRJoFSAmTEh2weEqWtpPE3vFK5YBhA6bqp2l1kfCC5A=
-github.com/urfave/cli v1.20.0 h1:fDqGv3UG/4jbVl/QkFwEdddtEDjh/5Ov6X+0B/3bPaw=
+github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
+github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2 h1:b6uOv7YOFK0TYG7HtkIgExQo+2RdLuwRft63jn2HWj8=
+github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
+github.com/tchap/go-patricia v2.3.0+incompatible h1:GkY4dP3cEfEASBPPkWd+AmjYxhmDkqO9/zg7R0lSQRs=
+github.com/tchap/go-patricia v2.3.0+incompatible/go.mod h1:bmLyhP68RS6kStMGxByiQ23RP/odRBOTVjwp2cDyi6I=
+github.com/twitchtv/twirp v5.10.1+incompatible h1:35js8ID9rYPKkZ0qWnuZw+q+OuCWM1GIibu1F1YImjA=
+github.com/twitchtv/twirp v5.10.1+incompatible/go.mod h1:RRJoFSAmTEh2weEqWtpPE3vFK5YBhA6bqp2l1kfCC5A=
+github.com/ulikunitz/xz v0.5.6 h1:jGHAfXawEGZQ3blwU5wnWKQJvAraT7Ftq9EXjnXYgt8=
+github.com/ulikunitz/xz v0.5.6/go.mod h1:2bypXElzHzzJZwzH67Y6wb67pO62Rzfn7BSiF4ABRW8=
+github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
 github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
+github.com/urfave/cli v1.22.1 h1:+mkCCcOFKPnCmVYVcURKps1Xe+3zP90gSYGNfRkjoIY=
+github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
+github.com/vbatts/tar-split v0.11.1 h1:0Odu65rhcZ3JZaPHxl7tCI3V/C/Q9Zf82UFravl02dE=
+github.com/vbatts/tar-split v0.11.1/go.mod h1:LEuURwDEiWjRjwu46yU3KVGuUdVv/dcnpcEPSzR8z6g=
+github.com/vbauerster/mpb/v4 v4.11.1/go.mod h1:vMLa1J/ZKC83G2lB/52XpqT+ZZtFG4aZOdKhmpRL1uM=
 github.com/xanzy/ssh-agent v0.2.0/go.mod h1:0NyE30eGUDliuLEHJgYte/zncp2zdTStcOnWhgSqHD8=
-github.com/xanzy/ssh-agent v0.2.1 h1:TCbipTQL2JiiCprBWx9frJ2eJlCYT00NmctrHxVAr70=
 github.com/xanzy/ssh-agent v0.2.1/go.mod h1:mLlQY/MoOhWBj+gOGMQkOeiEvkx+8pJSI+0Bx9h2kr4=
-go.etcd.io/bbolt v1.3.2 h1:Z/90sZLPOeCy2PwprqkFa25PdkusRzaj9P8zm/KNyvk=
+github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
+github.com/xeipuuv/gojsonpointer v0.0.0-20190809123943-df4f5c81cb3b/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
+github.com/xeipuuv/gojsonschema v0.0.0-20180618132009-1d523034197f/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs=
+github.com/xeipuuv/gojsonschema v0.0.0-20190816131739-be0936907f66/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
+go.etcd.io/bbolt v1.3.3 h1:MUGmc65QhB3pIlaQ5bB4LwqSj6GIonVJXpZiaKNyaKk=
+go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
-go.uber.org/atomic v1.3.2 h1:2Oa65PReHzfn29GpvgsYwloV9AVFHPDk8tYxt2c2tr4=
+go.opencensus.io v0.22.0 h1:C9hSCOW830chIVkdja34wa6Ky+IzWllkUinR+BtRZd4=
+go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
-go.uber.org/atomic v1.5.0 h1:OI5t8sDa1Or+q8AeE+yKeB/SDYioSHAgcVljj9JIETY=
 go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
 go.uber.org/atomic v1.5.1 h1:rsqfU5vBkVknbhUGbAUwQKR2H4ItV8tjJ+6kJX4cxHM=
 go.uber.org/atomic v1.5.1/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
-go.uber.org/multierr v1.1.0 h1:HoEmRHQPVSqub6w2z2d2EOVs2fjyFRGyofhKuyDq0QI=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
 go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4=
 go.uber.org/multierr v1.4.0 h1:f3WCSC2KzAcBXGATIxAB1E2XuCpNU255wNKZ505qi3E=
 go.uber.org/multierr v1.4.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4=
 go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee h1:0mgffUl7nfd+FpvXMVz4IDEaUSmT1ysygQC7qYo7sG4=
 go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA=
-go.uber.org/zap v1.9.1 h1:XCJQEf3W6eZaVwhRBof6ImoYGJSITeKWsyeh3HFu/5o=
 go.uber.org/zap v1.9.1/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 go.uber.org/zap v1.13.0 h1:nR6NoDBgAf67s68NhaXbsojM+2gxp3S1hWkHDl27pVU=
 go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20180910181607-0e37d006457b/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5 h1:bselrhR0Or1vomJZC8ZIjWtbDmn9OYFLX5Ik9alpJpE=
 golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
-golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529 h1:iMGN4xG0cnqj3t+zOM8wUB0BiPKHEwSxEZCvzcbZuvk=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20191112222119-e1110fd1c708 h1:pXVtWnwHkrWD9ru3sDxY/qFK/bfc0egRovX91EjWjf4=
+golang.org/x/crypto v0.0.0-20191112222119-e1110fd1c708/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -338,15 +415,16 @@ golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKG
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180925072008-f04abc6bdfa7/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190125091013-d26f9f9a57f3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c h1:uOCk1iQW6Vc18bnC13MfzScl+wdKBmM9Y9kU7Z83/lw=
-golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191108221443-4ba9e2ef068c h1:SRpq/kuj/xNci/RdvEs+RSvpfxqvLAzTKuKGlzoGdZQ=
 golang.org/x/net v0.0.0-20191108221443-4ba9e2ef068c/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -361,6 +439,7 @@ golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20180903190138-2b024373dcd9/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180925112736-b09afc3d579e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -369,18 +448,20 @@ golang.org/x/sys v0.0.0-20190221075227-b4e8571b14e0/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190506115046-ca7f33d4116e h1:bq5BY1tGuaK8HxuwN6pT6kWgTVLeJ5KwuyBpsl1CZL4=
-golang.org/x/sys v0.0.0-20190506115046-ca7f33d4116e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190514135907-3a4b5fb9f71f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191105231009-c1f44814a5cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191113165036-4c7a9d0fe056/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191127021746-63cb32ae39b2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191128015809-6d18c012aee9 h1:ZBzSG/7F4eNKz2L3GE9o300RX0Az1Bw5HF7PDraD+qU=
 golang.org/x/sys v0.0.0-20191128015809-6d18c012aee9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2 h1:z99zHgr7hKfrUcX/KsoJk5FJfjTceCKIp96+biqP4To=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/time v0.0.0-20181108054448-85acf8d2951c h1:fqgJT0MGcGpPgpWU7VRdRjuArfcOvC4AoJmILihzhDg=
+golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -394,16 +475,13 @@ golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3
 golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190422233926-fe54fb35175b/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190503185657-3b6f9c0030f7/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5 h1:hKsoRgsbwY1NafxrwTs+k64bikrLBkAgPir1TNCj3Zs=
 golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191121040551-947d4aa89328 h1:t3X42h9e6xdbrCD/gPyWqAXr2BEpdJqRd1brThaaxII=
 golang.org/x/tools v0.0.0-20191121040551-947d4aa89328/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373 h1:PPwnA7z1Pjf7XYaBP9GL1VAMZmcIWyFz7QCMSIIa3Bg=
 golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7 h1:9zdDQZ7Thm29KFXgAX/+yaf3eVbP7djjWp/dXAppNCc=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898 h1:/atklqdjdhuosWIl6AIbOeHJjicWYPqR9bpxqxYG2pA=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -412,50 +490,56 @@ google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9Ywl
 google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
+google.golang.org/genproto v0.0.0-20180924164928-221a8d4f7494/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190404172233-64821d5d2107 h1:xtNn7qFlagY2mQNFHMSRPjT2RkOV4OXM7P5TVy9xATo=
 google.golang.org/genproto v0.0.0-20190404172233-64821d5d2107/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873 h1:nfPFGzJkUDX6uBmpN/pSw7MbOAWegH5QDQuoXFHedLg=
 google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/grpc v1.15.0/go.mod h1:0JHn/cJsOMiMfNA9+DeHDlAU7KAAB5GDlYFpa9MZMio=
 google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
-google.golang.org/grpc v1.19.0 h1:cfg4PD8YEdSFnm7qLV4++93WcmhH2nIUhMjhdCvl3j8=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
-google.golang.org/grpc v1.20.1 h1:Hz2g2wirWK7H0qIIhGIqRGTuMwTE8HEKFnDZZ7lm9NU=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
+google.golang.org/grpc v1.24.0 h1:vb/1TCsVn3DcJlQ0Gs1yB1pKI6Do2/QNwxdKqmc/b0s=
+google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA=
+gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/cheggaaa/pb.v1 v1.0.28 h1:n1tBJnnK2r7g9OW2btFH91V92STTUevLXYFb8gy9EMk=
 gopkg.in/cheggaaa/pb.v1 v1.0.28/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
+gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo=
 gopkg.in/mgo.v2 v2.0.0-20180705113604-9856a29383ce/go.mod h1:yeKp02qBN3iKW1OzL3MGk2IdtZzaj7SFntXj72NppTA=
+gopkg.in/square/go-jose.v2 v2.3.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/src-d/go-billy.v4 v4.2.1/go.mod h1:tm33zBoOwxjYHZIE+OV8bxTWFMJLrconzFMd38aARFk=
-gopkg.in/src-d/go-billy.v4 v4.3.0 h1:KtlZ4c1OWbIs4jCv5ZXrTqG8EQocr0g/d4DjNg70aek=
 gopkg.in/src-d/go-billy.v4 v4.3.0/go.mod h1:tm33zBoOwxjYHZIE+OV8bxTWFMJLrconzFMd38aARFk=
 gopkg.in/src-d/go-git-fixtures.v3 v3.1.1/go.mod h1:dLBcvytrw/TYZsNTWCnkNF2DSIlzWYqTe3rJR56Ac7g=
-gopkg.in/src-d/go-git-fixtures.v3 v3.4.0 h1:KFpaNTUcLHLoP/OkdcRXR+MA5p55MhA41YVb7Wd8EfM=
 gopkg.in/src-d/go-git-fixtures.v3 v3.4.0/go.mod h1:dLBcvytrw/TYZsNTWCnkNF2DSIlzWYqTe3rJR56Ac7g=
-gopkg.in/src-d/go-git.v4 v4.10.0 h1:NWjTJTQnk8UpIGlssuefyDZ6JruEjo5s88vm88uASbw=
 gopkg.in/src-d/go-git.v4 v4.10.0/go.mod h1:Vtut8izDyrM8BUVQnzJ+YvmNcem2J89EmfZYCkLokZk=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
-gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
 gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gotest.tools v2.1.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
 gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
 honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.3 h1:3JgtbtFHMiCmsznwGVTUWbgGov+pVqnlf1dEJTNAXeM=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
-k8s.io/klog v0.3.0 h1:0VPpR+sizsiivjIfIAQH/rl8tan6jvWkS7lU+0di3lE=
+k8s.io/client-go v0.0.0-20170217214107-bcde30fb7eae/go.mod h1:7vJpHMYJwNQCWgzmNV+VYUl1zCObLyodBc8nIyt8L5s=
+k8s.io/client-go v11.0.0+incompatible h1:LBbX2+lOwY9flffWlJM7f1Ct8V2SRNiMRDFeiwnJo9o=
+k8s.io/client-go v11.0.0+incompatible/go.mod h1:7vJpHMYJwNQCWgzmNV+VYUl1zCObLyodBc8nIyt8L5s=
 k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
+k8s.io/kubernetes v1.13.0/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk=
 k8s.io/utils v0.0.0-20191010214722-8d271d903fe4 h1:Gi+/O1saihwDqnlmC8Vhv1M5Sp4+rbOmK9TbsLn8ZEA=
 k8s.io/utils v0.0.0-20191010214722-8d271d903fe4/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
 moul.io/http2curl v1.0.0 h1:6XwpyZOYsgZJrU8exnG87ncVkU1FVCcTRpwzOkTDUi8=

goreleaser.yml

@@ -12,8 +12,6 @@ builds:
     goos:
       - darwin
       - linux
-      - freebsd
-      - openbsd
     goarch:
       - amd64
       - 386
@@ -94,3 +92,5 @@ dockers:
       - "--label=org.label-schema.build-date={{ .Date }}"
       - "--label=org.label-schema.vcs=https://github.com/aquasecurity/trivy"
       - "--label=org.label-schema.vcs-ref={{ .FullCommit }}"
+    extra_files:
+    - contrib/gitlab.tpl

integration/docker_engine_test.go

@@ -4,6 +4,7 @@ package integration
 
 import (
 	"context"
+	"io"
 	"io/ioutil"
 	"os"
 	"strings"
@@ -229,7 +230,7 @@ func TestRun_WithDockerEngine(t *testing.T) {
 			name:          "sad path, invalid image",
 			invalidImage:  true,
 			testfile:      "badimage:latest",
-			expectedError: "error in image scan: failed to analyze image: failed to extract files: failed to get the v2 manifest: Get https://registry-1.docker.io/v2/library/badimage/manifests/latest: http: non-successful response (status=401 body=\"{\\\"errors\\\":[{\\\"code\\\":\\\"UNAUTHORIZED\\\",\\\"message\\\":\\\"authentication required\\\",\\\"detail\\\":[{\\\"Type\\\":\\\"repository\\\",\\\"Class\\\":\\\"\\\",\\\"Name\\\":\\\"library/badimage\\\",\\\"Action\\\":\\\"pull\\\"}]}]}\\n\")",
+			expectedError: "unable to initialize a image struct: failed to initialize source: Error reading manifest latest in docker.io/library/badimage",
 		},
 	}
 
@@ -256,8 +257,9 @@ func TestRun_WithDockerEngine(t *testing.T) {
 				})
 
 				// load image into docker engine
-				_, err = cli.ImageLoad(ctx, testfile, true)
+				res, err := cli.ImageLoad(ctx, testfile, true)
 				require.NoError(t, err, tc.name)
+				io.Copy(ioutil.Discard, res.Body)
 
 				// tag our image to something unique
 				err = cli.ImageTag(ctx, tc.imageTag, tc.testfile)
@@ -293,7 +295,8 @@ func TestRun_WithDockerEngine(t *testing.T) {
 			err = app.Run(trivyArgs)
 			switch {
 			case tc.expectedError != "":
-				assert.Equal(t, tc.expectedError, err.Error(), tc.name)
+				require.NotNil(t, err)
+				assert.Contains(t, err.Error(), tc.expectedError, tc.name)
 			default:
 				assert.NoError(t, err, tc.name)
 			}
@@ -311,6 +314,10 @@ func TestRun_WithDockerEngine(t *testing.T) {
 					Force:         true,
 					PruneChildren: true,
 				})
+				_, err = cli.ImageRemove(ctx, tc.imageTag, types.ImageRemoveOptions{
+					Force:         true,
+					PruneChildren: true,
+				})
 				assert.NoError(t, err, tc.name)
 			}
 		})

integration/integration_test.go

@@ -1,4 +1,4 @@
-// +build integration
+// +rbuild integration
 
 package integration
 

integration/testdata/alpine-310-ignore-cveids.json.golden

@@ -7,6 +7,7 @@
         "PkgName": "openssl",
         "InstalledVersion": "1.1.1c-r0",
         "FixedVersion": "1.1.1d-r0",
+        "LayerID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0",
         "Title": "openssl: side-channel weak encryption vulnerability",
         "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
         "Severity": "LOW",

integration/testdata/alpine-310-ignore-unfixed.json.golden

@@ -7,6 +7,7 @@
         "PkgName": "openssl",
         "InstalledVersion": "1.1.1c-r0",
         "FixedVersion": "1.1.1d-r0",
+        "LayerID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0",
         "Title": "openssl: information disclosure in fork()",
         "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
         "Severity": "MEDIUM",
@@ -24,6 +25,7 @@
         "PkgName": "openssl",
         "InstalledVersion": "1.1.1c-r0",
         "FixedVersion": "1.1.1d-r0",
+        "LayerID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0",
         "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
         "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
         "Severity": "MEDIUM",
@@ -43,6 +45,7 @@
         "PkgName": "openssl",
         "InstalledVersion": "1.1.1c-r0",
         "FixedVersion": "1.1.1d-r0",
+        "LayerID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0",
         "Title": "openssl: side-channel weak encryption vulnerability",
         "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
         "Severity": "LOW",

integration/testdata/alpine-310-medium-high.json.golden

@@ -7,6 +7,7 @@
         "PkgName": "openssl",
         "InstalledVersion": "1.1.1c-r0",
         "FixedVersion": "1.1.1d-r0",
+        "LayerID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0",
         "Title": "openssl: information disclosure in fork()",
         "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
         "Severity": "MEDIUM",
@@ -24,6 +25,7 @@
         "PkgName": "openssl",
         "InstalledVersion": "1.1.1c-r0",
         "FixedVersion": "1.1.1d-r0",
+        "LayerID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0",
         "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
         "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
         "Severity": "MEDIUM",

integration/testdata/alpine-310.json.golden

@@ -7,6 +7,7 @@
         "PkgName": "openssl",
         "InstalledVersion": "1.1.1c-r0",
         "FixedVersion": "1.1.1d-r0",
+        "LayerID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0",
         "Title": "openssl: information disclosure in fork()",
         "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
         "Severity": "MEDIUM",
@@ -24,6 +25,7 @@
         "PkgName": "openssl",
         "InstalledVersion": "1.1.1c-r0",
         "FixedVersion": "1.1.1d-r0",
+        "LayerID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0",
         "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
         "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
         "Severity": "MEDIUM",
@@ -43,6 +45,7 @@
         "PkgName": "openssl",
         "InstalledVersion": "1.1.1c-r0",
         "FixedVersion": "1.1.1d-r0",
+        "LayerID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0",
         "Title": "openssl: side-channel weak encryption vulnerability",
         "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
         "Severity": "LOW",

integration/testdata/alpine-39.json.golden

@@ -7,6 +7,7 @@
         "PkgName": "musl",
         "InstalledVersion": "1.1.20-r4",
         "FixedVersion": "1.1.20-r5",
+        "LayerID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81",
         "Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
         "Severity": "HIGH",
         "References": [
@@ -19,6 +20,7 @@
         "PkgName": "openssl",
         "InstalledVersion": "1.1.1b-r1",
         "FixedVersion": "1.1.1d-r0",
+        "LayerID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81",
         "Title": "openssl: information disclosure in fork()",
         "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
         "Severity": "MEDIUM",
@@ -36,6 +38,7 @@
         "PkgName": "openssl",
         "InstalledVersion": "1.1.1b-r1",
         "FixedVersion": "1.1.1d-r0",
+        "LayerID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81",
         "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
         "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
         "Severity": "MEDIUM",
@@ -55,6 +58,7 @@
         "PkgName": "openssl",
         "InstalledVersion": "1.1.1b-r1",
         "FixedVersion": "1.1.1d-r0",
+        "LayerID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81",
         "Title": "openssl: side-channel weak encryption vulnerability",
         "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
         "Severity": "LOW",

integration/testdata/amazon-1.json.golden

@@ -7,6 +7,7 @@
         "PkgName": "curl",
         "InstalledVersion": "7.61.1-11.91.amzn1",
         "FixedVersion": "7.61.1-12.93.amzn1",
+        "LayerID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf",
         "Title": "curl: double free due to subsequent call of realloc()",
         "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
         "Severity": "HIGH",
@@ -23,6 +24,7 @@
         "PkgName": "curl",
         "InstalledVersion": "7.61.1-11.91.amzn1",
         "FixedVersion": "7.61.1-12.93.amzn1",
+        "LayerID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf",
         "Title": "curl: heap buffer overflow in function tftp_receive_packet()",
         "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
         "Severity": "HIGH",
@@ -40,6 +42,7 @@
         "PkgName": "libcurl",
         "InstalledVersion": "7.61.1-11.91.amzn1",
         "FixedVersion": "7.61.1-12.93.amzn1",
+        "LayerID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf",
         "Title": "curl: double free due to subsequent call of realloc()",
         "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
         "Severity": "HIGH",
@@ -56,6 +59,7 @@
         "PkgName": "libcurl",
         "InstalledVersion": "7.61.1-11.91.amzn1",
         "FixedVersion": "7.61.1-12.93.amzn1",
+        "LayerID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf",
         "Title": "curl: heap buffer overflow in function tftp_receive_packet()",
         "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
         "Severity": "HIGH",
@@ -73,6 +77,7 @@
         "PkgName": "libnghttp2",
         "InstalledVersion": "1.21.1-1.4.amzn1",
         "FixedVersion": "1.31.1-2.5.amzn1",
+        "LayerID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf",
         "Title": "HTTP/2: large amount of data requests leads to denial of service",
         "Description": "Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.",
         "Severity": "HIGH",
@@ -101,6 +106,7 @@
         "PkgName": "libnghttp2",
         "InstalledVersion": "1.21.1-1.4.amzn1",
         "FixedVersion": "1.31.1-2.5.amzn1",
+        "LayerID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf",
         "Title": "HTTP/2: flood using PRIORITY frames results in excessive resource consumption",
         "Description": "Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.",
         "Severity": "HIGH",

integration/testdata/amazon-2.json.golden

@@ -7,6 +7,7 @@
         "PkgName": "curl",
         "InstalledVersion": "7.61.1-9.amzn2.0.1",
         "FixedVersion": "7.61.1-11.amzn2.0.2",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "curl: Integer overflows in curl_url_set() function",
         "Description": "An integer overflow in curl's URL API results in a buffer overflow in libcurl 7.62.0 to and including 7.64.1.",
         "Severity": "MEDIUM",
@@ -22,6 +23,7 @@
         "PkgName": "curl",
         "InstalledVersion": "7.61.1-9.amzn2.0.1",
         "FixedVersion": "7.61.1-11.amzn2.0.2",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "curl: TFTP receive heap buffer overflow in tftp_receive_packet() function",
         "Description": "A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.",
         "Severity": "MEDIUM",
@@ -39,6 +41,7 @@
         "PkgName": "glib2",
         "InstalledVersion": "2.54.2-2.amzn2",
         "FixedVersion": "2.56.1-4.amzn2",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "glib2: file_copy_fallback in gio/gfile.c in GNOME GLib does not properly restrict file permissions while a copy operation is in progress",
         "Description": "file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used.",
         "Severity": "HIGH",
@@ -57,6 +60,7 @@
         "PkgName": "libcurl",
         "InstalledVersion": "7.61.1-9.amzn2.0.1",
         "FixedVersion": "7.61.1-11.amzn2.0.2",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "curl: Integer overflows in curl_url_set() function",
         "Description": "An integer overflow in curl's URL API results in a buffer overflow in libcurl 7.62.0 to and including 7.64.1.",
         "Severity": "MEDIUM",
@@ -72,6 +76,7 @@
         "PkgName": "libcurl",
         "InstalledVersion": "7.61.1-9.amzn2.0.1",
         "FixedVersion": "7.61.1-11.amzn2.0.2",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "curl: TFTP receive heap buffer overflow in tftp_receive_packet() function",
         "Description": "A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.",
         "Severity": "MEDIUM",
@@ -89,6 +94,7 @@
         "PkgName": "libnghttp2",
         "InstalledVersion": "1.31.1-1.amzn2.0.2",
         "FixedVersion": "1.39.2-1.amzn2",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "HTTP/2: large amount of data requests leads to denial of service",
         "Description": "Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.",
         "Severity": "HIGH",
@@ -117,6 +123,7 @@
         "PkgName": "libnghttp2",
         "InstalledVersion": "1.31.1-1.amzn2.0.2",
         "FixedVersion": "1.39.2-1.amzn2",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "HTTP/2: flood using PRIORITY frames results in excessive resource consumption",
         "Description": "Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.",
         "Severity": "HIGH",
@@ -146,6 +153,7 @@
         "PkgName": "libssh2",
         "InstalledVersion": "1.4.3-12.amzn2.2",
         "FixedVersion": "1.4.3-12.amzn2.2.1",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "libssh2: Zero-byte allocation with a specially crafted SFTP packed leading to an out-of-bounds read",
         "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.",
         "Severity": "MEDIUM",
@@ -173,6 +181,7 @@
         "PkgName": "libssh2",
         "InstalledVersion": "1.4.3-12.amzn2.2",
         "FixedVersion": "1.4.3-12.amzn2.2.1",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "libssh2: Out-of-bounds reads with specially crafted SSH packets",
         "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH packets with a padding length value greater than the packet length are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.",
         "Severity": "MEDIUM",
@@ -194,6 +203,7 @@
         "PkgName": "libssh2",
         "InstalledVersion": "1.4.3-12.amzn2.2",
         "FixedVersion": "1.4.3-12.amzn2.2.2",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "libssh2: Out-of-bounds memory comparison with specially crafted message channel request",
         "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.",
         "Severity": "MEDIUM",
@@ -221,6 +231,7 @@
         "PkgName": "libxml2",
         "InstalledVersion": "2.9.1-6.amzn2.3.2",
         "FixedVersion": "2.9.1-6.amzn2.3.3",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "libxml2: Use after free via namespace node in XPointer ranges",
         "Description": "xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.",
         "Severity": "CRITICAL",
@@ -247,6 +258,7 @@
         "PkgName": "libxml2",
         "InstalledVersion": "2.9.1-6.amzn2.3.2",
         "FixedVersion": "2.9.1-6.amzn2.3.3",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "libxml2: Mishandling parameter-entity references",
         "Description": "parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a '%' character in a DTD name.",
         "Severity": "HIGH",
@@ -263,6 +275,7 @@
         "PkgName": "ncurses",
         "InstalledVersion": "6.0-8.20170212.amzn2.1.2",
         "FixedVersion": "6.0-8.20170212.amzn2.1.3",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "ncurses: Stack-based buffer overflow in fmt_entry function in dump_entry.c",
         "Description": "In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.",
         "Severity": "HIGH",
@@ -277,6 +290,7 @@
         "PkgName": "ncurses",
         "InstalledVersion": "6.0-8.20170212.amzn2.1.2",
         "FixedVersion": "6.0-8.20170212.amzn2.1.3",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "ncurses: Stack-based buffer overflow caused by format string vulnerability in fmt_entry function",
         "Description": "In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.",
         "Severity": "HIGH",
@@ -291,6 +305,7 @@
         "PkgName": "ncurses",
         "InstalledVersion": "6.0-8.20170212.amzn2.1.2",
         "FixedVersion": "6.0-8.20170212.amzn2.1.3",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "ncurses: Illegal address access in append_acs function",
         "Description": "In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.",
         "Severity": "MEDIUM",
@@ -305,6 +320,7 @@
         "PkgName": "ncurses",
         "InstalledVersion": "6.0-8.20170212.amzn2.1.2",
         "FixedVersion": "6.0-8.20170212.amzn2.1.3",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "ncurses: Null pointer dereference vulnerability in _nc_parse_entry function",
         "Description": "In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.",
         "Severity": "MEDIUM",
@@ -319,6 +335,7 @@
         "PkgName": "ncurses-base",
         "InstalledVersion": "6.0-8.20170212.amzn2.1.2",
         "FixedVersion": "6.0-8.20170212.amzn2.1.3",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "ncurses: Stack-based buffer overflow in fmt_entry function in dump_entry.c",
         "Description": "In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.",
         "Severity": "HIGH",
@@ -333,6 +350,7 @@
         "PkgName": "ncurses-base",
         "InstalledVersion": "6.0-8.20170212.amzn2.1.2",
         "FixedVersion": "6.0-8.20170212.amzn2.1.3",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "ncurses: Stack-based buffer overflow caused by format string vulnerability in fmt_entry function",
         "Description": "In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.",
         "Severity": "HIGH",
@@ -347,6 +365,7 @@
         "PkgName": "ncurses-base",
         "InstalledVersion": "6.0-8.20170212.amzn2.1.2",
         "FixedVersion": "6.0-8.20170212.amzn2.1.3",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "ncurses: Illegal address access in append_acs function",
         "Description": "In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.",
         "Severity": "MEDIUM",
@@ -361,6 +380,7 @@
         "PkgName": "ncurses-base",
         "InstalledVersion": "6.0-8.20170212.amzn2.1.2",
         "FixedVersion": "6.0-8.20170212.amzn2.1.3",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "ncurses: Null pointer dereference vulnerability in _nc_parse_entry function",
         "Description": "In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.",
         "Severity": "MEDIUM",
@@ -375,6 +395,7 @@
         "PkgName": "ncurses-libs",
         "InstalledVersion": "6.0-8.20170212.amzn2.1.2",
         "FixedVersion": "6.0-8.20170212.amzn2.1.3",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "ncurses: Stack-based buffer overflow in fmt_entry function in dump_entry.c",
         "Description": "In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.",
         "Severity": "HIGH",
@@ -389,6 +410,7 @@
         "PkgName": "ncurses-libs",
         "InstalledVersion": "6.0-8.20170212.amzn2.1.2",
         "FixedVersion": "6.0-8.20170212.amzn2.1.3",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "ncurses: Stack-based buffer overflow caused by format string vulnerability in fmt_entry function",
         "Description": "In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.",
         "Severity": "HIGH",
@@ -403,6 +425,7 @@
         "PkgName": "ncurses-libs",
         "InstalledVersion": "6.0-8.20170212.amzn2.1.2",
         "FixedVersion": "6.0-8.20170212.amzn2.1.3",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "ncurses: Illegal address access in append_acs function",
         "Description": "In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.",
         "Severity": "MEDIUM",
@@ -417,6 +440,7 @@
         "PkgName": "ncurses-libs",
         "InstalledVersion": "6.0-8.20170212.amzn2.1.2",
         "FixedVersion": "6.0-8.20170212.amzn2.1.3",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "ncurses: Null pointer dereference vulnerability in _nc_parse_entry function",
         "Description": "In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.",
         "Severity": "MEDIUM",
@@ -431,6 +455,7 @@
         "PkgName": "nss",
         "InstalledVersion": "3.36.0-7.amzn2",
         "FixedVersion": "3.44.0-4.amzn2.0.2",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "nss: Cache side-channel variant of the Bleichenbacher attack",
         "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.",
         "Severity": "MEDIUM",
@@ -446,6 +471,7 @@
         "PkgName": "nss",
         "InstalledVersion": "3.36.0-7.amzn2",
         "FixedVersion": "3.44.0-4.amzn2.0.2",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
         "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
         "Severity": "LOW",
@@ -477,6 +503,7 @@
         "PkgName": "nss-sysinit",
         "InstalledVersion": "3.36.0-7.amzn2",
         "FixedVersion": "3.44.0-4.amzn2.0.2",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "nss: Cache side-channel variant of the Bleichenbacher attack",
         "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.",
         "Severity": "MEDIUM",
@@ -492,6 +519,7 @@
         "PkgName": "nss-sysinit",
         "InstalledVersion": "3.36.0-7.amzn2",
         "FixedVersion": "3.44.0-4.amzn2.0.2",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
         "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
         "Severity": "LOW",
@@ -523,6 +551,7 @@
         "PkgName": "nss-tools",
         "InstalledVersion": "3.36.0-7.amzn2",
         "FixedVersion": "3.44.0-4.amzn2.0.2",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "nss: Cache side-channel variant of the Bleichenbacher attack",
         "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.",
         "Severity": "MEDIUM",
@@ -538,6 +567,7 @@
         "PkgName": "nss-tools",
         "InstalledVersion": "3.36.0-7.amzn2",
         "FixedVersion": "3.44.0-4.amzn2.0.2",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
         "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
         "Severity": "LOW",
@@ -569,6 +599,7 @@
         "PkgName": "python",
         "InstalledVersion": "2.7.14-58.amzn2.0.4",
         "FixedVersion": "2.7.16-1.amzn2.0.1",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "python: NULL pointer dereference using a specially crafted X509 certificate",
         "Description": "A null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.",
         "Severity": "HIGH",
@@ -582,6 +613,7 @@
         "PkgName": "python",
         "InstalledVersion": "2.7.14-58.amzn2.0.4",
         "FixedVersion": "2.7.16-1.amzn2.0.1",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "python: DOS via regular expression catastrophic backtracking in apop() method in pop3lib",
         "Description": "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method.  An attacker could use this flaw to cause denial of service.",
         "Severity": "MEDIUM",
@@ -614,6 +646,7 @@
         "PkgName": "python",
         "InstalledVersion": "2.7.14-58.amzn2.0.4",
         "FixedVersion": "2.7.16-1.amzn2.0.1",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "python: DOS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib",
         "Description": "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method.  An attacker could use this flaw to cause denial of service.",
         "Severity": "MEDIUM",
@@ -646,6 +679,7 @@
         "PkgName": "python",
         "InstalledVersion": "2.7.14-58.amzn2.0.4",
         "FixedVersion": "2.7.16-1.amzn2.0.1",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "python: Integer overflow in Modules/_pickle.c allows for memory exhaustion if serializing gigabytes of data",
         "Description": "Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a \"resize to twice the size\" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data.",
         "Severity": "MEDIUM",
@@ -669,6 +703,7 @@
         "PkgName": "python",
         "InstalledVersion": "2.7.14-58.amzn2.0.4",
         "FixedVersion": "2.7.16-2.amzn2.0.1",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc",
         "Description": "A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.",
         "Severity": "MEDIUM",
@@ -689,6 +724,7 @@
         "PkgName": "python",
         "InstalledVersion": "2.7.14-58.amzn2.0.4",
         "FixedVersion": "2.7.16-1.amzn2.0.1",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "python: Information Disclosure due to urlsplit improper NFKC normalization",
         "Description": "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.",
         "Severity": "MEDIUM",
@@ -729,6 +765,7 @@
         "PkgName": "python",
         "InstalledVersion": "2.7.14-58.amzn2.0.4",
         "FixedVersion": "2.7.16-3.amzn2.0.1",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms",
         "Description": "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.",
         "Severity": "MEDIUM",
@@ -748,6 +785,7 @@
         "PkgName": "python-libs",
         "InstalledVersion": "2.7.14-58.amzn2.0.4",
         "FixedVersion": "2.7.16-1.amzn2.0.1",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "python: NULL pointer dereference using a specially crafted X509 certificate",
         "Description": "A null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.",
         "Severity": "HIGH",
@@ -761,6 +799,7 @@
         "PkgName": "python-libs",
         "InstalledVersion": "2.7.14-58.amzn2.0.4",
         "FixedVersion": "2.7.16-1.amzn2.0.1",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "python: DOS via regular expression catastrophic backtracking in apop() method in pop3lib",
         "Description": "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method.  An attacker could use this flaw to cause denial of service.",
         "Severity": "MEDIUM",
@@ -793,6 +832,7 @@
         "PkgName": "python-libs",
         "InstalledVersion": "2.7.14-58.amzn2.0.4",
         "FixedVersion": "2.7.16-1.amzn2.0.1",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "python: DOS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib",
         "Description": "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method.  An attacker could use this flaw to cause denial of service.",
         "Severity": "MEDIUM",
@@ -825,6 +865,7 @@
         "PkgName": "python-libs",
         "InstalledVersion": "2.7.14-58.amzn2.0.4",
         "FixedVersion": "2.7.16-1.amzn2.0.1",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "python: Integer overflow in Modules/_pickle.c allows for memory exhaustion if serializing gigabytes of data",
         "Description": "Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a \"resize to twice the size\" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data.",
         "Severity": "MEDIUM",
@@ -848,6 +889,7 @@
         "PkgName": "python-libs",
         "InstalledVersion": "2.7.14-58.amzn2.0.4",
         "FixedVersion": "2.7.16-2.amzn2.0.1",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc",
         "Description": "A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.",
         "Severity": "MEDIUM",
@@ -868,6 +910,7 @@
         "PkgName": "python-libs",
         "InstalledVersion": "2.7.14-58.amzn2.0.4",
         "FixedVersion": "2.7.16-1.amzn2.0.1",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "python: Information Disclosure due to urlsplit improper NFKC normalization",
         "Description": "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.",
         "Severity": "MEDIUM",
@@ -908,6 +951,7 @@
         "PkgName": "python-libs",
         "InstalledVersion": "2.7.14-58.amzn2.0.4",
         "FixedVersion": "2.7.16-3.amzn2.0.1",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms",
         "Description": "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.",
         "Severity": "MEDIUM",
@@ -927,6 +971,7 @@
         "PkgName": "vim-minimal",
         "InstalledVersion": "2:7.4.160-4.amzn2.0.16",
         "FixedVersion": "2:8.1.1602-1.amzn2",
+        "LayerID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
         "Title": "vim/neovim: ':source!' command allows arbitrary command execution via modelines",
         "Description": "getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.",
         "Severity": "CRITICAL",

integration/testdata/centos-7-critical.json.golden

@@ -7,6 +7,7 @@
         "PkgName": "curl",
         "InstalledVersion": "7.29.0-51.el7",
         "FixedVersion": "7.29.0-51.el7_6.3",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "curl: NTLM password overflow via integer overflow",
         "Description": "curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)",
         "Severity": "CRITICAL",
@@ -29,6 +30,7 @@
         "PkgName": "libcurl",
         "InstalledVersion": "7.29.0-51.el7",
         "FixedVersion": "7.29.0-51.el7_6.3",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "curl: NTLM password overflow via integer overflow",
         "Description": "curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)",
         "Severity": "CRITICAL",
@@ -51,6 +53,7 @@
         "PkgName": "libssh2",
         "InstalledVersion": "1.4.3-12.el7",
         "FixedVersion": "1.4.3-12.el7_6.2",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "libssh2: Integer overflow in transport read resulting in out of bounds write",
         "Description": "An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.",
         "Severity": "CRITICAL",
@@ -80,6 +83,7 @@
         "PkgName": "systemd",
         "InstalledVersion": "219-62.el7_6.5",
         "FixedVersion": "219-67.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "systemd: line splitting via fgets() allows for state injection during daemon-reexec",
         "Description": "A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.",
         "Severity": "CRITICAL",
@@ -99,6 +103,7 @@
         "PkgName": "systemd-libs",
         "InstalledVersion": "219-62.el7_6.5",
         "FixedVersion": "219-67.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "systemd: line splitting via fgets() allows for state injection during daemon-reexec",
         "Description": "A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.",
         "Severity": "CRITICAL",
@@ -112,6 +117,33 @@
           "https://usn.ubuntu.com/3816-1/",
           "https://www.exploit-db.com/exploits/45714/"
         ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-12735",
+        "PkgName": "vim-minimal",
+        "InstalledVersion": "2:7.4.160-5.el7",
+        "FixedVersion": "2:7.4.160-6.el7_6",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
+        "Title": "vim/neovim: ':source!' command allows arbitrary command execution via modelines",
+        "Description": "getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.",
+        "Severity": "CRITICAL",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00031.html",
+          "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00036.html",
+          "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00037.html",
+          "http://www.securityfocus.com/bid/108724",
+          "https://bugs.debian.org/930020",
+          "https://bugs.debian.org/930024",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12735",
+          "https://github.com/neovim/neovim/pull/10082",
+          "https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md",
+          "https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2BMDSHTF754TITC6AQJPCS5IRIDMMIM7/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TRIRBC2YRGKPAWVRMZS4SZTGGCVRVZPR/",
+          "https://usn.ubuntu.com/4016-1/",
+          "https://usn.ubuntu.com/4016-2/",
+          "https://www.debian.org/security/2019/dsa-4467"
+        ]
       }
     ]
   }

integration/testdata/centos-7-ignore-unfixed.json.golden

@@ -7,6 +7,7 @@
         "PkgName": "bind-license",
         "InstalledVersion": "32:9.9.4-73.el7_6",
         "FixedVersion": "32:9.9.4-74.el7_6.1",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "bind: Limiting simultaneous TCP clients is ineffective",
         "Description": "By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The number of allowed connections is a tunable parameter which, if unset, defaults to a conservative value for most servers. Unfortunately, the code which was intended to limit the number of simultaneous connections contained an error which could be exploited to grow the number of simultaneous connections beyond this limit. Versions affected: BIND 9.9.0 -\u003e 9.10.8-P1, 9.11.0 -\u003e 9.11.6, 9.12.0 -\u003e 9.12.4, 9.14.0. BIND 9 Supported Preview Edition versions 9.9.3-S1 -\u003e 9.11.5-S3, and 9.11.5-S5. Versions 9.13.0 -\u003e 9.13.7 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5743.",
         "Severity": "HIGH",
@@ -20,6 +21,7 @@
         "PkgName": "bind-license",
         "InstalledVersion": "32:9.9.4-73.el7_6",
         "FixedVersion": "32:9.11.4-9.P2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "bind: Incorrect documentation of krb5-subdomain and ms-subdomain update policies",
         "Description": "To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND 9 provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update request. Unfortunately, some rule types were not initially documented, and when documentation for them was added to the Administrator Reference Manual (ARM) in change #3112, the language that was added to the ARM at that time incorrectly described the behavior of two rule types, krb5-subdomain and ms-subdomain. This incorrect documentation could mislead operators into believing that policies they had configured were more restrictive than they actually were. This affects BIND versions prior to BIND 9.11.5 and BIND 9.12.3.",
         "Severity": "MEDIUM",
@@ -37,6 +39,7 @@
         "PkgName": "binutils",
         "InstalledVersion": "2.27-34.base.el7",
         "FixedVersion": "2.27-41.base.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "binutils: integer overflow leads to heap-based buffer overflow in objdump",
         "Description": "binutils version 2.32 and earlier contains a Integer Overflow vulnerability in objdump, bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc that can result in Integer overflow trigger heap overflow. Successful exploitation allows execution of arbitrary code.. This attack appear to be exploitable via Local. This vulnerability appears to have been fixed in after commit 3a551c7a1b80fca579461774860574eabfd7f18f.",
         "Severity": "MEDIUM",
@@ -52,6 +55,7 @@
         "PkgName": "binutils",
         "InstalledVersion": "2.27-34.base.el7",
         "FixedVersion": "2.27-41.base.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "binutils: Stack Exhaustion in the demangling functions provided by libiberty",
         "Description": "An issue was discovered in arm_pt in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_arm_hp_template, demangle_class_name, demangle_fund_type, do_type, do_arg, demangle_args, and demangle_nested_args. This can occur during execution of nm-new.",
         "Severity": "MEDIUM",
@@ -68,6 +72,7 @@
         "PkgName": "binutils",
         "InstalledVersion": "2.27-34.base.el7",
         "FixedVersion": "2.27-41.base.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "binutils: NULL pointer dereference in work_stuff_copy_to_from in cplus-dem.c.",
         "Description": "A NULL pointer dereference (aka SEGV on unknown address 0x000000000000) was discovered in work_stuff_copy_to_from in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. This can occur during execution of objdump.",
         "Severity": "MEDIUM",
@@ -85,6 +90,7 @@
         "PkgName": "curl",
         "InstalledVersion": "7.29.0-51.el7",
         "FixedVersion": "7.29.0-51.el7_6.3",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "curl: NTLM password overflow via integer overflow",
         "Description": "curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)",
         "Severity": "CRITICAL",
@@ -107,6 +113,7 @@
         "PkgName": "curl",
         "InstalledVersion": "7.29.0-51.el7",
         "FixedVersion": "7.29.0-54.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "curl: Heap-based buffer over-read in the curl tool warning formatting",
         "Description": "Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.",
         "Severity": "MEDIUM",
@@ -129,6 +136,7 @@
         "PkgName": "elfutils-default-yama-scope",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "elfutils: Double-free due to double decompression of sections in crafted ELF causes crash",
         "Description": "libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.",
         "Severity": "HIGH",
@@ -143,6 +151,7 @@
         "PkgName": "elfutils-default-yama-scope",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file",
         "Description": "dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file.",
         "Severity": "MEDIUM",
@@ -161,6 +170,7 @@
         "PkgName": "elfutils-default-yama-scope",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/dwarf_hasattr.c causes crash",
         "Description": "libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash.",
         "Severity": "MEDIUM",
@@ -178,6 +188,7 @@
         "PkgName": "elfutils-default-yama-scope",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "elfutils: invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl",
         "Description": "An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes.",
         "Severity": "MEDIUM",
@@ -194,6 +205,7 @@
         "PkgName": "elfutils-default-yama-scope",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "elfutils: eu-size cannot handle recursive ar files",
         "Description": "An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.",
         "Severity": "MEDIUM",
@@ -210,6 +222,7 @@
         "PkgName": "elfutils-default-yama-scope",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "elfutils: Divide-by-zero in arlib_add_symbols function in arlib.c",
         "Description": "Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled.",
         "Severity": "MEDIUM",
@@ -226,6 +239,7 @@
         "PkgName": "elfutils-default-yama-scope",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "elfutils: heap-based buffer over-read in read_srclines in dwarf_getsrclines.c in libdw",
         "Description": "A heap-based buffer over-read was discovered in the function read_srclines in dwarf_getsrclines.c in libdw in elfutils 0.175. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by eu-nm.",
         "Severity": "MEDIUM",
@@ -242,6 +256,7 @@
         "PkgName": "elfutils-default-yama-scope",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "elfutils: segmentation fault in elf64_xlatetom in libelf/elf32_xlatetom.c",
         "Description": "An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack.",
         "Severity": "MEDIUM",
@@ -258,6 +273,7 @@
         "PkgName": "elfutils-default-yama-scope",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "elfutils: out of bound write in elf_cvt_note in libelf/note_xlate.h",
         "Description": "In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input causes a segmentation fault, leading to denial of service (program crash).",
         "Severity": "MEDIUM",
@@ -272,6 +288,7 @@
         "PkgName": "elfutils-default-yama-scope",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "elfutils: heap-based buffer over-read in function elf32_xlatetom in elf32_xlatetom.c",
         "Description": "In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes.",
         "Severity": "MEDIUM",
@@ -288,6 +305,7 @@
         "PkgName": "elfutils-libelf",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "elfutils: Double-free due to double decompression of sections in crafted ELF causes crash",
         "Description": "libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.",
         "Severity": "HIGH",
@@ -302,6 +320,7 @@
         "PkgName": "elfutils-libelf",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file",
         "Description": "dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file.",
         "Severity": "MEDIUM",
@@ -320,6 +339,7 @@
         "PkgName": "elfutils-libelf",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/dwarf_hasattr.c causes crash",
         "Description": "libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash.",
         "Severity": "MEDIUM",
@@ -337,6 +357,7 @@
         "PkgName": "elfutils-libelf",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "elfutils: invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl",
         "Description": "An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes.",
         "Severity": "MEDIUM",
@@ -353,6 +374,7 @@
         "PkgName": "elfutils-libelf",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "elfutils: eu-size cannot handle recursive ar files",
         "Description": "An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.",
         "Severity": "MEDIUM",
@@ -369,6 +391,7 @@
         "PkgName": "elfutils-libelf",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "elfutils: Divide-by-zero in arlib_add_symbols function in arlib.c",
         "Description": "Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled.",
         "Severity": "MEDIUM",
@@ -385,6 +408,7 @@
         "PkgName": "elfutils-libelf",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "elfutils: heap-based buffer over-read in read_srclines in dwarf_getsrclines.c in libdw",
         "Description": "A heap-based buffer over-read was discovered in the function read_srclines in dwarf_getsrclines.c in libdw in elfutils 0.175. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by eu-nm.",
         "Severity": "MEDIUM",
@@ -401,6 +425,7 @@
         "PkgName": "elfutils-libelf",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "elfutils: segmentation fault in elf64_xlatetom in libelf/elf32_xlatetom.c",
         "Description": "An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack.",
         "Severity": "MEDIUM",
@@ -417,6 +442,7 @@
         "PkgName": "elfutils-libelf",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "elfutils: out of bound write in elf_cvt_note in libelf/note_xlate.h",
         "Description": "In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input causes a segmentation fault, leading to denial of service (program crash).",
         "Severity": "MEDIUM",
@@ -431,6 +457,7 @@
         "PkgName": "elfutils-libelf",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "elfutils: heap-based buffer over-read in function elf32_xlatetom in elf32_xlatetom.c",
         "Description": "In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes.",
         "Severity": "MEDIUM",
@@ -447,6 +474,7 @@
         "PkgName": "elfutils-libs",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "elfutils: Double-free due to double decompression of sections in crafted ELF causes crash",
         "Description": "libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.",
         "Severity": "HIGH",
@@ -461,6 +489,7 @@
         "PkgName": "elfutils-libs",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file",
         "Description": "dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file.",
         "Severity": "MEDIUM",
@@ -479,6 +508,7 @@
         "PkgName": "elfutils-libs",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/dwarf_hasattr.c causes crash",
         "Description": "libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash.",
         "Severity": "MEDIUM",
@@ -496,6 +526,7 @@
         "PkgName": "elfutils-libs",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "elfutils: invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl",
         "Description": "An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes.",
         "Severity": "MEDIUM",
@@ -512,6 +543,7 @@
         "PkgName": "elfutils-libs",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "elfutils: eu-size cannot handle recursive ar files",
         "Description": "An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.",
         "Severity": "MEDIUM",
@@ -528,6 +560,7 @@
         "PkgName": "elfutils-libs",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "elfutils: Divide-by-zero in arlib_add_symbols function in arlib.c",
         "Description": "Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled.",
         "Severity": "MEDIUM",
@@ -544,6 +577,7 @@
         "PkgName": "elfutils-libs",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "elfutils: heap-based buffer over-read in read_srclines in dwarf_getsrclines.c in libdw",
         "Description": "A heap-based buffer over-read was discovered in the function read_srclines in dwarf_getsrclines.c in libdw in elfutils 0.175. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by eu-nm.",
         "Severity": "MEDIUM",
@@ -560,6 +594,7 @@
         "PkgName": "elfutils-libs",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "elfutils: segmentation fault in elf64_xlatetom in libelf/elf32_xlatetom.c",
         "Description": "An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack.",
         "Severity": "MEDIUM",
@@ -576,6 +611,7 @@
         "PkgName": "elfutils-libs",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "elfutils: out of bound write in elf_cvt_note in libelf/note_xlate.h",
         "Description": "In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input causes a segmentation fault, leading to denial of service (program crash).",
         "Severity": "MEDIUM",
@@ -590,6 +626,7 @@
         "PkgName": "elfutils-libs",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "elfutils: heap-based buffer over-read in function elf32_xlatetom in elf32_xlatetom.c",
         "Description": "In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes.",
         "Severity": "MEDIUM",
@@ -606,6 +643,7 @@
         "PkgName": "glibc",
         "InstalledVersion": "2.17-260.el7_6.3",
         "FixedVersion": "2.17-292.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters",
         "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.",
         "Severity": "MEDIUM",
@@ -623,6 +661,7 @@
         "PkgName": "glibc-common",
         "InstalledVersion": "2.17-260.el7_6.3",
         "FixedVersion": "2.17-292.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters",
         "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.",
         "Severity": "MEDIUM",
@@ -640,6 +679,7 @@
         "PkgName": "libcurl",
         "InstalledVersion": "7.29.0-51.el7",
         "FixedVersion": "7.29.0-51.el7_6.3",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "curl: NTLM password overflow via integer overflow",
         "Description": "curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)",
         "Severity": "CRITICAL",
@@ -662,6 +702,7 @@
         "PkgName": "libcurl",
         "InstalledVersion": "7.29.0-51.el7",
         "FixedVersion": "7.29.0-54.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "curl: Heap-based buffer over-read in the curl tool warning formatting",
         "Description": "Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.",
         "Severity": "MEDIUM",
@@ -684,6 +725,7 @@
         "PkgName": "libssh2",
         "InstalledVersion": "1.4.3-12.el7",
         "FixedVersion": "1.4.3-12.el7_6.2",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "libssh2: Integer overflow in transport read resulting in out of bounds write",
         "Description": "An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.",
         "Severity": "CRITICAL",
@@ -713,6 +755,7 @@
         "PkgName": "libssh2",
         "InstalledVersion": "1.4.3-12.el7",
         "FixedVersion": "1.4.3-12.el7_6.2",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "libssh2: Integer overflow in keyboard interactive handling resulting in out of bounds write",
         "Description": "An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 before 1.8.1 in the way keyboard prompt requests are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.",
         "Severity": "MEDIUM",
@@ -736,6 +779,7 @@
         "PkgName": "libssh2",
         "InstalledVersion": "1.4.3-12.el7",
         "FixedVersion": "1.4.3-12.el7_6.2",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "libssh2: Integer overflow in SSH packet processing channel resulting in out of bounds write",
         "Description": "An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.",
         "Severity": "MEDIUM",
@@ -759,6 +803,7 @@
         "PkgName": "libssh2",
         "InstalledVersion": "1.4.3-12.el7",
         "FixedVersion": "1.8.0-3.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "libssh2: Zero-byte allocation with a specially crafted SFTP packed leading to an out-of-bounds read",
         "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.",
         "Severity": "MEDIUM",
@@ -786,6 +831,7 @@
         "PkgName": "libssh2",
         "InstalledVersion": "1.4.3-12.el7",
         "FixedVersion": "1.8.0-3.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "libssh2: Out-of-bounds reads with specially crafted SSH packets",
         "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH packets with a padding length value greater than the packet length are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.",
         "Severity": "MEDIUM",
@@ -807,6 +853,7 @@
         "PkgName": "libssh2",
         "InstalledVersion": "1.4.3-12.el7",
         "FixedVersion": "1.4.3-12.el7_6.3",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "libssh2: Out-of-bounds memory comparison with specially crafted message channel request",
         "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.",
         "Severity": "MEDIUM",
@@ -834,6 +881,7 @@
         "PkgName": "libssh2",
         "InstalledVersion": "1.4.3-12.el7",
         "FixedVersion": "1.4.3-12.el7_6.2",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "libssh2: Integer overflow in user authenticate keyboard interactive allows out-of-bounds writes",
         "Description": "A flaw was found in libssh2 before 1.8.1. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error.",
         "Severity": "MEDIUM",
@@ -857,6 +905,7 @@
         "PkgName": "nspr",
         "InstalledVersion": "4.19.0-1.el7_5",
         "FixedVersion": "4.21.0-1.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "nss: Cache side-channel variant of the Bleichenbacher attack",
         "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.",
         "Severity": "MEDIUM",
@@ -872,6 +921,7 @@
         "PkgName": "nspr",
         "InstalledVersion": "4.19.0-1.el7_5",
         "FixedVersion": "4.21.0-1.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
         "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
         "Severity": "LOW",
@@ -903,6 +953,7 @@
         "PkgName": "nss",
         "InstalledVersion": "3.36.0-7.1.el7_6",
         "FixedVersion": "3.44.0-4.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "nss: Cache side-channel variant of the Bleichenbacher attack",
         "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.",
         "Severity": "MEDIUM",
@@ -918,6 +969,7 @@
         "PkgName": "nss",
         "InstalledVersion": "3.36.0-7.1.el7_6",
         "FixedVersion": "3.44.0-4.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
         "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
         "Severity": "LOW",
@@ -949,6 +1001,7 @@
         "PkgName": "nss-softokn",
         "InstalledVersion": "3.36.0-5.el7_5",
         "FixedVersion": "3.44.0-5.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "nss: Cache side-channel variant of the Bleichenbacher attack",
         "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.",
         "Severity": "MEDIUM",
@@ -964,6 +1017,7 @@
         "PkgName": "nss-softokn",
         "InstalledVersion": "3.36.0-5.el7_5",
         "FixedVersion": "3.44.0-5.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
         "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
         "Severity": "LOW",
@@ -995,6 +1049,7 @@
         "PkgName": "nss-softokn-freebl",
         "InstalledVersion": "3.36.0-5.el7_5",
         "FixedVersion": "3.44.0-5.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "nss: Cache side-channel variant of the Bleichenbacher attack",
         "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.",
         "Severity": "MEDIUM",
@@ -1010,6 +1065,7 @@
         "PkgName": "nss-softokn-freebl",
         "InstalledVersion": "3.36.0-5.el7_5",
         "FixedVersion": "3.44.0-5.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
         "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
         "Severity": "LOW",
@@ -1041,6 +1097,7 @@
         "PkgName": "nss-sysinit",
         "InstalledVersion": "3.36.0-7.1.el7_6",
         "FixedVersion": "3.44.0-4.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "nss: Cache side-channel variant of the Bleichenbacher attack",
         "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.",
         "Severity": "MEDIUM",
@@ -1056,6 +1113,7 @@
         "PkgName": "nss-sysinit",
         "InstalledVersion": "3.36.0-7.1.el7_6",
         "FixedVersion": "3.44.0-4.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
         "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
         "Severity": "LOW",
@@ -1087,6 +1145,7 @@
         "PkgName": "nss-tools",
         "InstalledVersion": "3.36.0-7.1.el7_6",
         "FixedVersion": "3.44.0-4.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "nss: Cache side-channel variant of the Bleichenbacher attack",
         "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.",
         "Severity": "MEDIUM",
@@ -1102,6 +1161,7 @@
         "PkgName": "nss-tools",
         "InstalledVersion": "3.36.0-7.1.el7_6",
         "FixedVersion": "3.44.0-4.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
         "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
         "Severity": "LOW",
@@ -1133,6 +1193,7 @@
         "PkgName": "nss-util",
         "InstalledVersion": "3.36.0-1.1.el7_6",
         "FixedVersion": "3.44.0-3.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "nss: Cache side-channel variant of the Bleichenbacher attack",
         "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.",
         "Severity": "MEDIUM",
@@ -1148,6 +1209,7 @@
         "PkgName": "nss-util",
         "InstalledVersion": "3.36.0-1.1.el7_6",
         "FixedVersion": "3.44.0-3.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
         "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
         "Severity": "LOW",
@@ -1179,6 +1241,7 @@
         "PkgName": "openssl-libs",
         "InstalledVersion": "1:1.0.2k-16.el7",
         "FixedVersion": "1:1.0.2k-19.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "openssl: timing side channel attack in the DSA signature algorithm",
         "Description": "The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).",
         "Severity": "MEDIUM",
@@ -1208,6 +1271,7 @@
         "PkgName": "openssl-libs",
         "InstalledVersion": "1:1.0.2k-16.el7",
         "FixedVersion": "1:1.0.2k-19.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "openssl: 0-byte record padding oracle",
         "Description": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).",
         "Severity": "MEDIUM",
@@ -1241,6 +1305,7 @@
         "PkgName": "openssl-libs",
         "InstalledVersion": "1:1.0.2k-16.el7",
         "FixedVersion": "1:1.0.2k-16.el7_6.1",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash)",
         "Description": "Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.",
         "Severity": "LOW",
@@ -1273,6 +1338,7 @@
         "PkgName": "procps-ng",
         "InstalledVersion": "3.3.10-23.el7",
         "FixedVersion": "3.3.10-26.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "procps-ng, procps: Local privilege escalation in top",
         "Description": "procps-ng before version 3.3.15 is vulnerable to a local privilege escalation in top. If a user runs top with HOME unset in an attacker-controlled directory, the attacker could achieve privilege escalation by exploiting one of several vulnerabilities in the config_file() function.",
         "Severity": "MEDIUM",
@@ -1296,6 +1362,7 @@
         "PkgName": "python",
         "InstalledVersion": "2.7.5-76.el7",
         "FixedVersion": "2.7.5-86.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "python: NULL pointer dereference using a specially crafted X509 certificate",
         "Description": "A null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.",
         "Severity": "HIGH",
@@ -1309,6 +1376,7 @@
         "PkgName": "python",
         "InstalledVersion": "2.7.5-76.el7",
         "FixedVersion": "2.7.5-86.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "python: Missing salt initialization in _elementtree.c module",
         "Description": "Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. Python 3.8, 3.7, 3.6, 3.5, 3.4, 2.7 are believed to be vulnerable.",
         "Severity": "MEDIUM",
@@ -1334,6 +1402,7 @@
         "PkgName": "python",
         "InstalledVersion": "2.7.5-76.el7",
         "FixedVersion": "2.7.5-80.el7_6",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc",
         "Description": "A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.",
         "Severity": "MEDIUM",
@@ -1354,6 +1423,7 @@
         "PkgName": "python",
         "InstalledVersion": "2.7.5-76.el7",
         "FixedVersion": "2.7.5-77.el7_6",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "python: Information Disclosure due to urlsplit improper NFKC normalization",
         "Description": "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.",
         "Severity": "MEDIUM",
@@ -1394,6 +1464,7 @@
         "PkgName": "python",
         "InstalledVersion": "2.7.5-76.el7",
         "FixedVersion": "2.7.5-86.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "python: CRLF injection via the query part of the url passed to urlopen()",
         "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.",
         "Severity": "MEDIUM",
@@ -1411,6 +1482,7 @@
         "PkgName": "python",
         "InstalledVersion": "2.7.5-76.el7",
         "FixedVersion": "2.7.5-86.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "python: CRLF injection via the path part of the url passed to urlopen()",
         "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.",
         "Severity": "MEDIUM",
@@ -1428,6 +1500,7 @@
         "PkgName": "python",
         "InstalledVersion": "2.7.5-76.el7",
         "FixedVersion": "2.7.5-86.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms",
         "Description": "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.",
         "Severity": "MEDIUM",
@@ -1447,6 +1520,7 @@
         "PkgName": "python-libs",
         "InstalledVersion": "2.7.5-76.el7",
         "FixedVersion": "2.7.5-86.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "python: NULL pointer dereference using a specially crafted X509 certificate",
         "Description": "A null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.",
         "Severity": "HIGH",
@@ -1460,6 +1534,7 @@
         "PkgName": "python-libs",
         "InstalledVersion": "2.7.5-76.el7",
         "FixedVersion": "2.7.5-86.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "python: Missing salt initialization in _elementtree.c module",
         "Description": "Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. Python 3.8, 3.7, 3.6, 3.5, 3.4, 2.7 are believed to be vulnerable.",
         "Severity": "MEDIUM",
@@ -1485,6 +1560,7 @@
         "PkgName": "python-libs",
         "InstalledVersion": "2.7.5-76.el7",
         "FixedVersion": "2.7.5-80.el7_6",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc",
         "Description": "A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.",
         "Severity": "MEDIUM",
@@ -1505,6 +1581,7 @@
         "PkgName": "python-libs",
         "InstalledVersion": "2.7.5-76.el7",
         "FixedVersion": "2.7.5-77.el7_6",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "python: Information Disclosure due to urlsplit improper NFKC normalization",
         "Description": "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.",
         "Severity": "MEDIUM",
@@ -1545,6 +1622,7 @@
         "PkgName": "python-libs",
         "InstalledVersion": "2.7.5-76.el7",
         "FixedVersion": "2.7.5-86.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "python: CRLF injection via the query part of the url passed to urlopen()",
         "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.",
         "Severity": "MEDIUM",
@@ -1562,6 +1640,7 @@
         "PkgName": "python-libs",
         "InstalledVersion": "2.7.5-76.el7",
         "FixedVersion": "2.7.5-86.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "python: CRLF injection via the path part of the url passed to urlopen()",
         "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.",
         "Severity": "MEDIUM",
@@ -1579,6 +1658,7 @@
         "PkgName": "python-libs",
         "InstalledVersion": "2.7.5-76.el7",
         "FixedVersion": "2.7.5-86.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms",
         "Description": "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.",
         "Severity": "MEDIUM",
@@ -1598,6 +1678,7 @@
         "PkgName": "systemd",
         "InstalledVersion": "219-62.el7_6.5",
         "FixedVersion": "219-67.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "systemd: line splitting via fgets() allows for state injection during daemon-reexec",
         "Description": "A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.",
         "Severity": "CRITICAL",
@@ -1617,6 +1698,7 @@
         "PkgName": "systemd",
         "InstalledVersion": "219-62.el7_6.5",
         "FixedVersion": "219-67.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "systemd: out-of-bounds read when parsing a crafted syslog message",
         "Description": "An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'. A local attacker can use this flaw to disclose process memory data. Versions from v221 to v239 are vulnerable.",
         "Severity": "LOW",
@@ -1640,6 +1722,7 @@
         "PkgName": "systemd",
         "InstalledVersion": "219-62.el7_6.5",
         "FixedVersion": "219-67.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "systemd: kills privileged process if unprivileged PIDFile was tampered",
         "Description": "It was discovered systemd does not correctly check the content of PIDFile files before using it to kill processes. When a service is run from an unprivileged user (e.g. User field set in the service file), a local attacker who is able to write to the PIDFile of the mentioned service may use this flaw to trick systemd into killing other services and/or privileged processes. Versions before v237 are vulnerable.",
         "Severity": "LOW",
@@ -1656,6 +1739,7 @@
         "PkgName": "systemd-libs",
         "InstalledVersion": "219-62.el7_6.5",
         "FixedVersion": "219-67.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "systemd: line splitting via fgets() allows for state injection during daemon-reexec",
         "Description": "A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.",
         "Severity": "CRITICAL",
@@ -1675,6 +1759,7 @@
         "PkgName": "systemd-libs",
         "InstalledVersion": "219-62.el7_6.5",
         "FixedVersion": "219-67.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "systemd: out-of-bounds read when parsing a crafted syslog message",
         "Description": "An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'. A local attacker can use this flaw to disclose process memory data. Versions from v221 to v239 are vulnerable.",
         "Severity": "LOW",
@@ -1698,6 +1783,7 @@
         "PkgName": "systemd-libs",
         "InstalledVersion": "219-62.el7_6.5",
         "FixedVersion": "219-67.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "systemd: kills privileged process if unprivileged PIDFile was tampered",
         "Description": "It was discovered systemd does not correctly check the content of PIDFile files before using it to kill processes. When a service is run from an unprivileged user (e.g. User field set in the service file), a local attacker who is able to write to the PIDFile of the mentioned service may use this flaw to trick systemd into killing other services and/or privileged processes. Versions before v237 are vulnerable.",
         "Severity": "LOW",
@@ -1708,6 +1794,33 @@
           "https://lists.apache.org/thread.html/5960a34a524848cd722fd7ab7e2227eac10107b0f90d9d1e9c3caa74@%3Cuser.cassandra.apache.org%3E",
           "https://security.netapp.com/advisory/ntap-20190307-0007/"
         ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-12735",
+        "PkgName": "vim-minimal",
+        "InstalledVersion": "2:7.4.160-5.el7",
+        "FixedVersion": "2:7.4.160-6.el7_6",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
+        "Title": "vim/neovim: ':source!' command allows arbitrary command execution via modelines",
+        "Description": "getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.",
+        "Severity": "CRITICAL",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00031.html",
+          "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00036.html",
+          "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00037.html",
+          "http://www.securityfocus.com/bid/108724",
+          "https://bugs.debian.org/930020",
+          "https://bugs.debian.org/930024",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12735",
+          "https://github.com/neovim/neovim/pull/10082",
+          "https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md",
+          "https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2BMDSHTF754TITC6AQJPCS5IRIDMMIM7/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TRIRBC2YRGKPAWVRMZS4SZTGGCVRVZPR/",
+          "https://usn.ubuntu.com/4016-1/",
+          "https://usn.ubuntu.com/4016-2/",
+          "https://www.debian.org/security/2019/dsa-4467"
+        ]
       }
     ]
   }

integration/testdata/centos-7-low-high.json.golden

@@ -7,6 +7,7 @@
         "PkgName": "bind-license",
         "InstalledVersion": "32:9.9.4-73.el7_6",
         "FixedVersion": "32:9.9.4-74.el7_6.1",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "bind: Limiting simultaneous TCP clients is ineffective",
         "Description": "By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The number of allowed connections is a tunable parameter which, if unset, defaults to a conservative value for most servers. Unfortunately, the code which was intended to limit the number of simultaneous connections contained an error which could be exploited to grow the number of simultaneous connections beyond this limit. Versions affected: BIND 9.9.0 -\u003e 9.10.8-P1, 9.11.0 -\u003e 9.11.6, 9.12.0 -\u003e 9.12.4, 9.14.0. BIND 9 Supported Preview Edition versions 9.9.3-S1 -\u003e 9.11.5-S3, and 9.11.5-S5. Versions 9.13.0 -\u003e 9.13.7 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5743.",
         "Severity": "HIGH",
@@ -20,6 +21,7 @@
         "PkgName": "elfutils-default-yama-scope",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "elfutils: Double-free due to double decompression of sections in crafted ELF causes crash",
         "Description": "libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.",
         "Severity": "HIGH",
@@ -34,6 +36,7 @@
         "PkgName": "elfutils-libelf",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "elfutils: Double-free due to double decompression of sections in crafted ELF causes crash",
         "Description": "libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.",
         "Severity": "HIGH",
@@ -48,6 +51,7 @@
         "PkgName": "elfutils-libs",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "elfutils: Double-free due to double decompression of sections in crafted ELF causes crash",
         "Description": "libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.",
         "Severity": "HIGH",
@@ -62,6 +66,7 @@
         "PkgName": "nspr",
         "InstalledVersion": "4.19.0-1.el7_5",
         "FixedVersion": "4.21.0-1.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
         "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
         "Severity": "LOW",
@@ -93,6 +98,7 @@
         "PkgName": "nss",
         "InstalledVersion": "3.36.0-7.1.el7_6",
         "FixedVersion": "3.44.0-4.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
         "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
         "Severity": "LOW",
@@ -124,6 +130,7 @@
         "PkgName": "nss-softokn",
         "InstalledVersion": "3.36.0-5.el7_5",
         "FixedVersion": "3.44.0-5.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
         "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
         "Severity": "LOW",
@@ -155,6 +162,7 @@
         "PkgName": "nss-softokn-freebl",
         "InstalledVersion": "3.36.0-5.el7_5",
         "FixedVersion": "3.44.0-5.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
         "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
         "Severity": "LOW",
@@ -186,6 +194,7 @@
         "PkgName": "nss-sysinit",
         "InstalledVersion": "3.36.0-7.1.el7_6",
         "FixedVersion": "3.44.0-4.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
         "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
         "Severity": "LOW",
@@ -217,6 +226,7 @@
         "PkgName": "nss-tools",
         "InstalledVersion": "3.36.0-7.1.el7_6",
         "FixedVersion": "3.44.0-4.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
         "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
         "Severity": "LOW",
@@ -248,6 +258,7 @@
         "PkgName": "nss-util",
         "InstalledVersion": "3.36.0-1.1.el7_6",
         "FixedVersion": "3.44.0-3.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
         "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
         "Severity": "LOW",
@@ -279,6 +290,7 @@
         "PkgName": "openssl-libs",
         "InstalledVersion": "1:1.0.2k-16.el7",
         "FixedVersion": "1:1.0.2k-16.el7_6.1",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash)",
         "Description": "Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.",
         "Severity": "LOW",
@@ -311,6 +323,7 @@
         "PkgName": "python",
         "InstalledVersion": "2.7.5-76.el7",
         "FixedVersion": "2.7.5-86.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "python: NULL pointer dereference using a specially crafted X509 certificate",
         "Description": "A null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.",
         "Severity": "HIGH",
@@ -324,6 +337,7 @@
         "PkgName": "python-libs",
         "InstalledVersion": "2.7.5-76.el7",
         "FixedVersion": "2.7.5-86.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "python: NULL pointer dereference using a specially crafted X509 certificate",
         "Description": "A null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.",
         "Severity": "HIGH",
@@ -337,6 +351,7 @@
         "PkgName": "systemd",
         "InstalledVersion": "219-62.el7_6.5",
         "FixedVersion": "219-67.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "systemd: out-of-bounds read when parsing a crafted syslog message",
         "Description": "An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'. A local attacker can use this flaw to disclose process memory data. Versions from v221 to v239 are vulnerable.",
         "Severity": "LOW",
@@ -360,6 +375,7 @@
         "PkgName": "systemd",
         "InstalledVersion": "219-62.el7_6.5",
         "FixedVersion": "219-67.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "systemd: kills privileged process if unprivileged PIDFile was tampered",
         "Description": "It was discovered systemd does not correctly check the content of PIDFile files before using it to kill processes. When a service is run from an unprivileged user (e.g. User field set in the service file), a local attacker who is able to write to the PIDFile of the mentioned service may use this flaw to trick systemd into killing other services and/or privileged processes. Versions before v237 are vulnerable.",
         "Severity": "LOW",
@@ -376,6 +392,7 @@
         "PkgName": "systemd-libs",
         "InstalledVersion": "219-62.el7_6.5",
         "FixedVersion": "219-67.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "systemd: out-of-bounds read when parsing a crafted syslog message",
         "Description": "An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'. A local attacker can use this flaw to disclose process memory data. Versions from v221 to v239 are vulnerable.",
         "Severity": "LOW",
@@ -399,6 +416,7 @@
         "PkgName": "systemd-libs",
         "InstalledVersion": "219-62.el7_6.5",
         "FixedVersion": "219-67.el7",
+        "LayerID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854",
         "Title": "systemd: kills privileged process if unprivileged PIDFile was tampered",
         "Description": "It was discovered systemd does not correctly check the content of PIDFile files before using it to kill processes. When a service is run from an unprivileged user (e.g. User field set in the service file), a local attacker who is able to write to the PIDFile of the mentioned service may use this flaw to trick systemd into killing other services and/or privileged processes. Versions before v237 are vulnerable.",
         "Severity": "LOW",

integration/testdata/debian-buster-ignore-unfixed.json.golden

@@ -7,6 +7,7 @@
         "PkgName": "e2fsprogs",
         "InstalledVersion": "1.44.5-1+deb10u1",
         "FixedVersion": "1.44.5-1+deb10u2",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
         "Severity": "MEDIUM",
         "References": [
@@ -23,6 +24,7 @@
         "PkgName": "libcom-err2",
         "InstalledVersion": "1.44.5-1+deb10u1",
         "FixedVersion": "1.44.5-1+deb10u2",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
         "Severity": "MEDIUM",
         "References": [
@@ -39,6 +41,7 @@
         "PkgName": "libext2fs2",
         "InstalledVersion": "1.44.5-1+deb10u1",
         "FixedVersion": "1.44.5-1+deb10u2",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
         "Severity": "MEDIUM",
         "References": [
@@ -55,6 +58,7 @@
         "PkgName": "libss2",
         "InstalledVersion": "1.44.5-1+deb10u1",
         "FixedVersion": "1.44.5-1+deb10u2",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
         "Severity": "MEDIUM",
         "References": [

integration/testdata/debian-buster.json.golden

@@ -6,18 +6,21 @@
         "VulnerabilityID": "CVE-2011-3374",
         "PkgName": "apt",
         "InstalledVersion": "1.8.2",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Severity": "LOW"
       },
       {
         "VulnerabilityID": "TEMP-0841856-B18BAF",
         "PkgName": "bash",
         "InstalledVersion": "5.0-4",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Severity": "LOW"
       },
       {
         "VulnerabilityID": "CVE-2016-2781",
         "PkgName": "coreutils",
         "InstalledVersion": "8.30-3",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "coreutils: Non-privileged session can escape to the parent session in chroot",
         "Description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.",
         "Severity": "LOW",
@@ -30,6 +33,7 @@
         "VulnerabilityID": "CVE-2017-18018",
         "PkgName": "coreutils",
         "InstalledVersion": "8.30-3",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "coreutils: race condition vulnerability in chown and chgrp",
         "Description": "In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.",
         "Severity": "LOW",
@@ -42,6 +46,7 @@
         "PkgName": "e2fsprogs",
         "InstalledVersion": "1.44.5-1+deb10u1",
         "FixedVersion": "1.44.5-1+deb10u2",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
         "Severity": "MEDIUM",
         "References": [
@@ -57,6 +62,7 @@
         "VulnerabilityID": "CVE-2018-12886",
         "PkgName": "gcc-8-base",
         "InstalledVersion": "8.3.0-6",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "gcc: spilling of stack protection address in cfgexpand.c and function.c leads to stack-overflow protection bypass",
         "Description": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.",
         "Severity": "MEDIUM",
@@ -69,6 +75,7 @@
         "VulnerabilityID": "CVE-2019-15847",
         "PkgName": "gcc-8-base",
         "InstalledVersion": "8.3.0-6",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "gcc: POWER9 \"DARN\" RNG intrinsic produces repeated output",
         "Description": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.",
         "Severity": "MEDIUM",
@@ -80,12 +87,14 @@
         "VulnerabilityID": "CVE-2011-3374",
         "PkgName": "libapt-pkg5.0",
         "InstalledVersion": "1.8.2",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Severity": "LOW"
       },
       {
         "VulnerabilityID": "CVE-2019-1010022",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.28-10",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "glibc: stack guard protection bypass",
         "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.",
         "Severity": "HIGH",
@@ -97,6 +106,7 @@
         "VulnerabilityID": "CVE-2010-4051",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.28-10",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "CVE-2010-4052 glibc: De-recursivise regular expression engine",
         "Description": "The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a \"RE_DUP_MAX overflow.\"",
         "Severity": "MEDIUM",
@@ -118,6 +128,7 @@
         "VulnerabilityID": "CVE-2010-4052",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.28-10",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "CVE-2010-4051 CVE-2010-4052 glibc: De-recursivise regular expression engine",
         "Description": "Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.",
         "Severity": "MEDIUM",
@@ -139,6 +150,7 @@
         "VulnerabilityID": "CVE-2010-4756",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.28-10",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions",
         "Description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.",
         "Severity": "MEDIUM",
@@ -152,6 +164,7 @@
         "VulnerabilityID": "CVE-2016-10228",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.28-10",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "glibc: iconv program can hang when invoked with the -c option",
         "Description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.",
         "Severity": "MEDIUM",
@@ -165,6 +178,7 @@
         "VulnerabilityID": "CVE-2018-20796",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.28-10",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c",
         "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.",
         "Severity": "MEDIUM",
@@ -179,6 +193,7 @@
         "VulnerabilityID": "CVE-2019-1010023",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.28-10",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Description": "GNU Libc current is affected by: Re-mapping current loaded libray with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code.",
         "Severity": "MEDIUM",
         "References": [
@@ -191,6 +206,7 @@
         "VulnerabilityID": "CVE-2019-1010024",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.28-10",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc.",
         "Severity": "MEDIUM",
         "References": [
@@ -203,6 +219,7 @@
         "VulnerabilityID": "CVE-2019-1010025",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.28-10",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "glibc: information disclosure of heap addresses of pthread_created thread",
         "Description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.\"",
         "Severity": "MEDIUM",
@@ -214,6 +231,7 @@
         "VulnerabilityID": "CVE-2019-9192",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.28-10",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c",
         "Description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.",
         "Severity": "MEDIUM",
@@ -225,6 +243,7 @@
         "VulnerabilityID": "CVE-2019-1010022",
         "PkgName": "libc6",
         "InstalledVersion": "2.28-10",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "glibc: stack guard protection bypass",
         "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.",
         "Severity": "HIGH",
@@ -236,6 +255,7 @@
         "VulnerabilityID": "CVE-2010-4051",
         "PkgName": "libc6",
         "InstalledVersion": "2.28-10",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "CVE-2010-4052 glibc: De-recursivise regular expression engine",
         "Description": "The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a \"RE_DUP_MAX overflow.\"",
         "Severity": "MEDIUM",
@@ -257,6 +277,7 @@
         "VulnerabilityID": "CVE-2010-4052",
         "PkgName": "libc6",
         "InstalledVersion": "2.28-10",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "CVE-2010-4051 CVE-2010-4052 glibc: De-recursivise regular expression engine",
         "Description": "Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.",
         "Severity": "MEDIUM",
@@ -278,6 +299,7 @@
         "VulnerabilityID": "CVE-2010-4756",
         "PkgName": "libc6",
         "InstalledVersion": "2.28-10",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions",
         "Description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.",
         "Severity": "MEDIUM",
@@ -291,6 +313,7 @@
         "VulnerabilityID": "CVE-2016-10228",
         "PkgName": "libc6",
         "InstalledVersion": "2.28-10",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "glibc: iconv program can hang when invoked with the -c option",
         "Description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.",
         "Severity": "MEDIUM",
@@ -304,6 +327,7 @@
         "VulnerabilityID": "CVE-2018-20796",
         "PkgName": "libc6",
         "InstalledVersion": "2.28-10",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c",
         "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.",
         "Severity": "MEDIUM",
@@ -318,6 +342,7 @@
         "VulnerabilityID": "CVE-2019-1010023",
         "PkgName": "libc6",
         "InstalledVersion": "2.28-10",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Description": "GNU Libc current is affected by: Re-mapping current loaded libray with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code.",
         "Severity": "MEDIUM",
         "References": [
@@ -330,6 +355,7 @@
         "VulnerabilityID": "CVE-2019-1010024",
         "PkgName": "libc6",
         "InstalledVersion": "2.28-10",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc.",
         "Severity": "MEDIUM",
         "References": [
@@ -342,6 +368,7 @@
         "VulnerabilityID": "CVE-2019-1010025",
         "PkgName": "libc6",
         "InstalledVersion": "2.28-10",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "glibc: information disclosure of heap addresses of pthread_created thread",
         "Description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.\"",
         "Severity": "MEDIUM",
@@ -353,6 +380,7 @@
         "VulnerabilityID": "CVE-2019-9192",
         "PkgName": "libc6",
         "InstalledVersion": "2.28-10",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c",
         "Description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.",
         "Severity": "MEDIUM",
@@ -365,6 +393,7 @@
         "PkgName": "libcom-err2",
         "InstalledVersion": "1.44.5-1+deb10u1",
         "FixedVersion": "1.44.5-1+deb10u2",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
         "Severity": "MEDIUM",
         "References": [
@@ -381,6 +410,7 @@
         "PkgName": "libext2fs2",
         "InstalledVersion": "1.44.5-1+deb10u1",
         "FixedVersion": "1.44.5-1+deb10u2",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
         "Severity": "MEDIUM",
         "References": [
@@ -396,6 +426,7 @@
         "VulnerabilityID": "CVE-2018-12886",
         "PkgName": "libgcc1",
         "InstalledVersion": "8.3.0-6",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "gcc: spilling of stack protection address in cfgexpand.c and function.c leads to stack-overflow protection bypass",
         "Description": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.",
         "Severity": "MEDIUM",
@@ -408,6 +439,7 @@
         "VulnerabilityID": "CVE-2019-15847",
         "PkgName": "libgcc1",
         "InstalledVersion": "8.3.0-6",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "gcc: POWER9 \"DARN\" RNG intrinsic produces repeated output",
         "Description": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.",
         "Severity": "MEDIUM",
@@ -419,6 +451,7 @@
         "VulnerabilityID": "CVE-2018-6829",
         "PkgName": "libgcrypt20",
         "InstalledVersion": "1.8.4-5",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "libgcrypt: ElGamal implementation doesn't have semantic security due to incorrectly encoded plaintexts possibly allowing to obtain sensitive information",
         "Description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.",
         "Severity": "MEDIUM",
@@ -432,6 +465,7 @@
         "VulnerabilityID": "CVE-2019-12904",
         "PkgName": "libgcrypt20",
         "InstalledVersion": "1.8.4-5",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "Libgcrypt: physical addresses being available to other processes leads to a flush-and-reload side-channel attack",
         "Description": "In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.)",
         "Severity": "MEDIUM",
@@ -447,6 +481,7 @@
         "VulnerabilityID": "CVE-2019-13627",
         "PkgName": "libgcrypt20",
         "InstalledVersion": "1.8.4-5",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Description": "It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7.",
         "Severity": "MEDIUM",
         "References": [
@@ -463,6 +498,7 @@
         "VulnerabilityID": "CVE-2011-3389",
         "PkgName": "libgnutls30",
         "InstalledVersion": "3.6.7-4",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)",
         "Description": "The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a \"BEAST\" attack.",
         "Severity": "MEDIUM",
@@ -561,6 +597,7 @@
         "VulnerabilityID": "CVE-2019-17543",
         "PkgName": "liblz4-1",
         "InstalledVersion": "1.8.3-1",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Description": "LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"",
         "Severity": "MEDIUM",
         "References": [
@@ -575,6 +612,7 @@
         "VulnerabilityID": "CVE-2019-17594",
         "PkgName": "libncursesw6",
         "InstalledVersion": "6.1+20181013-2+deb10u1",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
         "Severity": "MEDIUM",
         "References": [
@@ -586,6 +624,7 @@
         "VulnerabilityID": "CVE-2019-17595",
         "PkgName": "libncursesw6",
         "InstalledVersion": "6.1+20181013-2+deb10u1",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
         "Severity": "MEDIUM",
         "References": [
@@ -597,6 +636,7 @@
         "VulnerabilityID": "CVE-2017-11164",
         "PkgName": "libpcre3",
         "InstalledVersion": "2:8.39-12",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "pcre: OP_KETRMAX feature in the match function in pcre_exec.c",
         "Description": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.",
         "Severity": "HIGH",
@@ -609,6 +649,7 @@
         "VulnerabilityID": "CVE-2017-7245",
         "PkgName": "libpcre3",
         "InstalledVersion": "2:8.39-12",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "pcre: stack-based buffer overflow write in pcre32_copy_substring",
         "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.",
         "Severity": "MEDIUM",
@@ -623,6 +664,7 @@
         "VulnerabilityID": "CVE-2017-7246",
         "PkgName": "libpcre3",
         "InstalledVersion": "2:8.39-12",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "pcre: stack-based buffer overflow write in pcre32_copy_substring",
         "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.",
         "Severity": "MEDIUM",
@@ -637,6 +679,7 @@
         "VulnerabilityID": "CVE-2017-16231",
         "PkgName": "libpcre3",
         "InstalledVersion": "2:8.39-12",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "pcre: self-recursive call in match() in pcre_exec.c leads to denial of service",
         "Description": "** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of stack that is used.",
         "Severity": "LOW",
@@ -655,6 +698,7 @@
         "VulnerabilityID": "CVE-2019-9893",
         "PkgName": "libseccomp2",
         "InstalledVersion": "2.3.3-4",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "libseccomp: incorrect generation of syscall filters in libseccomp",
         "Description": "libseccomp before 2.4.0 did not correctly generate 64-bit syscall argument comparisons using the arithmetic operators (LT, GT, LE, GE), which might able to lead to bypassing seccomp filters and potential privilege escalations.",
         "Severity": "HIGH",
@@ -671,6 +715,7 @@
         "PkgName": "libss2",
         "InstalledVersion": "1.44.5-1+deb10u1",
         "FixedVersion": "1.44.5-1+deb10u2",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
         "Severity": "MEDIUM",
         "References": [
@@ -686,6 +731,7 @@
         "VulnerabilityID": "CVE-2018-12886",
         "PkgName": "libstdc++6",
         "InstalledVersion": "8.3.0-6",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "gcc: spilling of stack protection address in cfgexpand.c and function.c leads to stack-overflow protection bypass",
         "Description": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.",
         "Severity": "MEDIUM",
@@ -698,6 +744,7 @@
         "VulnerabilityID": "CVE-2019-15847",
         "PkgName": "libstdc++6",
         "InstalledVersion": "8.3.0-6",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "gcc: POWER9 \"DARN\" RNG intrinsic produces repeated output",
         "Description": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.",
         "Severity": "MEDIUM",
@@ -709,6 +756,7 @@
         "VulnerabilityID": "CVE-2018-20839",
         "PkgName": "libsystemd0",
         "InstalledVersion": "241-7~deb10u1",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "systemd: mishandling of the current keyboard mode check leading to passwords being disclosed in cleartext to attacker",
         "Description": "systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.",
         "Severity": "MEDIUM",
@@ -724,6 +772,7 @@
         "VulnerabilityID": "CVE-2019-3843",
         "PkgName": "libsystemd0",
         "InstalledVersion": "241-7~deb10u1",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "systemd: services with DynamicUser can create SUID/SGID binaries",
         "Description": "It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.",
         "Severity": "MEDIUM",
@@ -738,6 +787,7 @@
         "VulnerabilityID": "CVE-2019-3844",
         "PkgName": "libsystemd0",
         "InstalledVersion": "241-7~deb10u1",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "systemd: services with DynamicUser can get new privileges and create SGID binaries",
         "Description": "It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.",
         "Severity": "MEDIUM",
@@ -751,6 +801,7 @@
         "VulnerabilityID": "CVE-2013-4392",
         "PkgName": "libsystemd0",
         "InstalledVersion": "241-7~deb10u1",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "systemd: TOCTOU race condition when updating file permissions and SELinux security contexts",
         "Description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.",
         "Severity": "LOW",
@@ -764,6 +815,7 @@
         "VulnerabilityID": "CVE-2019-15718",
         "PkgName": "libsystemd0",
         "InstalledVersion": "241-7~deb10u1",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "systemd: systemd-resolved allows unprivileged users to configure DNS",
         "Description": "In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.",
         "Severity": "LOW",
@@ -779,6 +831,7 @@
         "VulnerabilityID": "CVE-2018-1000654",
         "PkgName": "libtasn1-6",
         "InstalledVersion": "4.13-3",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion",
         "Description": "GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file.",
         "Severity": "HIGH",
@@ -793,6 +846,7 @@
         "VulnerabilityID": "CVE-2019-17594",
         "PkgName": "libtinfo6",
         "InstalledVersion": "6.1+20181013-2+deb10u1",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
         "Severity": "MEDIUM",
         "References": [
@@ -804,6 +858,7 @@
         "VulnerabilityID": "CVE-2019-17595",
         "PkgName": "libtinfo6",
         "InstalledVersion": "6.1+20181013-2+deb10u1",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
         "Severity": "MEDIUM",
         "References": [
@@ -815,6 +870,7 @@
         "VulnerabilityID": "CVE-2018-20839",
         "PkgName": "libudev1",
         "InstalledVersion": "241-7~deb10u1",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "systemd: mishandling of the current keyboard mode check leading to passwords being disclosed in cleartext to attacker",
         "Description": "systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.",
         "Severity": "MEDIUM",
@@ -830,6 +886,7 @@
         "VulnerabilityID": "CVE-2019-3843",
         "PkgName": "libudev1",
         "InstalledVersion": "241-7~deb10u1",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "systemd: services with DynamicUser can create SUID/SGID binaries",
         "Description": "It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.",
         "Severity": "MEDIUM",
@@ -844,6 +901,7 @@
         "VulnerabilityID": "CVE-2019-3844",
         "PkgName": "libudev1",
         "InstalledVersion": "241-7~deb10u1",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "systemd: services with DynamicUser can get new privileges and create SGID binaries",
         "Description": "It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.",
         "Severity": "MEDIUM",
@@ -857,6 +915,7 @@
         "VulnerabilityID": "CVE-2013-4392",
         "PkgName": "libudev1",
         "InstalledVersion": "241-7~deb10u1",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "systemd: TOCTOU race condition when updating file permissions and SELinux security contexts",
         "Description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.",
         "Severity": "LOW",
@@ -870,6 +929,7 @@
         "VulnerabilityID": "CVE-2019-15718",
         "PkgName": "libudev1",
         "InstalledVersion": "241-7~deb10u1",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "systemd: systemd-resolved allows unprivileged users to configure DNS",
         "Description": "In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.",
         "Severity": "LOW",
@@ -885,6 +945,7 @@
         "VulnerabilityID": "CVE-2012-2663",
         "PkgName": "libxtables12",
         "InstalledVersion": "1.8.2-4",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "iptables: --syn flag bypass",
         "Description": "extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets.  NOTE: the CVE-2012-6638 fix makes this issue less relevant.",
         "Severity": "HIGH",
@@ -897,6 +958,7 @@
         "VulnerabilityID": "CVE-2019-11360",
         "PkgName": "libxtables12",
         "InstalledVersion": "1.8.2-4",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Description": "A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. This is related to add_param_to_argv in xshared.c.",
         "Severity": "MEDIUM",
         "References": [
@@ -908,6 +970,7 @@
         "VulnerabilityID": "CVE-2007-5686",
         "PkgName": "login",
         "InstalledVersion": "1:4.5-1.1",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Description": "initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts.  NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.",
         "Severity": "MEDIUM",
         "References": [
@@ -923,6 +986,7 @@
         "VulnerabilityID": "CVE-2018-7169",
         "PkgName": "login",
         "InstalledVersion": "1:4.5-1.1",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege escalation",
         "Description": "An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used \"group blacklisting\" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.",
         "Severity": "MEDIUM",
@@ -935,6 +999,7 @@
         "VulnerabilityID": "CVE-2013-4235",
         "PkgName": "login",
         "InstalledVersion": "1:4.5-1.1",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "shadow-utils: TOCTOU race conditions by copying and removing directory trees",
         "Description": "A TOCTOU race condition was discovered in shadow-utils. A local attacker with write privileges in a directory removed or copied by usermod/userdel could potentially exploit this flaw, when the administrator invokes usermod/userdel, to delete or modify other files on the system.",
         "Severity": "LOW"
@@ -943,12 +1008,14 @@
         "VulnerabilityID": "TEMP-0628843-DBAD28",
         "PkgName": "login",
         "InstalledVersion": "1:4.5-1.1",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Severity": "LOW"
       },
       {
         "VulnerabilityID": "CVE-2019-17594",
         "PkgName": "ncurses-base",
         "InstalledVersion": "6.1+20181013-2+deb10u1",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
         "Severity": "MEDIUM",
         "References": [
@@ -960,6 +1027,7 @@
         "VulnerabilityID": "CVE-2019-17595",
         "PkgName": "ncurses-base",
         "InstalledVersion": "6.1+20181013-2+deb10u1",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
         "Severity": "MEDIUM",
         "References": [
@@ -971,6 +1039,7 @@
         "VulnerabilityID": "CVE-2019-17594",
         "PkgName": "ncurses-bin",
         "InstalledVersion": "6.1+20181013-2+deb10u1",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
         "Severity": "MEDIUM",
         "References": [
@@ -982,6 +1051,7 @@
         "VulnerabilityID": "CVE-2019-17595",
         "PkgName": "ncurses-bin",
         "InstalledVersion": "6.1+20181013-2+deb10u1",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
         "Severity": "MEDIUM",
         "References": [
@@ -993,6 +1063,7 @@
         "VulnerabilityID": "CVE-2007-5686",
         "PkgName": "passwd",
         "InstalledVersion": "1:4.5-1.1",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Description": "initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts.  NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.",
         "Severity": "MEDIUM",
         "References": [
@@ -1008,6 +1079,7 @@
         "VulnerabilityID": "CVE-2018-7169",
         "PkgName": "passwd",
         "InstalledVersion": "1:4.5-1.1",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege escalation",
         "Description": "An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used \"group blacklisting\" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.",
         "Severity": "MEDIUM",
@@ -1020,6 +1092,7 @@
         "VulnerabilityID": "CVE-2013-4235",
         "PkgName": "passwd",
         "InstalledVersion": "1:4.5-1.1",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "shadow-utils: TOCTOU race conditions by copying and removing directory trees",
         "Description": "A TOCTOU race condition was discovered in shadow-utils. A local attacker with write privileges in a directory removed or copied by usermod/userdel could potentially exploit this flaw, when the administrator invokes usermod/userdel, to delete or modify other files on the system.",
         "Severity": "LOW"
@@ -1028,12 +1101,14 @@
         "VulnerabilityID": "TEMP-0628843-DBAD28",
         "PkgName": "passwd",
         "InstalledVersion": "1:4.5-1.1",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Severity": "LOW"
       },
       {
         "VulnerabilityID": "CVE-2011-4116",
         "PkgName": "perl-base",
         "InstalledVersion": "5.28.1-6",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "perl: File::Temp insecure temporary file handling",
         "Description": "No description is available for this CVE.",
         "Severity": "LOW"
@@ -1042,12 +1117,14 @@
         "VulnerabilityID": "TEMP-0517018-A83CE6",
         "PkgName": "sysvinit-utils",
         "InstalledVersion": "2.93-8",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Severity": "LOW"
       },
       {
         "VulnerabilityID": "CVE-2005-2541",
         "PkgName": "tar",
         "InstalledVersion": "1.30+dfsg-6",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Description": "Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.",
         "Severity": "CRITICAL",
         "References": [
@@ -1058,6 +1135,7 @@
         "VulnerabilityID": "CVE-2019-9923",
         "PkgName": "tar",
         "InstalledVersion": "1.30+dfsg-6",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Title": "tar: null-pointer dereference in pax_decode_header in sparse.c",
         "Description": "pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.",
         "Severity": "MEDIUM",
@@ -1072,6 +1150,7 @@
         "VulnerabilityID": "TEMP-0290435-0B57B5",
         "PkgName": "tar",
         "InstalledVersion": "1.30+dfsg-6",
+        "LayerID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d",
         "Severity": "LOW"
       }
     ]

integration/testdata/distroless-base-ignore-unfixed.json.golden

@@ -7,6 +7,7 @@
         "PkgName": "libssl1.1",
         "InstalledVersion": "1.1.0k-1~deb9u1",
         "FixedVersion": "1.1.0l-1~deb9u1",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
         "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
         "Severity": "MEDIUM",
@@ -26,6 +27,7 @@
         "PkgName": "openssl",
         "InstalledVersion": "1.1.0k-1~deb9u1",
         "FixedVersion": "1.1.0l-1~deb9u1",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
         "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
         "Severity": "MEDIUM",

integration/testdata/distroless-base.json.golden

@@ -6,6 +6,7 @@
         "VulnerabilityID": "CVE-2018-1000001",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation",
         "Description": "In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.",
         "Severity": "HIGH",
@@ -27,6 +28,7 @@
         "VulnerabilityID": "CVE-2018-6485",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "glibc: Integer overflow in posix_memalign in memalign functions",
         "Description": "An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.",
         "Severity": "HIGH",
@@ -45,6 +47,7 @@
         "VulnerabilityID": "CVE-2018-6551",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "glibc: integer overflow in malloc functions",
         "Description": "The malloc implementation in the GNU C Library (aka glibc or libc6), from version 2.24 to 2.26 on powerpc, and only in version 2.26 on i386, did not properly handle malloc calls with arguments close to SIZE_MAX and could return a pointer to a heap region that is smaller than requested, eventually leading to heap corruption.",
         "Severity": "HIGH",
@@ -59,6 +62,7 @@
         "VulnerabilityID": "CVE-2019-1010022",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "glibc: stack guard protection bypass",
         "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.",
         "Severity": "HIGH",
@@ -70,6 +74,7 @@
         "VulnerabilityID": "CVE-2019-9169",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read",
         "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.",
         "Severity": "HIGH",
@@ -89,6 +94,7 @@
         "VulnerabilityID": "CVE-2009-5155",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result",
         "Description": "In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.",
         "Severity": "MEDIUM",
@@ -109,6 +115,7 @@
         "VulnerabilityID": "CVE-2010-4051",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "CVE-2010-4052 glibc: De-recursivise regular expression engine",
         "Description": "The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a \"RE_DUP_MAX overflow.\"",
         "Severity": "MEDIUM",
@@ -130,6 +137,7 @@
         "VulnerabilityID": "CVE-2010-4052",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "CVE-2010-4051 CVE-2010-4052 glibc: De-recursivise regular expression engine",
         "Description": "Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.",
         "Severity": "MEDIUM",
@@ -151,6 +159,7 @@
         "VulnerabilityID": "CVE-2010-4756",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions",
         "Description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.",
         "Severity": "MEDIUM",
@@ -164,6 +173,7 @@
         "VulnerabilityID": "CVE-2015-8985",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "glibc: potential denial of service in pop_fail_stack()",
         "Description": "The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.",
         "Severity": "MEDIUM",
@@ -179,6 +189,7 @@
         "VulnerabilityID": "CVE-2016-10228",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "glibc: iconv program can hang when invoked with the -c option",
         "Description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.",
         "Severity": "MEDIUM",
@@ -192,6 +203,7 @@
         "VulnerabilityID": "CVE-2016-10739",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters",
         "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.",
         "Severity": "MEDIUM",
@@ -208,6 +220,7 @@
         "VulnerabilityID": "CVE-2017-12132",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "glibc: Fragmentation attacks possible when EDNS0 is enabled",
         "Description": "The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.",
         "Severity": "MEDIUM",
@@ -223,6 +236,7 @@
         "VulnerabilityID": "CVE-2018-20796",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c",
         "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.",
         "Severity": "MEDIUM",
@@ -237,6 +251,7 @@
         "VulnerabilityID": "CVE-2019-1010023",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Description": "GNU Libc current is affected by: Re-mapping current loaded libray with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code.",
         "Severity": "MEDIUM",
         "References": [
@@ -249,6 +264,7 @@
         "VulnerabilityID": "CVE-2019-1010024",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc.",
         "Severity": "MEDIUM",
         "References": [
@@ -261,6 +277,7 @@
         "VulnerabilityID": "CVE-2019-1010025",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "glibc: information disclosure of heap addresses of pthread_created thread",
         "Description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.\"",
         "Severity": "MEDIUM",
@@ -272,6 +289,7 @@
         "VulnerabilityID": "CVE-2019-6488",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "glibc: Incorrect attempt to use a 64-bit register for size_t in assembly codes results in segmentation fault",
         "Description": "The string component in the GNU C Library (aka glibc or libc6) through 2.28, when running on the x32 architecture, incorrectly attempts to use a 64-bit register for size_t in assembly codes, which can lead to a segmentation fault or possibly unspecified other impact, as demonstrated by a crash in __memmove_avx_unaligned_erms in sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S during a memcpy.",
         "Severity": "MEDIUM",
@@ -285,6 +303,7 @@
         "VulnerabilityID": "CVE-2019-9192",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c",
         "Description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.",
         "Severity": "MEDIUM",
@@ -296,6 +315,7 @@
         "VulnerabilityID": "CVE-2019-7309",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "glibc: memcmp function incorrectly returns zero",
         "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled.",
         "Severity": "LOW",
@@ -310,6 +330,7 @@
         "VulnerabilityID": "CVE-2007-6755",
         "PkgName": "libssl1.1",
         "InstalledVersion": "1.1.0k-1~deb9u1",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "Dual_EC_DRBG: weak pseudo random number generator",
         "Description": "The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain \"skeleton key\" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values.  NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.",
         "Severity": "MEDIUM",
@@ -328,6 +349,7 @@
         "VulnerabilityID": "CVE-2010-0928",
         "PkgName": "libssl1.1",
         "InstalledVersion": "1.1.0k-1~deb9u1",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "openssl: RSA authentication weakness",
         "Description": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a \"fault-based attack.\"",
         "Severity": "MEDIUM",
@@ -345,6 +367,7 @@
         "PkgName": "libssl1.1",
         "InstalledVersion": "1.1.0k-1~deb9u1",
         "FixedVersion": "1.1.0l-1~deb9u1",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
         "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
         "Severity": "MEDIUM",
@@ -363,6 +386,7 @@
         "VulnerabilityID": "CVE-2007-6755",
         "PkgName": "openssl",
         "InstalledVersion": "1.1.0k-1~deb9u1",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "Dual_EC_DRBG: weak pseudo random number generator",
         "Description": "The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain \"skeleton key\" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values.  NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.",
         "Severity": "MEDIUM",
@@ -381,6 +405,7 @@
         "VulnerabilityID": "CVE-2010-0928",
         "PkgName": "openssl",
         "InstalledVersion": "1.1.0k-1~deb9u1",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "openssl: RSA authentication weakness",
         "Description": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a \"fault-based attack.\"",
         "Severity": "MEDIUM",
@@ -398,6 +423,7 @@
         "PkgName": "openssl",
         "InstalledVersion": "1.1.0k-1~deb9u1",
         "FixedVersion": "1.1.0l-1~deb9u1",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
         "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
         "Severity": "MEDIUM",

integration/testdata/distroless-python27.json.golden

@@ -6,6 +6,7 @@
         "VulnerabilityID": "CVE-2019-12900",
         "PkgName": "libbz2-1.0",
         "InstalledVersion": "1.0.6-8.1",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "bzip2: out-of-bounds write in function BZ2_decompress",
         "Description": "BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.",
         "Severity": "HIGH",
@@ -21,6 +22,7 @@
         "VulnerabilityID": "CVE-2018-1000001",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation",
         "Description": "In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.",
         "Severity": "HIGH",
@@ -42,6 +44,7 @@
         "VulnerabilityID": "CVE-2018-6485",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "glibc: Integer overflow in posix_memalign in memalign functions",
         "Description": "An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.",
         "Severity": "HIGH",
@@ -60,6 +63,7 @@
         "VulnerabilityID": "CVE-2018-6551",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "glibc: integer overflow in malloc functions",
         "Description": "The malloc implementation in the GNU C Library (aka glibc or libc6), from version 2.24 to 2.26 on powerpc, and only in version 2.26 on i386, did not properly handle malloc calls with arguments close to SIZE_MAX and could return a pointer to a heap region that is smaller than requested, eventually leading to heap corruption.",
         "Severity": "HIGH",
@@ -74,6 +78,7 @@
         "VulnerabilityID": "CVE-2019-1010022",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "glibc: stack guard protection bypass",
         "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.",
         "Severity": "HIGH",
@@ -85,6 +90,7 @@
         "VulnerabilityID": "CVE-2019-9169",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read",
         "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.",
         "Severity": "HIGH",
@@ -104,6 +110,7 @@
         "VulnerabilityID": "CVE-2009-5155",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result",
         "Description": "In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.",
         "Severity": "MEDIUM",
@@ -124,6 +131,7 @@
         "VulnerabilityID": "CVE-2010-4051",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "CVE-2010-4052 glibc: De-recursivise regular expression engine",
         "Description": "The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a \"RE_DUP_MAX overflow.\"",
         "Severity": "MEDIUM",
@@ -145,6 +153,7 @@
         "VulnerabilityID": "CVE-2010-4052",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "CVE-2010-4051 CVE-2010-4052 glibc: De-recursivise regular expression engine",
         "Description": "Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.",
         "Severity": "MEDIUM",
@@ -166,6 +175,7 @@
         "VulnerabilityID": "CVE-2010-4756",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions",
         "Description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.",
         "Severity": "MEDIUM",
@@ -179,6 +189,7 @@
         "VulnerabilityID": "CVE-2015-8985",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "glibc: potential denial of service in pop_fail_stack()",
         "Description": "The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.",
         "Severity": "MEDIUM",
@@ -194,6 +205,7 @@
         "VulnerabilityID": "CVE-2016-10228",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "glibc: iconv program can hang when invoked with the -c option",
         "Description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.",
         "Severity": "MEDIUM",
@@ -207,6 +219,7 @@
         "VulnerabilityID": "CVE-2016-10739",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters",
         "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.",
         "Severity": "MEDIUM",
@@ -223,6 +236,7 @@
         "VulnerabilityID": "CVE-2017-12132",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "glibc: Fragmentation attacks possible when EDNS0 is enabled",
         "Description": "The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.",
         "Severity": "MEDIUM",
@@ -238,6 +252,7 @@
         "VulnerabilityID": "CVE-2018-20796",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c",
         "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.",
         "Severity": "MEDIUM",
@@ -252,6 +267,7 @@
         "VulnerabilityID": "CVE-2019-1010023",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Description": "GNU Libc current is affected by: Re-mapping current loaded libray with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code.",
         "Severity": "MEDIUM",
         "References": [
@@ -264,6 +280,7 @@
         "VulnerabilityID": "CVE-2019-1010024",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc.",
         "Severity": "MEDIUM",
         "References": [
@@ -276,6 +293,7 @@
         "VulnerabilityID": "CVE-2019-1010025",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "glibc: information disclosure of heap addresses of pthread_created thread",
         "Description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.\"",
         "Severity": "MEDIUM",
@@ -287,6 +305,7 @@
         "VulnerabilityID": "CVE-2019-6488",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "glibc: Incorrect attempt to use a 64-bit register for size_t in assembly codes results in segmentation fault",
         "Description": "The string component in the GNU C Library (aka glibc or libc6) through 2.28, when running on the x32 architecture, incorrectly attempts to use a 64-bit register for size_t in assembly codes, which can lead to a segmentation fault or possibly unspecified other impact, as demonstrated by a crash in __memmove_avx_unaligned_erms in sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S during a memcpy.",
         "Severity": "MEDIUM",
@@ -300,6 +319,7 @@
         "VulnerabilityID": "CVE-2019-9192",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c",
         "Description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.",
         "Severity": "MEDIUM",
@@ -311,6 +331,7 @@
         "VulnerabilityID": "CVE-2019-7309",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "glibc: memcmp function incorrectly returns zero",
         "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled.",
         "Severity": "LOW",
@@ -325,6 +346,7 @@
         "VulnerabilityID": "CVE-2018-1000001",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation",
         "Description": "In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.",
         "Severity": "HIGH",
@@ -346,6 +368,7 @@
         "VulnerabilityID": "CVE-2018-6485",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "glibc: Integer overflow in posix_memalign in memalign functions",
         "Description": "An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.",
         "Severity": "HIGH",
@@ -364,6 +387,7 @@
         "VulnerabilityID": "CVE-2018-6551",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "glibc: integer overflow in malloc functions",
         "Description": "The malloc implementation in the GNU C Library (aka glibc or libc6), from version 2.24 to 2.26 on powerpc, and only in version 2.26 on i386, did not properly handle malloc calls with arguments close to SIZE_MAX and could return a pointer to a heap region that is smaller than requested, eventually leading to heap corruption.",
         "Severity": "HIGH",
@@ -378,6 +402,7 @@
         "VulnerabilityID": "CVE-2019-1010022",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "glibc: stack guard protection bypass",
         "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.",
         "Severity": "HIGH",
@@ -389,6 +414,7 @@
         "VulnerabilityID": "CVE-2019-9169",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read",
         "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.",
         "Severity": "HIGH",
@@ -408,6 +434,7 @@
         "VulnerabilityID": "CVE-2009-5155",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result",
         "Description": "In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.",
         "Severity": "MEDIUM",
@@ -428,6 +455,7 @@
         "VulnerabilityID": "CVE-2010-4051",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "CVE-2010-4052 glibc: De-recursivise regular expression engine",
         "Description": "The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a \"RE_DUP_MAX overflow.\"",
         "Severity": "MEDIUM",
@@ -449,6 +477,7 @@
         "VulnerabilityID": "CVE-2010-4052",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "CVE-2010-4051 CVE-2010-4052 glibc: De-recursivise regular expression engine",
         "Description": "Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.",
         "Severity": "MEDIUM",
@@ -470,6 +499,7 @@
         "VulnerabilityID": "CVE-2010-4756",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions",
         "Description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.",
         "Severity": "MEDIUM",
@@ -483,6 +513,7 @@
         "VulnerabilityID": "CVE-2015-8985",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "glibc: potential denial of service in pop_fail_stack()",
         "Description": "The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.",
         "Severity": "MEDIUM",
@@ -498,6 +529,7 @@
         "VulnerabilityID": "CVE-2016-10228",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "glibc: iconv program can hang when invoked with the -c option",
         "Description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.",
         "Severity": "MEDIUM",
@@ -511,6 +543,7 @@
         "VulnerabilityID": "CVE-2016-10739",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters",
         "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.",
         "Severity": "MEDIUM",
@@ -527,6 +560,7 @@
         "VulnerabilityID": "CVE-2017-12132",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "glibc: Fragmentation attacks possible when EDNS0 is enabled",
         "Description": "The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.",
         "Severity": "MEDIUM",
@@ -542,6 +576,7 @@
         "VulnerabilityID": "CVE-2018-20796",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c",
         "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.",
         "Severity": "MEDIUM",
@@ -556,6 +591,7 @@
         "VulnerabilityID": "CVE-2019-1010023",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Description": "GNU Libc current is affected by: Re-mapping current loaded libray with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code.",
         "Severity": "MEDIUM",
         "References": [
@@ -568,6 +604,7 @@
         "VulnerabilityID": "CVE-2019-1010024",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc.",
         "Severity": "MEDIUM",
         "References": [
@@ -580,6 +617,7 @@
         "VulnerabilityID": "CVE-2019-1010025",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "glibc: information disclosure of heap addresses of pthread_created thread",
         "Description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.\"",
         "Severity": "MEDIUM",
@@ -591,6 +629,7 @@
         "VulnerabilityID": "CVE-2019-6488",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "glibc: Incorrect attempt to use a 64-bit register for size_t in assembly codes results in segmentation fault",
         "Description": "The string component in the GNU C Library (aka glibc or libc6) through 2.28, when running on the x32 architecture, incorrectly attempts to use a 64-bit register for size_t in assembly codes, which can lead to a segmentation fault or possibly unspecified other impact, as demonstrated by a crash in __memmove_avx_unaligned_erms in sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S during a memcpy.",
         "Severity": "MEDIUM",
@@ -604,6 +643,7 @@
         "VulnerabilityID": "CVE-2019-9192",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c",
         "Description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.",
         "Severity": "MEDIUM",
@@ -615,6 +655,7 @@
         "VulnerabilityID": "CVE-2019-7309",
         "PkgName": "libc6",
         "InstalledVersion": "2.24-11+deb9u4",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "glibc: memcmp function incorrectly returns zero",
         "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled.",
         "Severity": "LOW",
@@ -629,6 +670,7 @@
         "VulnerabilityID": "CVE-2013-0340",
         "PkgName": "libexpat1",
         "InstalledVersion": "2.2.0-2+deb9u2",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "expat: internal entity expansion",
         "Description": "expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue.  NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.",
         "Severity": "MEDIUM",
@@ -646,6 +688,7 @@
         "PkgName": "libexpat1",
         "InstalledVersion": "2.2.0-2+deb9u2",
         "FixedVersion": "2.2.0-2+deb9u3",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "expat: heap-based buffer over-read via crafted XML input",
         "Description": "In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.",
         "Severity": "MEDIUM",
@@ -665,6 +708,7 @@
         "VulnerabilityID": "CVE-2018-12886",
         "PkgName": "libgcc1",
         "InstalledVersion": "6.3.0-18+deb9u1",
+        "LayerID": "sha256:6189abe095d53c1c9f2bfc8f50128ee876b9a5d10f9eda1564e5f5357d6ffe61",
         "Title": "gcc: spilling of stack protection address in cfgexpand.c and function.c leads to stack-overflow protection bypass",
         "Description": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.",
         "Severity": "MEDIUM",
@@ -677,6 +721,7 @@
         "VulnerabilityID": "CVE-2018-12886",
         "PkgName": "libgomp1",
         "InstalledVersion": "6.3.0-18+deb9u1",
+        "LayerID": "sha256:6189abe095d53c1c9f2bfc8f50128ee876b9a5d10f9eda1564e5f5357d6ffe61",
         "Title": "gcc: spilling of stack protection address in cfgexpand.c and function.c leads to stack-overflow protection bypass",
         "Description": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.",
         "Severity": "MEDIUM",
@@ -689,6 +734,7 @@
         "VulnerabilityID": "CVE-2018-19211",
         "PkgName": "libncursesw5",
         "InstalledVersion": "6.0+20161126-1+deb9u2",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "ncurses: Null pointer dereference at function _nc_parse_entry in parse_entry.c",
         "Description": "In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a \"dubious character `*' in name or alias field\" detection.",
         "Severity": "MEDIUM",
@@ -701,6 +747,7 @@
         "VulnerabilityID": "CVE-2019-17594",
         "PkgName": "libncursesw5",
         "InstalledVersion": "6.0+20161126-1+deb9u2",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
         "Severity": "MEDIUM",
         "References": [
@@ -712,6 +759,7 @@
         "VulnerabilityID": "CVE-2019-17595",
         "PkgName": "libncursesw5",
         "InstalledVersion": "6.0+20161126-1+deb9u2",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
         "Severity": "MEDIUM",
         "References": [
@@ -723,6 +771,7 @@
         "VulnerabilityID": "CVE-2019-5010",
         "PkgName": "libpython2.7-minimal",
         "InstalledVersion": "2.7.13-2+deb9u3",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "python: NULL pointer dereference using a specially crafted X509 certificate",
         "Description": "A null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.",
         "Severity": "HIGH",
@@ -735,6 +784,7 @@
         "VulnerabilityID": "CVE-2013-7040",
         "PkgName": "libpython2.7-minimal",
         "InstalledVersion": "2.7.13-2+deb9u3",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "python: hash secret can be recovered remotely",
         "Description": "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.",
         "Severity": "MEDIUM",
@@ -751,6 +801,7 @@
         "VulnerabilityID": "CVE-2017-17522",
         "PkgName": "libpython2.7-minimal",
         "InstalledVersion": "2.7.13-2+deb9u3",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "python: Command injection in Lib/webbrowser.py",
         "Description": "** DISPUTED ** Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer indicates that exploitation is impossible because the code relies on subprocess.Popen and the default shell=False setting.",
         "Severity": "MEDIUM",
@@ -764,6 +815,7 @@
         "VulnerabilityID": "CVE-2018-1000030",
         "PkgName": "libpython2.7-minimal",
         "InstalledVersion": "2.7.13-2+deb9u3",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "python: Heap-Buffer-Overflow and Heap-Use-After-Free in Objects/fileobject.c",
         "Description": "Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3-\u003eMalloc-\u003eThread1-\u003eFree's-\u003eThread2-Re-uses-Free'd Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.",
         "Severity": "MEDIUM",
@@ -781,6 +833,7 @@
         "VulnerabilityID": "CVE-2018-20852",
         "PkgName": "libpython2.7-minimal",
         "InstalledVersion": "2.7.13-2+deb9u3",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "python: Cookie domain check returns incorrect results",
         "Description": "http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.",
         "Severity": "MEDIUM",
@@ -797,6 +850,7 @@
         "VulnerabilityID": "CVE-2019-16056",
         "PkgName": "libpython2.7-minimal",
         "InstalledVersion": "2.7.13-2+deb9u3",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "python: email.utils.parseaddr wrongly parses email addresses",
         "Description": "An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.",
         "Severity": "MEDIUM",
@@ -816,6 +870,7 @@
         "VulnerabilityID": "CVE-2019-16935",
         "PkgName": "libpython2.7-minimal",
         "InstalledVersion": "2.7.13-2+deb9u3",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "python: XSS vulnerability in the documentation XML-RPC server in server_title field",
         "Description": "The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.",
         "Severity": "MEDIUM",
@@ -833,6 +888,7 @@
         "VulnerabilityID": "CVE-2019-9636",
         "PkgName": "libpython2.7-minimal",
         "InstalledVersion": "2.7.13-2+deb9u3",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "python: Information Disclosure due to urlsplit improper NFKC normalization",
         "Description": "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.",
         "Severity": "MEDIUM",
@@ -872,6 +928,7 @@
         "VulnerabilityID": "CVE-2019-9740",
         "PkgName": "libpython2.7-minimal",
         "InstalledVersion": "2.7.13-2+deb9u3",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "python: CRLF injection via the query part of the url passed to urlopen()",
         "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.",
         "Severity": "MEDIUM",
@@ -888,6 +945,7 @@
         "VulnerabilityID": "CVE-2019-9947",
         "PkgName": "libpython2.7-minimal",
         "InstalledVersion": "2.7.13-2+deb9u3",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "python: CRLF injection via the path part of the url passed to urlopen()",
         "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.",
         "Severity": "MEDIUM",
@@ -904,6 +962,7 @@
         "VulnerabilityID": "CVE-2019-9948",
         "PkgName": "libpython2.7-minimal",
         "InstalledVersion": "2.7.13-2+deb9u3",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms",
         "Description": "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.",
         "Severity": "MEDIUM",
@@ -922,6 +981,7 @@
         "VulnerabilityID": "CVE-2019-8457",
         "PkgName": "libsqlite3-0",
         "InstalledVersion": "3.27.2-3~bpo9+1",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "sqlite3: heap out-of-bound read in function rtreenode()",
         "Description": "SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.",
         "Severity": "HIGH",
@@ -938,6 +998,7 @@
         "VulnerabilityID": "CVE-2017-13685",
         "PkgName": "libsqlite3-0",
         "InstalledVersion": "3.27.2-3~bpo9+1",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "sqlite: Local DoS via dump_callback function",
         "Description": "The dump_callback function in SQLite 3.20.0 allows remote attackers to cause a denial of service (EXC_BAD_ACCESS and application crash) via a crafted file.",
         "Severity": "MEDIUM",
@@ -951,6 +1012,7 @@
         "VulnerabilityID": "CVE-2018-20346",
         "PkgName": "libsqlite3-0",
         "InstalledVersion": "3.27.2-3~bpo9+1",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "CVE-2018-20505 CVE-2018-20506 sqlite: Multiple flaws in sqlite which can be triggered via corrupted internal databases (Magellan)",
         "Description": "SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan.",
         "Severity": "MEDIUM",
@@ -985,6 +1047,7 @@
         "VulnerabilityID": "CVE-2018-20505",
         "PkgName": "libsqlite3-0",
         "InstalledVersion": "3.27.2-3~bpo9+1",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "CVE-2018-20346 CVE-2018-20505 CVE-2018-20506 sqlite: Multiple flaws in sqlite which can be triggered via corrupted internal databases (Magellan)",
         "Description": "SQLite 3.25.2, when queries are run on a table with a malformed PRIMARY KEY, allows remote attackers to cause a denial of service (application crash) by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases).",
         "Severity": "MEDIUM",
@@ -1021,6 +1084,7 @@
         "VulnerabilityID": "CVE-2018-20506",
         "PkgName": "libsqlite3-0",
         "InstalledVersion": "3.27.2-3~bpo9+1",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "CVE-2018-20346 CVE-2018-20505 CVE-2018-20506 sqlite: Multiple flaws in sqlite which can be triggered via corrupted internal databases (Magellan)",
         "Description": "SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries in a \"merge\" operation that occurs after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases). This is a different vulnerability than CVE-2018-20346.",
         "Severity": "MEDIUM",
@@ -1059,6 +1123,7 @@
         "VulnerabilityID": "CVE-2018-8740",
         "PkgName": "libsqlite3-0",
         "InstalledVersion": "3.27.2-3~bpo9+1",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "sqlite: NULL pointer dereference with databases with schema corrupted with CREATE TABLE AS allows for denial of service",
         "Description": "In SQLite through 3.22.0, databases whose schema is corrupted using a CREATE TABLE AS statement could cause a NULL pointer dereference, related to build.c and prepare.c.",
         "Severity": "MEDIUM",
@@ -1077,6 +1142,7 @@
         "VulnerabilityID": "CVE-2019-16168",
         "PkgName": "libsqlite3-0",
         "InstalledVersion": "3.27.2-3~bpo9+1",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Description": "In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a \"severe division by zero in the query planner.\"",
         "Severity": "MEDIUM",
         "References": [
@@ -1090,6 +1156,7 @@
         "VulnerabilityID": "CVE-2019-5827",
         "PkgName": "libsqlite3-0",
         "InstalledVersion": "3.27.2-3~bpo9+1",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "chromium-browser: out-of-bounds access in SQLite",
         "Description": "Integer overflow in SQLite via WebSQL in Google Chrome prior to 74.0.3729.131 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
         "Severity": "MEDIUM",
@@ -1106,6 +1173,7 @@
         "VulnerabilityID": "CVE-2019-9936",
         "PkgName": "libsqlite3-0",
         "InstalledVersion": "3.27.2-3~bpo9+1",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "sqlite: heap-based buffer over-read in function fts5HashEntrySort in sqlite3.c",
         "Description": "In SQLite 3.27.2, running fts5 prefix queries inside a transaction could trigger a heap-based buffer over-read in fts5HashEntrySort in sqlite3.c, which may lead to an information leak. This is related to ext/fts5/fts5_hash.c.",
         "Severity": "MEDIUM",
@@ -1125,6 +1193,7 @@
         "VulnerabilityID": "CVE-2019-9937",
         "PkgName": "libsqlite3-0",
         "InstalledVersion": "3.27.2-3~bpo9+1",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "sqlite: null-pointer dereference in function fts5ChunkIterate in sqlite3.c",
         "Description": "In SQLite 3.27.2, interleaving reads and writes in a single transaction with an fts5 virtual table will lead to a NULL Pointer Dereference in fts5ChunkIterate in sqlite3.c. This is related to ext/fts5/fts5_hash.c and ext/fts5/fts5_index.c.",
         "Severity": "MEDIUM",
@@ -1144,6 +1213,7 @@
         "VulnerabilityID": "CVE-2007-6755",
         "PkgName": "libssl1.1",
         "InstalledVersion": "1.1.0k-1~deb9u1",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "Dual_EC_DRBG: weak pseudo random number generator",
         "Description": "The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain \"skeleton key\" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values.  NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.",
         "Severity": "MEDIUM",
@@ -1162,6 +1232,7 @@
         "VulnerabilityID": "CVE-2010-0928",
         "PkgName": "libssl1.1",
         "InstalledVersion": "1.1.0k-1~deb9u1",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "openssl: RSA authentication weakness",
         "Description": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a \"fault-based attack.\"",
         "Severity": "MEDIUM",
@@ -1179,6 +1250,7 @@
         "PkgName": "libssl1.1",
         "InstalledVersion": "1.1.0k-1~deb9u1",
         "FixedVersion": "1.1.0l-1~deb9u1",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
         "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
         "Severity": "MEDIUM",
@@ -1197,6 +1269,7 @@
         "VulnerabilityID": "CVE-2018-12886",
         "PkgName": "libstdc++6",
         "InstalledVersion": "6.3.0-18+deb9u1",
+        "LayerID": "sha256:6189abe095d53c1c9f2bfc8f50128ee876b9a5d10f9eda1564e5f5357d6ffe61",
         "Title": "gcc: spilling of stack protection address in cfgexpand.c and function.c leads to stack-overflow protection bypass",
         "Description": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.",
         "Severity": "MEDIUM",
@@ -1209,6 +1282,7 @@
         "VulnerabilityID": "CVE-2018-19211",
         "PkgName": "libtinfo5",
         "InstalledVersion": "6.0+20161126-1+deb9u2",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "ncurses: Null pointer dereference at function _nc_parse_entry in parse_entry.c",
         "Description": "In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a \"dubious character `*' in name or alias field\" detection.",
         "Severity": "MEDIUM",
@@ -1221,6 +1295,7 @@
         "VulnerabilityID": "CVE-2019-17594",
         "PkgName": "libtinfo5",
         "InstalledVersion": "6.0+20161126-1+deb9u2",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
         "Severity": "MEDIUM",
         "References": [
@@ -1232,6 +1307,7 @@
         "VulnerabilityID": "CVE-2019-17595",
         "PkgName": "libtinfo5",
         "InstalledVersion": "6.0+20161126-1+deb9u2",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
         "Severity": "MEDIUM",
         "References": [
@@ -1243,6 +1319,7 @@
         "VulnerabilityID": "CVE-2007-6755",
         "PkgName": "openssl",
         "InstalledVersion": "1.1.0k-1~deb9u1",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "Dual_EC_DRBG: weak pseudo random number generator",
         "Description": "The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain \"skeleton key\" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values.  NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.",
         "Severity": "MEDIUM",
@@ -1261,6 +1338,7 @@
         "VulnerabilityID": "CVE-2010-0928",
         "PkgName": "openssl",
         "InstalledVersion": "1.1.0k-1~deb9u1",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "openssl: RSA authentication weakness",
         "Description": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a \"fault-based attack.\"",
         "Severity": "MEDIUM",
@@ -1278,6 +1356,7 @@
         "PkgName": "openssl",
         "InstalledVersion": "1.1.0k-1~deb9u1",
         "FixedVersion": "1.1.0l-1~deb9u1",
+        "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
         "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
         "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
         "Severity": "MEDIUM",
@@ -1296,6 +1375,7 @@
         "VulnerabilityID": "CVE-2019-5010",
         "PkgName": "python2.7-minimal",
         "InstalledVersion": "2.7.13-2+deb9u3",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "python: NULL pointer dereference using a specially crafted X509 certificate",
         "Description": "A null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.",
         "Severity": "HIGH",
@@ -1308,6 +1388,7 @@
         "VulnerabilityID": "CVE-2013-7040",
         "PkgName": "python2.7-minimal",
         "InstalledVersion": "2.7.13-2+deb9u3",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "python: hash secret can be recovered remotely",
         "Description": "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.",
         "Severity": "MEDIUM",
@@ -1324,6 +1405,7 @@
         "VulnerabilityID": "CVE-2017-17522",
         "PkgName": "python2.7-minimal",
         "InstalledVersion": "2.7.13-2+deb9u3",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "python: Command injection in Lib/webbrowser.py",
         "Description": "** DISPUTED ** Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer indicates that exploitation is impossible because the code relies on subprocess.Popen and the default shell=False setting.",
         "Severity": "MEDIUM",
@@ -1337,6 +1419,7 @@
         "VulnerabilityID": "CVE-2018-1000030",
         "PkgName": "python2.7-minimal",
         "InstalledVersion": "2.7.13-2+deb9u3",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "python: Heap-Buffer-Overflow and Heap-Use-After-Free in Objects/fileobject.c",
         "Description": "Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3-\u003eMalloc-\u003eThread1-\u003eFree's-\u003eThread2-Re-uses-Free'd Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.",
         "Severity": "MEDIUM",
@@ -1354,6 +1437,7 @@
         "VulnerabilityID": "CVE-2018-20852",
         "PkgName": "python2.7-minimal",
         "InstalledVersion": "2.7.13-2+deb9u3",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "python: Cookie domain check returns incorrect results",
         "Description": "http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.",
         "Severity": "MEDIUM",
@@ -1370,6 +1454,7 @@
         "VulnerabilityID": "CVE-2019-16056",
         "PkgName": "python2.7-minimal",
         "InstalledVersion": "2.7.13-2+deb9u3",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "python: email.utils.parseaddr wrongly parses email addresses",
         "Description": "An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.",
         "Severity": "MEDIUM",
@@ -1389,6 +1474,7 @@
         "VulnerabilityID": "CVE-2019-16935",
         "PkgName": "python2.7-minimal",
         "InstalledVersion": "2.7.13-2+deb9u3",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "python: XSS vulnerability in the documentation XML-RPC server in server_title field",
         "Description": "The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.",
         "Severity": "MEDIUM",
@@ -1406,6 +1492,7 @@
         "VulnerabilityID": "CVE-2019-9636",
         "PkgName": "python2.7-minimal",
         "InstalledVersion": "2.7.13-2+deb9u3",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "python: Information Disclosure due to urlsplit improper NFKC normalization",
         "Description": "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.",
         "Severity": "MEDIUM",
@@ -1445,6 +1532,7 @@
         "VulnerabilityID": "CVE-2019-9740",
         "PkgName": "python2.7-minimal",
         "InstalledVersion": "2.7.13-2+deb9u3",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "python: CRLF injection via the query part of the url passed to urlopen()",
         "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.",
         "Severity": "MEDIUM",
@@ -1461,6 +1549,7 @@
         "VulnerabilityID": "CVE-2019-9947",
         "PkgName": "python2.7-minimal",
         "InstalledVersion": "2.7.13-2+deb9u3",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "python: CRLF injection via the path part of the url passed to urlopen()",
         "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.",
         "Severity": "MEDIUM",
@@ -1477,6 +1566,7 @@
         "VulnerabilityID": "CVE-2019-9948",
         "PkgName": "python2.7-minimal",
         "InstalledVersion": "2.7.13-2+deb9u3",
+        "LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e",
         "Title": "python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms",
         "Description": "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.",
         "Severity": "MEDIUM",

integration/testdata/opensuse-leap-151.json.golden

@@ -7,6 +7,7 @@
         "PkgName": "cpio",
         "InstalledVersion": "2.12-lp151.2.68",
         "FixedVersion": "2.12-lp151.3.3.1",
+        "LayerID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff",
         "Title": "Security update for cpio",
         "Severity": "MEDIUM",
         "References": [
@@ -19,6 +20,7 @@
         "PkgName": "libidn2-0",
         "InstalledVersion": "2.0.4-lp151.2.3",
         "FixedVersion": "2.2.0-lp151.3.3.1",
+        "LayerID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff",
         "Title": "Security update for libidn2",
         "Severity": "MEDIUM",
         "References": [
@@ -31,6 +33,7 @@
         "PkgName": "libncurses6",
         "InstalledVersion": "6.1-lp151.5.41",
         "FixedVersion": "6.1-lp151.6.3.1",
+        "LayerID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff",
         "Title": "Security update for ncurses",
         "Severity": "MEDIUM",
         "References": [
@@ -43,6 +46,7 @@
         "PkgName": "libssh4",
         "InstalledVersion": "0.8.7-lp151.2.3.1",
         "FixedVersion": "0.8.7-lp151.2.6.1",
+        "LayerID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff",
         "Title": "Security update for libssh",
         "Severity": "MEDIUM",
         "References": [
@@ -55,6 +59,7 @@
         "PkgName": "libxml2-2",
         "InstalledVersion": "2.9.7-lp151.5.3.1",
         "FixedVersion": "2.9.7-lp151.5.6.1",
+        "LayerID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff",
         "Title": "Security update for libxml2",
         "Severity": "UNKNOWN",
         "References": [
@@ -67,6 +72,7 @@
         "PkgName": "ncurses-utils",
         "InstalledVersion": "6.1-lp151.5.41",
         "FixedVersion": "6.1-lp151.6.3.1",
+        "LayerID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff",
         "Title": "Security update for ncurses",
         "Severity": "MEDIUM",
         "References": [
@@ -79,6 +85,7 @@
         "PkgName": "permissions",
         "InstalledVersion": "20181116-lp151.4.6.1",
         "FixedVersion": "20181116-lp151.4.9.1",
+        "LayerID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff",
         "Title": "Security update for permissions",
         "Severity": "MEDIUM",
         "References": [
@@ -91,6 +98,7 @@
         "PkgName": "terminfo-base",
         "InstalledVersion": "6.1-lp151.5.41",
         "FixedVersion": "6.1-lp151.6.3.1",
+        "LayerID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff",
         "Title": "Security update for ncurses",
         "Severity": "MEDIUM",
         "References": [

integration/testdata/oraclelinux-6-slim.json.golden

@@ -7,6 +7,7 @@
         "PkgName": "libssh2",
         "InstalledVersion": "1.4.2-2.el6_7.1",
         "FixedVersion": "1.4.2-3.0.1.el6_10.1",
+        "LayerID": "sha256:a6f189f69066d36aff8efe2602482d28c02de433aef44ee9087b291df7e8fd08",
         "Title": "libssh2: Integer overflow in transport read resulting in out of bounds write",
         "Description": "An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.",
         "Severity": "CRITICAL",
@@ -36,6 +37,7 @@
         "PkgName": "libssh2",
         "InstalledVersion": "1.4.2-2.el6_7.1",
         "FixedVersion": "1.4.2-3.0.1.el6_10.1",
+        "LayerID": "sha256:a6f189f69066d36aff8efe2602482d28c02de433aef44ee9087b291df7e8fd08",
         "Title": "libssh2: Integer overflow in keyboard interactive handling resulting in out of bounds write",
         "Description": "An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 before 1.8.1 in the way keyboard prompt requests are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.",
         "Severity": "MEDIUM",
@@ -59,6 +61,7 @@
         "PkgName": "libssh2",
         "InstalledVersion": "1.4.2-2.el6_7.1",
         "FixedVersion": "1.4.2-3.0.1.el6_10.1",
+        "LayerID": "sha256:a6f189f69066d36aff8efe2602482d28c02de433aef44ee9087b291df7e8fd08",
         "Title": "libssh2: Integer overflow in SSH packet processing channel resulting in out of bounds write",
         "Description": "An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.",
         "Severity": "MEDIUM",
@@ -82,6 +85,7 @@
         "PkgName": "libssh2",
         "InstalledVersion": "1.4.2-2.el6_7.1",
         "FixedVersion": "1.4.2-2.0.1.el6_7.1",
+        "LayerID": "sha256:a6f189f69066d36aff8efe2602482d28c02de433aef44ee9087b291df7e8fd08",
         "Title": "libssh2: Out-of-bounds memory comparison with specially crafted message channel request",
         "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.",
         "Severity": "MEDIUM",
@@ -109,6 +113,7 @@
         "PkgName": "libssh2",
         "InstalledVersion": "1.4.2-2.el6_7.1",
         "FixedVersion": "1.4.2-3.0.1.el6_10.1",
+        "LayerID": "sha256:a6f189f69066d36aff8efe2602482d28c02de433aef44ee9087b291df7e8fd08",
         "Title": "libssh2: Integer overflow in user authenticate keyboard interactive allows out-of-bounds writes",
         "Description": "A flaw was found in libssh2 before 1.8.1. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error.",
         "Severity": "MEDIUM",
@@ -132,6 +137,7 @@
         "PkgName": "openssl",
         "InstalledVersion": "1.0.1e-57.0.6.el6",
         "FixedVersion": "1.0.1e-58.0.1.el6_10",
+        "LayerID": "sha256:a6f189f69066d36aff8efe2602482d28c02de433aef44ee9087b291df7e8fd08",
         "Title": "openssl: 0-byte record padding oracle",
         "Description": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).",
         "Severity": "MEDIUM",

integration/testdata/oraclelinux-7-slim.json.golden

@@ -7,6 +7,7 @@
         "PkgName": "curl",
         "InstalledVersion": "7.29.0-51.0.1.el7_6.3",
         "FixedVersion": "7.29.0-54.0.1.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "curl: Heap-based buffer over-read in the curl tool warning formatting",
         "Description": "Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.",
         "Severity": "MEDIUM",
@@ -29,6 +30,7 @@
         "PkgName": "elfutils-libelf",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "elfutils: Double-free due to double decompression of sections in crafted ELF causes crash",
         "Description": "libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.",
         "Severity": "HIGH",
@@ -43,6 +45,7 @@
         "PkgName": "elfutils-libelf",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file",
         "Description": "dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file.",
         "Severity": "MEDIUM",
@@ -61,6 +64,7 @@
         "PkgName": "elfutils-libelf",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/dwarf_hasattr.c causes crash",
         "Description": "libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash.",
         "Severity": "MEDIUM",
@@ -78,6 +82,7 @@
         "PkgName": "elfutils-libelf",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "elfutils: invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl",
         "Description": "An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes.",
         "Severity": "MEDIUM",
@@ -94,6 +99,7 @@
         "PkgName": "elfutils-libelf",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "elfutils: eu-size cannot handle recursive ar files",
         "Description": "An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.",
         "Severity": "MEDIUM",
@@ -110,6 +116,7 @@
         "PkgName": "elfutils-libelf",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "elfutils: Divide-by-zero in arlib_add_symbols function in arlib.c",
         "Description": "Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled.",
         "Severity": "MEDIUM",
@@ -126,6 +133,7 @@
         "PkgName": "elfutils-libelf",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "elfutils: heap-based buffer over-read in read_srclines in dwarf_getsrclines.c in libdw",
         "Description": "A heap-based buffer over-read was discovered in the function read_srclines in dwarf_getsrclines.c in libdw in elfutils 0.175. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by eu-nm.",
         "Severity": "MEDIUM",
@@ -142,6 +150,7 @@
         "PkgName": "elfutils-libelf",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "elfutils: segmentation fault in elf64_xlatetom in libelf/elf32_xlatetom.c",
         "Description": "An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack.",
         "Severity": "MEDIUM",
@@ -158,6 +167,7 @@
         "PkgName": "elfutils-libelf",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "elfutils: out of bound write in elf_cvt_note in libelf/note_xlate.h",
         "Description": "In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input causes a segmentation fault, leading to denial of service (program crash).",
         "Severity": "MEDIUM",
@@ -172,6 +182,7 @@
         "PkgName": "elfutils-libelf",
         "InstalledVersion": "0.172-2.el7",
         "FixedVersion": "0.176-2.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "elfutils: heap-based buffer over-read in function elf32_xlatetom in elf32_xlatetom.c",
         "Description": "In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes.",
         "Severity": "MEDIUM",
@@ -188,6 +199,7 @@
         "PkgName": "glibc",
         "InstalledVersion": "2.17-260.0.17.el7_6.6",
         "FixedVersion": "2.17-292.0.1.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters",
         "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.",
         "Severity": "MEDIUM",
@@ -205,6 +217,7 @@
         "PkgName": "glibc-common",
         "InstalledVersion": "2.17-260.0.17.el7_6.6",
         "FixedVersion": "2.17-292.0.1.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters",
         "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.",
         "Severity": "MEDIUM",
@@ -222,6 +235,7 @@
         "PkgName": "libcurl",
         "InstalledVersion": "7.29.0-51.0.1.el7_6.3",
         "FixedVersion": "7.29.0-54.0.1.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "curl: Heap-based buffer over-read in the curl tool warning formatting",
         "Description": "Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.",
         "Severity": "MEDIUM",
@@ -244,6 +258,7 @@
         "PkgName": "libssh2",
         "InstalledVersion": "1.4.3-12.0.1.el7_6.3",
         "FixedVersion": "1.8.0-3.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "libssh2: Zero-byte allocation with a specially crafted SFTP packed leading to an out-of-bounds read",
         "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.",
         "Severity": "MEDIUM",
@@ -271,6 +286,7 @@
         "PkgName": "libssh2",
         "InstalledVersion": "1.4.3-12.0.1.el7_6.3",
         "FixedVersion": "1.8.0-3.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "libssh2: Out-of-bounds reads with specially crafted SSH packets",
         "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH packets with a padding length value greater than the packet length are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.",
         "Severity": "MEDIUM",
@@ -292,6 +308,7 @@
         "PkgName": "nspr",
         "InstalledVersion": "4.19.0-1.el7_5",
         "FixedVersion": "4.21.0-1.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "nss: Cache side-channel variant of the Bleichenbacher attack",
         "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.",
         "Severity": "MEDIUM",
@@ -307,6 +324,7 @@
         "PkgName": "nspr",
         "InstalledVersion": "4.19.0-1.el7_5",
         "FixedVersion": "4.21.0-1.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
         "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
         "Severity": "LOW",
@@ -338,6 +356,7 @@
         "PkgName": "nss",
         "InstalledVersion": "3.36.0-7.1.el7_6",
         "FixedVersion": "3.44.0-4.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "nss: Cache side-channel variant of the Bleichenbacher attack",
         "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.",
         "Severity": "MEDIUM",
@@ -353,6 +372,7 @@
         "PkgName": "nss",
         "InstalledVersion": "3.36.0-7.1.el7_6",
         "FixedVersion": "3.44.0-4.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
         "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
         "Severity": "LOW",
@@ -384,6 +404,7 @@
         "PkgName": "nss-softokn",
         "InstalledVersion": "3.36.0-5.0.1.el7_5",
         "FixedVersion": "3.44.0-5.0.1.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "nss: Cache side-channel variant of the Bleichenbacher attack",
         "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.",
         "Severity": "MEDIUM",
@@ -399,6 +420,7 @@
         "PkgName": "nss-softokn",
         "InstalledVersion": "3.36.0-5.0.1.el7_5",
         "FixedVersion": "3.44.0-5.0.1.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
         "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
         "Severity": "LOW",
@@ -430,6 +452,7 @@
         "PkgName": "nss-softokn-freebl",
         "InstalledVersion": "3.36.0-5.0.1.el7_5",
         "FixedVersion": "3.44.0-5.0.1.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "nss: Cache side-channel variant of the Bleichenbacher attack",
         "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.",
         "Severity": "MEDIUM",
@@ -445,6 +468,7 @@
         "PkgName": "nss-softokn-freebl",
         "InstalledVersion": "3.36.0-5.0.1.el7_5",
         "FixedVersion": "3.44.0-5.0.1.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
         "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
         "Severity": "LOW",
@@ -476,6 +500,7 @@
         "PkgName": "nss-sysinit",
         "InstalledVersion": "3.36.0-7.1.el7_6",
         "FixedVersion": "3.44.0-4.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "nss: Cache side-channel variant of the Bleichenbacher attack",
         "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.",
         "Severity": "MEDIUM",
@@ -491,6 +516,7 @@
         "PkgName": "nss-sysinit",
         "InstalledVersion": "3.36.0-7.1.el7_6",
         "FixedVersion": "3.44.0-4.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
         "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
         "Severity": "LOW",
@@ -522,6 +548,7 @@
         "PkgName": "nss-tools",
         "InstalledVersion": "3.36.0-7.1.el7_6",
         "FixedVersion": "3.44.0-4.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "nss: Cache side-channel variant of the Bleichenbacher attack",
         "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.",
         "Severity": "MEDIUM",
@@ -537,6 +564,7 @@
         "PkgName": "nss-tools",
         "InstalledVersion": "3.36.0-7.1.el7_6",
         "FixedVersion": "3.44.0-4.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
         "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
         "Severity": "LOW",
@@ -568,6 +596,7 @@
         "PkgName": "nss-util",
         "InstalledVersion": "3.36.0-1.1.el7_6",
         "FixedVersion": "3.44.0-3.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "nss: Cache side-channel variant of the Bleichenbacher attack",
         "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.",
         "Severity": "MEDIUM",
@@ -583,6 +612,7 @@
         "PkgName": "nss-util",
         "InstalledVersion": "3.36.0-1.1.el7_6",
         "FixedVersion": "3.44.0-3.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
         "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
         "Severity": "LOW",
@@ -614,6 +644,7 @@
         "PkgName": "openssl-libs",
         "InstalledVersion": "1:1.0.2k-16.0.1.el7_6.1",
         "FixedVersion": "1:1.0.2k-19.0.1.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "openssl: timing side channel attack in the DSA signature algorithm",
         "Description": "The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).",
         "Severity": "MEDIUM",
@@ -643,6 +674,7 @@
         "PkgName": "openssl-libs",
         "InstalledVersion": "1:1.0.2k-16.0.1.el7_6.1",
         "FixedVersion": "1:1.0.2k-19.0.1.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "openssl: 0-byte record padding oracle",
         "Description": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).",
         "Severity": "MEDIUM",
@@ -676,6 +708,7 @@
         "PkgName": "python",
         "InstalledVersion": "2.7.5-80.0.1.el7_6",
         "FixedVersion": "2.7.5-86.0.1.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "python: NULL pointer dereference using a specially crafted X509 certificate",
         "Description": "A null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.",
         "Severity": "HIGH",
@@ -689,6 +722,7 @@
         "PkgName": "python",
         "InstalledVersion": "2.7.5-80.0.1.el7_6",
         "FixedVersion": "2.7.5-86.0.1.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "python: Missing salt initialization in _elementtree.c module",
         "Description": "Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. Python 3.8, 3.7, 3.6, 3.5, 3.4, 2.7 are believed to be vulnerable.",
         "Severity": "MEDIUM",
@@ -714,6 +748,7 @@
         "PkgName": "python",
         "InstalledVersion": "2.7.5-80.0.1.el7_6",
         "FixedVersion": "2.7.5-86.0.1.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "python: CRLF injection via the query part of the url passed to urlopen()",
         "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.",
         "Severity": "MEDIUM",
@@ -731,6 +766,7 @@
         "PkgName": "python",
         "InstalledVersion": "2.7.5-80.0.1.el7_6",
         "FixedVersion": "2.7.5-86.0.1.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "python: CRLF injection via the path part of the url passed to urlopen()",
         "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.",
         "Severity": "MEDIUM",
@@ -748,6 +784,7 @@
         "PkgName": "python",
         "InstalledVersion": "2.7.5-80.0.1.el7_6",
         "FixedVersion": "2.7.5-86.0.1.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms",
         "Description": "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.",
         "Severity": "MEDIUM",
@@ -767,6 +804,7 @@
         "PkgName": "python-libs",
         "InstalledVersion": "2.7.5-80.0.1.el7_6",
         "FixedVersion": "2.7.5-86.0.1.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "python: NULL pointer dereference using a specially crafted X509 certificate",
         "Description": "A null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.",
         "Severity": "HIGH",
@@ -780,6 +818,7 @@
         "PkgName": "python-libs",
         "InstalledVersion": "2.7.5-80.0.1.el7_6",
         "FixedVersion": "2.7.5-86.0.1.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "python: Missing salt initialization in _elementtree.c module",
         "Description": "Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. Python 3.8, 3.7, 3.6, 3.5, 3.4, 2.7 are believed to be vulnerable.",
         "Severity": "MEDIUM",
@@ -805,6 +844,7 @@
         "PkgName": "python-libs",
         "InstalledVersion": "2.7.5-80.0.1.el7_6",
         "FixedVersion": "2.7.5-86.0.1.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "python: CRLF injection via the query part of the url passed to urlopen()",
         "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.",
         "Severity": "MEDIUM",
@@ -822,6 +862,7 @@
         "PkgName": "python-libs",
         "InstalledVersion": "2.7.5-80.0.1.el7_6",
         "FixedVersion": "2.7.5-86.0.1.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "python: CRLF injection via the path part of the url passed to urlopen()",
         "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.",
         "Severity": "MEDIUM",
@@ -839,6 +880,7 @@
         "PkgName": "python-libs",
         "InstalledVersion": "2.7.5-80.0.1.el7_6",
         "FixedVersion": "2.7.5-86.0.1.el7",
+        "LayerID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2",
         "Title": "python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms",
         "Description": "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.",
         "Severity": "MEDIUM",

integration/testdata/photon-10.json.golden

@@ -7,6 +7,7 @@
         "PkgName": "bash",
         "InstalledVersion": "4.3.48-3.ph1",
         "FixedVersion": "4.3.48-4.ph1",
+        "LayerID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b",
         "Title": "bash: heap-based buffer overflow during echo of unsupported characters",
         "Description": "A heap-based buffer overflow exists in GNU Bash before 4.3 when wide characters, not supported by the current locale set in the LC_CTYPE environment variable, are printed through the echo built-in function. A local attacker, who can provide data to print through the \"echo -e\" built-in function, may use this flaw to crash a script or execute code with the privileges of the bash process. This occurs because ansicstr() in lib/sh/strtrans.c mishandles u32cconv().",
         "Severity": "MEDIUM",
@@ -22,6 +23,7 @@
         "PkgName": "openssl",
         "InstalledVersion": "1.0.2s-1.ph1",
         "FixedVersion": "1.0.2t-1.ph1",
+        "LayerID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b",
         "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
         "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
         "Severity": "MEDIUM",
@@ -41,6 +43,7 @@
         "PkgName": "openssl",
         "InstalledVersion": "1.0.2s-1.ph1",
         "FixedVersion": "1.0.2t-1.ph1",
+        "LayerID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b",
         "Title": "openssl: side-channel weak encryption vulnerability",
         "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
         "Severity": "LOW",

integration/testdata/photon-20.json.golden

@@ -7,6 +7,7 @@
         "PkgName": "curl",
         "InstalledVersion": "7.59.0-7.ph2",
         "FixedVersion": "7.59.0-9.ph2",
+        "LayerID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66",
         "Title": "curl: double free due to subsequent call of realloc()",
         "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
         "Severity": "HIGH",
@@ -23,6 +24,7 @@
         "PkgName": "curl",
         "InstalledVersion": "7.59.0-7.ph2",
         "FixedVersion": "7.59.0-9.ph2",
+        "LayerID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66",
         "Title": "curl: heap buffer overflow in function tftp_receive_packet()",
         "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
         "Severity": "HIGH",
@@ -40,6 +42,7 @@
         "PkgName": "curl",
         "InstalledVersion": "7.59.0-7.ph2",
         "FixedVersion": "7.59.0-8.ph2",
+        "LayerID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66",
         "Title": "curl: NTLM type-2 heap out-of-bounds buffer read",
         "Description": "libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.",
         "Severity": "MEDIUM",
@@ -62,6 +65,7 @@
         "PkgName": "curl-libs",
         "InstalledVersion": "7.59.0-7.ph2",
         "FixedVersion": "7.59.0-9.ph2",
+        "LayerID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66",
         "Title": "curl: double free due to subsequent call of realloc()",
         "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
         "Severity": "HIGH",
@@ -78,6 +82,7 @@
         "PkgName": "curl-libs",
         "InstalledVersion": "7.59.0-7.ph2",
         "FixedVersion": "7.59.0-9.ph2",
+        "LayerID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66",
         "Title": "curl: heap buffer overflow in function tftp_receive_packet()",
         "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
         "Severity": "HIGH",
@@ -95,6 +100,7 @@
         "PkgName": "curl-libs",
         "InstalledVersion": "7.59.0-7.ph2",
         "FixedVersion": "7.59.0-8.ph2",
+        "LayerID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66",
         "Title": "curl: NTLM type-2 heap out-of-bounds buffer read",
         "Description": "libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.",
         "Severity": "MEDIUM",
@@ -117,6 +123,7 @@
         "PkgName": "e2fsprogs-libs",
         "InstalledVersion": "1.43.4-2.ph2",
         "FixedVersion": "1.43.4-3.ph2",
+        "LayerID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66",
         "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
         "Severity": "MEDIUM",
         "References": [
@@ -133,6 +140,7 @@
         "PkgName": "expat-libs",
         "InstalledVersion": "2.2.4-1.ph2",
         "FixedVersion": "2.2.4-2.ph2",
+        "LayerID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66",
         "Title": "expat: large number of colons in input makes parser consume high amount of resources, leading to DoS",
         "Description": "In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).",
         "Severity": "HIGH",
@@ -157,6 +165,7 @@
         "PkgName": "libssh2",
         "InstalledVersion": "1.8.2-1.ph2",
         "FixedVersion": "1.9.0-1.ph2",
+        "LayerID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66",
         "Title": "libssh2: integer overflow in kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c leads to out-of-bounds write",
         "Description": "In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This is related to an _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855.",
         "Severity": "MEDIUM",
@@ -174,6 +183,7 @@
         "PkgName": "openssl",
         "InstalledVersion": "1.0.2s-1.ph2",
         "FixedVersion": "1.0.2t-1.ph2",
+        "LayerID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66",
         "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
         "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
         "Severity": "MEDIUM",
@@ -193,6 +203,7 @@
         "PkgName": "openssl",
         "InstalledVersion": "1.0.2s-1.ph2",
         "FixedVersion": "1.0.2t-1.ph2",
+        "LayerID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66",
         "Title": "openssl: side-channel weak encryption vulnerability",
         "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
         "Severity": "LOW",
@@ -213,6 +224,7 @@
         "PkgName": "sqlite-libs",
         "InstalledVersion": "3.27.2-3.ph2",
         "FixedVersion": "3.27.2-5.ph2",
+        "LayerID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66",
         "Description": "In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a \"severe division by zero in the query planner.\"",
         "Severity": "MEDIUM",
         "References": [

integration/testdata/photon-30.json.golden

@@ -7,6 +7,7 @@
         "PkgName": "curl",
         "InstalledVersion": "7.61.1-4.ph3",
         "FixedVersion": "7.61.1-5.ph3",
+        "LayerID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd",
         "Title": "curl: double free due to subsequent call of realloc()",
         "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
         "Severity": "HIGH",
@@ -23,6 +24,7 @@
         "PkgName": "curl",
         "InstalledVersion": "7.61.1-4.ph3",
         "FixedVersion": "7.61.1-5.ph3",
+        "LayerID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd",
         "Title": "curl: heap buffer overflow in function tftp_receive_packet()",
         "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
         "Severity": "HIGH",
@@ -40,6 +42,7 @@
         "PkgName": "curl-libs",
         "InstalledVersion": "7.61.1-4.ph3",
         "FixedVersion": "7.61.1-5.ph3",
+        "LayerID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd",
         "Title": "curl: double free due to subsequent call of realloc()",
         "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
         "Severity": "HIGH",
@@ -56,6 +59,7 @@
         "PkgName": "curl-libs",
         "InstalledVersion": "7.61.1-4.ph3",
         "FixedVersion": "7.61.1-5.ph3",
+        "LayerID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd",
         "Title": "curl: heap buffer overflow in function tftp_receive_packet()",
         "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
         "Severity": "HIGH",
@@ -73,6 +77,7 @@
         "PkgName": "e2fsprogs-libs",
         "InstalledVersion": "1.44.3-2.ph3",
         "FixedVersion": "1.44.3-3.ph3",
+        "LayerID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd",
         "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
         "Severity": "MEDIUM",
         "References": [
@@ -89,6 +94,7 @@
         "PkgName": "openssl",
         "InstalledVersion": "1.0.2s-1.ph3",
         "FixedVersion": "1.0.2t-1.ph3",
+        "LayerID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd",
         "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
         "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
         "Severity": "MEDIUM",
@@ -108,6 +114,7 @@
         "PkgName": "openssl",
         "InstalledVersion": "1.0.2s-1.ph3",
         "FixedVersion": "1.0.2t-1.ph3",
+        "LayerID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd",
         "Title": "openssl: side-channel weak encryption vulnerability",
         "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
         "Severity": "LOW",
@@ -128,6 +135,7 @@
         "PkgName": "sqlite-libs",
         "InstalledVersion": "3.27.2-3.ph3",
         "FixedVersion": "3.27.2-5.ph3",
+        "LayerID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd",
         "Description": "In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a \"severe division by zero in the query planner.\"",
         "Severity": "MEDIUM",
         "References": [

integration/testdata/ubuntu-1804-ignore-unfixed.json.golden

@@ -7,6 +7,7 @@
         "PkgName": "e2fsprogs",
         "InstalledVersion": "1.44.1-1ubuntu1.1",
         "FixedVersion": "1.44.1-1ubuntu1.2",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
         "Severity": "MEDIUM",
         "References": [
@@ -23,6 +24,7 @@
         "PkgName": "libcom-err2",
         "InstalledVersion": "1.44.1-1ubuntu1.1",
         "FixedVersion": "1.44.1-1ubuntu1.2",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
         "Severity": "MEDIUM",
         "References": [
@@ -39,6 +41,7 @@
         "PkgName": "libext2fs2",
         "InstalledVersion": "1.44.1-1ubuntu1.1",
         "FixedVersion": "1.44.1-1ubuntu1.2",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
         "Severity": "MEDIUM",
         "References": [
@@ -55,6 +58,7 @@
         "PkgName": "libss2",
         "InstalledVersion": "1.44.1-1ubuntu1.1",
         "FixedVersion": "1.44.1-1ubuntu1.2",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
         "Severity": "MEDIUM",
         "References": [
@@ -71,6 +75,7 @@
         "PkgName": "libsystemd0",
         "InstalledVersion": "237-3ubuntu10.25",
         "FixedVersion": "237-3ubuntu10.28",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "systemd: systemd-resolved allows unprivileged users to configure DNS",
         "Description": "In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.",
         "Severity": "LOW",
@@ -87,6 +92,7 @@
         "PkgName": "libudev1",
         "InstalledVersion": "237-3ubuntu10.25",
         "FixedVersion": "237-3ubuntu10.28",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "systemd: systemd-resolved allows unprivileged users to configure DNS",
         "Description": "In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.",
         "Severity": "LOW",
@@ -103,6 +109,7 @@
         "PkgName": "libzstd1",
         "InstalledVersion": "1.3.3+dfsg-2ubuntu1",
         "FixedVersion": "1.3.3+dfsg-2ubuntu1.1",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Description": "A race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.",
         "Severity": "MEDIUM",
         "References": [

integration/testdata/ubuntu-1804.json.golden

@@ -6,6 +6,7 @@
         "VulnerabilityID": "CVE-2018-7738",
         "PkgName": "bsdutils",
         "InstalledVersion": "2.31.1-0.4ubuntu3.3",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "util-linux: Shell command injection in unescaped bash-completed mount point names",
         "Description": "In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.",
         "Severity": "HIGH",
@@ -22,6 +23,7 @@
         "VulnerabilityID": "CVE-2016-2781",
         "PkgName": "coreutils",
         "InstalledVersion": "8.28-1ubuntu1",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "coreutils: Non-privileged session can escape to the parent session in chroot",
         "Description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.",
         "Severity": "LOW",
@@ -34,6 +36,7 @@
         "VulnerabilityID": "CVE-2017-8283",
         "PkgName": "dpkg",
         "InstalledVersion": "1.19.0.5ubuntu2.1",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Description": "dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a non-GNU patch program and does not offer a protection mechanism for blank-indented diff hunks, which allows remote attackers to conduct directory traversal attacks via a crafted Debian source package, as demonstrated by use of dpkg-source on NetBSD.",
         "Severity": "HIGH",
         "References": [
@@ -47,6 +50,7 @@
         "PkgName": "e2fsprogs",
         "InstalledVersion": "1.44.1-1ubuntu1.1",
         "FixedVersion": "1.44.1-1ubuntu1.2",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
         "Severity": "MEDIUM",
         "References": [
@@ -62,6 +66,7 @@
         "VulnerabilityID": "CVE-2018-7738",
         "PkgName": "fdisk",
         "InstalledVersion": "2.31.1-0.4ubuntu3.3",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "util-linux: Shell command injection in unescaped bash-completed mount point names",
         "Description": "In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.",
         "Severity": "HIGH",
@@ -78,6 +83,7 @@
         "VulnerabilityID": "CVE-2019-13050",
         "PkgName": "gpgv",
         "InstalledVersion": "2.2.4-1ubuntu1.2",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "GnuPG: interaction between the sks-keyserver code and GnuPG allows for a Certificate Spamming Attack which leads to persistent DoS",
         "Description": "Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.",
         "Severity": "MEDIUM",
@@ -92,6 +98,7 @@
         "VulnerabilityID": "CVE-2018-7738",
         "PkgName": "libblkid1",
         "InstalledVersion": "2.31.1-0.4ubuntu3.3",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "util-linux: Shell command injection in unescaped bash-completed mount point names",
         "Description": "In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.",
         "Severity": "HIGH",
@@ -108,6 +115,7 @@
         "VulnerabilityID": "CVE-2018-11236",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.27-3ubuntu1",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "glibc: Integer overflow in stdlib/canonicalize.c on 32-bit architectures leading to stack-based buffer overflow",
         "Description": "stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution.",
         "Severity": "HIGH",
@@ -127,6 +135,7 @@
         "VulnerabilityID": "CVE-2019-9169",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.27-3ubuntu1",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read",
         "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.",
         "Severity": "HIGH",
@@ -146,6 +155,7 @@
         "VulnerabilityID": "CVE-2009-5155",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.27-3ubuntu1",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result",
         "Description": "In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.",
         "Severity": "MEDIUM",
@@ -166,6 +176,7 @@
         "VulnerabilityID": "CVE-2015-8985",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.27-3ubuntu1",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "glibc: potential denial of service in pop_fail_stack()",
         "Description": "The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.",
         "Severity": "MEDIUM",
@@ -181,6 +192,7 @@
         "VulnerabilityID": "CVE-2016-10228",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.27-3ubuntu1",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "glibc: iconv program can hang when invoked with the -c option",
         "Description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.",
         "Severity": "MEDIUM",
@@ -194,6 +206,7 @@
         "VulnerabilityID": "CVE-2016-10739",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.27-3ubuntu1",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters",
         "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.",
         "Severity": "MEDIUM",
@@ -210,6 +223,7 @@
         "VulnerabilityID": "CVE-2018-11237",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.27-3ubuntu1",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "glibc: Buffer overflow in __mempcpy_avx512_no_vzeroupper",
         "Description": "An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper.",
         "Severity": "MEDIUM",
@@ -229,6 +243,7 @@
         "VulnerabilityID": "CVE-2018-19591",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.27-3ubuntu1",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "glibc: file descriptor leak in if_nametoindex() in sysdeps/unix/sysv/linux/if_index.c",
         "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, attempting to resolve a crafted hostname via getaddrinfo() leads to the allocation of a socket descriptor that is not closed. This is related to the if_nametoindex() function.",
         "Severity": "MEDIUM",
@@ -249,6 +264,7 @@
         "VulnerabilityID": "CVE-2018-20796",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.27-3ubuntu1",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c",
         "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.",
         "Severity": "MEDIUM",
@@ -263,6 +279,7 @@
         "VulnerabilityID": "CVE-2019-9192",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.27-3ubuntu1",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c",
         "Description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.",
         "Severity": "MEDIUM",
@@ -274,6 +291,7 @@
         "VulnerabilityID": "CVE-2019-7309",
         "PkgName": "libc-bin",
         "InstalledVersion": "2.27-3ubuntu1",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "glibc: memcmp function incorrectly returns zero",
         "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled.",
         "Severity": "LOW",
@@ -288,6 +306,7 @@
         "VulnerabilityID": "CVE-2018-11236",
         "PkgName": "libc6",
         "InstalledVersion": "2.27-3ubuntu1",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "glibc: Integer overflow in stdlib/canonicalize.c on 32-bit architectures leading to stack-based buffer overflow",
         "Description": "stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution.",
         "Severity": "HIGH",
@@ -307,6 +326,7 @@
         "VulnerabilityID": "CVE-2019-9169",
         "PkgName": "libc6",
         "InstalledVersion": "2.27-3ubuntu1",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read",
         "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.",
         "Severity": "HIGH",
@@ -326,6 +346,7 @@
         "VulnerabilityID": "CVE-2009-5155",
         "PkgName": "libc6",
         "InstalledVersion": "2.27-3ubuntu1",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result",
         "Description": "In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.",
         "Severity": "MEDIUM",
@@ -346,6 +367,7 @@
         "VulnerabilityID": "CVE-2015-8985",
         "PkgName": "libc6",
         "InstalledVersion": "2.27-3ubuntu1",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "glibc: potential denial of service in pop_fail_stack()",
         "Description": "The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.",
         "Severity": "MEDIUM",
@@ -361,6 +383,7 @@
         "VulnerabilityID": "CVE-2016-10228",
         "PkgName": "libc6",
         "InstalledVersion": "2.27-3ubuntu1",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "glibc: iconv program can hang when invoked with the -c option",
         "Description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.",
         "Severity": "MEDIUM",
@@ -374,6 +397,7 @@
         "VulnerabilityID": "CVE-2016-10739",
         "PkgName": "libc6",
         "InstalledVersion": "2.27-3ubuntu1",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters",
         "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.",
         "Severity": "MEDIUM",
@@ -390,6 +414,7 @@
         "VulnerabilityID": "CVE-2018-11237",
         "PkgName": "libc6",
         "InstalledVersion": "2.27-3ubuntu1",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "glibc: Buffer overflow in __mempcpy_avx512_no_vzeroupper",
         "Description": "An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper.",
         "Severity": "MEDIUM",
@@ -409,6 +434,7 @@
         "VulnerabilityID": "CVE-2018-19591",
         "PkgName": "libc6",
         "InstalledVersion": "2.27-3ubuntu1",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "glibc: file descriptor leak in if_nametoindex() in sysdeps/unix/sysv/linux/if_index.c",
         "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, attempting to resolve a crafted hostname via getaddrinfo() leads to the allocation of a socket descriptor that is not closed. This is related to the if_nametoindex() function.",
         "Severity": "MEDIUM",
@@ -429,6 +455,7 @@
         "VulnerabilityID": "CVE-2018-20796",
         "PkgName": "libc6",
         "InstalledVersion": "2.27-3ubuntu1",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c",
         "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.",
         "Severity": "MEDIUM",
@@ -443,6 +470,7 @@
         "VulnerabilityID": "CVE-2019-9192",
         "PkgName": "libc6",
         "InstalledVersion": "2.27-3ubuntu1",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c",
         "Description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.",
         "Severity": "MEDIUM",
@@ -454,6 +482,7 @@
         "VulnerabilityID": "CVE-2019-7309",
         "PkgName": "libc6",
         "InstalledVersion": "2.27-3ubuntu1",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "glibc: memcmp function incorrectly returns zero",
         "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled.",
         "Severity": "LOW",
@@ -469,6 +498,7 @@
         "PkgName": "libcom-err2",
         "InstalledVersion": "1.44.1-1ubuntu1.1",
         "FixedVersion": "1.44.1-1ubuntu1.2",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
         "Severity": "MEDIUM",
         "References": [
@@ -485,6 +515,7 @@
         "PkgName": "libext2fs2",
         "InstalledVersion": "1.44.1-1ubuntu1.1",
         "FixedVersion": "1.44.1-1ubuntu1.2",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
         "Severity": "MEDIUM",
         "References": [
@@ -500,6 +531,7 @@
         "VulnerabilityID": "CVE-2018-7738",
         "PkgName": "libfdisk1",
         "InstalledVersion": "2.31.1-0.4ubuntu3.3",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "util-linux: Shell command injection in unescaped bash-completed mount point names",
         "Description": "In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.",
         "Severity": "HIGH",
@@ -516,6 +548,7 @@
         "VulnerabilityID": "CVE-2019-12904",
         "PkgName": "libgcrypt20",
         "InstalledVersion": "1.8.1-4ubuntu1.1",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "Libgcrypt: physical addresses being available to other processes leads to a flush-and-reload side-channel attack",
         "Description": "In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.)",
         "Severity": "MEDIUM",
@@ -531,6 +564,7 @@
         "VulnerabilityID": "CVE-2019-13627",
         "PkgName": "libgcrypt20",
         "InstalledVersion": "1.8.1-4ubuntu1.1",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Description": "It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7.",
         "Severity": "MEDIUM",
         "References": [
@@ -547,6 +581,7 @@
         "VulnerabilityID": "CVE-2018-16868",
         "PkgName": "libgnutls30",
         "InstalledVersion": "3.5.18-1ubuntu1.1",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "gnutls: Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification and padding oracle verification",
         "Description": "A Bleichenbacher type side-channel based padding oracle attack was found in the way gnutls handles verification of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run process on the same physical core as the victim process, could use this to extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.",
         "Severity": "LOW",
@@ -563,6 +598,7 @@
         "VulnerabilityID": "CVE-2018-16869",
         "PkgName": "libhogweed4",
         "InstalledVersion": "3.4-1",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "nettle: Leaky data conversion exposing a manager oracle",
         "Description": "A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.",
         "Severity": "LOW",
@@ -577,6 +613,7 @@
         "VulnerabilityID": "CVE-2018-7738",
         "PkgName": "libmount1",
         "InstalledVersion": "2.31.1-0.4ubuntu3.3",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "util-linux: Shell command injection in unescaped bash-completed mount point names",
         "Description": "In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.",
         "Severity": "HIGH",
@@ -593,6 +630,7 @@
         "VulnerabilityID": "CVE-2018-16869",
         "PkgName": "libnettle6",
         "InstalledVersion": "3.4-1",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "nettle: Leaky data conversion exposing a manager oracle",
         "Description": "A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.",
         "Severity": "LOW",
@@ -607,6 +645,7 @@
         "VulnerabilityID": "CVE-2017-11164",
         "PkgName": "libpcre3",
         "InstalledVersion": "2:8.39-9",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "pcre: OP_KETRMAX feature in the match function in pcre_exec.c",
         "Description": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.",
         "Severity": "HIGH",
@@ -619,6 +658,7 @@
         "VulnerabilityID": "CVE-2017-7245",
         "PkgName": "libpcre3",
         "InstalledVersion": "2:8.39-9",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "pcre: stack-based buffer overflow write in pcre32_copy_substring",
         "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.",
         "Severity": "MEDIUM",
@@ -633,6 +673,7 @@
         "VulnerabilityID": "CVE-2017-7246",
         "PkgName": "libpcre3",
         "InstalledVersion": "2:8.39-9",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "pcre: stack-based buffer overflow write in pcre32_copy_substring",
         "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.",
         "Severity": "MEDIUM",
@@ -647,6 +688,7 @@
         "VulnerabilityID": "CVE-2018-7738",
         "PkgName": "libsmartcols1",
         "InstalledVersion": "2.31.1-0.4ubuntu3.3",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "util-linux: Shell command injection in unescaped bash-completed mount point names",
         "Description": "In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.",
         "Severity": "HIGH",
@@ -664,6 +706,7 @@
         "PkgName": "libss2",
         "InstalledVersion": "1.44.1-1ubuntu1.1",
         "FixedVersion": "1.44.1-1ubuntu1.2",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
         "Severity": "MEDIUM",
         "References": [
@@ -679,6 +722,7 @@
         "VulnerabilityID": "CVE-2018-20839",
         "PkgName": "libsystemd0",
         "InstalledVersion": "237-3ubuntu10.25",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "systemd: mishandling of the current keyboard mode check leading to passwords being disclosed in cleartext to attacker",
         "Description": "systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.",
         "Severity": "MEDIUM",
@@ -694,6 +738,7 @@
         "VulnerabilityID": "CVE-2019-3843",
         "PkgName": "libsystemd0",
         "InstalledVersion": "237-3ubuntu10.25",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "systemd: services with DynamicUser can create SUID/SGID binaries",
         "Description": "It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.",
         "Severity": "MEDIUM",
@@ -708,6 +753,7 @@
         "VulnerabilityID": "CVE-2019-3844",
         "PkgName": "libsystemd0",
         "InstalledVersion": "237-3ubuntu10.25",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "systemd: services with DynamicUser can get new privileges and create SGID binaries",
         "Description": "It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.",
         "Severity": "MEDIUM",
@@ -722,6 +768,7 @@
         "PkgName": "libsystemd0",
         "InstalledVersion": "237-3ubuntu10.25",
         "FixedVersion": "237-3ubuntu10.28",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "systemd: systemd-resolved allows unprivileged users to configure DNS",
         "Description": "In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.",
         "Severity": "LOW",
@@ -737,6 +784,7 @@
         "VulnerabilityID": "CVE-2018-1000654",
         "PkgName": "libtasn1-6",
         "InstalledVersion": "4.13-2",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion",
         "Description": "GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file.",
         "Severity": "HIGH",
@@ -751,6 +799,7 @@
         "VulnerabilityID": "CVE-2018-20839",
         "PkgName": "libudev1",
         "InstalledVersion": "237-3ubuntu10.25",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "systemd: mishandling of the current keyboard mode check leading to passwords being disclosed in cleartext to attacker",
         "Description": "systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.",
         "Severity": "MEDIUM",
@@ -766,6 +815,7 @@
         "VulnerabilityID": "CVE-2019-3843",
         "PkgName": "libudev1",
         "InstalledVersion": "237-3ubuntu10.25",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "systemd: services with DynamicUser can create SUID/SGID binaries",
         "Description": "It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.",
         "Severity": "MEDIUM",
@@ -780,6 +830,7 @@
         "VulnerabilityID": "CVE-2019-3844",
         "PkgName": "libudev1",
         "InstalledVersion": "237-3ubuntu10.25",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "systemd: services with DynamicUser can get new privileges and create SGID binaries",
         "Description": "It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.",
         "Severity": "MEDIUM",
@@ -794,6 +845,7 @@
         "PkgName": "libudev1",
         "InstalledVersion": "237-3ubuntu10.25",
         "FixedVersion": "237-3ubuntu10.28",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "systemd: systemd-resolved allows unprivileged users to configure DNS",
         "Description": "In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.",
         "Severity": "LOW",
@@ -809,6 +861,7 @@
         "VulnerabilityID": "CVE-2018-7738",
         "PkgName": "libuuid1",
         "InstalledVersion": "2.31.1-0.4ubuntu3.3",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "util-linux: Shell command injection in unescaped bash-completed mount point names",
         "Description": "In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.",
         "Severity": "HIGH",
@@ -826,6 +879,7 @@
         "PkgName": "libzstd1",
         "InstalledVersion": "1.3.3+dfsg-2ubuntu1",
         "FixedVersion": "1.3.3+dfsg-2ubuntu1.1",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Description": "A race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.",
         "Severity": "MEDIUM",
         "References": [
@@ -840,6 +894,7 @@
         "VulnerabilityID": "CVE-2018-7169",
         "PkgName": "login",
         "InstalledVersion": "1:4.5-1ubuntu2",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege escalation",
         "Description": "An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used \"group blacklisting\" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.",
         "Severity": "MEDIUM",
@@ -852,6 +907,7 @@
         "VulnerabilityID": "CVE-2013-4235",
         "PkgName": "login",
         "InstalledVersion": "1:4.5-1ubuntu2",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "shadow-utils: TOCTOU race conditions by copying and removing directory trees",
         "Description": "A TOCTOU race condition was discovered in shadow-utils. A local attacker with write privileges in a directory removed or copied by usermod/userdel could potentially exploit this flaw, when the administrator invokes usermod/userdel, to delete or modify other files on the system.",
         "Severity": "LOW"
@@ -860,6 +916,7 @@
         "VulnerabilityID": "CVE-2018-7738",
         "PkgName": "mount",
         "InstalledVersion": "2.31.1-0.4ubuntu3.3",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "util-linux: Shell command injection in unescaped bash-completed mount point names",
         "Description": "In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.",
         "Severity": "HIGH",
@@ -876,6 +933,7 @@
         "VulnerabilityID": "CVE-2018-7169",
         "PkgName": "passwd",
         "InstalledVersion": "1:4.5-1ubuntu2",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege escalation",
         "Description": "An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used \"group blacklisting\" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.",
         "Severity": "MEDIUM",
@@ -888,6 +946,7 @@
         "VulnerabilityID": "CVE-2013-4235",
         "PkgName": "passwd",
         "InstalledVersion": "1:4.5-1ubuntu2",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "shadow-utils: TOCTOU race conditions by copying and removing directory trees",
         "Description": "A TOCTOU race condition was discovered in shadow-utils. A local attacker with write privileges in a directory removed or copied by usermod/userdel could potentially exploit this flaw, when the administrator invokes usermod/userdel, to delete or modify other files on the system.",
         "Severity": "LOW"
@@ -896,6 +955,7 @@
         "VulnerabilityID": "CVE-2018-20482",
         "PkgName": "tar",
         "InstalledVersion": "1.29b-2ubuntu0.1",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "tar: Infinite read loop in sparse_dump_region function in sparse.c",
         "Description": "GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).",
         "Severity": "LOW",
@@ -916,6 +976,7 @@
         "VulnerabilityID": "CVE-2018-7738",
         "PkgName": "util-linux",
         "InstalledVersion": "2.31.1-0.4ubuntu3.3",
+        "LayerID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f",
         "Title": "util-linux: Shell command injection in unescaped bash-completed mount point names",
         "Description": "In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.",
         "Severity": "HIGH",

internal/app.go

@@ -104,6 +104,12 @@ var (
 		EnvVar: "TRIVY_DEBUG",
 	}
 
+	removedPkgsFlag = cli.BoolFlag{
+		Name:   "removed-pkgs",
+		Usage:  "detect vulnerabilities of removed packages (only for Alpine)",
+		EnvVar: "TRIVY_REMOVED_PKGS",
+	}
+
 	vulnTypeFlag = cli.StringFlag{
 		Name:   "vuln-type",
 		Value:  "os,library",
@@ -127,7 +133,7 @@ var (
 
 	timeoutFlag = cli.DurationFlag{
 		Name:   "timeout",
-		Value:  time.Second * 60,
+		Value:  time.Second * 120,
 		Usage:  "docker timeout",
 		EnvVar: "TRIVY_TIMEOUT",
 	}
@@ -192,6 +198,7 @@ OPTIONS:
 		noProgressFlag,
 		ignoreUnfixedFlag,
 		debugFlag,
+		removedPkgsFlag,
 		vulnTypeFlag,
 		cacheDirFlag,
 		ignoreFileFlag,
@@ -242,6 +249,7 @@ func NewClientCommand() cli.Command {
 			quietFlag,
 			ignoreUnfixedFlag,
 			debugFlag,
+			removedPkgsFlag,
 			vulnTypeFlag,
 			ignoreFileFlag,
 			cacheDirFlag,

internal/client/config/config.go

@@ -30,12 +30,13 @@ type Config struct {
 	Format   string
 	Template string
 
-	Timeout       time.Duration
-	vulnType      string
-	severities    string
-	IgnoreFile    string
-	IgnoreUnfixed bool
-	ExitCode      int
+	Timeout         time.Duration
+	ScanRemovedPkgs bool
+	vulnType        string
+	severities      string
+	IgnoreFile      string
+	IgnoreUnfixed   bool
+	ExitCode        int
 
 	RemoteAddr    string
 	token         string
@@ -73,12 +74,13 @@ func New(c *cli.Context) (Config, error) {
 		Format:   c.String("format"),
 		Template: c.String("template"),
 
-		Timeout:       c.Duration("timeout"),
-		vulnType:      c.String("vuln-type"),
-		severities:    c.String("severity"),
-		IgnoreFile:    c.String("ignorefile"),
-		IgnoreUnfixed: c.Bool("ignore-unfixed"),
-		ExitCode:      c.Int("exit-code"),
+		Timeout:         c.Duration("timeout"),
+		ScanRemovedPkgs: c.Bool("removed-pkgs"),
+		vulnType:        c.String("vuln-type"),
+		severities:      c.String("severity"),
+		IgnoreFile:      c.String("ignorefile"),
+		IgnoreUnfixed:   c.Bool("ignore-unfixed"),
+		ExitCode:        c.Int("exit-code"),
 
 		RemoteAddr:    c.String("remote"),
 		token:         c.String("token"),
@@ -108,6 +110,9 @@ func (c *Config) Init() (err error) {
 		c.logger.Error(`trivy requires at least 1 argument or --input option`)
 		cli.ShowAppHelp(c.context)
 		return xerrors.New("arguments error")
+	} else if len(args) > 1 {
+		c.logger.Error(`multiple images cannot be specified`)
+		return xerrors.New("arguments error")
 	}
 
 	c.Output = os.Stdout

internal/client/config/config_test.go

@@ -165,6 +165,17 @@ func TestConfig_Init(t *testing.T) {
 				CustomHeaders: make(http.Header),
 			},
 		},
+		{
+			name: "sad: multiple image names",
+			fields: fields{
+				severities: "MEDIUM",
+			},
+			args: []string{"centos:7", "alpine:3.10"},
+			logs: []string{
+				"multiple images cannot be specified",
+			},
+			wantErr: "arguments error",
+		},
 		{
 			name: "sad: no image name",
 			fields: fields{

internal/client/inject.go

@@ -3,18 +3,26 @@
 package client
 
 import (
+	"context"
+	"time"
+
 	"github.com/aquasecurity/fanal/cache"
-	"github.com/aquasecurity/trivy/pkg/rpc/client/library"
-	"github.com/aquasecurity/trivy/pkg/rpc/client/ospkg"
+	"github.com/aquasecurity/trivy/pkg/rpc/client"
 	"github.com/aquasecurity/trivy/pkg/scanner"
 	"github.com/aquasecurity/trivy/pkg/vulnerability"
 	"github.com/google/wire"
 )
 
-func initializeScanner(cacheClient cache.Cache, ospkgCustomHeaders ospkg.CustomHeaders, libraryCustomHeaders library.CustomHeaders,
-	ospkgURL ospkg.RemoteURL, libURL library.RemoteURL) scanner.Scanner {
-	wire.Build(scanner.ClientSet)
-	return scanner.Scanner{}
+func initializeDockerScanner(ctx context.Context, imageName string, layerCache cache.ImageCache, customHeaders client.CustomHeaders,
+	url client.RemoteURL, timeout time.Duration) (scanner.Scanner, func(), error) {
+	wire.Build(scanner.RemoteDockerSet)
+	return scanner.Scanner{}, nil, nil
+}
+
+func initializeArchiveScanner(ctx context.Context, filePath string, layerCache cache.ImageCache, customHeaders client.CustomHeaders,
+	url client.RemoteURL, timeout time.Duration) (scanner.Scanner, func(), error) {
+	wire.Build(scanner.RemoteArchiveSet)
+	return scanner.Scanner{}, nil, nil
 }
 
 func initializeVulnerabilityClient() vulnerability.Client {

internal/client/run.go

@@ -1,20 +1,19 @@
 package client
 
 import (
+	"context"
 	"os"
 
-	"github.com/urfave/cli"
-	"golang.org/x/xerrors"
-
-	"github.com/aquasecurity/fanal/cache"
 	"github.com/aquasecurity/trivy/internal/client/config"
-	"github.com/aquasecurity/trivy/internal/operation"
+	"github.com/aquasecurity/trivy/pkg/cache"
 	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/report"
-	"github.com/aquasecurity/trivy/pkg/rpc/client/library"
-	"github.com/aquasecurity/trivy/pkg/rpc/client/ospkg"
+	"github.com/aquasecurity/trivy/pkg/rpc/client"
+	"github.com/aquasecurity/trivy/pkg/scanner"
 	"github.com/aquasecurity/trivy/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/utils"
+	"github.com/urfave/cli"
+	"golang.org/x/xerrors"
 )
 
 func Run(cliCtx *cli.Context) error {
@@ -37,25 +36,42 @@ func run(c config.Config) (err error) {
 
 	// configure cache dir
 	utils.SetCacheDir(c.CacheDir)
-	cacheClient := cache.Initialize(c.CacheDir)
-	cacheOperation := operation.NewCache(cacheClient)
 	log.Logger.Debugf("cache dir:  %s", utils.CacheDir())
 
 	if c.ClearCache {
-		return cacheOperation.ClearImages()
+		log.Logger.Warn("A client doesn't have image cache")
+		return nil
 	}
 
+	var scanner scanner.Scanner
+	ctx := context.Background()
+	remoteCache := cache.NewRemoteCache(cache.RemoteURL(c.RemoteAddr), c.CustomHeaders)
+
+	var cleanup func()
+	if c.Input != "" {
+		// scan tar file
+		scanner, cleanup, err = initializeArchiveScanner(ctx, c.Input, remoteCache,
+			client.CustomHeaders(c.CustomHeaders), client.RemoteURL(c.RemoteAddr), c.Timeout)
+		if err != nil {
+			return xerrors.Errorf("unable to initialize the archive scanner: %w", err)
+		}
+	} else {
+		// scan an image in Docker Engine or Docker Registry
+		scanner, cleanup, err = initializeDockerScanner(ctx, c.ImageName, remoteCache,
+			client.CustomHeaders(c.CustomHeaders), client.RemoteURL(c.RemoteAddr), c.Timeout)
+		if err != nil {
+			return xerrors.Errorf("unable to initialize the docker scanner: %w", err)
+		}
+	}
+	defer cleanup()
+
 	scanOptions := types.ScanOptions{
-		VulnType:  c.VulnType,
-		Timeout:   c.Timeout,
-		RemoteURL: c.RemoteAddr,
+		VulnType:            c.VulnType,
+		ScanRemovedPackages: c.ScanRemovedPkgs,
 	}
 	log.Logger.Debugf("Vulnerability type:  %s", scanOptions.VulnType)
 
-	scanner := initializeScanner(cacheClient,
-		ospkg.CustomHeaders(c.CustomHeaders), library.CustomHeaders(c.CustomHeaders),
-		ospkg.RemoteURL(c.RemoteAddr), library.RemoteURL(c.RemoteAddr))
-	results, err := scanner.ScanImage(c.ImageName, c.Input, scanOptions)
+	results, err := scanner.ScanImage(scanOptions)
 	if err != nil {
 		return xerrors.Errorf("error in image scan: %w", err)
 	}

internal/client/wire_gen.go

@@ -6,31 +6,58 @@
 package client
 
 import (
+	"context"
+	"github.com/aquasecurity/fanal/analyzer"
 	"github.com/aquasecurity/fanal/cache"
+	"github.com/aquasecurity/fanal/extractor/docker"
 	"github.com/aquasecurity/trivy-db/pkg/db"
-	"github.com/aquasecurity/trivy/pkg/rpc/client/library"
-	"github.com/aquasecurity/trivy/pkg/rpc/client/ospkg"
+	"github.com/aquasecurity/trivy/pkg/rpc/client"
 	"github.com/aquasecurity/trivy/pkg/scanner"
-	library2 "github.com/aquasecurity/trivy/pkg/scanner/library"
-	ospkg2 "github.com/aquasecurity/trivy/pkg/scanner/ospkg"
+	"github.com/aquasecurity/trivy/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/vulnerability"
+	"time"
 )
 
 // Injectors from inject.go:
 
-func initializeScanner(cacheClient cache.Cache, ospkgCustomHeaders ospkg.CustomHeaders, libraryCustomHeaders library.CustomHeaders, ospkgURL ospkg.RemoteURL, libURL library.RemoteURL) scanner.Scanner {
-	osDetector := ospkg.NewProtobufClient(ospkgURL)
-	detector := ospkg.NewDetector(ospkgCustomHeaders, osDetector)
-	ospkgScanner := ospkg2.NewScanner(detector)
-	libDetector := library.NewProtobufClient(libURL)
-	libraryDetector := library.NewDetector(libraryCustomHeaders, libDetector)
-	libraryScanner := library2.NewScanner(libraryDetector)
-	scannerScanner := scanner.NewScanner(cacheClient, ospkgScanner, libraryScanner)
-	return scannerScanner
+func initializeDockerScanner(ctx context.Context, imageName string, layerCache cache.ImageCache, customHeaders client.CustomHeaders, url client.RemoteURL, timeout time.Duration) (scanner.Scanner, func(), error) {
+	scannerScanner := client.NewProtobufClient(url)
+	clientScanner := client.NewScanner(customHeaders, scannerScanner)
+	dockerOption, err := types.GetDockerOption(timeout)
+	if err != nil {
+		return scanner.Scanner{}, nil, err
+	}
+	extractor, cleanup, err := docker.NewDockerExtractor(ctx, imageName, dockerOption)
+	if err != nil {
+		return scanner.Scanner{}, nil, err
+	}
+	config := analyzer.New(extractor, layerCache)
+	scanner2 := scanner.NewScanner(clientScanner, config)
+	return scanner2, func() {
+		cleanup()
+	}, nil
+}
+
+func initializeArchiveScanner(ctx context.Context, filePath string, layerCache cache.ImageCache, customHeaders client.CustomHeaders, url client.RemoteURL, timeout time.Duration) (scanner.Scanner, func(), error) {
+	scannerScanner := client.NewProtobufClient(url)
+	clientScanner := client.NewScanner(customHeaders, scannerScanner)
+	dockerOption, err := types.GetDockerOption(timeout)
+	if err != nil {
+		return scanner.Scanner{}, nil, err
+	}
+	extractor, cleanup, err := docker.NewDockerArchiveExtractor(ctx, filePath, dockerOption)
+	if err != nil {
+		return scanner.Scanner{}, nil, err
+	}
+	config := analyzer.New(extractor, layerCache)
+	scanner2 := scanner.NewScanner(clientScanner, config)
+	return scanner2, func() {
+		cleanup()
+	}, nil
 }
 
 func initializeVulnerabilityClient() vulnerability.Client {
 	config := db.Config{}
-	client := vulnerability.NewClient(config)
-	return client
+	vulnerabilityClient := vulnerability.NewClient(config)
+	return vulnerabilityClient
 }

internal/operation/operation.go

@@ -14,15 +14,16 @@ import (
 )
 
 var SuperSet = wire.NewSet(
-	cache.Initialize,
+	cache.NewFSCache,
+	wire.Bind(new(cache.LocalImageCache), new(cache.FSCache)),
 	NewCache,
 )
 
 type Cache struct {
-	client cache.Cache
+	client cache.LocalImageCache
 }
 
-func NewCache(client cache.Cache) Cache {
+func NewCache(client cache.LocalImageCache) Cache {
 	return Cache{client: client}
 }
 

internal/server/run.go

@@ -1,6 +1,7 @@
 package server
 
 import (
+	"github.com/aquasecurity/fanal/cache"
 	"github.com/urfave/cli"
 	"golang.org/x/xerrors"
 
@@ -30,8 +31,13 @@ func run(c config.Config) (err error) {
 	utils.SetCacheDir(c.CacheDir)
 	log.Logger.Debugf("cache dir:  %s", utils.CacheDir())
 
+	fsCache, err := cache.NewFSCache(utils.CacheDir())
+	if err != nil {
+		return xerrors.Errorf("unable to initialize cache: %w", err)
+	}
+
 	// server doesn't have image cache
-	cacheOperation := operation.NewCache(nil)
+	cacheOperation := operation.NewCache(fsCache)
 	if c.Reset {
 		return cacheOperation.ClearDB()
 	}
@@ -49,5 +55,5 @@ func run(c config.Config) (err error) {
 		return nil
 	}
 
-	return server.ListenAndServe(c.Listen, c)
+	return server.ListenAndServe(c, fsCache)
 }

internal/standalone/config/config.go

@@ -33,13 +33,14 @@ type Config struct {
 	Format   string
 	Template string
 
-	Timeout       time.Duration
-	vulnType      string
-	Light         bool
-	severities    string
-	IgnoreFile    string
-	IgnoreUnfixed bool
-	ExitCode      int
+	Timeout         time.Duration
+	ScanRemovedPkgs bool
+	vulnType        string
+	Light           bool
+	severities      string
+	IgnoreFile      string
+	IgnoreUnfixed   bool
+	ExitCode        int
 
 	// these variables are generated by Init()
 	ImageName  string
@@ -82,13 +83,14 @@ func New(c *cli.Context) (Config, error) {
 		Format:   c.String("format"),
 		Template: c.String("template"),
 
-		Timeout:       c.Duration("timeout"),
-		vulnType:      c.String("vuln-type"),
-		Light:         c.Bool("light"),
-		severities:    c.String("severity"),
-		IgnoreFile:    c.String("ignorefile"),
-		IgnoreUnfixed: c.Bool("ignore-unfixed"),
-		ExitCode:      c.Int("exit-code"),
+		Timeout:         c.Duration("timeout"),
+		ScanRemovedPkgs: c.Bool("removed-pkgs"),
+		vulnType:        c.String("vuln-type"),
+		Light:           c.Bool("light"),
+		severities:      c.String("severity"),
+		IgnoreFile:      c.String("ignorefile"),
+		IgnoreUnfixed:   c.Bool("ignore-unfixed"),
+		ExitCode:        c.Int("exit-code"),
 
 		onlyUpdate:  c.String("only-update"),
 		refresh:     c.Bool("refresh"),
@@ -97,6 +99,16 @@ func New(c *cli.Context) (Config, error) {
 }
 
 func (c *Config) Init() (err error) {
+	if c.Template != "" {
+		if c.Format == "" {
+			c.logger.Warn("--template is ignored because --format template is not specified. Use --template option with --format template option.")
+		} else if c.Format != "template" {
+			c.logger.Warnf("--template is ignored because --format %s is specified. Use --template option with --format template option.", c.Format)
+		}
+	}
+	if c.Format == "template" && c.Template == "" {
+		c.logger.Warn("--format template is ignored because --template not is specified. Specify --template option when you use --format template.")
+	}
 	if c.onlyUpdate != "" || c.refresh || c.autoRefresh {
 		c.logger.Warn("--only-update, --refresh and --auto-refresh are unnecessary and ignored now. These commands will be removed in the next version.")
 	}
@@ -118,6 +130,9 @@ func (c *Config) Init() (err error) {
 		c.logger.Error(`trivy requires at least 1 argument or --input option`)
 		cli.ShowAppHelp(c.context)
 		return xerrors.New("arguments error")
+	} else if len(args) > 1 {
+		c.logger.Error(`multiple images cannot be specified`)
+		return xerrors.New("arguments error")
 	}
 
 	c.Output = os.Stdout

internal/standalone/config/config_test.go

@@ -168,6 +168,68 @@ func TestConfig_Init(t *testing.T) {
 				onlyUpdate: "alpine",
 			},
 		},
+		{
+			name: "invalid option combination: --template enabled without --format",
+			fields: fields{
+				Template:   "@contrib/gitlab.tpl",
+				severities: "LOW",
+			},
+			args: []string{"gitlab/gitlab-ce:12.7.2-ce.0"},
+			logs: []string{
+				"--template is ignored because --format template is not specified. Use --template option with --format template option.",
+			},
+			want: Config{
+				AppVersion: "0.0.0",
+				ImageName:  "gitlab/gitlab-ce:12.7.2-ce.0",
+				Output:     os.Stdout,
+				Severities: []dbTypes.Severity{dbTypes.SeverityLow},
+				severities: "LOW",
+				Template:   "@contrib/gitlab.tpl",
+				VulnType:   []string{""},
+			},
+		},
+		{
+			name: "invalid option combination: --template and --format json",
+			fields: fields{
+				Format:     "json",
+				Template:   "@contrib/gitlab.tpl",
+				severities: "LOW",
+			},
+			args: []string{"gitlab/gitlab-ce:12.7.2-ce.0"},
+			logs: []string{
+				"--template is ignored because --format json is specified. Use --template option with --format template option.",
+			},
+			want: Config{
+				AppVersion: "0.0.0",
+				Format:     "json",
+				ImageName:  "gitlab/gitlab-ce:12.7.2-ce.0",
+				Output:     os.Stdout,
+				Severities: []dbTypes.Severity{dbTypes.SeverityLow},
+				severities: "LOW",
+				Template:   "@contrib/gitlab.tpl",
+				VulnType:   []string{""},
+			},
+		},
+		{
+			name: "invalid option combination: --format template without --template",
+			fields: fields{
+				Format:     "template",
+				severities: "LOW",
+			},
+			args: []string{"gitlab/gitlab-ce:12.7.2-ce.0"},
+			logs: []string{
+				"--format template is ignored because --template not is specified. Specify --template option when you use --format template.",
+			},
+			want: Config{
+				AppVersion: "0.0.0",
+				Format:     "template",
+				ImageName:  "gitlab/gitlab-ce:12.7.2-ce.0",
+				Output:     os.Stdout,
+				Severities: []dbTypes.Severity{dbTypes.SeverityLow},
+				severities: "LOW",
+				VulnType:   []string{""},
+			},
+		},
 		{
 			name: "with latest tag",
 			fields: fields{
@@ -204,6 +266,17 @@ func TestConfig_Init(t *testing.T) {
 			},
 			wantErr: "The --skip-update and --download-db-only option can not be specified both",
 		},
+		{
+			name: "sad: multiple image names",
+			fields: fields{
+				severities: "MEDIUM",
+			},
+			args: []string{"centos:7", "alpine:3.10"},
+			logs: []string{
+				"multiple images cannot be specified",
+			},
+			wantErr: "arguments error",
+		},
 		{
 			name: "sad: no image name",
 			fields: fields{

internal/standalone/inject.go

@@ -3,21 +3,25 @@
 package standalone
 
 import (
+	"context"
+	"time"
+
 	"github.com/aquasecurity/fanal/cache"
-	"github.com/aquasecurity/trivy/internal/operation"
 	"github.com/aquasecurity/trivy/pkg/scanner"
 	"github.com/aquasecurity/trivy/pkg/vulnerability"
 	"github.com/google/wire"
 )
 
-func initializeCacheClient(cacheDir string) (operation.Cache, error) {
-	wire.Build(operation.SuperSet)
-	return operation.Cache{}, nil
+func initializeDockerScanner(ctx context.Context, imageName string, layerCache cache.ImageCache, localImageCache cache.LocalImageCache,
+	timeout time.Duration) (scanner.Scanner, func(), error) {
+	wire.Build(scanner.StandaloneDockerSet)
+	return scanner.Scanner{}, nil, nil
 }
 
-func initializeScanner(c cache.Cache) scanner.Scanner {
-	wire.Build(scanner.StandaloneSet)
-	return scanner.Scanner{}
+func initializeArchiveScanner(ctx context.Context, filePath string, layerCache cache.ImageCache, localImageCache cache.LocalImageCache,
+	timeout time.Duration) (scanner.Scanner, func(), error) {
+	wire.Build(scanner.StandaloneArchiveSet)
+	return scanner.Scanner{}, nil, nil
 }
 
 func initializeVulnerabilityClient() vulnerability.Client {

internal/standalone/run.go

@@ -1,6 +1,7 @@
 package standalone
 
 import (
+	"context"
 	"io/ioutil"
 	l "log"
 	"os"
@@ -12,6 +13,7 @@ import (
 	"github.com/aquasecurity/trivy/internal/standalone/config"
 	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/report"
+	"github.com/aquasecurity/trivy/pkg/scanner"
 	"github.com/aquasecurity/trivy/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/utils"
 	"github.com/urfave/cli"
@@ -38,7 +40,11 @@ func run(c config.Config) (err error) {
 
 	// configure cache dir
 	utils.SetCacheDir(c.CacheDir)
-	cacheClient := cache.Initialize(c.CacheDir)
+	cacheClient, err := cache.NewFSCache(c.CacheDir)
+	if err != nil {
+		return xerrors.Errorf("unable to initialize the cache: %w", err)
+	}
+
 	cacheOperation := operation.NewCache(cacheClient)
 	log.Logger.Debugf("cache dir:  %s", utils.CacheDir())
 
@@ -63,14 +69,32 @@ func run(c config.Config) (err error) {
 		return nil
 	}
 
+	var scanner scanner.Scanner
+	ctx := context.Background()
+
+	var cleanup func()
+	if c.Input != "" {
+		// scan tar file
+		scanner, cleanup, err = initializeArchiveScanner(ctx, c.Input, cacheClient, cacheClient, c.Timeout)
+		if err != nil {
+			return xerrors.Errorf("unable to initialize the archive scanner: %w", err)
+		}
+	} else {
+		// scan an image in Docker Engine or Docker Registry
+		scanner, cleanup, err = initializeDockerScanner(ctx, c.ImageName, cacheClient, cacheClient, c.Timeout)
+		if err != nil {
+			return xerrors.Errorf("unable to initialize the docker scanner: %w", err)
+		}
+	}
+	defer cleanup()
+
 	scanOptions := types.ScanOptions{
-		VulnType: c.VulnType,
-		Timeout:  c.Timeout,
+		VulnType:            c.VulnType,
+		ScanRemovedPackages: c.ScanRemovedPkgs,
 	}
 	log.Logger.Debugf("Vulnerability type:  %s", scanOptions.VulnType)
 
-	scanner := initializeScanner(cacheClient)
-	results, err := scanner.ScanImage(c.ImageName, c.Input, scanOptions)
+	results, err := scanner.ScanImage(scanOptions)
 	if err != nil {
 		return xerrors.Errorf("error in image scan: %w", err)
 	}

internal/standalone/wire_gen.go

@@ -6,33 +6,62 @@
 package standalone
 
 import (
+	"context"
+	"github.com/aquasecurity/fanal/analyzer"
 	"github.com/aquasecurity/fanal/cache"
+	"github.com/aquasecurity/fanal/extractor/docker"
 	"github.com/aquasecurity/trivy-db/pkg/db"
-	"github.com/aquasecurity/trivy/internal/operation"
 	"github.com/aquasecurity/trivy/pkg/detector/library"
 	"github.com/aquasecurity/trivy/pkg/detector/ospkg"
 	"github.com/aquasecurity/trivy/pkg/scanner"
-	library2 "github.com/aquasecurity/trivy/pkg/scanner/library"
-	ospkg2 "github.com/aquasecurity/trivy/pkg/scanner/ospkg"
+	"github.com/aquasecurity/trivy/pkg/scanner/local"
+	"github.com/aquasecurity/trivy/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/vulnerability"
+	"time"
 )
 
 // Injectors from inject.go:
 
-func initializeCacheClient(cacheDir string) (operation.Cache, error) {
-	cacheCache := cache.Initialize(cacheDir)
-	operationCache := operation.NewCache(cacheCache)
-	return operationCache, nil
-}
-
-func initializeScanner(c cache.Cache) scanner.Scanner {
+func initializeDockerScanner(ctx context.Context, imageName string, layerCache cache.ImageCache, localImageCache cache.LocalImageCache, timeout time.Duration) (scanner.Scanner, func(), error) {
+	applier := analyzer.NewApplier(localImageCache)
 	detector := ospkg.Detector{}
-	ospkgScanner := ospkg2.NewScanner(detector)
 	driverFactory := library.DriverFactory{}
 	libraryDetector := library.NewDetector(driverFactory)
-	libraryScanner := library2.NewScanner(libraryDetector)
-	scannerScanner := scanner.NewScanner(c, ospkgScanner, libraryScanner)
-	return scannerScanner
+	localScanner := local.NewScanner(applier, detector, libraryDetector)
+	dockerOption, err := types.GetDockerOption(timeout)
+	if err != nil {
+		return scanner.Scanner{}, nil, err
+	}
+	extractor, cleanup, err := docker.NewDockerExtractor(ctx, imageName, dockerOption)
+	if err != nil {
+		return scanner.Scanner{}, nil, err
+	}
+	config := analyzer.New(extractor, layerCache)
+	scannerScanner := scanner.NewScanner(localScanner, config)
+	return scannerScanner, func() {
+		cleanup()
+	}, nil
+}
+
+func initializeArchiveScanner(ctx context.Context, filePath string, layerCache cache.ImageCache, localImageCache cache.LocalImageCache, timeout time.Duration) (scanner.Scanner, func(), error) {
+	applier := analyzer.NewApplier(localImageCache)
+	detector := ospkg.Detector{}
+	driverFactory := library.DriverFactory{}
+	libraryDetector := library.NewDetector(driverFactory)
+	localScanner := local.NewScanner(applier, detector, libraryDetector)
+	dockerOption, err := types.GetDockerOption(timeout)
+	if err != nil {
+		return scanner.Scanner{}, nil, err
+	}
+	extractor, cleanup, err := docker.NewDockerArchiveExtractor(ctx, filePath, dockerOption)
+	if err != nil {
+		return scanner.Scanner{}, nil, err
+	}
+	config := analyzer.New(extractor, layerCache)
+	scannerScanner := scanner.NewScanner(localScanner, config)
+	return scannerScanner, func() {
+		cleanup()
+	}, nil
 }
 
 func initializeVulnerabilityClient() vulnerability.Client {

pkg/cache/remote.go

@@ -0,0 +1,51 @@
+package cache
+
+import (
+	"context"
+	"net/http"
+
+	"golang.org/x/xerrors"
+
+	"github.com/aquasecurity/fanal/cache"
+	"github.com/aquasecurity/fanal/types"
+	"github.com/aquasecurity/trivy/pkg/rpc"
+	"github.com/aquasecurity/trivy/pkg/rpc/client"
+	rpcCache "github.com/aquasecurity/trivy/rpc/cache"
+)
+
+type RemoteCache struct {
+	ctx    context.Context // for custom header
+	client rpcCache.Cache
+}
+
+type RemoteURL string
+
+func NewRemoteCache(url RemoteURL, customHeaders http.Header) cache.ImageCache {
+	ctx := client.WithCustomHeaders(context.Background(), customHeaders)
+	c := rpcCache.NewCacheProtobufClient(string(url), &http.Client{})
+	return &RemoteCache{ctx: ctx, client: c}
+}
+
+func (c RemoteCache) PutImage(imageID string, imageInfo types.ImageInfo) error {
+	_, err := c.client.PutImage(c.ctx, rpc.ConvertToRpcImageInfo(imageID, imageInfo))
+	if err != nil {
+		return xerrors.Errorf("unable to store cache on the server: %w", err)
+	}
+	return nil
+}
+
+func (c RemoteCache) PutLayer(layerID, decompressedLayerID string, layerInfo types.LayerInfo) error {
+	_, err := c.client.PutLayer(c.ctx, rpc.ConvertToRpcLayerInfo(layerID, decompressedLayerID, layerInfo))
+	if err != nil {
+		return xerrors.Errorf("unable to store cache on the server: %w", err)
+	}
+	return nil
+}
+
+func (c RemoteCache) MissingLayers(imageID string, layerIDs []string) (bool, []string, error) {
+	layers, err := c.client.MissingLayers(c.ctx, rpc.ConvertToMissingLayersRequest(imageID, layerIDs))
+	if err != nil {
+		return false, nil, xerrors.Errorf("unable to fetch missing layers: %w", err)
+	}
+	return layers.MissingImage, layers.MissingLayerIds, nil
+}

pkg/cache/remote_test.go

@@ -0,0 +1,294 @@
+package cache_test
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+	"time"
+
+	google_protobuf "github.com/golang/protobuf/ptypes/empty"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/twitchtv/twirp"
+	"golang.org/x/xerrors"
+
+	fcache "github.com/aquasecurity/fanal/cache"
+	"github.com/aquasecurity/fanal/types"
+	"github.com/aquasecurity/trivy/pkg/cache"
+	rpcCache "github.com/aquasecurity/trivy/rpc/cache"
+	"github.com/aquasecurity/trivy/rpc/detector"
+)
+
+type mockCacheServer struct {
+	cache fcache.Cache
+}
+
+func (s *mockCacheServer) PutImage(_ context.Context, in *rpcCache.PutImageRequest) (*google_protobuf.Empty, error) {
+	if strings.Contains(in.ImageId, "invalid") {
+		return &google_protobuf.Empty{}, xerrors.New("invalid image ID")
+	}
+	return &google_protobuf.Empty{}, nil
+}
+
+func (s *mockCacheServer) PutLayer(_ context.Context, in *rpcCache.PutLayerRequest) (*google_protobuf.Empty, error) {
+	if strings.Contains(in.LayerId, "invalid") {
+		return &google_protobuf.Empty{}, xerrors.New("invalid layer ID")
+	}
+	return &google_protobuf.Empty{}, nil
+}
+
+func (s *mockCacheServer) MissingLayers(_ context.Context, in *rpcCache.MissingLayersRequest) (*rpcCache.MissingLayersResponse, error) {
+	var layerIDs []string
+	for _, layerID := range in.LayerIds[:len(in.LayerIds)-1] {
+		if strings.Contains(layerID, "invalid") {
+			return nil, xerrors.New("invalid layer ID")
+		}
+		layerIDs = append(layerIDs, layerID)
+	}
+	return &rpcCache.MissingLayersResponse{MissingImage: true, MissingLayerIds: layerIDs}, nil
+}
+
+func withToken(base http.Handler, token, tokenHeader string) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if token != "" && token != r.Header.Get(tokenHeader) {
+			detector.WriteError(w, twirp.NewError(twirp.Unauthenticated, "invalid token"))
+			return
+		}
+		base.ServeHTTP(w, r)
+	})
+}
+
+func TestRemoteCache_PutImage(t *testing.T) {
+	mux := http.NewServeMux()
+	layerHandler := rpcCache.NewCacheServer(new(mockCacheServer), nil)
+	mux.Handle(rpcCache.CachePathPrefix, withToken(layerHandler, "valid-token", "Trivy-Token"))
+	ts := httptest.NewServer(mux)
+
+	type args struct {
+		imageID       string
+		imageInfo     types.ImageInfo
+		customHeaders http.Header
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr string
+	}{
+		{
+			name: "happy path",
+			args: args{
+				imageID: "sha256:e7d92cdc71feacf90708cb59182d0df1b911f8ae022d29e8e95d75ca6a99776a",
+				imageInfo: types.ImageInfo{
+					SchemaVersion: 1,
+					Architecture:  "amd64",
+					Created:       time.Time{},
+					DockerVersion: "18.06",
+					OS:            "linux",
+					HistoryPackages: []types.Package{
+						{
+							Name:    "musl",
+							Version: "1.2.3",
+						},
+					},
+				},
+				customHeaders: http.Header{
+					"Trivy-Token": []string{"valid-token"},
+				},
+			},
+		},
+		{
+			name: "sad path",
+			args: args{
+				imageID: "sha256:invalid",
+				imageInfo: types.ImageInfo{
+					SchemaVersion: 1,
+					Architecture:  "amd64",
+					Created:       time.Time{},
+					DockerVersion: "18.06",
+					OS:            "linux",
+					HistoryPackages: []types.Package{
+						{
+							Name:    "musl",
+							Version: "1.2.3",
+						},
+					},
+				},
+				customHeaders: http.Header{
+					"Trivy-Token": []string{"valid-token"},
+				},
+			},
+			wantErr: "twirp error internal",
+		},
+		{
+			name: "sad path: invalid token",
+			args: args{
+				imageID: "sha256:invalid",
+				customHeaders: http.Header{
+					"Trivy-Token": []string{"invalid-token"},
+				},
+			},
+			wantErr: "twirp error unauthenticated",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := cache.NewRemoteCache(cache.RemoteURL(ts.URL), tt.args.customHeaders)
+			err := c.PutImage(tt.args.imageID, tt.args.imageInfo)
+			if tt.wantErr != "" {
+				require.NotNil(t, err, tt.name)
+				assert.Contains(t, err.Error(), tt.wantErr, tt.name)
+				return
+			} else {
+				assert.NoError(t, err, tt.name)
+			}
+		})
+	}
+}
+
+func TestRemoteCache_PutLayer(t *testing.T) {
+	mux := http.NewServeMux()
+	layerHandler := rpcCache.NewCacheServer(new(mockCacheServer), nil)
+	mux.Handle(rpcCache.CachePathPrefix, withToken(layerHandler, "valid-token", "Trivy-Token"))
+	ts := httptest.NewServer(mux)
+
+	type args struct {
+		layerID             string
+		decompressedLayerID string
+		layerInfo           types.LayerInfo
+		customHeaders       http.Header
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr string
+	}{
+		{
+			name: "happy path",
+			args: args{
+				layerID:             "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
+				decompressedLayerID: "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
+				customHeaders: http.Header{
+					"Trivy-Token": []string{"valid-token"},
+				},
+			},
+		},
+		{
+			name: "sad path",
+			args: args{
+				layerID:             "sha256:invalid",
+				decompressedLayerID: "sha256:invalid",
+				customHeaders: http.Header{
+					"Trivy-Token": []string{"valid-token"},
+				},
+			},
+			wantErr: "twirp error internal",
+		},
+		{
+			name: "sad path: invalid token",
+			args: args{
+				layerID:             "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
+				decompressedLayerID: "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
+				customHeaders: http.Header{
+					"Trivy-Token": []string{"invalid-token"},
+				},
+			},
+			wantErr: "twirp error unauthenticated",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := cache.NewRemoteCache(cache.RemoteURL(ts.URL), tt.args.customHeaders)
+			err := c.PutLayer(tt.args.layerID, tt.args.decompressedLayerID, tt.args.layerInfo)
+			if tt.wantErr != "" {
+				require.NotNil(t, err, tt.name)
+				assert.Contains(t, err.Error(), tt.wantErr, tt.name)
+				return
+			} else {
+				assert.NoError(t, err, tt.name)
+			}
+		})
+	}
+}
+
+func TestRemoteCache_MissingLayers(t *testing.T) {
+	mux := http.NewServeMux()
+	layerHandler := rpcCache.NewCacheServer(new(mockCacheServer), nil)
+	mux.Handle(rpcCache.CachePathPrefix, withToken(layerHandler, "valid-token", "Trivy-Token"))
+	ts := httptest.NewServer(mux)
+
+	type args struct {
+		imageID       string
+		layerIDs      []string
+		customHeaders http.Header
+	}
+	tests := []struct {
+		name                string
+		args                args
+		wantMissingImage    bool
+		wantMissingLayerIDs []string
+		wantErr             string
+	}{
+		{
+			name: "happy path",
+			args: args{
+				imageID: "sha256:e7d92cdc71feacf90708cb59182d0df1b911f8ae022d29e8e95d75ca6a99776a",
+				layerIDs: []string{
+					"sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+					"sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
+				},
+				customHeaders: http.Header{
+					"Trivy-Token": []string{"valid-token"},
+				},
+			},
+			wantMissingImage: true,
+			wantMissingLayerIDs: []string{
+				"sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+			},
+		},
+		{
+			name: "sad path",
+			args: args{
+				imageID: "sha256:e7d92cdc71feacf90708cb59182d0df1b911f8ae022d29e8e95d75ca6a99776a",
+				layerIDs: []string{
+					"sha256:invalid",
+					"sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
+				},
+				customHeaders: http.Header{
+					"Trivy-Token": []string{"valid-token"},
+				},
+			},
+			wantErr: "twirp error internal",
+		},
+		{
+			name: "sad path with invalid token",
+			args: args{
+				imageID: "sha256:e7d92cdc71feacf90708cb59182d0df1b911f8ae022d29e8e95d75ca6a99776a",
+				layerIDs: []string{
+					"sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
+				},
+				customHeaders: http.Header{
+					"Trivy-Token": []string{"invalid-token"},
+				},
+			},
+			wantErr: "twirp error unauthenticated",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := cache.NewRemoteCache(cache.RemoteURL(ts.URL), tt.args.customHeaders)
+			gotMissingImage, gotMissingLayerIDs, err := c.MissingLayers(tt.args.imageID, tt.args.layerIDs)
+			if tt.wantErr != "" {
+				require.NotNil(t, err, tt.name)
+				assert.Contains(t, err.Error(), tt.wantErr, tt.name)
+				return
+			} else {
+				require.NoError(t, err, tt.name)
+			}
+
+			assert.Equal(t, tt.wantMissingImage, gotMissingImage)
+			assert.Equal(t, tt.wantMissingLayerIDs, gotMissingLayerIDs)
+		})
+	}
+}

pkg/detector/library/detect.go

@@ -2,14 +2,15 @@ package library
 
 import (
 	"path/filepath"
+	"time"
+
+	ftypes "github.com/aquasecurity/fanal/types"
 
 	"github.com/google/wire"
 
 	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/knqyf263/go-version"
 
-	ptypes "github.com/aquasecurity/go-dep-parser/pkg/types"
-
 	"golang.org/x/xerrors"
 
 	"github.com/aquasecurity/trivy/pkg/types"
@@ -23,7 +24,7 @@ var SuperSet = wire.NewSet(
 )
 
 type Operation interface {
-	Detect(string, []ptypes.Library) ([]types.DetectedVulnerability, error)
+	Detect(imageName string, filePath string, created time.Time, pkgs []ftypes.LibraryInfo) (vulns []types.DetectedVulnerability, err error)
 }
 
 type Detector struct {
@@ -34,7 +35,7 @@ func NewDetector(factory Factory) Detector {
 	return Detector{driverFactory: factory}
 }
 
-func (d Detector) Detect(filePath string, pkgs []ptypes.Library) ([]types.DetectedVulnerability, error) {
+func (d Detector) Detect(_, filePath string, _ time.Time, pkgs []ftypes.LibraryInfo) ([]types.DetectedVulnerability, error) {
 	log.Logger.Debugf("Detecting library vulnerabilities, path: %s", filePath)
 	driver := d.driverFactory.NewDriver(filepath.Base(filePath))
 	if driver == nil {
@@ -49,21 +50,25 @@ func (d Detector) Detect(filePath string, pkgs []ptypes.Library) ([]types.Detect
 	return vulns, nil
 }
 
-func detect(driver Driver, libs []ptypes.Library) ([]types.DetectedVulnerability, error) {
+func detect(driver Driver, libs []ftypes.LibraryInfo) ([]types.DetectedVulnerability, error) {
 	log.Logger.Infof("Detecting %s vulnerabilities...", driver.Type())
 	var vulnerabilities []types.DetectedVulnerability
 	for _, lib := range libs {
-		v, err := version.NewVersion(lib.Version)
+		v, err := version.NewVersion(lib.Library.Version)
 		if err != nil {
 			log.Logger.Debugf("invalid version, library: %s, version: %s, error: %s\n",
-				lib.Name, lib.Version, err)
+				lib.Library.Name, lib.Library.Version, err)
 			continue
 		}
 
-		vulns, err := driver.Detect(lib.Name, v)
+		vulns, err := driver.Detect(lib.Library.Name, v)
 		if err != nil {
 			return nil, xerrors.Errorf("failed to detect %s vulnerabilities: %w", driver.Type(), err)
 		}
+
+		for i := range vulns {
+			vulns[i].LayerID = lib.LayerID
+		}
 		vulnerabilities = append(vulnerabilities, vulns...)
 	}
 

pkg/detector/library/detector_mock.go

@@ -1,46 +0,0 @@
-package library
-
-import (
-	ptypes "github.com/aquasecurity/go-dep-parser/pkg/types"
-	"github.com/aquasecurity/trivy/pkg/types"
-	"github.com/stretchr/testify/mock"
-)
-
-type MockDetector struct {
-	mock.Mock
-}
-
-type DetectInput struct {
-	FilePath string
-	Libs     []ptypes.Library
-}
-type DetectOutput struct {
-	Vulns []types.DetectedVulnerability
-	Err   error
-}
-type DetectExpectation struct {
-	Args       DetectInput
-	ReturnArgs DetectOutput
-}
-
-func NewMockDetector(detectExpectations []DetectExpectation) *MockDetector {
-	mockDetector := new(MockDetector)
-	for _, e := range detectExpectations {
-		mockDetector.On("Detect", e.Args.FilePath, e.Args.Libs).Return(
-			e.ReturnArgs.Vulns, e.ReturnArgs.Err)
-	}
-	return mockDetector
-}
-
-func (_m *MockDetector) Detect(a string, b []ptypes.Library) ([]types.DetectedVulnerability, error) {
-	ret := _m.Called(a, b)
-	ret0 := ret.Get(0)
-	if ret0 == nil {
-		return nil, ret.Error(1)
-	}
-	vulns, ok := ret0.([]types.DetectedVulnerability)
-	if !ok {
-		return nil, ret.Error(1)
-	}
-	return vulns, ret.Error(1)
-}

pkg/detector/library/mock_operation.go

@@ -0,0 +1,88 @@
+// Code generated by mockery v1.0.0. DO NOT EDIT.
+
+package library
+
+import mock "github.com/stretchr/testify/mock"
+import pkgtypes "github.com/aquasecurity/trivy/pkg/types"
+import time "time"
+import types "github.com/aquasecurity/fanal/types"
+
+// MockOperation is an autogenerated mock type for the Operation type
+type MockOperation struct {
+	mock.Mock
+}
+
+type OperationDetectArgs struct {
+	ImageName         string
+	ImageNameAnything bool
+	FilePath          string
+	FilePathAnything  bool
+	Created           time.Time
+	CreatedAnything   bool
+	Pkgs              []types.LibraryInfo
+	PkgsAnything      bool
+}
+
+type OperationDetectReturns struct {
+	Vulns []pkgtypes.DetectedVulnerability
+	Err   error
+}
+
+type OperationDetectExpectation struct {
+	Args    OperationDetectArgs
+	Returns OperationDetectReturns
+}
+
+func (_m *MockOperation) ApplyDetectExpectation(e OperationDetectExpectation) {
+	var args []interface{}
+	if e.Args.ImageNameAnything {
+		args = append(args, mock.Anything)
+	} else {
+		args = append(args, e.Args.ImageName)
+	}
+	if e.Args.FilePathAnything {
+		args = append(args, mock.Anything)
+	} else {
+		args = append(args, e.Args.FilePath)
+	}
+	if e.Args.CreatedAnything {
+		args = append(args, mock.Anything)
+	} else {
+		args = append(args, e.Args.Created)
+	}
+	if e.Args.PkgsAnything {
+		args = append(args, mock.Anything)
+	} else {
+		args = append(args, e.Args.Pkgs)
+	}
+	_m.On("Detect", args...).Return(e.Returns.Vulns, e.Returns.Err)
+}
+
+func (_m *MockOperation) ApplyDetectExpectations(expectations []OperationDetectExpectation) {
+	for _, e := range expectations {
+		_m.ApplyDetectExpectation(e)
+	}
+}
+
+// Detect provides a mock function with given fields: imageName, filePath, created, pkgs
+func (_m *MockOperation) Detect(imageName string, filePath string, created time.Time, pkgs []types.LibraryInfo) ([]pkgtypes.DetectedVulnerability, error) {
+	ret := _m.Called(imageName, filePath, created, pkgs)
+
+	var r0 []pkgtypes.DetectedVulnerability
+	if rf, ok := ret.Get(0).(func(string, string, time.Time, []types.LibraryInfo) []pkgtypes.DetectedVulnerability); ok {
+		r0 = rf(imageName, filePath, created, pkgs)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]pkgtypes.DetectedVulnerability)
+		}
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(string, string, time.Time, []types.LibraryInfo) error); ok {
+		r1 = rf(imageName, filePath, created, pkgs)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}

pkg/detector/ospkg/alpine/alpine.go

@@ -7,7 +7,7 @@ import (
 	version "github.com/knqyf263/go-deb-version"
 	"golang.org/x/xerrors"
 
-	"github.com/aquasecurity/fanal/analyzer"
+	ftypes "github.com/aquasecurity/fanal/types"
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/alpine"
 	"github.com/aquasecurity/trivy/pkg/log"
@@ -50,7 +50,7 @@ func NewScanner() *Scanner {
 	}
 }
 
-func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.DetectedVulnerability, error) {
+func (s *Scanner) Detect(osVer string, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
 	log.Logger.Info("Detecting Alpine vulnerabilities...")
 	if strings.Count(osVer, ".") > 1 {
 		osVer = osVer[:strings.LastIndex(osVer, ".")]
@@ -85,6 +85,7 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.Detecte
 					PkgName:          pkg.Name,
 					InstalledVersion: installed,
 					FixedVersion:     adv.FixedVersion,
+					LayerID:          pkg.LayerID,
 				}
 				vulns = append(vulns, vuln)
 			}

pkg/detector/ospkg/alpine/alpine_test.go

@@ -6,9 +6,10 @@ import (
 	"testing"
 	"time"
 
+	ftypes "github.com/aquasecurity/fanal/types"
+
 	"github.com/stretchr/testify/assert"
 
-	"github.com/aquasecurity/fanal/analyzer"
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/types"
 
@@ -23,7 +24,7 @@ func TestMain(m *testing.M) {
 func TestScanner_Detect(t *testing.T) {
 	type args struct {
 		osVer string
-		pkgs  []analyzer.Package
+		pkgs  []ftypes.Package
 	}
 	type getInput struct {
 		osVer   string
@@ -52,10 +53,11 @@ func TestScanner_Detect(t *testing.T) {
 			name: "happy path",
 			args: args{
 				osVer: "3.10.2",
-				pkgs: []analyzer.Package{
+				pkgs: []ftypes.Package{
 					{
 						Name:    "ansible",
 						Version: "2.6.4",
+						LayerID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
 					},
 					{
 						Name:    "invalid",
@@ -102,6 +104,7 @@ func TestScanner_Detect(t *testing.T) {
 					VulnerabilityID:  "CVE-2019-10217",
 					InstalledVersion: "2.6.4",
 					FixedVersion:     "2.8.4-r0",
+					LayerID:          "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
 				},
 			},
 		},
@@ -109,7 +112,7 @@ func TestScanner_Detect(t *testing.T) {
 			name: "contain rc",
 			args: args{
 				osVer: "3.9",
-				pkgs: []analyzer.Package{
+				pkgs: []ftypes.Package{
 					{
 						Name:    "jq",
 						Version: "1.6-r0",
@@ -150,7 +153,7 @@ func TestScanner_Detect(t *testing.T) {
 			name: "Get returns an error",
 			args: args{
 				osVer: "3.8.1",
-				pkgs: []analyzer.Package{
+				pkgs: []ftypes.Package{
 					{
 						Name:    "jq",
 						Version: "1.6-r0",

pkg/detector/ospkg/amazon/amazon.go

@@ -3,12 +3,11 @@ package amazon
 import (
 	"strings"
 
-	"go.uber.org/zap"
-
 	version "github.com/knqyf263/go-deb-version"
+	"go.uber.org/zap"
 	"golang.org/x/xerrors"
 
-	"github.com/aquasecurity/fanal/analyzer"
+	ftypes "github.com/aquasecurity/fanal/types"
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/amazon"
 	"github.com/aquasecurity/trivy/pkg/log"
@@ -28,7 +27,7 @@ func NewScanner() *Scanner {
 	}
 }
 
-func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.DetectedVulnerability, error) {
+func (s *Scanner) Detect(osVer string, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
 	log.Logger.Info("Detecting Amazon Linux vulnerabilities...")
 
 	osVer = strings.Fields(osVer)[0]
@@ -69,6 +68,7 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.Detecte
 					PkgName:          pkg.Name,
 					InstalledVersion: installed,
 					FixedVersion:     adv.FixedVersion,
+					LayerID:          pkg.LayerID,
 				}
 				vulns = append(vulns, vuln)
 			}

pkg/detector/ospkg/amazon/amazon_test.go

@@ -9,7 +9,7 @@ import (
 	"go.uber.org/zap/zapcore"
 	"go.uber.org/zap/zaptest/observer"
 
-	"github.com/aquasecurity/fanal/analyzer"
+	ftypes "github.com/aquasecurity/fanal/types"
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/types"
@@ -52,13 +52,14 @@ func TestScanner_Detect(t *testing.T) {
 			},
 		}
 
-		vuls, err := s.Detect("3.1.0", []analyzer.Package{
+		vuls, err := s.Detect("3.1.0", []ftypes.Package{
 			{
 				Name:       "testpkg",
 				Version:    "2.1.0",
 				Release:    "hotfix",
 				SrcRelease: "test-hotfix",
 				SrcVersion: "2.1.0",
+				LayerID:    "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
 			},
 			{
 				Name: "foopkg",
@@ -71,6 +72,7 @@ func TestScanner_Detect(t *testing.T) {
 				PkgName:          "testpkg",
 				InstalledVersion: "2.1.0-hotfix",
 				FixedVersion:     "3.0.0",
+				LayerID:          "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
 			},
 		}, vuls)
 
@@ -89,7 +91,7 @@ func TestScanner_Detect(t *testing.T) {
 				},
 			},
 		}
-		vuls, err := s.Detect("foo", []analyzer.Package{
+		vuls, err := s.Detect("foo", []ftypes.Package{
 			{
 				Name: "testpkg",
 			},
@@ -115,7 +117,7 @@ func TestScanner_Detect(t *testing.T) {
 			},
 		}
 
-		vuls, err := s.Detect("3.1.0", []analyzer.Package{
+		vuls, err := s.Detect("3.1.0", []ftypes.Package{
 			{
 				Name:    "testpkg",
 				Version: "badsourceversion",
@@ -144,7 +146,7 @@ func TestScanner_Detect(t *testing.T) {
 			},
 		}
 
-		vuls, err := s.Detect("3.1.0", []analyzer.Package{
+		vuls, err := s.Detect("3.1.0", []ftypes.Package{
 			{
 				Name:    "testpkg",
 				Version: "3.1.0",

pkg/detector/ospkg/debian/debian.go

@@ -10,7 +10,7 @@ import (
 	version "github.com/knqyf263/go-deb-version"
 	"golang.org/x/xerrors"
 
-	"github.com/aquasecurity/fanal/analyzer"
+	ftypes "github.com/aquasecurity/fanal/types"
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/scanner/utils"
@@ -52,7 +52,7 @@ func NewScanner() *Scanner {
 	}
 }
 
-func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.DetectedVulnerability, error) {
+func (s *Scanner) Detect(osVer string, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
 	log.Logger.Info("Detecting Debian vulnerabilities...")
 
 	if strings.Count(osVer, ".") > 0 {
@@ -88,6 +88,7 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.Detecte
 					PkgName:          pkg.Name,
 					InstalledVersion: installed,
 					FixedVersion:     adv.FixedVersion,
+					LayerID:          pkg.LayerID,
 				}
 				vulns = append(vulns, vuln)
 			}
@@ -101,6 +102,8 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.Detecte
 				VulnerabilityID:  adv.VulnerabilityID,
 				PkgName:          pkg.Name,
 				InstalledVersion: installed,
+				//FixedVersion: adv.FixedVersion, // TODO: Why is this missing?
+				LayerID: pkg.LayerID,
 			}
 			vulns = append(vulns, vuln)
 		}

pkg/detector/ospkg/debian/debian_test.go

@@ -5,9 +5,52 @@ import (
 	"testing"
 	"time"
 
+	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
+
+	ftypes "github.com/aquasecurity/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/aquasecurity/trivy/pkg/types"
+	"github.com/stretchr/testify/assert"
 )
 
+type MockOvalConfig struct {
+	update func(string) error
+	get    func(string, string) ([]dbTypes.Advisory, error)
+}
+
+func (mdc MockOvalConfig) Update(a string) error {
+	if mdc.update != nil {
+		return mdc.update(a)
+	}
+	return nil
+}
+
+func (mdc MockOvalConfig) Get(a string, b string) ([]dbTypes.Advisory, error) {
+	if mdc.get != nil {
+		return mdc.get(a, b)
+	}
+	return []dbTypes.Advisory{}, nil
+}
+
+type MockDebianConfig struct {
+	update func(string) error
+	get    func(string, string) ([]dbTypes.Advisory, error)
+}
+
+func (mdc MockDebianConfig) Update(a string) error {
+	if mdc.update != nil {
+		return mdc.update(a)
+	}
+	return nil
+}
+
+func (mdc MockDebianConfig) Get(a string, b string) ([]dbTypes.Advisory, error) {
+	if mdc.get != nil {
+		return mdc.get(a, b)
+	}
+	return []dbTypes.Advisory{}, nil
+}
+
 func TestMain(m *testing.M) {
 	log.InitLogger(false, false)
 	os.Exit(m.Run())
@@ -62,3 +105,63 @@ func TestScanner_IsSupportedVersion(t *testing.T) {
 		})
 	}
 }
+
+func TestScanner_Detect(t *testing.T) {
+	t.Run("happy path", func(t *testing.T) {
+		s := &Scanner{
+			vs: MockDebianConfig{
+				get: func(s string, s2 string) (advisories []dbTypes.Advisory, err error) {
+					return []dbTypes.Advisory{
+						{
+							VulnerabilityID: "debian-123",
+							FixedVersion:    "3.0.0",
+						},
+					}, nil
+				},
+			},
+			ovalVs: MockOvalConfig{
+				get: func(s string, s2 string) (advisories []dbTypes.Advisory, e error) {
+					return []dbTypes.Advisory{
+						{
+							VulnerabilityID: "oval-123",
+							FixedVersion:    "3.0.0",
+						},
+					}, nil
+				},
+			},
+		}
+
+		vuls, err := s.Detect("3.1.0", []ftypes.Package{
+			{
+				Name:       "testpkg",
+				Version:    "2.1.0",
+				Release:    "hotfix",
+				SrcRelease: "test-hotfix",
+				SrcVersion: "2.1.0",
+				LayerID:    "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+			},
+			{
+				Name: "foopkg",
+			},
+		})
+		assert.NoError(t, err)
+		assert.Equal(t, []types.DetectedVulnerability{
+			{
+				VulnerabilityID:  "oval-123",
+				PkgName:          "testpkg",
+				InstalledVersion: "2.1.0-test-hotfix",
+				FixedVersion:     "3.0.0",
+				LayerID:          "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+			},
+			{
+				VulnerabilityID:  "debian-123",
+				PkgName:          "testpkg",
+				InstalledVersion: "2.1.0-test-hotfix",
+				//FixedVersion:     "3.0.0",
+				LayerID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+			},
+		}, vuls)
+	})
+
+	// TODO: Add unhappy paths
+}

pkg/detector/ospkg/detect.go

@@ -1,6 +1,13 @@
 package ospkg
 
 import (
+	"time"
+
+	"github.com/google/wire"
+	"golang.org/x/xerrors"
+
+	fos "github.com/aquasecurity/fanal/analyzer/os"
+	ftypes "github.com/aquasecurity/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/detector/ospkg/alpine"
 	"github.com/aquasecurity/trivy/pkg/detector/ospkg/amazon"
 	"github.com/aquasecurity/trivy/pkg/detector/ospkg/debian"
@@ -10,11 +17,6 @@ import (
 	"github.com/aquasecurity/trivy/pkg/detector/ospkg/suse"
 	"github.com/aquasecurity/trivy/pkg/detector/ospkg/ubuntu"
 	"github.com/aquasecurity/trivy/pkg/log"
-	"github.com/google/wire"
-	"golang.org/x/xerrors"
-
-	"github.com/aquasecurity/fanal/analyzer"
-	fos "github.com/aquasecurity/fanal/analyzer/os"
 	"github.com/aquasecurity/trivy/pkg/types"
 )
 
@@ -28,17 +30,17 @@ var (
 )
 
 type Operation interface {
-	Detect(string, string, []analyzer.Package) ([]types.DetectedVulnerability, bool, error)
+	Detect(string, string, string, time.Time, []ftypes.Package) ([]types.DetectedVulnerability, bool, error)
 }
 
 type Driver interface {
-	Detect(string, []analyzer.Package) ([]types.DetectedVulnerability, error)
+	Detect(string, []ftypes.Package) ([]types.DetectedVulnerability, error)
 	IsSupportedVersion(string, string) bool
 }
 
 type Detector struct{}
 
-func (d Detector) Detect(osFamily, osName string, pkgs []analyzer.Package) ([]types.DetectedVulnerability, bool, error) {
+func (d Detector) Detect(_, osFamily, osName string, _ time.Time, pkgs []ftypes.Package) ([]types.DetectedVulnerability, bool, error) {
 	driver := newDriver(osFamily, osName)
 	if driver == nil {
 		return nil, false, ErrUnsupportedOS

pkg/detector/ospkg/detector_mock.go

@@ -1,7 +1,9 @@
 package ospkg
 
 import (
-	"github.com/aquasecurity/fanal/analyzer"
+	"time"
+
+	ftypes "github.com/aquasecurity/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/types"
 	"github.com/stretchr/testify/mock"
 )
@@ -11,9 +13,11 @@ type MockDetector struct {
 }
 
 type DetectInput struct {
-	OSFamily string
-	OSName   string
-	Pkgs     []analyzer.Package
+	ImageName string
+	OSFamily  string
+	OSName    string
+	Created   time.Time
+	Pkgs      []ftypes.Package
 }
 type DetectOutput struct {
 	Vulns []types.DetectedVulnerability
@@ -28,14 +32,14 @@ type DetectExpectation struct {
 func NewMockDetector(detectExpectations []DetectExpectation) *MockDetector {
 	mockDetector := new(MockDetector)
 	for _, e := range detectExpectations {
-		mockDetector.On("Detect", e.Args.OSFamily, e.Args.OSName, e.Args.Pkgs).Return(
+		mockDetector.On("Detect", e.Args.ImageName, e.Args.OSFamily, e.Args.OSName, e.Args.Created, e.Args.Pkgs).Return(
 			e.ReturnArgs.Vulns, e.ReturnArgs.Eosl, e.ReturnArgs.Err)
 	}
 	return mockDetector
 }
 
-func (_m *MockDetector) Detect(a, b string, c []analyzer.Package) ([]types.DetectedVulnerability, bool, error) {
-	ret := _m.Called(a, b, c)
+func (_m *MockDetector) Detect(a string, b string, c string, d time.Time, e []ftypes.Package) ([]types.DetectedVulnerability, bool, error) {
+	ret := _m.Called(a, b, c, d, e)
 	ret0 := ret.Get(0)
 	if ret0 == nil {
 		return nil, false, ret.Error(2)

pkg/detector/ospkg/oracle/oracle.go

@@ -9,7 +9,7 @@ import (
 
 	"golang.org/x/xerrors"
 
-	"github.com/aquasecurity/fanal/analyzer"
+	ftypes "github.com/aquasecurity/fanal/types"
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/scanner/utils"
@@ -44,7 +44,7 @@ func NewScanner() *Scanner {
 	}
 }
 
-func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.DetectedVulnerability, error) {
+func (s *Scanner) Detect(osVer string, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
 	log.Logger.Info("Detecting Oracle Linux vulnerabilities...")
 
 	if strings.Count(osVer, ".") > 0 {
@@ -64,11 +64,13 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.Detecte
 		installed := utils.FormatVersion(pkg)
 		installedVersion := version.NewVersion(installed)
 		for _, adv := range advisories {
+			// TODO: We don't seem to ignore advisories with no FixedVersion like we do elsewhere, expected?
 			fixedVersion := version.NewVersion(adv.FixedVersion)
 			vuln := types.DetectedVulnerability{
 				VulnerabilityID:  adv.VulnerabilityID,
 				PkgName:          pkg.Name,
 				InstalledVersion: installed,
+				LayerID:          pkg.LayerID,
 			}
 			if installedVersion.LessThan(fixedVersion) {
 				vuln.FixedVersion = adv.FixedVersion

pkg/detector/ospkg/oracle/oracle_test.go

@@ -5,6 +5,11 @@ import (
 	"testing"
 	"time"
 
+	ftypes "github.com/aquasecurity/fanal/types"
+	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
+	"github.com/aquasecurity/trivy/pkg/types"
+	"github.com/stretchr/testify/assert"
+
 	oracleoval "github.com/aquasecurity/trivy-db/pkg/vulnsrc/oracle-oval"
 	"github.com/aquasecurity/trivy/pkg/log"
 
@@ -12,6 +17,25 @@ import (
 	clocktesting "k8s.io/utils/clock/testing"
 )
 
+type MockOracleConfig struct {
+	update func(string) error
+	get    func(string, string) ([]dbTypes.Advisory, error)
+}
+
+func (moc MockOracleConfig) Update(a string) error {
+	if moc.update != nil {
+		return moc.update(a)
+	}
+	return nil
+}
+
+func (moc MockOracleConfig) Get(a string, b string) ([]dbTypes.Advisory, error) {
+	if moc.get != nil {
+		return moc.get(a, b)
+	}
+	return []dbTypes.Advisory{}, nil
+}
+
 func TestMain(m *testing.M) {
 	log.InitLogger(false, false)
 	os.Exit(m.Run())
@@ -94,3 +118,46 @@ func TestScanner_IsSupportedVersion(t *testing.T) {
 	}
 
 }
+
+func TestScanner_Detect(t *testing.T) {
+	t.Run("happy path", func(t *testing.T) {
+		s := &Scanner{
+			vs: MockOracleConfig{
+				get: func(s string, s2 string) (advisories []dbTypes.Advisory, err error) {
+					return []dbTypes.Advisory{
+						{
+							VulnerabilityID: "oracle-123",
+							FixedVersion:    "3.0.0",
+						},
+					}, nil
+				},
+			},
+		}
+
+		vuls, err := s.Detect("3.1.0", []ftypes.Package{
+			{
+				Name:       "testpkg",
+				Version:    "2.1.0",
+				Release:    "hotfix",
+				SrcRelease: "test-hotfix",
+				SrcVersion: "2.1.0",
+				LayerID:    "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+			},
+			//{
+			//	Name: "foopkg",
+			//},
+		})
+		assert.NoError(t, err)
+		assert.Equal(t, []types.DetectedVulnerability{
+			{
+				VulnerabilityID:  "oracle-123",
+				PkgName:          "testpkg",
+				InstalledVersion: "2.1.0-hotfix",
+				FixedVersion:     "3.0.0",
+				LayerID:          "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+			},
+		}, vuls)
+	})
+
+	// TODO: Add unhappy paths
+}

pkg/detector/ospkg/photon/photon.go

@@ -8,7 +8,7 @@ import (
 
 	"golang.org/x/xerrors"
 
-	"github.com/aquasecurity/fanal/analyzer"
+	ftypes "github.com/aquasecurity/fanal/types"
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/scanner/utils"
@@ -33,7 +33,7 @@ func NewScanner() *Scanner {
 	}
 }
 
-func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.DetectedVulnerability, error) {
+func (s *Scanner) Detect(osVer string, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
 	log.Logger.Info("Detecting Photon Linux vulnerabilities...")
 	log.Logger.Debugf("Photon Linux: os version: %s", osVer)
 	log.Logger.Debugf("Photon Linux: the number of packages: %d", len(pkgs))
@@ -53,6 +53,7 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.Detecte
 				VulnerabilityID:  adv.VulnerabilityID,
 				PkgName:          pkg.Name,
 				InstalledVersion: installed,
+				LayerID:          pkg.LayerID,
 			}
 			if installedVersion.LessThan(fixedVersion) {
 				vuln.FixedVersion = adv.FixedVersion

pkg/detector/ospkg/photon/photon_test.go

@@ -0,0 +1,76 @@
+package photon
+
+import (
+	"os"
+	"testing"
+
+	ftypes "github.com/aquasecurity/fanal/types"
+	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
+	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/aquasecurity/trivy/pkg/types"
+	"github.com/stretchr/testify/assert"
+)
+
+type MockPhotonConfig struct {
+	update func(string) error
+	get    func(string, string) ([]dbTypes.Advisory, error)
+}
+
+func (mpc MockPhotonConfig) Update(a string) error {
+	if mpc.update != nil {
+		return mpc.update(a)
+	}
+	return nil
+}
+
+func (mpc MockPhotonConfig) Get(a string, b string) ([]dbTypes.Advisory, error) {
+	if mpc.get != nil {
+		return mpc.get(a, b)
+	}
+	return []dbTypes.Advisory{}, nil
+}
+
+func TestMain(m *testing.M) {
+	log.InitLogger(false, false)
+	os.Exit(m.Run())
+}
+
+func TestScanner_Detect(t *testing.T) {
+	t.Run("happy path", func(t *testing.T) {
+		s := &Scanner{
+			vs: MockPhotonConfig{
+				get: func(s string, s2 string) (advisories []dbTypes.Advisory, err error) {
+					return []dbTypes.Advisory{
+						{
+							VulnerabilityID: "photon-123",
+							FixedVersion:    "3.0.0",
+						},
+					}, nil
+				},
+			},
+		}
+
+		vuls, err := s.Detect("3.1.0", []ftypes.Package{
+			{
+				Name:       "testpkg",
+				Version:    "2.1.0",
+				Release:    "hotfix",
+				SrcRelease: "test-hotfix",
+				SrcVersion: "2.1.0",
+				LayerID:    "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+			},
+		})
+		assert.NoError(t, err)
+		assert.Equal(t, []types.DetectedVulnerability{
+			{
+				VulnerabilityID:  "photon-123",
+				PkgName:          "testpkg",
+				InstalledVersion: "2.1.0-hotfix",
+				FixedVersion:     "3.0.0",
+				LayerID:          "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+			},
+		}, vuls)
+	})
+
+	// TODO: Add unhappy paths
+}

pkg/detector/ospkg/redhat/redhat.go

@@ -9,8 +9,8 @@ import (
 	version "github.com/knqyf263/go-rpm-version"
 	"golang.org/x/xerrors"
 
-	"github.com/aquasecurity/fanal/analyzer"
 	"github.com/aquasecurity/fanal/analyzer/os"
+	ftypes "github.com/aquasecurity/fanal/types"
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/scanner/utils"
@@ -47,7 +47,7 @@ func NewScanner() *Scanner {
 	}
 }
 
-func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.DetectedVulnerability, error) {
+func (s *Scanner) Detect(osVer string, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
 	log.Logger.Info("Detecting RHEL/CentOS vulnerabilities...")
 	if strings.Count(osVer, ".") > 0 {
 		osVer = osVer[:strings.Index(osVer, ".")]
@@ -57,25 +57,44 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.Detecte
 
 	var vulns []types.DetectedVulnerability
 	for _, pkg := range pkgs {
+		// For Red Hat Security Data API containing only source package names
 		advisories, err := s.vs.Get(osVer, pkg.SrcName)
 		if err != nil {
 			return nil, xerrors.Errorf("failed to get Red Hat advisories: %w", err)
 		}
 
-		installed := utils.FormatSrcVersion(pkg)
+		installed := utils.FormatVersion(pkg)
 		installedVersion := version.NewVersion(installed)
-		for _, adv := range advisories {
-			fixedVersion := version.NewVersion(adv.FixedVersion)
 
+		for _, adv := range advisories {
+			if adv.FixedVersion != "" {
+				continue
+			}
 			vuln := types.DetectedVulnerability{
 				VulnerabilityID:  adv.VulnerabilityID,
 				PkgName:          pkg.Name,
 				InstalledVersion: installed,
+				LayerID:          pkg.LayerID,
 			}
+			vulns = append(vulns, vuln)
+		}
+
+		// For Red Hat OVAL containing only binary package names
+		advisories, err = s.vs.Get(osVer, pkg.Name)
+		if err != nil {
+			return nil, xerrors.Errorf("failed to get Red Hat advisories: %w", err)
+		}
+
+		for _, adv := range advisories {
+			fixedVersion := version.NewVersion(adv.FixedVersion)
 			if installedVersion.LessThan(fixedVersion) {
-				vuln.FixedVersion = fixedVersion.String()
-				vulns = append(vulns, vuln)
-			} else if adv.FixedVersion == "" {
+				vuln := types.DetectedVulnerability{
+					VulnerabilityID:  adv.VulnerabilityID,
+					PkgName:          pkg.Name,
+					InstalledVersion: installed,
+					FixedVersion:     fixedVersion.String(),
+					LayerID:          pkg.LayerID,
+				}
 				vulns = append(vulns, vuln)
 			}
 		}

pkg/detector/ospkg/redhat/redhat_test.go

@@ -5,7 +5,15 @@ import (
 	"testing"
 	"time"
 
+	ftypes "github.com/aquasecurity/fanal/types"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"golang.org/x/xerrors"
+
+	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/aquasecurity/trivy/pkg/types"
 )
 
 func TestMain(m *testing.M) {
@@ -13,6 +21,200 @@ func TestMain(m *testing.M) {
 	os.Exit(m.Run())
 }
 
+func TestScanner_Detect(t *testing.T) {
+	type args struct {
+		osVer string
+		pkgs  []ftypes.Package
+	}
+	tests := []struct {
+		name    string
+		args    args
+		get     []dbTypes.GetExpectation
+		want    []types.DetectedVulnerability
+		wantErr bool
+	}{
+		{
+			name: "happy path: src pkg name is different from bin pkg name",
+			args: args{
+				osVer: "7.6",
+				pkgs: []ftypes.Package{
+					{
+						Name:       "vim-minimal",
+						Version:    "7.4.160",
+						Release:    "5.el7",
+						Epoch:      2,
+						Arch:       "x86_64",
+						SrcName:    "vim",
+						SrcVersion: "7.4.160",
+						SrcRelease: "5.el7",
+						SrcEpoch:   2,
+						LayerID:    "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+					},
+				},
+			},
+			get: []dbTypes.GetExpectation{
+				{
+					Args: dbTypes.GetArgs{
+						Release: "7",
+						PkgName: "vim",
+					},
+					Returns: dbTypes.GetReturns{
+						Advisories: []dbTypes.Advisory{
+							{
+								VulnerabilityID: "CVE-2017-5953",
+								FixedVersion:    "",
+							},
+							{
+								VulnerabilityID: "CVE-2017-6350",
+								FixedVersion:    "",
+							},
+						},
+					},
+				},
+				{
+					Args: dbTypes.GetArgs{
+						Release: "7",
+						PkgName: "vim-minimal",
+					},
+					Returns: dbTypes.GetReturns{
+						Advisories: []dbTypes.Advisory{
+							{
+								VulnerabilityID: "CVE-2019-12735",
+								FixedVersion:    "2:7.4.160-6.el7_6",
+							},
+						},
+					},
+				},
+			},
+			want: []types.DetectedVulnerability{
+				{
+					VulnerabilityID:  "CVE-2017-5953",
+					PkgName:          "vim-minimal",
+					InstalledVersion: "2:7.4.160-5.el7",
+					LayerID:          "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+				},
+				{
+					VulnerabilityID:  "CVE-2017-6350",
+					PkgName:          "vim-minimal",
+					InstalledVersion: "2:7.4.160-5.el7",
+					LayerID:          "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+				},
+				{
+					VulnerabilityID:  "CVE-2019-12735",
+					PkgName:          "vim-minimal",
+					InstalledVersion: "2:7.4.160-5.el7",
+					FixedVersion:     "2:7.4.160-6.el7_6",
+					LayerID:          "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+				},
+			},
+		},
+		{
+			name: "happy path: src pkg name is the same as bin pkg name",
+			args: args{
+				osVer: "6.5",
+				pkgs: []ftypes.Package{
+					{
+						Name:       "nss",
+						Version:    "3.36.0",
+						Release:    "7.1.el7_6",
+						Epoch:      0,
+						Arch:       "x86_64",
+						SrcName:    "nss",
+						SrcVersion: "3.36.0",
+						SrcRelease: "7.4.160",
+						SrcEpoch:   0,
+					},
+				},
+			},
+			get: []dbTypes.GetExpectation{
+				{
+					Args: dbTypes.GetArgs{
+						Release: "6",
+						PkgName: "nss",
+					},
+					Returns: dbTypes.GetReturns{
+						Advisories: []dbTypes.Advisory{
+							{
+								VulnerabilityID: "CVE-2015-2808",
+								FixedVersion:    "",
+							},
+							{
+								VulnerabilityID: "CVE-2016-2183",
+								FixedVersion:    "",
+							},
+							{
+								VulnerabilityID: "CVE-2018-12404",
+								FixedVersion:    "3.44.0-4.el7",
+							},
+						},
+					},
+				},
+			},
+			want: []types.DetectedVulnerability{
+				{
+					VulnerabilityID:  "CVE-2015-2808",
+					PkgName:          "nss",
+					InstalledVersion: "3.36.0-7.1.el7_6",
+				},
+				{
+					VulnerabilityID:  "CVE-2016-2183",
+					PkgName:          "nss",
+					InstalledVersion: "3.36.0-7.1.el7_6",
+				},
+				{
+					VulnerabilityID:  "CVE-2018-12404",
+					PkgName:          "nss",
+					InstalledVersion: "3.36.0-7.1.el7_6",
+					FixedVersion:     "3.44.0-4.el7",
+				},
+			},
+		},
+		{
+			name: "sad path: Get returns an error",
+			args: args{
+				osVer: "5",
+				pkgs: []ftypes.Package{
+					{
+						Name:       "nss",
+						Version:    "3.36.0",
+						Release:    "7.1.el7_6",
+						Epoch:      0,
+						Arch:       "x86_64",
+						SrcName:    "nss",
+						SrcVersion: "3.36.0",
+						SrcRelease: "7.4.160",
+						SrcEpoch:   0,
+					},
+				},
+			},
+			get: []dbTypes.GetExpectation{
+				{
+					Args: dbTypes.GetArgs{
+						Release: "5",
+						PkgName: "nss",
+					},
+					Returns: dbTypes.GetReturns{
+						Err: xerrors.New("error"),
+					},
+				},
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			mockVs := new(dbTypes.MockVulnSrc)
+			mockVs.ApplyGetExpectations(tt.get)
+			s := &Scanner{
+				vs: mockVs,
+			}
+			got, err := s.Detect(tt.args.osVer, tt.args.pkgs)
+			require.Equal(t, tt.wantErr, err != nil)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
 func TestScanner_IsSupportedVersion(t *testing.T) {
 	vectors := map[string]struct {
 		now       time.Time

pkg/detector/ospkg/suse/suse.go

@@ -3,16 +3,17 @@ package suse
 import (
 	"time"
 
-	"github.com/aquasecurity/fanal/analyzer"
+	"golang.org/x/xerrors"
+	"k8s.io/utils/clock"
+
 	fos "github.com/aquasecurity/fanal/analyzer/os"
+	ftypes "github.com/aquasecurity/fanal/types"
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	susecvrf "github.com/aquasecurity/trivy-db/pkg/vulnsrc/suse-cvrf"
 	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/scanner/utils"
 	"github.com/aquasecurity/trivy/pkg/types"
 	version "github.com/knqyf263/go-rpm-version"
-	"golang.org/x/xerrors"
-	"k8s.io/utils/clock"
 )
 
 var (
@@ -79,7 +80,7 @@ func NewScanner(t SUSEType) *Scanner {
 	return nil
 }
 
-func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.DetectedVulnerability, error) {
+func (s *Scanner) Detect(osVer string, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
 	log.Logger.Info("Detecting SUSE vulnerabilities...")
 	log.Logger.Debugf("SUSE: os version: %s", osVer)
 	log.Logger.Debugf("SUSE: the number of packages: %d", len(pkgs))
@@ -99,6 +100,7 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.Detecte
 				VulnerabilityID:  adv.VulnerabilityID,
 				PkgName:          pkg.Name,
 				InstalledVersion: installed,
+				LayerID:          pkg.LayerID,
 			}
 			if installedVersion.LessThan(fixedVersion) {
 				vuln.FixedVersion = adv.FixedVersion

pkg/detector/ospkg/suse/suse_test.go

@@ -5,6 +5,11 @@ import (
 	"testing"
 	"time"
 
+	ftypes "github.com/aquasecurity/fanal/types"
+	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
+	"github.com/aquasecurity/trivy/pkg/types"
+	"github.com/stretchr/testify/assert"
+
 	susecvrf "github.com/aquasecurity/trivy-db/pkg/vulnsrc/suse-cvrf"
 	"github.com/aquasecurity/trivy/pkg/log"
 
@@ -12,6 +17,25 @@ import (
 	clocktesting "k8s.io/utils/clock/testing"
 )
 
+type MockSuseConfig struct {
+	update func(string) error
+	get    func(string, string) ([]dbTypes.Advisory, error)
+}
+
+func (msc MockSuseConfig) Update(a string) error {
+	if msc.update != nil {
+		return msc.update(a)
+	}
+	return nil
+}
+
+func (msc MockSuseConfig) Get(a string, b string) ([]dbTypes.Advisory, error) {
+	if msc.get != nil {
+		return msc.get(a, b)
+	}
+	return []dbTypes.Advisory{}, nil
+}
+
 func TestMain(m *testing.M) {
 	log.InitLogger(false, false)
 	os.Exit(m.Run())
@@ -90,3 +114,43 @@ func TestScanner_IsSupportedVersion(t *testing.T) {
 	}
 
 }
+
+func TestScanner_Detect(t *testing.T) {
+	t.Run("happy path", func(t *testing.T) {
+		s := &Scanner{
+			vs: MockSuseConfig{
+				get: func(s string, s2 string) (advisories []dbTypes.Advisory, err error) {
+					return []dbTypes.Advisory{
+						{
+							VulnerabilityID: "suse-123",
+							FixedVersion:    "3.0.0",
+						},
+					}, nil
+				},
+			},
+		}
+
+		vuls, err := s.Detect("3.1.0", []ftypes.Package{
+			{
+				Name:       "testpkg",
+				Version:    "2.1.0",
+				Release:    "hotfix",
+				SrcRelease: "test-hotfix",
+				SrcVersion: "2.1.0",
+				LayerID:    "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+			},
+		})
+		assert.NoError(t, err)
+		assert.Equal(t, []types.DetectedVulnerability{
+			{
+				VulnerabilityID:  "suse-123",
+				PkgName:          "testpkg",
+				InstalledVersion: "2.1.0-hotfix",
+				FixedVersion:     "3.0.0",
+				LayerID:          "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+			},
+		}, vuls)
+	})
+
+	// TODO: Add unhappy paths
+}

pkg/detector/ospkg/ubuntu/ubnutu_test.go

@@ -1,70 +0,0 @@
-package ubuntu
-
-import (
-	"os"
-	"testing"
-	"time"
-
-	"github.com/aquasecurity/trivy/pkg/log"
-)
-
-func TestMain(m *testing.M) {
-	log.InitLogger(false, false)
-	os.Exit(m.Run())
-}
-
-func TestScanner_IsSupportedVersion(t *testing.T) {
-	vectors := map[string]struct {
-		now       time.Time
-		osFamily  string
-		osVersion string
-		expected  bool
-	}{
-		"ubuntu12.04 eol ends": {
-			now:       time.Date(2019, 3, 31, 23, 59, 59, 0, time.UTC),
-			osFamily:  "ubuntu",
-			osVersion: "12.04",
-			expected:  true,
-		},
-		"ubuntu12.04": {
-			now:       time.Date(2019, 4, 31, 23, 59, 59, 0, time.UTC),
-			osFamily:  "ubuntu",
-			osVersion: "12.04",
-			expected:  false,
-		},
-		"ubuntu12.10": {
-			now:       time.Date(2019, 4, 31, 23, 59, 59, 0, time.UTC),
-			osFamily:  "ubuntu",
-			osVersion: "12.10",
-			expected:  false,
-		},
-		"ubuntu18.04": {
-			now:       time.Date(2019, 4, 31, 23, 59, 59, 0, time.UTC),
-			osFamily:  "ubuntu",
-			osVersion: "18.04",
-			expected:  true,
-		},
-		"ubuntu19.04": {
-			now:       time.Date(2019, 4, 31, 23, 59, 59, 0, time.UTC),
-			osFamily:  "ubuntu",
-			osVersion: "19.04",
-			expected:  true,
-		},
-		"unknown": {
-			now:       time.Date(2019, 4, 31, 23, 59, 59, 0, time.UTC),
-			osFamily:  "ubuntu",
-			osVersion: "unknown",
-			expected:  false,
-		},
-	}
-
-	for testName, v := range vectors {
-		s := NewScanner()
-		t.Run(testName, func(t *testing.T) {
-			actual := s.isSupportedVersion(v.now, v.osFamily, v.osVersion)
-			if actual != v.expected {
-				t.Errorf("[%s] got %v, want %v", testName, actual, v.expected)
-			}
-		})
-	}
-}

pkg/detector/ospkg/ubuntu/ubuntu.go

@@ -3,13 +3,12 @@ package ubuntu
 import (
 	"time"
 
-	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/ubuntu"
-
 	version "github.com/knqyf263/go-deb-version"
 	"golang.org/x/xerrors"
 
-	"github.com/aquasecurity/fanal/analyzer"
+	ftypes "github.com/aquasecurity/fanal/types"
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
+	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/ubuntu"
 	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/scanner/utils"
 	"github.com/aquasecurity/trivy/pkg/types"
@@ -61,7 +60,7 @@ func NewScanner() *Scanner {
 	}
 }
 
-func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.DetectedVulnerability, error) {
+func (s *Scanner) Detect(osVer string, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
 	log.Logger.Info("Detecting Ubuntu vulnerabilities...")
 	log.Logger.Debugf("ubuntu: os version: %s", osVer)
 	log.Logger.Debugf("ubuntu: the number of packages: %d", len(pkgs))
@@ -86,6 +85,7 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.Detecte
 				PkgName:          pkg.Name,
 				InstalledVersion: installed,
 				FixedVersion:     adv.FixedVersion,
+				LayerID:          pkg.LayerID,
 			}
 
 			if adv.FixedVersion == "" {

pkg/detector/ospkg/ubuntu/ubuntu_test.go

@@ -0,0 +1,135 @@
+package ubuntu
+
+import (
+	"os"
+	"testing"
+	"time"
+
+	ftypes "github.com/aquasecurity/fanal/types"
+	"github.com/aquasecurity/trivy/pkg/types"
+	"github.com/stretchr/testify/assert"
+
+	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
+
+	"github.com/aquasecurity/trivy/pkg/log"
+)
+
+type MockUbuntuConfig struct {
+	update func(string) error
+	get    func(string, string) ([]dbTypes.Advisory, error)
+}
+
+func (muc MockUbuntuConfig) Update(a string) error {
+	if muc.update != nil {
+		return muc.update(a)
+	}
+	return nil
+}
+
+func (muc MockUbuntuConfig) Get(a string, b string) ([]dbTypes.Advisory, error) {
+	if muc.get != nil {
+		return muc.get(a, b)
+	}
+	return []dbTypes.Advisory{}, nil
+}
+
+func TestMain(m *testing.M) {
+	log.InitLogger(false, false)
+	os.Exit(m.Run())
+}
+
+func TestScanner_IsSupportedVersion(t *testing.T) {
+	vectors := map[string]struct {
+		now       time.Time
+		osFamily  string
+		osVersion string
+		expected  bool
+	}{
+		"ubuntu12.04 eol ends": {
+			now:       time.Date(2019, 3, 31, 23, 59, 59, 0, time.UTC),
+			osFamily:  "ubuntu",
+			osVersion: "12.04",
+			expected:  true,
+		},
+		"ubuntu12.04": {
+			now:       time.Date(2019, 4, 31, 23, 59, 59, 0, time.UTC),
+			osFamily:  "ubuntu",
+			osVersion: "12.04",
+			expected:  false,
+		},
+		"ubuntu12.10": {
+			now:       time.Date(2019, 4, 31, 23, 59, 59, 0, time.UTC),
+			osFamily:  "ubuntu",
+			osVersion: "12.10",
+			expected:  false,
+		},
+		"ubuntu18.04": {
+			now:       time.Date(2019, 4, 31, 23, 59, 59, 0, time.UTC),
+			osFamily:  "ubuntu",
+			osVersion: "18.04",
+			expected:  true,
+		},
+		"ubuntu19.04": {
+			now:       time.Date(2019, 4, 31, 23, 59, 59, 0, time.UTC),
+			osFamily:  "ubuntu",
+			osVersion: "19.04",
+			expected:  true,
+		},
+		"unknown": {
+			now:       time.Date(2019, 4, 31, 23, 59, 59, 0, time.UTC),
+			osFamily:  "ubuntu",
+			osVersion: "unknown",
+			expected:  false,
+		},
+	}
+
+	for testName, v := range vectors {
+		s := NewScanner()
+		t.Run(testName, func(t *testing.T) {
+			actual := s.isSupportedVersion(v.now, v.osFamily, v.osVersion)
+			if actual != v.expected {
+				t.Errorf("[%s] got %v, want %v", testName, actual, v.expected)
+			}
+		})
+	}
+}
+
+func TestScanner_Detect(t *testing.T) {
+	t.Run("happy path", func(t *testing.T) {
+		s := &Scanner{
+			vs: MockUbuntuConfig{
+				get: func(s string, s2 string) (advisories []dbTypes.Advisory, err error) {
+					return []dbTypes.Advisory{
+						{
+							VulnerabilityID: "ubuntu-123",
+							FixedVersion:    "3.0.0",
+						},
+					}, nil
+				},
+			},
+		}
+
+		vuls, err := s.Detect("3.1.0", []ftypes.Package{
+			{
+				Name:       "testpkg",
+				Version:    "2.1.0",
+				Release:    "hotfix",
+				SrcRelease: "test-hotfix",
+				SrcVersion: "2.1.0",
+				LayerID:    "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+			},
+		})
+		assert.NoError(t, err)
+		assert.Equal(t, []types.DetectedVulnerability{
+			{
+				VulnerabilityID:  "ubuntu-123",
+				PkgName:          "testpkg",
+				InstalledVersion: "2.1.0-test-hotfix",
+				FixedVersion:     "3.0.0",
+				LayerID:          "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+			},
+		}, vuls)
+	})
+
+	// TODO: Add unhappy paths
+}

pkg/rpc/client/client.go

@@ -0,0 +1,62 @@
+package client
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/aquasecurity/trivy/pkg/types"
+
+	"github.com/google/wire"
+	digest "github.com/opencontainers/go-digest"
+	"golang.org/x/xerrors"
+
+	ftypes "github.com/aquasecurity/fanal/types"
+	"github.com/aquasecurity/trivy/pkg/report"
+	r "github.com/aquasecurity/trivy/pkg/rpc"
+	rpc "github.com/aquasecurity/trivy/rpc/scanner"
+)
+
+var SuperSet = wire.NewSet(
+	NewProtobufClient,
+	NewScanner,
+)
+
+type RemoteURL string
+
+func NewProtobufClient(remoteURL RemoteURL) rpc.Scanner {
+	return rpc.NewScannerProtobufClient(string(remoteURL), &http.Client{})
+}
+
+type CustomHeaders http.Header
+
+type Scanner struct {
+	customHeaders CustomHeaders
+	client        rpc.Scanner
+}
+
+func NewScanner(customHeaders CustomHeaders, s rpc.Scanner) Scanner {
+	return Scanner{customHeaders: customHeaders, client: s}
+}
+
+func (s Scanner) Scan(target string, imageID digest.Digest, layerIDs []string, options types.ScanOptions) (report.Results, *ftypes.OS, bool, error) {
+	ctx := WithCustomHeaders(context.Background(), http.Header(s.customHeaders))
+
+	var res *rpc.ScanResponse
+	err := r.Retry(func() error {
+		var err error
+		res, err = s.client.Scan(ctx, &rpc.ScanRequest{
+			Target:   target,
+			ImageId:  string(imageID),
+			LayerIds: layerIDs,
+			Options: &rpc.ScanOptions{
+				VulnType: options.VulnType,
+			},
+		})
+		return err
+	})
+	if err != nil {
+		return nil, nil, false, xerrors.Errorf("failed to detect vulnerabilities via RPC: %w", err)
+	}
+
+	return r.ConvertFromRpcResults(res.Results), r.ConvertFromRpcOS(res.Os), res.Eosl, nil
+}

pkg/rpc/client/client_test.go

@@ -0,0 +1,243 @@
+package client
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
+
+	"github.com/aquasecurity/trivy/rpc/common"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/stretchr/testify/mock"
+
+	ftypes "github.com/aquasecurity/fanal/types"
+	"github.com/aquasecurity/trivy/pkg/report"
+	"github.com/aquasecurity/trivy/pkg/types"
+	"github.com/aquasecurity/trivy/rpc/scanner"
+	digest "github.com/opencontainers/go-digest"
+)
+
+type mockScanner struct {
+	mock.Mock
+}
+
+type scanArgs struct {
+	Ctx             context.Context
+	CtxAnything     bool
+	Request         *scanner.ScanRequest
+	RequestAnything bool
+}
+
+type scanReturns struct {
+	Res *scanner.ScanResponse
+	Err error
+}
+
+type scanExpectation struct {
+	Args    scanArgs
+	Returns scanReturns
+}
+
+func (_m *mockScanner) ApplyScanExpectation(e scanExpectation) {
+	var args []interface{}
+	if e.Args.CtxAnything {
+		args = append(args, mock.Anything)
+	} else {
+		args = append(args, e.Args.Ctx)
+	}
+	if e.Args.RequestAnything {
+		args = append(args, mock.Anything)
+	} else {
+		args = append(args, e.Args.Request)
+	}
+	_m.On("Scan", args...).Return(e.Returns.Res, e.Returns.Err)
+}
+
+func (_m *mockScanner) ApplyScanExpectations(expectations []scanExpectation) {
+	for _, e := range expectations {
+		_m.ApplyScanExpectation(e)
+	}
+}
+
+// Scan provides a mock function with given fields: Ctx, Request
+func (_m *mockScanner) Scan(Ctx context.Context, Request *scanner.ScanRequest) (*scanner.ScanResponse, error) {
+	ret := _m.Called(Ctx, Request)
+
+	var r0 *scanner.ScanResponse
+	if rf, ok := ret.Get(0).(func(context.Context, *scanner.ScanRequest) *scanner.ScanResponse); ok {
+		r0 = rf(Ctx, Request)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*scanner.ScanResponse)
+		}
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(context.Context, *scanner.ScanRequest) error); ok {
+		r1 = rf(Ctx, Request)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+func TestScanner_Scan(t *testing.T) {
+	type fields struct {
+		customHeaders CustomHeaders
+	}
+	type args struct {
+		target   string
+		imageID  digest.Digest
+		layerIDs []string
+		options  types.ScanOptions
+	}
+	tests := []struct {
+		name            string
+		fields          fields
+		args            args
+		scanExpectation scanExpectation
+		wantResults     report.Results
+		wantOS          *ftypes.OS
+		wantEosl        bool
+		wantErr         string
+	}{
+		{
+			name: "happy path",
+			fields: fields{
+				customHeaders: CustomHeaders{
+					"Trivy-Token": []string{"foo"},
+				},
+			},
+			args: args{
+				target:   "alpine:3.11",
+				imageID:  "sha256:e7d92cdc71feacf90708cb59182d0df1b911f8ae022d29e8e95d75ca6a99776a",
+				layerIDs: []string{"sha256:5216338b40a7b96416b8b9858974bbe4acc3096ee60acbc4dfb1ee02aecceb10"},
+				options: types.ScanOptions{
+					VulnType: []string{"os"},
+				},
+			},
+			scanExpectation: scanExpectation{
+				Args: scanArgs{
+					CtxAnything: true,
+					Request: &scanner.ScanRequest{
+						Target:   "alpine:3.11",
+						ImageId:  "sha256:e7d92cdc71feacf90708cb59182d0df1b911f8ae022d29e8e95d75ca6a99776a",
+						LayerIds: []string{"sha256:5216338b40a7b96416b8b9858974bbe4acc3096ee60acbc4dfb1ee02aecceb10"},
+						Options: &scanner.ScanOptions{
+							VulnType: []string{"os"},
+						},
+					},
+				},
+				Returns: scanReturns{
+					Res: &scanner.ScanResponse{
+						Os: &common.OS{
+							Family: "alpine",
+							Name:   "3.11",
+						},
+						Eosl: true,
+						Results: []*scanner.Result{
+							{
+								Target: "alpine:3.11",
+								Vulnerabilities: []*common.Vulnerability{
+									{
+										VulnerabilityId:  "CVE-2020-0001",
+										PkgName:          "musl",
+										InstalledVersion: "1.2.3",
+										FixedVersion:     "1.2.4",
+										Title:            "DoS",
+										Description:      "Denial os Service",
+										Severity:         common.Severity_CRITICAL,
+										References:       []string{"http://exammple.com"},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			wantResults: report.Results{
+				{
+					Target: "alpine:3.11",
+					Vulnerabilities: []types.DetectedVulnerability{
+						{
+							VulnerabilityID:  "CVE-2020-0001",
+							PkgName:          "musl",
+							InstalledVersion: "1.2.3",
+							FixedVersion:     "1.2.4",
+							Vulnerability: dbTypes.Vulnerability{
+								Title:       "DoS",
+								Description: "Denial os Service",
+								Severity:    "CRITICAL",
+								References:  []string{"http://exammple.com"},
+							},
+						},
+					},
+				},
+			},
+			wantOS: &ftypes.OS{
+				Family: "alpine",
+				Name:   "3.11",
+			},
+			wantEosl: true,
+		},
+		{
+			name: "sad path: Scan returns an error",
+			fields: fields{
+				customHeaders: CustomHeaders{
+					"Trivy-Token": []string{"foo"},
+				},
+			},
+			args: args{
+				target:   "alpine:3.11",
+				imageID:  "sha256:e7d92cdc71feacf90708cb59182d0df1b911f8ae022d29e8e95d75ca6a99776a",
+				layerIDs: []string{"sha256:5216338b40a7b96416b8b9858974bbe4acc3096ee60acbc4dfb1ee02aecceb10"},
+				options: types.ScanOptions{
+					VulnType: []string{"os"},
+				},
+			},
+			scanExpectation: scanExpectation{
+				Args: scanArgs{
+					CtxAnything: true,
+					Request: &scanner.ScanRequest{
+						Target:   "alpine:3.11",
+						ImageId:  "sha256:e7d92cdc71feacf90708cb59182d0df1b911f8ae022d29e8e95d75ca6a99776a",
+						LayerIds: []string{"sha256:5216338b40a7b96416b8b9858974bbe4acc3096ee60acbc4dfb1ee02aecceb10"},
+						Options: &scanner.ScanOptions{
+							VulnType: []string{"os"},
+						},
+					},
+				},
+				Returns: scanReturns{
+					Err: errors.New("error"),
+				},
+			},
+			wantErr: "failed to detect vulnerabilities via RPC",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			mockClient := new(mockScanner)
+			mockClient.ApplyScanExpectation(tt.scanExpectation)
+
+			s := NewScanner(tt.fields.customHeaders, mockClient)
+			gotResults, gotOS, gotEosl, err := s.Scan(tt.args.target, tt.args.imageID, tt.args.layerIDs, tt.args.options)
+
+			if tt.wantErr != "" {
+				require.NotNil(t, err, tt.name)
+				require.Contains(t, err.Error(), tt.wantErr, tt.name)
+				return
+			} else {
+				require.NoError(t, err, tt.name)
+			}
+
+			assert.Equal(t, tt.wantResults, gotResults)
+			assert.Equal(t, tt.wantOS, gotOS)
+			assert.Equal(t, tt.wantEosl, gotEosl)
+		})
+	}
+}

pkg/rpc/client/library/client.go

@@ -1,58 +0,0 @@
-package library
-
-import (
-	"context"
-	"net/http"
-
-	"github.com/google/wire"
-	"golang.org/x/xerrors"
-
-	ptypes "github.com/aquasecurity/go-dep-parser/pkg/types"
-	detector "github.com/aquasecurity/trivy/pkg/detector/library"
-	r "github.com/aquasecurity/trivy/pkg/rpc"
-	"github.com/aquasecurity/trivy/pkg/rpc/client"
-	"github.com/aquasecurity/trivy/pkg/types"
-	rpc "github.com/aquasecurity/trivy/rpc/detector"
-)
-
-var SuperSet = wire.NewSet(
-	NewProtobufClient,
-	NewDetector,
-	wire.Bind(new(detector.Operation), new(Detector)),
-)
-
-type RemoteURL string
-
-func NewProtobufClient(remoteURL RemoteURL) rpc.LibDetector {
-	return rpc.NewLibDetectorProtobufClient(string(remoteURL), &http.Client{})
-}
-
-type CustomHeaders http.Header
-
-type Detector struct {
-	customHeaders CustomHeaders
-	client        rpc.LibDetector
-}
-
-func NewDetector(customHeaders CustomHeaders, detector rpc.LibDetector) Detector {
-	return Detector{customHeaders: customHeaders, client: detector}
-}
-
-func (d Detector) Detect(filePath string, libs []ptypes.Library) ([]types.DetectedVulnerability, error) {
-	ctx := client.WithCustomHeaders(context.Background(), http.Header(d.customHeaders))
-
-	var res *rpc.DetectResponse
-	err := r.Retry(func() error {
-		var err error
-		res, err = d.client.Detect(ctx, &rpc.LibDetectRequest{
-			FilePath:  filePath,
-			Libraries: r.ConvertToRpcLibraries(libs),
-		})
-		return err
-	})
-	if err != nil {
-		return nil, xerrors.Errorf("failed to detect vulnerabilities via RPC: %w", err)
-	}
-
-	return r.ConvertFromRpcVulns(res.Vulnerabilities), nil
-}

pkg/rpc/client/library/client_test.go

@@ -1,160 +0,0 @@
-package library
-
-import (
-	"context"
-	"testing"
-
-	"golang.org/x/xerrors"
-
-	"github.com/stretchr/testify/assert"
-
-	"github.com/stretchr/testify/require"
-
-	ptypes "github.com/aquasecurity/go-dep-parser/pkg/types"
-	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
-	"github.com/aquasecurity/trivy/pkg/types"
-	"github.com/aquasecurity/trivy/rpc/detector"
-	"github.com/stretchr/testify/mock"
-)
-
-type mockDetector struct {
-	mock.Mock
-}
-
-func (_m *mockDetector) Detect(a context.Context, b *detector.LibDetectRequest) (*detector.DetectResponse, error) {
-	ret := _m.Called(a, b)
-	ret0 := ret.Get(0)
-	if ret0 == nil {
-		return nil, ret.Error(1)
-	}
-	res, ok := ret0.(*detector.DetectResponse)
-	if !ok {
-		return nil, ret.Error(1)
-	}
-	return res, ret.Error(1)
-}
-
-func TestDetectClient_Detect(t *testing.T) {
-	type detectInput struct {
-		req *detector.LibDetectRequest
-	}
-	type detectOutput struct {
-		res *detector.DetectResponse
-		err error
-	}
-	type detect struct {
-		input  detectInput
-		output detectOutput
-	}
-
-	type fields struct {
-		customHeaders CustomHeaders
-	}
-
-	type args struct {
-		filePath string
-		libs     []ptypes.Library
-	}
-	tests := []struct {
-		name    string
-		fields  fields
-		args    args
-		detect  detect
-		want    []types.DetectedVulnerability
-		wantErr string
-	}{
-		{
-			name: "happy path",
-			fields: fields{
-				customHeaders: CustomHeaders{
-					"Trivy-Token": []string{"token"},
-				},
-			},
-			args: args{
-				filePath: "app/Pipfile.lock",
-				libs: []ptypes.Library{
-					{Name: "django", Version: "3.0.0"},
-				},
-			},
-			detect: detect{
-				input: detectInput{req: &detector.LibDetectRequest{
-					FilePath: "app/Pipfile.lock",
-					Libraries: []*detector.Library{
-						{Name: "django", Version: "3.0.0"},
-					},
-				},
-				},
-				output: detectOutput{
-					res: &detector.DetectResponse{
-						Vulnerabilities: []*detector.Vulnerability{
-							{
-								VulnerabilityId:  "CVE-2019-0001",
-								PkgName:          "django",
-								InstalledVersion: "3.0.0",
-								FixedVersion:     "3.0.1",
-								Title:            "RCE",
-								Description:      "Remote Code Execution",
-								Severity:         detector.Severity_CRITICAL,
-							},
-						},
-					},
-				},
-			},
-			want: []types.DetectedVulnerability{
-				{
-					VulnerabilityID:  "CVE-2019-0001",
-					PkgName:          "django",
-					InstalledVersion: "3.0.0",
-					FixedVersion:     "3.0.1",
-					Vulnerability: dbTypes.Vulnerability{
-						Title:       "RCE",
-						Description: "Remote Code Execution",
-						Severity:    "CRITICAL",
-					},
-				},
-			},
-		},
-		{
-			name:   "Detect returns an error",
-			fields: fields{},
-			args: args{
-				filePath: "app/Pipfile.lock",
-				libs: []ptypes.Library{
-					{Name: "django", Version: "3.0.0"},
-				},
-			},
-			detect: detect{
-				input: detectInput{req: &detector.LibDetectRequest{
-					FilePath: "app/Pipfile.lock",
-					Libraries: []*detector.Library{
-						{Name: "django", Version: "3.0.0"},
-					},
-				},
-				},
-				output: detectOutput{
-					err: xerrors.New("error"),
-				},
-			},
-			wantErr: "failed to detect vulnerabilities via RPC",
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			mockDetector := new(mockDetector)
-			mockDetector.On("Detect", mock.Anything, tt.detect.input.req).Return(
-				tt.detect.output.res, tt.detect.output.err)
-
-			d := NewDetector(tt.fields.customHeaders, mockDetector)
-			got, err := d.Detect(tt.args.filePath, tt.args.libs)
-			if tt.wantErr != "" {
-				require.NotNil(t, err, tt.name)
-				assert.Contains(t, err.Error(), tt.wantErr, tt.name)
-				return
-			} else {
-				assert.NoError(t, err, tt.name)
-			}
-			assert.Equal(t, tt.want, got, tt.name)
-			mockDetector.AssertExpectations(t)
-		})
-	}
-}

pkg/rpc/client/ospkg/client.go

@@ -1,59 +0,0 @@
-package ospkg
-
-import (
-	"context"
-	"net/http"
-
-	"github.com/google/wire"
-	"golang.org/x/xerrors"
-
-	"github.com/aquasecurity/fanal/analyzer"
-	detector "github.com/aquasecurity/trivy/pkg/detector/ospkg"
-	r "github.com/aquasecurity/trivy/pkg/rpc"
-	"github.com/aquasecurity/trivy/pkg/rpc/client"
-	"github.com/aquasecurity/trivy/pkg/types"
-	rpc "github.com/aquasecurity/trivy/rpc/detector"
-)
-
-var SuperSet = wire.NewSet(
-	NewProtobufClient,
-	NewDetector,
-	wire.Bind(new(detector.Operation), new(Detector)),
-)
-
-type RemoteURL string
-
-func NewProtobufClient(remoteURL RemoteURL) rpc.OSDetector {
-	return rpc.NewOSDetectorProtobufClient(string(remoteURL), &http.Client{})
-}
-
-type CustomHeaders http.Header
-
-type Detector struct {
-	customHeaders CustomHeaders
-	client        rpc.OSDetector
-}
-
-func NewDetector(customHeaders CustomHeaders, detector rpc.OSDetector) Detector {
-	return Detector{customHeaders: customHeaders, client: detector}
-}
-
-func (d Detector) Detect(osFamily, osName string, pkgs []analyzer.Package) ([]types.DetectedVulnerability, bool, error) {
-	ctx := client.WithCustomHeaders(context.Background(), http.Header(d.customHeaders))
-
-	var res *rpc.DetectResponse
-	err := r.Retry(func() error {
-		var err error
-		res, err = d.client.Detect(ctx, &rpc.OSDetectRequest{
-			OsFamily: osFamily,
-			OsName:   osName,
-			Packages: r.ConvertToRpcPkgs(pkgs),
-		})
-		return err
-	})
-	if err != nil {
-		return nil, false, xerrors.Errorf("failed to detect vulnerabilities via RPC: %w", err)
-	}
-
-	return r.ConvertFromRpcVulns(res.Vulnerabilities), res.Eosl, nil
-}

pkg/rpc/client/ospkg/client_test.go

@@ -1,186 +0,0 @@
-package ospkg
-
-import (
-	"context"
-	"testing"
-
-	"golang.org/x/xerrors"
-
-	"github.com/stretchr/testify/assert"
-
-	"github.com/stretchr/testify/require"
-
-	"github.com/aquasecurity/fanal/analyzer"
-	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
-	"github.com/aquasecurity/trivy/pkg/types"
-	"github.com/aquasecurity/trivy/rpc/detector"
-	"github.com/stretchr/testify/mock"
-)
-
-type mockDetector struct {
-	mock.Mock
-}
-
-func (_m *mockDetector) Detect(a context.Context, b *detector.OSDetectRequest) (*detector.DetectResponse, error) {
-	ret := _m.Called(a, b)
-	ret0 := ret.Get(0)
-	if ret0 == nil {
-		return nil, ret.Error(1)
-	}
-	res, ok := ret0.(*detector.DetectResponse)
-	if !ok {
-		return nil, ret.Error(1)
-	}
-	return res, ret.Error(1)
-}
-
-func TestDetectClient_Detect(t *testing.T) {
-	type detectInput struct {
-		req *detector.OSDetectRequest
-	}
-	type detectOutput struct {
-		res *detector.DetectResponse
-		err error
-	}
-	type detect struct {
-		input  detectInput
-		output detectOutput
-	}
-
-	type fields struct {
-		customHeaders CustomHeaders
-	}
-	type args struct {
-		osFamily string
-		osName   string
-		pkgs     []analyzer.Package
-	}
-	tests := []struct {
-		name    string
-		fields  fields
-		args    args
-		detect  detect
-		want    []types.DetectedVulnerability
-		wantErr string
-	}{
-		{
-			name: "happy path",
-			fields: fields{
-				customHeaders: CustomHeaders{
-					"Trivy-Token": []string{"token"},
-				},
-			},
-			args: args{
-				osFamily: "alpine",
-				osName:   "3.10.2",
-				pkgs: []analyzer.Package{
-					{
-						Name:    "openssl",
-						Version: "1.0.1e",
-						Release: "1",
-						Epoch:   0,
-					},
-				},
-			},
-			detect: detect{
-				input: detectInput{
-					req: &detector.OSDetectRequest{
-						OsFamily: "alpine",
-						OsName:   "3.10.2",
-						Packages: []*detector.Package{
-							{
-								Name:    "openssl",
-								Version: "1.0.1e",
-								Release: "1",
-								Epoch:   0,
-							},
-						},
-					},
-				},
-				output: detectOutput{
-					res: &detector.DetectResponse{
-						Vulnerabilities: []*detector.Vulnerability{
-							{
-								VulnerabilityId:  "CVE-2019-0001",
-								PkgName:          "bash",
-								InstalledVersion: "1.2.3",
-								FixedVersion:     "1.2.4",
-								Title:            "RCE",
-								Description:      "Remote Code Execution",
-								Severity:         detector.Severity_HIGH,
-							},
-						},
-					},
-				},
-			},
-			want: []types.DetectedVulnerability{
-				{
-					VulnerabilityID:  "CVE-2019-0001",
-					PkgName:          "bash",
-					InstalledVersion: "1.2.3",
-					FixedVersion:     "1.2.4",
-					Vulnerability: dbTypes.Vulnerability{
-						Title:       "RCE",
-						Description: "Remote Code Execution",
-						Severity:    "HIGH",
-					},
-				},
-			},
-		},
-		{
-			name:   "Detect returns an error",
-			fields: fields{},
-			args: args{
-				osFamily: "alpine",
-				osName:   "3.10.2",
-				pkgs: []analyzer.Package{
-					{
-						Name:    "openssl",
-						Version: "1.0.1e",
-						Release: "1",
-						Epoch:   0,
-					},
-				},
-			},
-			detect: detect{
-				input: detectInput{
-					req: &detector.OSDetectRequest{
-						OsFamily: "alpine",
-						OsName:   "3.10.2",
-						Packages: []*detector.Package{
-							{
-								Name:    "openssl",
-								Version: "1.0.1e",
-								Release: "1",
-								Epoch:   0,
-							},
-						},
-					},
-				},
-				output: detectOutput{
-					err: xerrors.New("error"),
-				},
-			},
-			wantErr: "failed to detect vulnerabilities via RPC",
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			mockDetector := new(mockDetector)
-			mockDetector.On("Detect", mock.Anything, tt.detect.input.req).Return(
-				tt.detect.output.res, tt.detect.output.err)
-
-			d := NewDetector(tt.fields.customHeaders, mockDetector)
-			got, _, err := d.Detect(tt.args.osFamily, tt.args.osName, tt.args.pkgs)
-			if tt.wantErr != "" {
-				require.NotNil(t, err, tt.name)
-				assert.Contains(t, err.Error(), tt.wantErr, tt.name)
-				return
-			} else {
-				assert.NoError(t, err, tt.name)
-			}
-			assert.Equal(t, tt.want, got, tt.name)
-			mockDetector.AssertExpectations(t)
-		})
-	}
-}

pkg/rpc/convert.go

@@ -1,18 +1,24 @@
 package rpc
 
 import (
-	"github.com/aquasecurity/fanal/analyzer"
-	ptypes "github.com/aquasecurity/go-dep-parser/pkg/types"
+	"github.com/golang/protobuf/ptypes"
+	"github.com/opencontainers/go-digest"
+
+	ftypes "github.com/aquasecurity/fanal/types"
+	deptypes "github.com/aquasecurity/go-dep-parser/pkg/types"
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/aquasecurity/trivy/pkg/report"
 	"github.com/aquasecurity/trivy/pkg/types"
-	"github.com/aquasecurity/trivy/rpc/detector"
+	"github.com/aquasecurity/trivy/rpc/cache"
+	"github.com/aquasecurity/trivy/rpc/common"
+	"github.com/aquasecurity/trivy/rpc/scanner"
 )
 
-func ConvertToRpcPkgs(pkgs []analyzer.Package) []*detector.Package {
-	var rpcPkgs []*detector.Package
+func ConvertToRpcPkgs(pkgs []ftypes.Package) []*common.Package {
+	var rpcPkgs []*common.Package
 	for _, pkg := range pkgs {
-		rpcPkgs = append(rpcPkgs, &detector.Package{
+		rpcPkgs = append(rpcPkgs, &common.Package{
 			Name:       pkg.Name,
 			Version:    pkg.Version,
 			Release:    pkg.Release,
@@ -27,10 +33,10 @@ func ConvertToRpcPkgs(pkgs []analyzer.Package) []*detector.Package {
 	return rpcPkgs
 }
 
-func ConvertFromRpcPkgs(rpcPkgs []*detector.Package) []analyzer.Package {
-	var pkgs []analyzer.Package
+func ConvertFromRpcPkgs(rpcPkgs []*common.Package) []ftypes.Package {
+	var pkgs []ftypes.Package
 	for _, pkg := range rpcPkgs {
-		pkgs = append(pkgs, analyzer.Package{
+		pkgs = append(pkgs, ftypes.Package{
 			Name:       pkg.Name,
 			Version:    pkg.Version,
 			Release:    pkg.Release,
@@ -45,21 +51,23 @@ func ConvertFromRpcPkgs(rpcPkgs []*detector.Package) []analyzer.Package {
 	return pkgs
 }
 
-func ConvertFromRpcLibraries(rpcLibs []*detector.Library) []ptypes.Library {
-	var libs []ptypes.Library
+func ConvertFromRpcLibraries(rpcLibs []*common.Library) []ftypes.LibraryInfo {
+	var libs []ftypes.LibraryInfo
 	for _, l := range rpcLibs {
-		libs = append(libs, ptypes.Library{
-			Name:    l.Name,
-			Version: l.Version,
+		libs = append(libs, ftypes.LibraryInfo{
+			Library: deptypes.Library{
+				Name:    l.Name,
+				Version: l.Version,
+			},
 		})
 	}
 	return libs
 }
 
-func ConvertToRpcLibraries(libs []ptypes.Library) []*detector.Library {
-	var rpcLibs []*detector.Library
+func ConvertToRpcLibraries(libs []deptypes.Library) []*common.Library {
+	var rpcLibs []*common.Library
 	for _, l := range libs {
-		rpcLibs = append(rpcLibs, &detector.Library{
+		rpcLibs = append(rpcLibs, &common.Library{
 			Name:    l.Name,
 			Version: l.Version,
 		})
@@ -67,7 +75,7 @@ func ConvertToRpcLibraries(libs []ptypes.Library) []*detector.Library {
 	return rpcLibs
 }
 
-func ConvertFromRpcVulns(rpcVulns []*detector.Vulnerability) []types.DetectedVulnerability {
+func ConvertFromRpcVulns(rpcVulns []*common.Vulnerability) []types.DetectedVulnerability {
 	var vulns []types.DetectedVulnerability
 	for _, vuln := range rpcVulns {
 		severity := dbTypes.Severity(vuln.Severity)
@@ -87,24 +95,207 @@ func ConvertFromRpcVulns(rpcVulns []*detector.Vulnerability) []types.DetectedVul
 	return vulns
 }
 
-func ConvertToRpcVulns(vulns []types.DetectedVulnerability) []*detector.Vulnerability {
-	var rpcVulns []*detector.Vulnerability
+func ConvertToRpcVulns(vulns []types.DetectedVulnerability) []*common.Vulnerability {
+	var rpcVulns []*common.Vulnerability
 	for _, vuln := range vulns {
 		severity, err := dbTypes.NewSeverity(vuln.Severity)
 		if err != nil {
 			log.Logger.Warn(err)
 		}
 
-		rpcVulns = append(rpcVulns, &detector.Vulnerability{
+		rpcVulns = append(rpcVulns, &common.Vulnerability{
 			VulnerabilityId:  vuln.VulnerabilityID,
 			PkgName:          vuln.PkgName,
 			InstalledVersion: vuln.InstalledVersion,
 			FixedVersion:     vuln.FixedVersion,
 			Title:            vuln.Title,
 			Description:      vuln.Description,
-			Severity:         detector.Severity(severity),
+			Severity:         common.Severity(severity),
 			References:       vuln.References,
+			LayerId:          string(vuln.LayerID),
 		})
 	}
 	return rpcVulns
 }
+
+func ConvertFromRpcResults(rpcResults []*scanner.Result) []report.Result {
+	var results []report.Result
+	for _, result := range rpcResults {
+		var vulns []types.DetectedVulnerability
+		for _, vuln := range result.Vulnerabilities {
+			severity := dbTypes.Severity(vuln.Severity)
+			vulns = append(vulns, types.DetectedVulnerability{
+				VulnerabilityID:  vuln.VulnerabilityId,
+				PkgName:          vuln.PkgName,
+				InstalledVersion: vuln.InstalledVersion,
+				FixedVersion:     vuln.FixedVersion,
+				Vulnerability: dbTypes.Vulnerability{
+					Title:       vuln.Title,
+					Description: vuln.Description,
+					Severity:    severity.String(),
+					References:  vuln.References,
+				},
+				LayerID: digest.Digest(vuln.LayerId),
+			})
+		}
+		results = append(results, report.Result{
+			Target:          result.Target,
+			Vulnerabilities: vulns,
+		})
+	}
+	return results
+}
+
+func ConvertFromRpcOS(rpcOS *common.OS) *ftypes.OS {
+	if rpcOS == nil {
+		return nil
+	}
+	return &ftypes.OS{
+		Family: rpcOS.Family,
+		Name:   rpcOS.Name,
+	}
+}
+
+func ConvertFromRpcPackageInfos(rpcPkgInfos []*common.PackageInfo) []ftypes.PackageInfo {
+	var pkgInfos []ftypes.PackageInfo
+	for _, rpcPkgInfo := range rpcPkgInfos {
+		pkgInfos = append(pkgInfos, ftypes.PackageInfo{
+			FilePath: rpcPkgInfo.FilePath,
+			Packages: ConvertFromRpcPkgs(rpcPkgInfo.Packages),
+		})
+	}
+	return pkgInfos
+}
+
+func ConvertFromRpcApplications(rpcApps []*common.Application) []ftypes.Application {
+	var apps []ftypes.Application
+	for _, rpcApp := range rpcApps {
+		apps = append(apps, ftypes.Application{
+			Type:      rpcApp.Type,
+			FilePath:  rpcApp.FilePath,
+			Libraries: ConvertFromRpcLibraries(rpcApp.Libraries),
+		})
+	}
+	return apps
+}
+
+func ConvertFromRpcPutImageRequest(req *cache.PutImageRequest) ftypes.ImageInfo {
+	created, _ := ptypes.Timestamp(req.ImageInfo.Created)
+	return ftypes.ImageInfo{
+		SchemaVersion:   int(req.ImageInfo.SchemaVersion),
+		Architecture:    req.ImageInfo.Architecture,
+		Created:         created,
+		DockerVersion:   req.ImageInfo.DockerVersion,
+		OS:              req.ImageInfo.Os,
+		HistoryPackages: ConvertFromRpcPkgs(req.ImageInfo.HistoryPackages),
+	}
+}
+
+func ConvertFromRpcPutLayerRequest(req *cache.PutLayerRequest) ftypes.LayerInfo {
+	return ftypes.LayerInfo{
+		SchemaVersion: int(req.LayerInfo.SchemaVersion),
+		OS:            ConvertFromRpcOS(req.LayerInfo.Os),
+		PackageInfos:  ConvertFromRpcPackageInfos(req.LayerInfo.PackageInfos),
+		Applications:  ConvertFromRpcApplications(req.LayerInfo.Applications),
+		OpaqueDirs:    req.LayerInfo.OpaqueDirs,
+		WhiteoutFiles: req.LayerInfo.WhiteoutFiles,
+	}
+}
+
+func ConvertToRpcOS(fos *ftypes.OS) *common.OS {
+	if fos == nil {
+		return nil
+	}
+	return &common.OS{
+		Family: fos.Family,
+		Name:   fos.Name,
+	}
+}
+
+func ConvertToRpcImageInfo(imageID string, imageInfo ftypes.ImageInfo) *cache.PutImageRequest {
+	t, err := ptypes.TimestampProto(imageInfo.Created)
+	if err != nil {
+		log.Logger.Warnf("invalid timestamp: %s", err)
+	}
+
+	return &cache.PutImageRequest{
+		ImageId: imageID,
+		ImageInfo: &cache.ImageInfo{
+			SchemaVersion:   int32(imageInfo.SchemaVersion),
+			Architecture:    imageInfo.Architecture,
+			Created:         t,
+			DockerVersion:   imageInfo.DockerVersion,
+			Os:              imageInfo.OS,
+			HistoryPackages: ConvertToRpcPkgs(imageInfo.HistoryPackages),
+		},
+	}
+}
+
+func ConvertToRpcLayerInfo(layerID, decompressedLayerID string, layerInfo ftypes.LayerInfo) *cache.PutLayerRequest {
+	var packageInfos []*common.PackageInfo
+	for _, pkgInfo := range layerInfo.PackageInfos {
+		packageInfos = append(packageInfos, &common.PackageInfo{
+			FilePath: pkgInfo.FilePath,
+			Packages: ConvertToRpcPkgs(pkgInfo.Packages),
+		})
+	}
+
+	var applications []*common.Application
+	for _, app := range layerInfo.Applications {
+		var libs []*common.Library
+		for _, lib := range app.Libraries {
+			libs = append(libs, &common.Library{
+				Name:    lib.Library.Name,
+				Version: lib.Library.Version,
+			})
+
+		}
+		applications = append(applications, &common.Application{
+			Type:      app.Type,
+			FilePath:  app.FilePath,
+			Libraries: libs,
+		})
+	}
+
+	return &cache.PutLayerRequest{
+		LayerId:             layerID,
+		DecompressedLayerId: decompressedLayerID,
+		LayerInfo: &cache.LayerInfo{
+			SchemaVersion: ftypes.LayerJSONSchemaVersion,
+			Os:            ConvertToRpcOS(layerInfo.OS),
+			PackageInfos:  packageInfos,
+			Applications:  applications,
+			OpaqueDirs:    layerInfo.OpaqueDirs,
+			WhiteoutFiles: layerInfo.WhiteoutFiles,
+		},
+	}
+}
+
+func ConvertToMissingLayersRequest(imageID string, layerIDs []string) *cache.MissingLayersRequest {
+	return &cache.MissingLayersRequest{
+		ImageId:  imageID,
+		LayerIds: layerIDs,
+	}
+}
+
+func ConvertToRpcScanResponse(results report.Results, os *ftypes.OS, eosl bool) *scanner.ScanResponse {
+	rpcOS := &common.OS{}
+	if os != nil {
+		rpcOS.Family = os.Family
+		rpcOS.Name = os.Name
+	}
+
+	var rpcResults []*scanner.Result
+	for _, result := range results {
+		rpcResults = append(rpcResults, &scanner.Result{
+			Target:          result.Target,
+			Vulnerabilities: ConvertToRpcVulns(result.Vulnerabilities),
+		})
+	}
+
+	return &scanner.ScanResponse{
+		Os:      rpcOS,
+		Eosl:    eosl,
+		Results: rpcResults,
+	}
+}

pkg/rpc/convert_test.go

@@ -4,13 +4,15 @@ import (
 	"os"
 	"testing"
 
+	"github.com/aquasecurity/trivy/rpc/common"
+
+	ftypes "github.com/aquasecurity/fanal/types"
+
 	"github.com/aquasecurity/trivy/pkg/log"
 
-	"github.com/aquasecurity/fanal/analyzer"
 	ptypes "github.com/aquasecurity/go-dep-parser/pkg/types"
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/types"
-	"github.com/aquasecurity/trivy/rpc/detector"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -22,17 +24,17 @@ func TestMain(m *testing.M) {
 
 func TestConvertToRpcPkgs(t *testing.T) {
 	type args struct {
-		pkgs []analyzer.Package
+		pkgs []ftypes.Package
 	}
 	tests := []struct {
 		name string
 		args args
-		want []*detector.Package
+		want []*common.Package
 	}{
 		{
 			name: "happy path",
 			args: args{
-				pkgs: []analyzer.Package{
+				pkgs: []ftypes.Package{
 					{
 						Name:       "binary",
 						Version:    "1.2.3",
@@ -46,7 +48,7 @@ func TestConvertToRpcPkgs(t *testing.T) {
 					},
 				},
 			},
-			want: []*detector.Package{
+			want: []*common.Package{
 				{
 					Name:       "binary",
 					Version:    "1.2.3",
@@ -71,16 +73,16 @@ func TestConvertToRpcPkgs(t *testing.T) {
 
 func TestConvertFromRpcPkgs(t *testing.T) {
 	type args struct {
-		rpcPkgs []*detector.Package
+		rpcPkgs []*common.Package
 	}
 	tests := []struct {
 		name string
 		args args
-		want []analyzer.Package
+		want []ftypes.Package
 	}{
 		{
 			args: args{
-				rpcPkgs: []*detector.Package{
+				rpcPkgs: []*common.Package{
 					{
 						Name:       "binary",
 						Version:    "1.2.3",
@@ -94,7 +96,7 @@ func TestConvertFromRpcPkgs(t *testing.T) {
 					},
 				},
 			},
-			want: []analyzer.Package{
+			want: []ftypes.Package{
 				{
 					Name:       "binary",
 					Version:    "1.2.3",
@@ -119,24 +121,24 @@ func TestConvertFromRpcPkgs(t *testing.T) {
 
 func TestConvertFromRpcLibraries(t *testing.T) {
 	type args struct {
-		rpcLibs []*detector.Library
+		rpcLibs []*common.Library
 	}
 	tests := []struct {
 		name string
 		args args
-		want []ptypes.Library
+		want []ftypes.LibraryInfo
 	}{
 		{
 			name: "happy path",
 			args: args{
-				rpcLibs: []*detector.Library{
+				rpcLibs: []*common.Library{
 					{Name: "foo", Version: "1.2.3"},
 					{Name: "bar", Version: "4.5.6"},
 				},
 			},
-			want: []ptypes.Library{
-				{Name: "foo", Version: "1.2.3"},
-				{Name: "bar", Version: "4.5.6"},
+			want: []ftypes.LibraryInfo{
+				{Library: ptypes.Library{Name: "foo", Version: "1.2.3"}},
+				{Library: ptypes.Library{Name: "bar", Version: "4.5.6"}},
 			},
 		},
 	}
@@ -155,7 +157,7 @@ func TestConvertToRpcLibraries(t *testing.T) {
 	tests := []struct {
 		name string
 		args args
-		want []*detector.Library
+		want []*common.Library
 	}{
 		{
 			name: "happy path",
@@ -165,7 +167,7 @@ func TestConvertToRpcLibraries(t *testing.T) {
 					{Name: "bar", Version: "4.5.6"},
 				},
 			},
-			want: []*detector.Library{
+			want: []*common.Library{
 				{Name: "foo", Version: "1.2.3"},
 				{Name: "bar", Version: "4.5.6"},
 			},
@@ -181,7 +183,7 @@ func TestConvertToRpcLibraries(t *testing.T) {
 
 func TestConvertFromRpcVulns(t *testing.T) {
 	type args struct {
-		rpcVulns []*detector.Vulnerability
+		rpcVulns []*common.Vulnerability
 	}
 	tests := []struct {
 		name string
@@ -191,7 +193,7 @@ func TestConvertFromRpcVulns(t *testing.T) {
 		{
 			name: "happy path",
 			args: args{
-				rpcVulns: []*detector.Vulnerability{
+				rpcVulns: []*common.Vulnerability{
 					{
 						VulnerabilityId:  "CVE-2019-0001",
 						PkgName:          "foo",
@@ -199,7 +201,7 @@ func TestConvertFromRpcVulns(t *testing.T) {
 						FixedVersion:     "1.2.4",
 						Title:            "DoS",
 						Description:      "Denial of Service",
-						Severity:         detector.Severity_CRITICAL,
+						Severity:         common.Severity_CRITICAL,
 						References:       []string{"http://example.com"},
 					},
 				},
@@ -235,7 +237,7 @@ func TestConvertToRpcVulns(t *testing.T) {
 	tests := []struct {
 		name string
 		args args
-		want []*detector.Vulnerability
+		want []*common.Vulnerability
 	}{
 		{
 			name: "happy path",
@@ -255,7 +257,7 @@ func TestConvertToRpcVulns(t *testing.T) {
 					},
 				},
 			},
-			want: []*detector.Vulnerability{
+			want: []*common.Vulnerability{
 				{
 					VulnerabilityId:  "CVE-2019-0001",
 					PkgName:          "foo",
@@ -263,7 +265,7 @@ func TestConvertToRpcVulns(t *testing.T) {
 					FixedVersion:     "1.2.4",
 					Title:            "DoS",
 					Description:      "Denial of Service",
-					Severity:         detector.Severity_MEDIUM,
+					Severity:         common.Severity_MEDIUM,
 					References:       []string{"http://example.com"},
 				},
 			},
@@ -286,7 +288,7 @@ func TestConvertToRpcVulns(t *testing.T) {
 					},
 				},
 			},
-			want: []*detector.Vulnerability{
+			want: []*common.Vulnerability{
 				{
 					VulnerabilityId:  "CVE-2019-0002",
 					PkgName:          "bar",
@@ -294,7 +296,7 @@ func TestConvertToRpcVulns(t *testing.T) {
 					FixedVersion:     "1.2.4",
 					Title:            "DoS",
 					Description:      "Denial of Service",
-					Severity:         detector.Severity_UNKNOWN,
+					Severity:         common.Severity_UNKNOWN,
 					References:       []string{"http://example.com"},
 				},
 			},

pkg/rpc/server/inject.go

@@ -3,12 +3,17 @@
 package server
 
 import (
-	"github.com/google/wire"
-
+	"github.com/aquasecurity/fanal/cache"
 	"github.com/aquasecurity/trivy/pkg/rpc/server/library"
 	"github.com/aquasecurity/trivy/pkg/rpc/server/ospkg"
+	"github.com/google/wire"
 )
 
+func initializeScanServer(localLayerCache cache.LocalImageCache) *ScanServer {
+	wire.Build(ScanSuperSet)
+	return &ScanServer{}
+}
+
 func initializeOspkgServer() *ospkg.Server {
 	wire.Build(ospkg.SuperSet)
 	return &ospkg.Server{}
@@ -20,6 +25,6 @@ func initializeLibServer() *library.Server {
 }
 
 func initializeDBWorker(quiet bool) dbWorker {
-	wire.Build(SuperSet)
+	wire.Build(DBWorkerSuperSet)
 	return dbWorker{}
 }

pkg/rpc/server/library/server.go

@@ -2,6 +2,7 @@ package library
 
 import (
 	"context"
+	"time"
 
 	"github.com/google/wire"
 	"golang.org/x/xerrors"
@@ -19,6 +20,7 @@ var SuperSet = wire.NewSet(
 	NewServer,
 )
 
+// Server is for backward compatibility
 type Server struct {
 	detector   detector.Operation
 	vulnClient vulnerability.Operation
@@ -28,8 +30,9 @@ func NewServer(detector detector.Operation, vulnClient vulnerability.Operation)
 	return &Server{detector: detector, vulnClient: vulnClient}
 }
 
-func (s *Server) Detect(ctx context.Context, req *proto.LibDetectRequest) (res *proto.DetectResponse, err error) {
-	vulns, err := s.detector.Detect(req.FilePath, rpc.ConvertFromRpcLibraries(req.Libraries))
+// Detect is for backward compatibility
+func (s *Server) Detect(_ context.Context, req *proto.LibDetectRequest) (res *proto.DetectResponse, err error) {
+	vulns, err := s.detector.Detect("", req.FilePath, time.Time{}, rpc.ConvertFromRpcLibraries(req.Libraries))
 	if err != nil {
 		err = xerrors.Errorf("failed to detect library vulnerabilities: %w", err)
 		log.Logger.Error(err)

pkg/rpc/server/library/server_test.go

@@ -5,19 +5,19 @@ import (
 	"os"
 	"testing"
 
-	"github.com/aquasecurity/trivy/pkg/detector/library"
-
-	"github.com/aquasecurity/trivy/pkg/log"
-
-	"golang.org/x/xerrors"
+	ftypes "github.com/aquasecurity/fanal/types"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"golang.org/x/xerrors"
 
 	ptypes "github.com/aquasecurity/go-dep-parser/pkg/types"
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
+	"github.com/aquasecurity/trivy/pkg/detector/library"
+	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/vulnerability"
+	"github.com/aquasecurity/trivy/rpc/common"
 	proto "github.com/aquasecurity/trivy/rpc/detector"
 )
 
@@ -32,30 +32,34 @@ func TestServer_Detect(t *testing.T) {
 		req *proto.LibDetectRequest
 	}
 	tests := []struct {
-		name    string
-		args    args
-		detect  library.DetectExpectation
-		wantRes *proto.DetectResponse
-		wantErr string
+		name                string
+		args                args
+		detectExpectation   library.OperationDetectExpectation
+		fillInfoExpectation vulnerability.FillInfoExpectation
+		wantRes             *proto.DetectResponse
+		wantErr             string
 	}{
 		{
 			name: "happy path",
 			args: args{
 				req: &proto.LibDetectRequest{
-					FilePath: "app/Pipfile.lock",
-					Libraries: []*proto.Library{
+					ImageName: "alpine:3.10",
+					FilePath:  "app/Pipfile.lock",
+					Libraries: []*common.Library{
 						{Name: "django", Version: "3.0.0"},
 					},
 				},
 			},
-			detect: library.DetectExpectation{
-				Args: library.DetectInput{
+			detectExpectation: library.OperationDetectExpectation{
+				Args: library.OperationDetectArgs{
 					FilePath: "app/Pipfile.lock",
-					Libs: []ptypes.Library{
-						{Name: "django", Version: "3.0.0"},
+					Pkgs: []ftypes.LibraryInfo{
+						{
+							Library: ptypes.Library{Name: "django", Version: "3.0.0"},
+						},
 					},
 				},
-				ReturnArgs: library.DetectOutput{
+				Returns: library.OperationDetectReturns{
 					Vulns: []types.DetectedVulnerability{
 						{
 							VulnerabilityID:  "CVE-2019-0001",
@@ -72,8 +76,27 @@ func TestServer_Detect(t *testing.T) {
 					},
 				},
 			},
+			fillInfoExpectation: vulnerability.FillInfoExpectation{
+				Args: vulnerability.FillInfoArgs{
+					Vulns: []types.DetectedVulnerability{
+						{
+							VulnerabilityID:  "CVE-2019-0001",
+							PkgName:          "test",
+							InstalledVersion: "1",
+							FixedVersion:     "2",
+							Vulnerability: dbTypes.Vulnerability{
+								Title:       "title",
+								Description: "description",
+								Severity:    "MEDIUM",
+								References:  []string{"http://example.com"},
+							},
+						},
+					},
+					Light: false,
+				},
+			},
 			wantRes: &proto.DetectResponse{
-				Vulnerabilities: []*proto.Vulnerability{
+				Vulnerabilities: []*common.Vulnerability{
 					{
 						VulnerabilityId:  "CVE-2019-0001",
 						PkgName:          "test",
@@ -81,7 +104,7 @@ func TestServer_Detect(t *testing.T) {
 						FixedVersion:     "2",
 						Title:            "title",
 						Description:      "description",
-						Severity:         proto.Severity_MEDIUM,
+						Severity:         common.Severity_MEDIUM,
 						References:       []string{"http://example.com"},
 					},
 				},
@@ -91,20 +114,21 @@ func TestServer_Detect(t *testing.T) {
 			name: "Detect returns an error",
 			args: args{
 				req: &proto.LibDetectRequest{
-					FilePath: "app/Pipfile.lock",
-					Libraries: []*proto.Library{
+					ImageName: "alpine:3.10",
+					FilePath:  "app/Pipfile.lock",
+					Libraries: []*common.Library{
 						{Name: "django", Version: "3.0.0"},
 					},
 				},
 			},
-			detect: library.DetectExpectation{
-				Args: library.DetectInput{
+			detectExpectation: library.OperationDetectExpectation{
+				Args: library.OperationDetectArgs{
 					FilePath: "app/Pipfile.lock",
-					Libs: []ptypes.Library{
-						{Name: "django", Version: "3.0.0"},
+					Pkgs: []ftypes.LibraryInfo{
+						{Library: ptypes.Library{Name: "django", Version: "3.0.0"}},
 					},
 				},
-				ReturnArgs: library.DetectOutput{
+				Returns: library.OperationDetectReturns{
 					Err: xerrors.New("error"),
 				},
 			},
@@ -113,8 +137,10 @@ func TestServer_Detect(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			mockDetector := library.NewMockDetector([]library.DetectExpectation{tt.detect})
-			mockVulnClient := vulnerability.NewMockVulnClient()
+			mockDetector := new(library.MockOperation)
+			mockDetector.ApplyDetectExpectation(tt.detectExpectation)
+			mockVulnClient := new(vulnerability.MockOperation)
+			mockVulnClient.ApplyFillInfoExpectation(tt.fillInfoExpectation)
 
 			s := NewServer(mockDetector, mockVulnClient)
 			ctx := context.TODO()

pkg/rpc/server/listen.go

@@ -0,0 +1,148 @@
+package server
+
+import (
+	"context"
+	"io/ioutil"
+	"net/http"
+	"os"
+	"sync"
+	"time"
+
+	"github.com/google/wire"
+	"github.com/twitchtv/twirp"
+	"golang.org/x/xerrors"
+
+	"github.com/aquasecurity/fanal/cache"
+	"github.com/aquasecurity/trivy-db/pkg/db"
+	"github.com/aquasecurity/trivy/internal/server/config"
+	dbFile "github.com/aquasecurity/trivy/pkg/db"
+	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/aquasecurity/trivy/pkg/utils"
+	rpcCache "github.com/aquasecurity/trivy/rpc/cache"
+	"github.com/aquasecurity/trivy/rpc/detector"
+	rpcDetector "github.com/aquasecurity/trivy/rpc/detector"
+	rpcScanner "github.com/aquasecurity/trivy/rpc/scanner"
+)
+
+var DBWorkerSuperSet = wire.NewSet(
+	dbFile.SuperSet,
+	newDBWorker,
+)
+
+func ListenAndServe(c config.Config, fsCache cache.FSCache) error {
+	requestWg := &sync.WaitGroup{}
+	dbUpdateWg := &sync.WaitGroup{}
+
+	withWaitGroup := func(base http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			// Stop processing requests during DB update
+			dbUpdateWg.Wait()
+
+			// Wait for all requests to be processed before DB update
+			requestWg.Add(1)
+			defer requestWg.Done()
+
+			base.ServeHTTP(w, r)
+
+		})
+	}
+
+	go func() {
+		worker := initializeDBWorker(true)
+		ctx := context.Background()
+		for {
+			time.Sleep(1 * time.Hour)
+			if err := worker.update(ctx, c.AppVersion, c.CacheDir, dbUpdateWg, requestWg); err != nil {
+				log.Logger.Errorf("%+v\n", err)
+			}
+		}
+	}()
+
+	mux := http.NewServeMux()
+
+	scanHandler := rpcScanner.NewScannerServer(initializeScanServer(fsCache), nil)
+	mux.Handle(rpcScanner.ScannerPathPrefix, withToken(withWaitGroup(scanHandler), c.Token, c.TokenHeader))
+
+	layerHandler := rpcCache.NewCacheServer(NewCacheServer(fsCache), nil)
+	mux.Handle(rpcCache.CachePathPrefix, withToken(withWaitGroup(layerHandler), c.Token, c.TokenHeader))
+
+	// osHandler is for backward compatibility
+	osHandler := rpcDetector.NewOSDetectorServer(initializeOspkgServer(), nil)
+	mux.Handle(rpcDetector.OSDetectorPathPrefix, withToken(withWaitGroup(osHandler), c.Token, c.TokenHeader))
+
+	// libHandler is for backward compatibility
+	libHandler := rpcDetector.NewLibDetectorServer(initializeLibServer(), nil)
+	mux.Handle(rpcDetector.LibDetectorPathPrefix, withToken(withWaitGroup(libHandler), c.Token, c.TokenHeader))
+
+	log.Logger.Infof("Listening %s...", c.Listen)
+
+	return http.ListenAndServe(c.Listen, mux)
+}
+
+func withToken(base http.Handler, token, tokenHeader string) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if token != "" && token != r.Header.Get(tokenHeader) {
+			detector.WriteError(w, twirp.NewError(twirp.Unauthenticated, "invalid token"))
+			return
+		}
+		base.ServeHTTP(w, r)
+	})
+}
+
+type dbWorker struct {
+	dbClient dbFile.Operation
+}
+
+func newDBWorker(dbClient dbFile.Operation) dbWorker {
+	return dbWorker{dbClient: dbClient}
+}
+
+func (w dbWorker) update(ctx context.Context, appVersion, cacheDir string,
+	dbUpdateWg, requestWg *sync.WaitGroup) error {
+	needsUpdate, err := w.dbClient.NeedsUpdate(ctx, appVersion, false, false)
+	if err != nil {
+		return xerrors.Errorf("failed to check if db needs an update")
+	} else if !needsUpdate {
+		return nil
+	}
+
+	log.Logger.Info("Updating DB...")
+	if err = w.hotUpdate(ctx, cacheDir, dbUpdateWg, requestWg); err != nil {
+		return xerrors.Errorf("failed DB hot update")
+	}
+	return nil
+}
+
+func (w dbWorker) hotUpdate(ctx context.Context, cacheDir string, dbUpdateWg, requestWg *sync.WaitGroup) error {
+	tmpDir, err := ioutil.TempDir("", "db")
+	if err != nil {
+		return xerrors.Errorf("failed to create a temp dir: %w", err)
+	}
+	defer os.RemoveAll(tmpDir)
+
+	if err := w.dbClient.Download(ctx, tmpDir, false); err != nil {
+		return xerrors.Errorf("failed to download vulnerability DB: %w", err)
+	}
+
+	log.Logger.Info("Suspending all requests during DB update")
+	dbUpdateWg.Add(1)
+	defer dbUpdateWg.Done()
+
+	log.Logger.Info("Waiting for all requests to be processed before DB update...")
+	requestWg.Wait()
+
+	if err = db.Close(); err != nil {
+		return xerrors.Errorf("failed to close DB: %w", err)
+	}
+
+	if _, err = utils.CopyFile(db.Path(tmpDir), db.Path(cacheDir)); err != nil {
+		return xerrors.Errorf("failed to copy the database file: %w", err)
+	}
+
+	log.Logger.Info("Reopening DB...")
+	if err = db.Init(cacheDir); err != nil {
+		return xerrors.Errorf("failed to open DB: %w", err)
+	}
+
+	return nil
+}

pkg/rpc/server/listen_test.go

@@ -0,0 +1,157 @@
+package server
+
+import (
+	"context"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/require"
+	"golang.org/x/xerrors"
+
+	"github.com/aquasecurity/trivy-db/pkg/db"
+	dbFile "github.com/aquasecurity/trivy/pkg/db"
+	"github.com/aquasecurity/trivy/pkg/log"
+)
+
+func TestMain(m *testing.M) {
+	log.InitLogger(false, false)
+	os.Exit(m.Run())
+}
+
+func Test_dbWorker_update(t *testing.T) {
+	type needsUpdateInput struct {
+		appVersion string
+		skip       bool
+	}
+	type needsUpdateOutput struct {
+		needsUpdate bool
+		err         error
+	}
+	type needsUpdate struct {
+		input  needsUpdateInput
+		output needsUpdateOutput
+	}
+
+	type download struct {
+		call bool
+		err  error
+	}
+
+	type args struct {
+		appVersion string
+	}
+	tests := []struct {
+		name        string
+		needsUpdate needsUpdate
+		download    download
+		args        args
+		want        db.Metadata
+		wantErr     string
+	}{
+		{
+			name: "happy path",
+			needsUpdate: needsUpdate{
+				input:  needsUpdateInput{appVersion: "1", skip: false},
+				output: needsUpdateOutput{needsUpdate: true},
+			},
+			download: download{
+				call: true,
+			},
+			args: args{appVersion: "1"},
+			want: db.Metadata{
+				Version:    1,
+				Type:       db.TypeFull,
+				NextUpdate: time.Date(3000, 1, 1, 0, 0, 0, 0, time.UTC),
+				UpdatedAt:  time.Date(3000, 1, 1, 0, 0, 0, 0, time.UTC),
+			},
+		},
+		{
+			name: "not update",
+			needsUpdate: needsUpdate{
+				input:  needsUpdateInput{appVersion: "1", skip: false},
+				output: needsUpdateOutput{needsUpdate: false},
+			},
+			args: args{appVersion: "1"},
+		},
+		{
+			name: "NeedsUpdate returns an error",
+			needsUpdate: needsUpdate{
+				input:  needsUpdateInput{appVersion: "1", skip: false},
+				output: needsUpdateOutput{err: xerrors.New("fail")},
+			},
+			args:    args{appVersion: "1"},
+			wantErr: "failed to check if db needs an update",
+		},
+		{
+			name: "Download returns an error",
+			needsUpdate: needsUpdate{
+				input:  needsUpdateInput{appVersion: "1", skip: false},
+				output: needsUpdateOutput{needsUpdate: true},
+			},
+			download: download{
+				call: true,
+				err:  xerrors.New("fail"),
+			},
+			args:    args{appVersion: "1"},
+			wantErr: "failed DB hot update",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cacheDir, err := ioutil.TempDir("", "server-test")
+			require.NoError(t, err, tt.name)
+
+			require.NoError(t, db.Init(cacheDir), tt.name)
+
+			mockDBClient := new(dbFile.MockClient)
+			mockDBClient.On("NeedsUpdate", mock.Anything,
+				tt.needsUpdate.input.appVersion, false, tt.needsUpdate.input.skip).Return(
+				tt.needsUpdate.output.needsUpdate, tt.needsUpdate.output.err)
+
+			if tt.download.call {
+				mockDBClient.On("Download", mock.Anything, mock.Anything, false).Run(
+					func(args mock.Arguments) {
+						// fake download: copy testdata/new.db to tmpDir/db/trivy.db
+						content, err := ioutil.ReadFile("testdata/new.db")
+						require.NoError(t, err, tt.name)
+
+						tmpDir := args.String(1)
+						dbPath := db.Path(tmpDir)
+						require.NoError(t, os.MkdirAll(filepath.Dir(dbPath), 0777), tt.name)
+						err = ioutil.WriteFile(dbPath, content, 0444)
+						require.NoError(t, err, tt.name)
+					}).Return(tt.download.err)
+			}
+
+			w := newDBWorker(mockDBClient)
+
+			var dbUpdateWg, requestWg sync.WaitGroup
+			err = w.update(context.Background(), tt.args.appVersion, cacheDir,
+				&dbUpdateWg, &requestWg)
+			if tt.wantErr != "" {
+				require.NotNil(t, err, tt.name)
+				assert.Contains(t, err.Error(), tt.wantErr, tt.name)
+				return
+			} else {
+				assert.NoError(t, err, tt.name)
+			}
+
+			if !tt.download.call {
+				return
+			}
+
+			dbc := db.Config{}
+			got, err := dbc.GetMetadata()
+			assert.NoError(t, err, tt.name)
+			assert.Equal(t, tt.want, got, tt.name)
+
+			mockDBClient.AssertExpectations(t)
+		})
+	}
+}

pkg/rpc/server/ospkg/server.go

@@ -2,6 +2,7 @@ package ospkg
 
 import (
 	"context"
+	"time"
 
 	"github.com/google/wire"
 	"golang.org/x/xerrors"
@@ -19,6 +20,7 @@ var SuperSet = wire.NewSet(
 	NewServer,
 )
 
+// Server is for backward compatibility
 type Server struct {
 	detector   detector.Operation
 	vulnClient vulnerability.Operation
@@ -28,8 +30,9 @@ func NewServer(detector detector.Operation, vulnClient vulnerability.Operation)
 	return &Server{detector: detector, vulnClient: vulnClient}
 }
 
-func (s *Server) Detect(ctx context.Context, req *proto.OSDetectRequest) (res *proto.DetectResponse, err error) {
-	vulns, eosl, err := s.detector.Detect(req.OsFamily, req.OsName, rpc.ConvertFromRpcPkgs(req.Packages))
+// Detect is for backward compatibility
+func (s *Server) Detect(_ context.Context, req *proto.OSDetectRequest) (res *proto.DetectResponse, err error) {
+	vulns, eosl, err := s.detector.Detect("", req.OsFamily, req.OsName, time.Time{}, rpc.ConvertFromRpcPkgs(req.Packages))
 	if err != nil {
 		err = xerrors.Errorf("failed to detect vulnerabilities of OS packages: %w", err)
 		log.Logger.Error(err)

pkg/rpc/server/ospkg/server_test.go

@@ -9,12 +9,13 @@ import (
 	"github.com/stretchr/testify/require"
 	"golang.org/x/xerrors"
 
-	"github.com/aquasecurity/fanal/analyzer"
+	ftypes "github.com/aquasecurity/fanal/types"
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/detector/ospkg"
 	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/vulnerability"
+	"github.com/aquasecurity/trivy/rpc/common"
 	proto "github.com/aquasecurity/trivy/rpc/detector"
 )
 
@@ -29,11 +30,12 @@ func TestServer_Detect(t *testing.T) {
 		req *proto.OSDetectRequest
 	}
 	tests := []struct {
-		name    string
-		args    args
-		detect  ospkg.DetectExpectation
-		wantRes *proto.DetectResponse
-		wantErr string
+		name                string
+		args                args
+		detectExpectation   ospkg.DetectExpectation
+		fillInfoExpectation vulnerability.FillInfoExpectation
+		wantRes             *proto.DetectResponse
+		wantErr             string
 	}{
 		{
 			name: "happy path",
@@ -41,16 +43,16 @@ func TestServer_Detect(t *testing.T) {
 				req: &proto.OSDetectRequest{
 					OsFamily: "alpine",
 					OsName:   "3.10.2",
-					Packages: []*proto.Package{
+					Packages: []*common.Package{
 						{Name: "musl", Version: "1.1.22-r3"},
 					},
 				},
 			},
-			detect: ospkg.DetectExpectation{
+			detectExpectation: ospkg.DetectExpectation{
 				Args: ospkg.DetectInput{
 					OSFamily: "alpine",
 					OSName:   "3.10.2",
-					Pkgs: []analyzer.Package{
+					Pkgs: []ftypes.Package{
 						{Name: "musl", Version: "1.1.22-r3"},
 					},
 				},
@@ -66,12 +68,25 @@ func TestServer_Detect(t *testing.T) {
 					},
 				},
 			},
+			fillInfoExpectation: vulnerability.FillInfoExpectation{
+				Args: vulnerability.FillInfoArgs{
+					Vulns: []types.DetectedVulnerability{
+						{
+							VulnerabilityID: "CVE-2019-0001",
+							PkgName:         "musl",
+							Vulnerability: dbTypes.Vulnerability{
+								Severity: "HIGH",
+							}},
+					},
+					Light: false,
+				},
+			},
 			wantRes: &proto.DetectResponse{
-				Vulnerabilities: []*proto.Vulnerability{
+				Vulnerabilities: []*common.Vulnerability{
 					{
 						VulnerabilityId: "CVE-2019-0001",
 						PkgName:         "musl",
-						Severity:        proto.Severity_HIGH,
+						Severity:        common.Severity_HIGH,
 					},
 				},
 			},
@@ -82,16 +97,16 @@ func TestServer_Detect(t *testing.T) {
 				req: &proto.OSDetectRequest{
 					OsFamily: "alpine",
 					OsName:   "3.10.2",
-					Packages: []*proto.Package{
+					Packages: []*common.Package{
 						{Name: "musl", Version: "1.1.22-r3"},
 					},
 				},
 			},
-			detect: ospkg.DetectExpectation{
+			detectExpectation: ospkg.DetectExpectation{
 				Args: ospkg.DetectInput{
 					OSFamily: "alpine",
 					OSName:   "3.10.2",
-					Pkgs: []analyzer.Package{
+					Pkgs: []ftypes.Package{
 						{Name: "musl", Version: "1.1.22-r3"},
 					},
 				},
@@ -104,8 +119,9 @@ func TestServer_Detect(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			mockDetector := ospkg.NewMockDetector([]ospkg.DetectExpectation{tt.detect})
-			mockVulnClient := vulnerability.NewMockVulnClient()
+			mockDetector := ospkg.NewMockDetector([]ospkg.DetectExpectation{tt.detectExpectation})
+			mockVulnClient := new(vulnerability.MockOperation)
+			mockVulnClient.ApplyFillInfoExpectation(tt.fillInfoExpectation)
 
 			s := NewServer(mockDetector, mockVulnClient)
 			gotRes, err := s.Detect(context.TODO(), tt.args.req)

pkg/rpc/server/server.go

@@ -2,136 +2,94 @@ package server
 
 import (
 	"context"
-	"io/ioutil"
-	"net/http"
-	"os"
-	"sync"
-	"time"
 
+	google_protobuf "github.com/golang/protobuf/ptypes/empty"
 	"github.com/google/wire"
-
-	"github.com/twitchtv/twirp"
+	digest "github.com/opencontainers/go-digest"
 	"golang.org/x/xerrors"
 
-	"github.com/aquasecurity/trivy-db/pkg/db"
-	"github.com/aquasecurity/trivy/internal/server/config"
-	dbFile "github.com/aquasecurity/trivy/pkg/db"
-	"github.com/aquasecurity/trivy/pkg/log"
-	"github.com/aquasecurity/trivy/pkg/utils"
-	rpc "github.com/aquasecurity/trivy/rpc/detector"
+	"github.com/aquasecurity/fanal/cache"
+	ftypes "github.com/aquasecurity/fanal/types"
+	"github.com/aquasecurity/trivy/pkg/rpc"
+	"github.com/aquasecurity/trivy/pkg/scanner"
+	"github.com/aquasecurity/trivy/pkg/scanner/local"
+	"github.com/aquasecurity/trivy/pkg/types"
+	"github.com/aquasecurity/trivy/pkg/vulnerability"
+	rpcCache "github.com/aquasecurity/trivy/rpc/cache"
+	rpcScanner "github.com/aquasecurity/trivy/rpc/scanner"
 )
 
-var SuperSet = wire.NewSet(
-	dbFile.SuperSet,
-	newDBWorker,
+var ScanSuperSet = wire.NewSet(
+	local.SuperSet,
+	wire.Bind(new(scanner.Driver), new(local.Scanner)),
+	vulnerability.SuperSet,
+	NewScanServer,
 )
 
-func ListenAndServe(addr string, c config.Config) error {
-	requestWg := &sync.WaitGroup{}
-	dbUpdateWg := &sync.WaitGroup{}
-
-	withWaitGroup := func(base http.Handler) http.Handler {
-		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			// Stop processing requests during DB update
-			dbUpdateWg.Wait()
-
-			// Wait for all requests to be processed before DB update
-			requestWg.Add(1)
-			defer requestWg.Done()
-
-			base.ServeHTTP(w, r)
-
-		})
-	}
-
-	go func() {
-		worker := initializeDBWorker(true)
-		ctx := context.Background()
-		for {
-			time.Sleep(1 * time.Hour)
-			if err := worker.update(ctx, c.AppVersion, c.CacheDir, dbUpdateWg, requestWg); err != nil {
-				log.Logger.Errorf("%+v\n", err)
-			}
-		}
-	}()
-
-	mux := http.NewServeMux()
-
-	osHandler := rpc.NewOSDetectorServer(initializeOspkgServer(), nil)
-	mux.Handle(rpc.OSDetectorPathPrefix, withToken(withWaitGroup(osHandler), c.Token, c.TokenHeader))
-
-	libHandler := rpc.NewLibDetectorServer(initializeLibServer(), nil)
-	mux.Handle(rpc.LibDetectorPathPrefix, withToken(withWaitGroup(libHandler), c.Token, c.TokenHeader))
-
-	log.Logger.Infof("Listening %s...", addr)
-
-	return http.ListenAndServe(addr, mux)
+type ScanServer struct {
+	localScanner scanner.Driver
+	vulnClient   vulnerability.Operation
 }
 
-func withToken(base http.Handler, token, tokenHeader string) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if token != "" && token != r.Header.Get(tokenHeader) {
-			rpc.WriteError(w, twirp.NewError(twirp.Unauthenticated, "invalid token"))
-			return
-		}
-		base.ServeHTTP(w, r)
-	})
+func NewScanServer(s scanner.Driver, vulnClient vulnerability.Operation) *ScanServer {
+	return &ScanServer{localScanner: s, vulnClient: vulnClient}
 }
 
-type dbWorker struct {
-	dbClient dbFile.Operation
-}
-
-func newDBWorker(dbClient dbFile.Operation) dbWorker {
-	return dbWorker{dbClient: dbClient}
-}
-
-func (w dbWorker) update(ctx context.Context, appVersion, cacheDir string,
-	dbUpdateWg, requestWg *sync.WaitGroup) error {
-	needsUpdate, err := w.dbClient.NeedsUpdate(ctx, appVersion, false, false)
+func (s *ScanServer) Scan(_ context.Context, in *rpcScanner.ScanRequest) (*rpcScanner.ScanResponse, error) {
+	options := types.ScanOptions{VulnType: in.Options.VulnType}
+	results, os, eosl, err := s.localScanner.Scan(in.Target, digest.Digest(in.ImageId), in.LayerIds, options)
 	if err != nil {
-		return xerrors.Errorf("failed to check if db needs an update")
-	} else if !needsUpdate {
-		return nil
+		return nil, xerrors.Errorf("failed scan, %s: %w", in.Target, err)
 	}
 
-	log.Logger.Info("Updating DB...")
-	if err = w.hotUpdate(ctx, cacheDir, dbUpdateWg, requestWg); err != nil {
-		return xerrors.Errorf("failed DB hot update")
+	for i := range results {
+		s.vulnClient.FillInfo(results[i].Vulnerabilities, false)
 	}
-	return nil
+	return rpc.ConvertToRpcScanResponse(results, os, eosl), nil
 }
 
-func (w dbWorker) hotUpdate(ctx context.Context, cacheDir string, dbUpdateWg, requestWg *sync.WaitGroup) error {
-	tmpDir, err := ioutil.TempDir("", "db")
-	if err != nil {
-		return xerrors.Errorf("failed to create a temp dir: %w", err)
-	}
-	defer os.RemoveAll(tmpDir)
-
-	if err := w.dbClient.Download(ctx, tmpDir, false); err != nil {
-		return xerrors.Errorf("failed to download vulnerability DB: %w", err)
-	}
-
-	log.Logger.Info("Suspending all requests during DB update")
-	dbUpdateWg.Add(1)
-	defer dbUpdateWg.Done()
-
-	log.Logger.Info("Waiting for all requests to be processed before DB update...")
-	requestWg.Wait()
-
-	if err = db.Close(); err != nil {
-		return xerrors.Errorf("failed to close DB: %w", err)
-	}
-
-	if _, err = utils.CopyFile(db.Path(tmpDir), db.Path(cacheDir)); err != nil {
-		return xerrors.Errorf("failed to copy the database file: %w", err)
-	}
-
-	log.Logger.Info("Reopening DB...")
-	if err = db.Init(cacheDir); err != nil {
-		return xerrors.Errorf("failed to open DB: %w", err)
-	}
-
-	return nil
+type CacheServer struct {
+	cache cache.Cache
+}
+
+func NewCacheServer(c cache.Cache) *CacheServer {
+	return &CacheServer{cache: c}
+}
+
+func (s *CacheServer) PutImage(_ context.Context, in *rpcCache.PutImageRequest) (*google_protobuf.Empty, error) {
+	if in.ImageInfo == nil {
+		return nil, xerrors.Errorf("empty image info")
+	}
+	imageInfo := rpc.ConvertFromRpcPutImageRequest(in)
+	if err := s.cache.PutImage(in.ImageId, imageInfo); err != nil {
+		return nil, xerrors.Errorf("unable to store image info in cache: %w", err)
+	}
+	return &google_protobuf.Empty{}, nil
+}
+
+func (s *CacheServer) PutLayer(_ context.Context, in *rpcCache.PutLayerRequest) (*google_protobuf.Empty, error) {
+	if in.LayerInfo == nil {
+		return nil, xerrors.Errorf("empty layer info")
+	}
+	layerInfo := rpc.ConvertFromRpcPutLayerRequest(in)
+	if err := s.cache.PutLayer(in.LayerId, in.DecompressedLayerId, layerInfo); err != nil {
+		return nil, xerrors.Errorf("unable to store layer info in cache: %w", err)
+	}
+	return &google_protobuf.Empty{}, nil
+}
+
+func (s *CacheServer) MissingLayers(_ context.Context, in *rpcCache.MissingLayersRequest) (*rpcCache.MissingLayersResponse, error) {
+	var layerIDs []string
+	for _, layerID := range in.LayerIds {
+		l, err := s.cache.GetLayer(layerID)
+		if err != nil || l.SchemaVersion != ftypes.LayerJSONSchemaVersion {
+			layerIDs = append(layerIDs, layerID)
+		}
+	}
+	var missingImage bool
+	img, err := s.cache.GetImage(in.ImageId)
+	if err != nil || img.SchemaVersion != ftypes.ImageJSONSchemaVersion {
+		missingImage = true
+	}
+	return &rpcCache.MissingLayersResponse{MissingImage: missingImage, MissingLayerIds: layerIDs}, nil
 }

pkg/rpc/server/server_test.go

@@ -2,138 +2,256 @@ package server
 
 import (
 	"context"
-	"io/ioutil"
-	"os"
-	"path/filepath"
-	"sync"
+	"errors"
 	"testing"
 	"time"
 
+	deptypes "github.com/aquasecurity/go-dep-parser/pkg/types"
+
+	"github.com/golang/protobuf/ptypes/timestamp"
+
+	"github.com/golang/protobuf/ptypes"
+
+	google_protobuf "github.com/golang/protobuf/ptypes/empty"
 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/mock"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/xerrors"
 
-	"github.com/aquasecurity/trivy-db/pkg/db"
-	dbFile "github.com/aquasecurity/trivy/pkg/db"
-	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/aquasecurity/fanal/cache"
+	ftypes "github.com/aquasecurity/fanal/types"
+	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
+	"github.com/aquasecurity/trivy/pkg/report"
+	"github.com/aquasecurity/trivy/pkg/scanner"
+	"github.com/aquasecurity/trivy/pkg/types"
+	"github.com/aquasecurity/trivy/pkg/vulnerability"
+	rpcCache "github.com/aquasecurity/trivy/rpc/cache"
+	"github.com/aquasecurity/trivy/rpc/common"
+	rpcScanner "github.com/aquasecurity/trivy/rpc/scanner"
 )
 
-func TestMain(m *testing.M) {
-	log.InitLogger(false, false)
-	os.Exit(m.Run())
+type mockCache struct {
+	cache.MockImageCache
+	cache.MockLocalImageCache
 }
 
-func Test_dbWorker_update(t *testing.T) {
-	type needsUpdateInput struct {
-		appVersion string
-		skip       bool
-	}
-	type needsUpdateOutput struct {
-		needsUpdate bool
-		err         error
-	}
-	type needsUpdate struct {
-		input  needsUpdateInput
-		output needsUpdateOutput
-	}
-
-	type download struct {
-		call bool
-		err  error
-	}
-
+func TestScanServer_Scan(t *testing.T) {
 	type args struct {
-		appVersion string
+		in *rpcScanner.ScanRequest
 	}
 	tests := []struct {
-		name        string
-		needsUpdate needsUpdate
-		download    download
-		args        args
-		want        db.Metadata
-		wantErr     string
+		name                string
+		args                args
+		scanExpectation     scanner.ScanExpectation
+		fillInfoExpectation vulnerability.FillInfoExpectation
+		want                *rpcScanner.ScanResponse
+		wantErr             string
 	}{
 		{
 			name: "happy path",
-			needsUpdate: needsUpdate{
-				input:  needsUpdateInput{appVersion: "1", skip: false},
-				output: needsUpdateOutput{needsUpdate: true},
+			args: args{
+				in: &rpcScanner.ScanRequest{
+					Target:   "alpine:3.11",
+					ImageId:  "sha256:e7d92cdc71feacf90708cb59182d0df1b911f8ae022d29e8e95d75ca6a99776a",
+					LayerIds: []string{"sha256:5216338b40a7b96416b8b9858974bbe4acc3096ee60acbc4dfb1ee02aecceb10"},
+					Options:  &rpcScanner.ScanOptions{},
+				},
 			},
-			download: download{
-				call: true,
+			scanExpectation: scanner.ScanExpectation{
+				Args: scanner.ScanArgs{
+					Target:   "alpine:3.11",
+					ImageID:  "sha256:e7d92cdc71feacf90708cb59182d0df1b911f8ae022d29e8e95d75ca6a99776a",
+					LayerIDs: []string{"sha256:5216338b40a7b96416b8b9858974bbe4acc3096ee60acbc4dfb1ee02aecceb10"},
+				},
+				Returns: scanner.ScanReturns{
+					Results: report.Results{
+						{
+							Target: "alpine:3.11 (alpine 3.11)",
+							Vulnerabilities: []types.DetectedVulnerability{
+								{
+									VulnerabilityID:  "CVE-2019-0001",
+									PkgName:          "musl",
+									InstalledVersion: "1.2.3",
+									FixedVersion:     "1.2.4",
+									Vulnerability:    dbTypes.Vulnerability{},
+								},
+							},
+						},
+					},
+					OsFound: &ftypes.OS{
+						Family: "alpine",
+						Name:   "3.11",
+					},
+				},
 			},
-			args: args{appVersion: "1"},
-			want: db.Metadata{
-				Version:    1,
-				Type:       db.TypeFull,
-				NextUpdate: time.Date(3000, 1, 1, 0, 0, 0, 0, time.UTC),
-				UpdatedAt:  time.Date(3000, 1, 1, 0, 0, 0, 0, time.UTC),
+			fillInfoExpectation: vulnerability.FillInfoExpectation{
+				Args: vulnerability.FillInfoArgs{
+					Vulns: []types.DetectedVulnerability{
+						{
+							VulnerabilityID:  "CVE-2019-0001",
+							PkgName:          "musl",
+							InstalledVersion: "1.2.3",
+							FixedVersion:     "1.2.4",
+							Vulnerability:    dbTypes.Vulnerability{},
+						},
+					},
+					Light: false,
+				},
+			},
+			want: &rpcScanner.ScanResponse{
+				Os: &common.OS{
+					Family: "alpine",
+					Name:   "3.11",
+				},
+				Eosl: false,
+				Results: []*rpcScanner.Result{
+					{
+						Target: "alpine:3.11 (alpine 3.11)",
+						Vulnerabilities: []*common.Vulnerability{
+							{
+								VulnerabilityId:  "CVE-2019-0001",
+								PkgName:          "musl",
+								InstalledVersion: "1.2.3",
+								FixedVersion:     "1.2.4",
+							},
+						},
+					},
+				},
 			},
 		},
 		{
-			name: "not update",
-			needsUpdate: needsUpdate{
-				input:  needsUpdateInput{appVersion: "1", skip: false},
-				output: needsUpdateOutput{needsUpdate: false},
+			name: "sad path: Scan returns an error",
+			args: args{
+				in: &rpcScanner.ScanRequest{
+					Target:   "alpine:3.11",
+					ImageId:  "sha256:e7d92cdc71feacf90708cb59182d0df1b911f8ae022d29e8e95d75ca6a99776a",
+					LayerIds: []string{"sha256:5216338b40a7b96416b8b9858974bbe4acc3096ee60acbc4dfb1ee02aecceb10"},
+					Options:  &rpcScanner.ScanOptions{},
+				},
 			},
-			args: args{appVersion: "1"},
+			scanExpectation: scanner.ScanExpectation{
+				Args: scanner.ScanArgs{
+					Target:   "alpine:3.11",
+					ImageID:  "sha256:e7d92cdc71feacf90708cb59182d0df1b911f8ae022d29e8e95d75ca6a99776a",
+					LayerIDs: []string{"sha256:5216338b40a7b96416b8b9858974bbe4acc3096ee60acbc4dfb1ee02aecceb10"},
+				},
+				Returns: scanner.ScanReturns{
+					Err: errors.New("error"),
+				},
+			},
+			wantErr: "failed scan, alpine:3.11",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			mockDriver := new(scanner.MockDriver)
+			mockDriver.ApplyScanExpectation(tt.scanExpectation)
+
+			mockVulnClient := new(vulnerability.MockOperation)
+			mockVulnClient.ApplyFillInfoExpectation(tt.fillInfoExpectation)
+
+			s := NewScanServer(mockDriver, mockVulnClient)
+			got, err := s.Scan(context.Background(), tt.args.in)
+			if tt.wantErr != "" {
+				require.NotNil(t, err, tt.name)
+				assert.Contains(t, err.Error(), tt.wantErr, tt.name)
+				return
+			} else {
+				assert.NoError(t, err, tt.name)
+			}
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func TestCacheServer_PutImage(t *testing.T) {
+	type args struct {
+		in *rpcCache.PutImageRequest
+	}
+	tests := []struct {
+		name     string
+		args     args
+		putImage cache.ImageCachePutImageExpectation
+		want     *google_protobuf.Empty
+		wantErr  string
+	}{
+		{
+			name: "happy path",
+			args: args{
+				in: &rpcCache.PutImageRequest{
+					ImageId: "sha256:e7d92cdc71feacf90708cb59182d0df1b911f8ae022d29e8e95d75ca6a99776a",
+					ImageInfo: &rpcCache.ImageInfo{
+						SchemaVersion: 1,
+						Architecture:  "amd64",
+						Created: func() *timestamp.Timestamp {
+							d := time.Date(2020, 1, 2, 3, 4, 5, 6, time.UTC)
+							t, _ := ptypes.TimestampProto(d)
+							return t
+						}(),
+						DockerVersion: "18.09",
+						Os:            "linux",
+					},
+				},
+			},
+			putImage: cache.ImageCachePutImageExpectation{
+				Args: cache.ImageCachePutImageArgs{
+					ImageID: "sha256:e7d92cdc71feacf90708cb59182d0df1b911f8ae022d29e8e95d75ca6a99776a",
+					ImageInfo: ftypes.ImageInfo{
+						SchemaVersion: 1,
+						Architecture:  "amd64",
+						Created:       time.Date(2020, 1, 2, 3, 4, 5, 6, time.UTC),
+						DockerVersion: "18.09",
+						OS:            "linux",
+					},
+				},
+			},
+			want: &google_protobuf.Empty{},
 		},
 		{
-			name: "NeedsUpdate returns an error",
-			needsUpdate: needsUpdate{
-				input:  needsUpdateInput{appVersion: "1", skip: false},
-				output: needsUpdateOutput{err: xerrors.New("fail")},
+			name: "sad path",
+			args: args{
+				in: &rpcCache.PutImageRequest{
+					ImageId: "sha256:e7d92cdc71feacf90708cb59182d0df1b911f8ae022d29e8e95d75ca6a99776a",
+					ImageInfo: &rpcCache.ImageInfo{
+						SchemaVersion: 1,
+						Created: func() *timestamp.Timestamp {
+							d := time.Date(2020, 1, 2, 3, 4, 5, 6, time.UTC)
+							t, _ := ptypes.TimestampProto(d)
+							return t
+						}(),
+					},
+				},
 			},
-			args:    args{appVersion: "1"},
-			wantErr: "failed to check if db needs an update",
+			putImage: cache.ImageCachePutImageExpectation{
+				Args: cache.ImageCachePutImageArgs{
+					ImageID: "sha256:e7d92cdc71feacf90708cb59182d0df1b911f8ae022d29e8e95d75ca6a99776a",
+					ImageInfo: ftypes.ImageInfo{
+						SchemaVersion: 1,
+						Created:       time.Date(2020, 1, 2, 3, 4, 5, 6, time.UTC),
+					},
+				},
+				Returns: cache.ImageCachePutImageReturns{
+					Err: xerrors.New("error"),
+				},
+			},
+			wantErr: "unable to store image info in cache",
 		},
 		{
-			name: "Download returns an error",
-			needsUpdate: needsUpdate{
-				input:  needsUpdateInput{appVersion: "1", skip: false},
-				output: needsUpdateOutput{needsUpdate: true},
+			name: "sad path: empty image info",
+			args: args{
+				in: &rpcCache.PutImageRequest{},
 			},
-			download: download{
-				call: true,
-				err:  xerrors.New("fail"),
-			},
-			args:    args{appVersion: "1"},
-			wantErr: "failed DB hot update",
+			wantErr: "empty image info",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			cacheDir, err := ioutil.TempDir("", "server-test")
-			require.NoError(t, err, tt.name)
+			mockCache := new(mockCache)
+			mockCache.ApplyPutImageExpectation(tt.putImage)
 
-			require.NoError(t, db.Init(cacheDir), tt.name)
+			s := NewCacheServer(mockCache)
+			got, err := s.PutImage(context.Background(), tt.args.in)
 
-			mockDBClient := new(dbFile.MockClient)
-			mockDBClient.On("NeedsUpdate", mock.Anything,
-				tt.needsUpdate.input.appVersion, false, tt.needsUpdate.input.skip).Return(
-				tt.needsUpdate.output.needsUpdate, tt.needsUpdate.output.err)
-
-			if tt.download.call {
-				mockDBClient.On("Download", mock.Anything, mock.Anything, false).Run(
-					func(args mock.Arguments) {
-						// fake download: copy testdata/new.db to tmpDir/db/trivy.db
-						content, err := ioutil.ReadFile("testdata/new.db")
-						require.NoError(t, err, tt.name)
-
-						tmpDir := args.String(1)
-						dbPath := db.Path(tmpDir)
-						require.NoError(t, os.MkdirAll(filepath.Dir(dbPath), 0777), tt.name)
-						err = ioutil.WriteFile(dbPath, content, 0444)
-						require.NoError(t, err, tt.name)
-					}).Return(tt.download.err)
-			}
-
-			w := newDBWorker(mockDBClient)
-
-			var dbUpdateWg, requestWg sync.WaitGroup
-			err = w.update(context.Background(), tt.args.appVersion, cacheDir,
-				&dbUpdateWg, &requestWg)
 			if tt.wantErr != "" {
 				require.NotNil(t, err, tt.name)
 				assert.Contains(t, err.Error(), tt.wantErr, tt.name)
@@ -142,16 +260,341 @@ func Test_dbWorker_update(t *testing.T) {
 				assert.NoError(t, err, tt.name)
 			}
 
-			if !tt.download.call {
-				return
-			}
-
-			dbc := db.Config{}
-			got, err := dbc.GetMetadata()
-			assert.NoError(t, err, tt.name)
-			assert.Equal(t, tt.want, got, tt.name)
-
-			mockDBClient.AssertExpectations(t)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func TestCacheServer_PutLayer(t *testing.T) {
+	type args struct {
+		in *rpcCache.PutLayerRequest
+	}
+	tests := []struct {
+		name     string
+		args     args
+		putLayer cache.ImageCachePutLayerExpectation
+		want     *google_protobuf.Empty
+		wantErr  string
+	}{
+		{
+			name: "happy path",
+			args: args{
+				in: &rpcCache.PutLayerRequest{
+					LayerId:             "sha256:154ad0735c360b212b167f424d33a62305770a1fcfb6363882f5c436cfbd9812",
+					DecompressedLayerId: "sha256:b2a1a2d80bf0c747a4f6b0ca6af5eef23f043fcdb1ed4f3a3e750aef2dc68079",
+					LayerInfo: &rpcCache.LayerInfo{
+						SchemaVersion: 1,
+						Os: &common.OS{
+							Family: "alpine",
+							Name:   "3.11",
+						},
+						PackageInfos: []*common.PackageInfo{
+							{
+								FilePath: "lib/apk/db/installed",
+								Packages: []*common.Package{
+									{
+										Name:       "binary",
+										Version:    "1.2.3",
+										Release:    "1",
+										Epoch:      2,
+										Arch:       "x86_64",
+										SrcName:    "src",
+										SrcVersion: "1.2.3",
+										SrcRelease: "1",
+										SrcEpoch:   2,
+									},
+									{
+										Name:       "vim-minimal",
+										Version:    "7.4.160",
+										Release:    "5.el7",
+										Epoch:      2,
+										Arch:       "x86_64",
+										SrcName:    "vim",
+										SrcVersion: "7.4.160",
+										SrcRelease: "5.el7",
+										SrcEpoch:   2,
+									},
+								},
+							},
+						},
+						Applications: []*common.Application{
+							{
+								Type:     "composer",
+								FilePath: "php-app/composer.lock",
+								Libraries: []*common.Library{
+									{
+										Name:    "guzzlehttp/guzzle",
+										Version: "6.2.0",
+									},
+									{
+										Name:    "guzzlehttp/promises",
+										Version: "v1.3.1",
+									},
+								},
+							},
+						},
+						OpaqueDirs:    []string{"etc/"},
+						WhiteoutFiles: []string{"etc/hostname"},
+					},
+				},
+			},
+			putLayer: cache.ImageCachePutLayerExpectation{
+				Args: cache.ImageCachePutLayerArgs{
+					LayerID:             "sha256:154ad0735c360b212b167f424d33a62305770a1fcfb6363882f5c436cfbd9812",
+					DecompressedLayerID: "sha256:b2a1a2d80bf0c747a4f6b0ca6af5eef23f043fcdb1ed4f3a3e750aef2dc68079",
+					LayerInfo: ftypes.LayerInfo{
+						SchemaVersion: 1,
+						OS: &ftypes.OS{
+							Family: "alpine",
+							Name:   "3.11",
+						},
+						PackageInfos: []ftypes.PackageInfo{
+							{
+								FilePath: "lib/apk/db/installed",
+								Packages: []ftypes.Package{
+									{
+										Name:       "binary",
+										Version:    "1.2.3",
+										Release:    "1",
+										Epoch:      2,
+										Arch:       "x86_64",
+										SrcName:    "src",
+										SrcVersion: "1.2.3",
+										SrcRelease: "1",
+										SrcEpoch:   2,
+									},
+									{
+										Name:       "vim-minimal",
+										Version:    "7.4.160",
+										Release:    "5.el7",
+										Epoch:      2,
+										Arch:       "x86_64",
+										SrcName:    "vim",
+										SrcVersion: "7.4.160",
+										SrcRelease: "5.el7",
+										SrcEpoch:   2,
+									},
+								},
+							},
+						},
+						Applications: []ftypes.Application{
+							{
+								Type:     "composer",
+								FilePath: "php-app/composer.lock",
+								Libraries: []ftypes.LibraryInfo{
+									{
+										Library: deptypes.Library{
+											Name:    "guzzlehttp/guzzle",
+											Version: "6.2.0",
+										},
+									},
+									{
+										Library: deptypes.Library{
+											Name:    "guzzlehttp/promises",
+											Version: "v1.3.1",
+										},
+									},
+								},
+							},
+						},
+						OpaqueDirs:    []string{"etc/"},
+						WhiteoutFiles: []string{"etc/hostname"},
+					},
+				},
+			},
+			want: &google_protobuf.Empty{},
+		},
+		{
+			name: "sad path",
+			args: args{
+				in: &rpcCache.PutLayerRequest{
+					LayerInfo: &rpcCache.LayerInfo{
+						SchemaVersion: 1,
+					},
+				},
+			},
+			putLayer: cache.ImageCachePutLayerExpectation{
+				Args: cache.ImageCachePutLayerArgs{
+					LayerIDAnything:             true,
+					DecompressedLayerIDAnything: true,
+					LayerInfoAnything:           true,
+				},
+				Returns: cache.ImageCachePutLayerReturns{
+					Err: xerrors.New("error"),
+				},
+			},
+			wantErr: "unable to store layer info in cache",
+		},
+		{
+			name: "sad path: empty layer info",
+			args: args{
+				in: &rpcCache.PutLayerRequest{},
+			},
+			putLayer: cache.ImageCachePutLayerExpectation{
+				Args: cache.ImageCachePutLayerArgs{
+					LayerIDAnything:             true,
+					DecompressedLayerIDAnything: true,
+					LayerInfoAnything:           true,
+				},
+				Returns: cache.ImageCachePutLayerReturns{
+					Err: xerrors.New("error"),
+				},
+			},
+			wantErr: "empty layer info",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			mockCache := new(mockCache)
+			mockCache.ApplyPutLayerExpectation(tt.putLayer)
+
+			s := NewCacheServer(mockCache)
+			got, err := s.PutLayer(context.Background(), tt.args.in)
+
+			if tt.wantErr != "" {
+				require.NotNil(t, err, tt.name)
+				assert.Contains(t, err.Error(), tt.wantErr, tt.name)
+				return
+			} else {
+				assert.NoError(t, err, tt.name)
+			}
+
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func TestCacheServer_MissingLayers(t *testing.T) {
+	type args struct {
+		ctx context.Context
+		in  *rpcCache.MissingLayersRequest
+	}
+	tests := []struct {
+		name                 string
+		args                 args
+		getLayerExpectations []cache.LocalImageCacheGetLayerExpectation
+		getImageExpectations []cache.LocalImageCacheGetImageExpectation
+		want                 *rpcCache.MissingLayersResponse
+		wantErr              string
+	}{
+		{
+			name: "happy path",
+			args: args{
+				in: &rpcCache.MissingLayersRequest{
+					ImageId: "sha256:e7d92cdc71feacf90708cb59182d0df1b911f8ae022d29e8e95d75ca6a99776a",
+					LayerIds: []string{
+						"sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+						"sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
+					},
+				},
+			},
+			getLayerExpectations: []cache.LocalImageCacheGetLayerExpectation{
+				{
+					Args: cache.LocalImageCacheGetLayerArgs{
+						LayerID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+					},
+					Returns: cache.LocalImageCacheGetLayerReturns{
+						LayerInfo: ftypes.LayerInfo{},
+					},
+				},
+				{
+					Args: cache.LocalImageCacheGetLayerArgs{
+						LayerID: "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
+					},
+					Returns: cache.LocalImageCacheGetLayerReturns{
+						LayerInfo: ftypes.LayerInfo{
+							SchemaVersion: 1,
+						},
+					},
+				},
+			},
+			getImageExpectations: []cache.LocalImageCacheGetImageExpectation{
+				{
+					Args: cache.LocalImageCacheGetImageArgs{
+						ImageID: "sha256:e7d92cdc71feacf90708cb59182d0df1b911f8ae022d29e8e95d75ca6a99776a",
+					},
+					Returns: cache.LocalImageCacheGetImageReturns{
+						ImageInfo: ftypes.ImageInfo{
+							SchemaVersion: 1,
+						},
+					},
+				},
+			},
+			want: &rpcCache.MissingLayersResponse{
+				MissingImage:    false,
+				MissingLayerIds: []string{"sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02"},
+			},
+		},
+		{
+			name: "schema version doesn't match",
+			args: args{
+				in: &rpcCache.MissingLayersRequest{
+					ImageId: "sha256:e7d92cdc71feacf90708cb59182d0df1b911f8ae022d29e8e95d75ca6a99776a",
+					LayerIds: []string{
+						"sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+						"sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
+					},
+				},
+			},
+			getLayerExpectations: []cache.LocalImageCacheGetLayerExpectation{
+				{
+					Args: cache.LocalImageCacheGetLayerArgs{
+						LayerID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+					},
+					Returns: cache.LocalImageCacheGetLayerReturns{
+						LayerInfo: ftypes.LayerInfo{
+							SchemaVersion: 0,
+						},
+					},
+				},
+				{
+					Args: cache.LocalImageCacheGetLayerArgs{
+						LayerID: "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
+					},
+					Returns: cache.LocalImageCacheGetLayerReturns{
+						LayerInfo: ftypes.LayerInfo{
+							SchemaVersion: -1,
+						},
+					},
+				},
+			},
+			getImageExpectations: []cache.LocalImageCacheGetImageExpectation{
+				{
+					Args: cache.LocalImageCacheGetImageArgs{
+						ImageID: "sha256:e7d92cdc71feacf90708cb59182d0df1b911f8ae022d29e8e95d75ca6a99776a",
+					},
+					Returns: cache.LocalImageCacheGetImageReturns{
+						ImageInfo: ftypes.ImageInfo{},
+					},
+				},
+			},
+			want: &rpcCache.MissingLayersResponse{
+				MissingImage: true,
+				MissingLayerIds: []string{
+					"sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+					"sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			mockCache := new(mockCache)
+			mockCache.ApplyGetLayerExpectations(tt.getLayerExpectations)
+			mockCache.ApplyGetImageExpectations(tt.getImageExpectations)
+
+			s := NewCacheServer(mockCache)
+			got, err := s.MissingLayers(tt.args.ctx, tt.args.in)
+			if tt.wantErr != "" {
+				require.NotNil(t, err, tt.name)
+				assert.Contains(t, err.Error(), tt.wantErr, tt.name)
+				return
+			} else {
+				assert.NoError(t, err, tt.name)
+			}
+
+			assert.Equal(t, tt.want, got)
+			mockCache.MockLocalImageCache.AssertExpectations(t)
 		})
 	}
 }

pkg/rpc/server/wire_gen.go

@@ -6,34 +6,49 @@
 package server
 
 import (
+	"github.com/aquasecurity/fanal/analyzer"
+	"github.com/aquasecurity/fanal/cache"
 	"github.com/aquasecurity/trivy-db/pkg/db"
 	db2 "github.com/aquasecurity/trivy/pkg/db"
-	library2 "github.com/aquasecurity/trivy/pkg/detector/library"
-	ospkg2 "github.com/aquasecurity/trivy/pkg/detector/ospkg"
+	"github.com/aquasecurity/trivy/pkg/detector/library"
+	"github.com/aquasecurity/trivy/pkg/detector/ospkg"
 	"github.com/aquasecurity/trivy/pkg/github"
 	"github.com/aquasecurity/trivy/pkg/indicator"
-	"github.com/aquasecurity/trivy/pkg/rpc/server/library"
-	"github.com/aquasecurity/trivy/pkg/rpc/server/ospkg"
+	library2 "github.com/aquasecurity/trivy/pkg/rpc/server/library"
+	ospkg2 "github.com/aquasecurity/trivy/pkg/rpc/server/ospkg"
+	"github.com/aquasecurity/trivy/pkg/scanner/local"
 	"github.com/aquasecurity/trivy/pkg/vulnerability"
 	"k8s.io/utils/clock"
 )
 
 // Injectors from inject.go:
 
-func initializeOspkgServer() *ospkg.Server {
-	detector := ospkg2.Detector{}
+func initializeScanServer(localLayerCache cache.LocalImageCache) *ScanServer {
+	applier := analyzer.NewApplier(localLayerCache)
+	detector := ospkg.Detector{}
+	driverFactory := library.DriverFactory{}
+	libraryDetector := library.NewDetector(driverFactory)
+	scanner := local.NewScanner(applier, detector, libraryDetector)
 	config := db.Config{}
 	client := vulnerability.NewClient(config)
-	server := ospkg.NewServer(detector, client)
+	scanServer := NewScanServer(scanner, client)
+	return scanServer
+}
+
+func initializeOspkgServer() *ospkg2.Server {
+	detector := ospkg.Detector{}
+	config := db.Config{}
+	client := vulnerability.NewClient(config)
+	server := ospkg2.NewServer(detector, client)
 	return server
 }
 
-func initializeLibServer() *library.Server {
-	driverFactory := library2.DriverFactory{}
-	detector := library2.NewDetector(driverFactory)
+func initializeLibServer() *library2.Server {
+	driverFactory := library.DriverFactory{}
+	detector := library.NewDetector(driverFactory)
 	config := db.Config{}
 	client := vulnerability.NewClient(config)
-	server := library.NewServer(detector, client)
+	server := library2.NewServer(detector, client)
 	return server
 }
 

pkg/scanner/library/scan.go

@@ -1,67 +0,0 @@
-package library
-
-import (
-	"io/ioutil"
-	"os"
-
-	detector "github.com/aquasecurity/trivy/pkg/detector/library"
-
-	"github.com/aquasecurity/fanal/analyzer"
-	_ "github.com/aquasecurity/fanal/analyzer/library/bundler"
-	_ "github.com/aquasecurity/fanal/analyzer/library/cargo"
-	_ "github.com/aquasecurity/fanal/analyzer/library/composer"
-	_ "github.com/aquasecurity/fanal/analyzer/library/npm"
-	_ "github.com/aquasecurity/fanal/analyzer/library/pipenv"
-	_ "github.com/aquasecurity/fanal/analyzer/library/poetry"
-	_ "github.com/aquasecurity/fanal/analyzer/library/yarn"
-	"github.com/aquasecurity/fanal/extractor"
-	"github.com/aquasecurity/trivy/pkg/types"
-	"golang.org/x/xerrors"
-)
-
-type Scanner struct {
-	detector detector.Operation
-}
-
-func NewScanner(detector detector.Operation) Scanner {
-	return Scanner{detector: detector}
-}
-
-func (s Scanner) Scan(files extractor.FileMap) (map[string][]types.DetectedVulnerability, error) {
-	results, err := analyzer.GetLibraries(files)
-	if err != nil {
-		return nil, xerrors.Errorf("failed to analyze libraries: %w", err)
-	}
-
-	vulnerabilities := map[string][]types.DetectedVulnerability{}
-	for path, libs := range results {
-		vulns, err := s.detector.Detect(string(path), libs)
-		if err != nil {
-			return nil, xerrors.Errorf("failed library scan: %w", err)
-		}
-
-		vulnerabilities[string(path)] = vulns
-	}
-	return vulnerabilities, nil
-}
-
-func (s Scanner) ScanFile(f *os.File) ([]types.DetectedVulnerability, error) {
-	content, err := ioutil.ReadAll(f)
-	if err != nil {
-		return nil, err
-	}
-	files := extractor.FileMap{
-		f.Name(): content,
-	}
-
-	results, err := s.Scan(files)
-	if err != nil {
-		return nil, err
-	}
-
-	// need only 1 result
-	for _, vulns := range results {
-		return vulns, nil
-	}
-	return nil, nil
-}

pkg/scanner/library/scan_test.go

@@ -1,201 +0,0 @@
-package library
-
-import (
-	"testing"
-
-	library2 "github.com/aquasecurity/trivy/pkg/detector/library"
-
-	"golang.org/x/xerrors"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/aquasecurity/fanal/extractor"
-	ptypes "github.com/aquasecurity/go-dep-parser/pkg/types"
-	"github.com/aquasecurity/trivy/pkg/types"
-)
-
-func TestScanner_Scan(t *testing.T) {
-	type detectInput struct {
-		filePath string
-		libs     []ptypes.Library
-	}
-	type detectOutput struct {
-		vulns []types.DetectedVulnerability
-		err   error
-	}
-	type detect struct {
-		input  detectInput
-		output detectOutput
-	}
-	type args struct {
-		files extractor.FileMap
-	}
-	tests := []struct {
-		name    string
-		args    args
-		detect  []detect
-		want    map[string][]types.DetectedVulnerability
-		wantErr string
-	}{
-		{
-			name: "happy",
-			args: args{
-				files: extractor.FileMap{
-					"app/Pipfile.lock": []byte(`{
-    "_meta": {
-        "hash": {
-            "sha256": "ad1805ab0e16cf08032c3fe45eeaa29b79e9c196650411977af14e31b12ff0cd"
-        },
-        "pipfile-spec": 6,
-        "requires": {
-            "python_version": "3.7"
-        },
-        "sources": [
-            {
-                "name": "pypi",
-                "url": "https://pypi.python.org/simple",
-                "verify_ssl": true
-            }
-        ]
-    },
-    "default": {
-        "django": {
-            "hashes": [
-                "sha256:665457d4146bbd34ae9d2970fa3b37082d7b225b0671bfd24c337458f229db78",
-                "sha256:bde46d4dbc410678e89bc95ea5d312dd6eb4c37d0fa0e19c9415cad94addf22f"
-            ],
-            "index": "pypi",
-            "version": "==3.0.0"
-        }
-    }
-}
-`),
-					"app/package-lock.json": []byte(`{
-  "version": "1.0.0",
-  "lockfileVersion": 1,
-  "requires": true,
-  "dependencies": {
-    "react": {
-      "version": "16.8.6",
-      "resolved": "https://registry.npmjs.org/react/-/react-16.8.6.tgz",
-      "integrity": "sha512-pC0uMkhLaHm11ZSJULfOBqV4tIZkx87ZLvbbQYunNixAAvjnC+snJCg0XQXn9VIsttVsbZP/H/ewzgsd5fxKXw==",
-      "requires": {
-        "loose-envify": "^1.1.0",
-        "object-assign": "^4.1.1",
-        "prop-types": "^15.6.2",
-        "scheduler": "^0.13.6"
-      }
-    }
-  }
-}`),
-				},
-			},
-			detect: []detect{
-				{
-					input: detectInput{
-						filePath: "app/Pipfile.lock",
-						libs: []ptypes.Library{
-							{Name: "django", Version: "3.0.0"},
-						},
-					},
-					output: detectOutput{
-						vulns: []types.DetectedVulnerability{
-							{VulnerabilityID: "CVE-2019-0001"},
-						},
-					},
-				},
-				{
-					input: detectInput{
-						filePath: "app/package-lock.json",
-						libs: []ptypes.Library{
-							{Name: "react", Version: "16.8.6"},
-						},
-					},
-					output: detectOutput{
-						vulns: []types.DetectedVulnerability{
-							{VulnerabilityID: "CVE-2019-0002"},
-							{VulnerabilityID: "CVE-2019-0003"},
-						},
-					},
-				},
-			},
-			want: map[string][]types.DetectedVulnerability{
-				"app/Pipfile.lock": {{VulnerabilityID: "CVE-2019-0001"}},
-				"app/package-lock.json": {
-					{VulnerabilityID: "CVE-2019-0002"},
-					{VulnerabilityID: "CVE-2019-0003"},
-				},
-			},
-		},
-		{
-			name: "broken lock file",
-			args: args{
-				files: extractor.FileMap{
-					"app/Pipfile.lock": []byte(`{broken}`),
-				},
-			},
-			wantErr: "failed to analyze libraries",
-		},
-		{
-			name: "Detect returns an error",
-			args: args{
-				files: extractor.FileMap{
-					"app/package-lock.json": []byte(`{
-  "version": "1.0.0",
-  "lockfileVersion": 1,
-  "requires": true,
-  "dependencies": {
-    "react": {
-      "version": "16.8.6",
-      "resolved": "https://registry.npmjs.org/react/-/react-16.8.6.tgz",
-      "integrity": "sha512-pC0uMkhLaHm11ZSJULfOBqV4tIZkx87ZLvbbQYunNixAAvjnC+snJCg0XQXn9VIsttVsbZP/H/ewzgsd5fxKXw==",
-      "requires": {
-        "loose-envify": "^1.1.0",
-        "object-assign": "^4.1.1",
-        "prop-types": "^15.6.2",
-        "scheduler": "^0.13.6"
-      }
-    }
-  }
-}`),
-				},
-			},
-			detect: []detect{
-				{
-					input: detectInput{
-						filePath: "app/package-lock.json",
-						libs: []ptypes.Library{
-							{Name: "react", Version: "16.8.6"},
-						},
-					},
-					output: detectOutput{err: xerrors.New("error")},
-				},
-			},
-			wantErr: "failed library scan",
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			mockDetector := new(library2.MockDetector)
-			for _, d := range tt.detect {
-				mockDetector.On("Detect", d.input.filePath, d.input.libs).Return(
-					d.output.vulns, d.output.err)
-			}
-
-			s := Scanner{
-				detector: mockDetector,
-			}
-			got, err := s.Scan(tt.args.files)
-			if tt.wantErr != "" {
-				require.NotNil(t, err, tt.name)
-				assert.Contains(t, err.Error(), tt.wantErr, tt.name)
-				return
-			} else {
-				assert.NoError(t, err, tt.name)
-			}
-			assert.Equal(t, tt.want, got, tt.name)
-			mockDetector.AssertExpectations(t)
-		})
-	}
-}

pkg/scanner/local/mock_applier.go

@@ -0,0 +1,71 @@
+// Code generated by mockery v1.0.0. DO NOT EDIT.
+
+package local
+
+import digest "github.com/opencontainers/go-digest"
+import mock "github.com/stretchr/testify/mock"
+import types "github.com/aquasecurity/fanal/types"
+
+// MockApplier is an autogenerated mock type for the Applier type
+type MockApplier struct {
+	mock.Mock
+}
+
+type ApplierApplyLayersArgs struct {
+	ImageID          digest.Digest
+	ImageIDAnything  bool
+	LayerIDs         []string
+	LayerIDsAnything bool
+}
+
+type ApplierApplyLayersReturns struct {
+	Detail types.ImageDetail
+	Err    error
+}
+
+type ApplierApplyLayersExpectation struct {
+	Args    ApplierApplyLayersArgs
+	Returns ApplierApplyLayersReturns
+}
+
+func (_m *MockApplier) ApplyApplyLayersExpectation(e ApplierApplyLayersExpectation) {
+	var args []interface{}
+	if e.Args.ImageIDAnything {
+		args = append(args, mock.Anything)
+	} else {
+		args = append(args, e.Args.ImageID)
+	}
+	if e.Args.LayerIDsAnything {
+		args = append(args, mock.Anything)
+	} else {
+		args = append(args, e.Args.LayerIDs)
+	}
+	_m.On("ApplyLayers", args...).Return(e.Returns.Detail, e.Returns.Err)
+}
+
+func (_m *MockApplier) ApplyApplyLayersExpectations(expectations []ApplierApplyLayersExpectation) {
+	for _, e := range expectations {
+		_m.ApplyApplyLayersExpectation(e)
+	}
+}
+
+// ApplyLayers provides a mock function with given fields: imageID, layerIDs
+func (_m *MockApplier) ApplyLayers(imageID digest.Digest, layerIDs []string) (types.ImageDetail, error) {
+	ret := _m.Called(imageID, layerIDs)
+
+	var r0 types.ImageDetail
+	if rf, ok := ret.Get(0).(func(digest.Digest, []string) types.ImageDetail); ok {
+		r0 = rf(imageID, layerIDs)
+	} else {
+		r0 = ret.Get(0).(types.ImageDetail)
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(digest.Digest, []string) error); ok {
+		r1 = rf(imageID, layerIDs)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}

pkg/scanner/local/mock_library_detector.go

@@ -0,0 +1,88 @@
+// Code generated by mockery v1.0.0. DO NOT EDIT.
+
+package local
+
+import mock "github.com/stretchr/testify/mock"
+import pkgtypes "github.com/aquasecurity/trivy/pkg/types"
+import time "time"
+import types "github.com/aquasecurity/fanal/types"
+
+// MockLibraryDetector is an autogenerated mock type for the LibraryDetector type
+type MockLibraryDetector struct {
+	mock.Mock
+}
+
+type LibraryDetectorDetectArgs struct {
+	ImageName         string
+	ImageNameAnything bool
+	FilePath          string
+	FilePathAnything  bool
+	Created           time.Time
+	CreatedAnything   bool
+	Pkgs              []types.LibraryInfo
+	PkgsAnything      bool
+}
+
+type LibraryDetectorDetectReturns struct {
+	DetectedVulns []pkgtypes.DetectedVulnerability
+	Err           error
+}
+
+type LibraryDetectorDetectExpectation struct {
+	Args    LibraryDetectorDetectArgs
+	Returns LibraryDetectorDetectReturns
+}
+
+func (_m *MockLibraryDetector) ApplyDetectExpectation(e LibraryDetectorDetectExpectation) {
+	var args []interface{}
+	if e.Args.ImageNameAnything {
+		args = append(args, mock.Anything)
+	} else {
+		args = append(args, e.Args.ImageName)
+	}
+	if e.Args.FilePathAnything {
+		args = append(args, mock.Anything)
+	} else {
+		args = append(args, e.Args.FilePath)
+	}
+	if e.Args.CreatedAnything {
+		args = append(args, mock.Anything)
+	} else {
+		args = append(args, e.Args.Created)
+	}
+	if e.Args.PkgsAnything {
+		args = append(args, mock.Anything)
+	} else {
+		args = append(args, e.Args.Pkgs)
+	}
+	_m.On("Detect", args...).Return(e.Returns.DetectedVulns, e.Returns.Err)
+}
+
+func (_m *MockLibraryDetector) ApplyDetectExpectations(expectations []LibraryDetectorDetectExpectation) {
+	for _, e := range expectations {
+		_m.ApplyDetectExpectation(e)
+	}
+}
+
+// Detect provides a mock function with given fields: imageName, filePath, created, pkgs
+func (_m *MockLibraryDetector) Detect(imageName string, filePath string, created time.Time, pkgs []types.LibraryInfo) ([]pkgtypes.DetectedVulnerability, error) {
+	ret := _m.Called(imageName, filePath, created, pkgs)
+
+	var r0 []pkgtypes.DetectedVulnerability
+	if rf, ok := ret.Get(0).(func(string, string, time.Time, []types.LibraryInfo) []pkgtypes.DetectedVulnerability); ok {
+		r0 = rf(imageName, filePath, created, pkgs)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]pkgtypes.DetectedVulnerability)
+		}
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(string, string, time.Time, []types.LibraryInfo) error); ok {
+		r1 = rf(imageName, filePath, created, pkgs)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}

pkg/scanner/local/mock_ospkg_detector.go

@@ -0,0 +1,103 @@
+// Code generated by mockery v1.0.0. DO NOT EDIT.
+
+package local
+
+import mock "github.com/stretchr/testify/mock"
+import pkgtypes "github.com/aquasecurity/trivy/pkg/types"
+import time "time"
+import types "github.com/aquasecurity/fanal/types"
+
+// MockOspkgDetector is an autogenerated mock type for the OspkgDetector type
+type MockOspkgDetector struct {
+	mock.Mock
+}
+
+type OspkgDetectorDetectArgs struct {
+	ImageName         string
+	ImageNameAnything bool
+	OsFamily          string
+	OsFamilyAnything  bool
+	OsName            string
+	OsNameAnything    bool
+	Created           time.Time
+	CreatedAnything   bool
+	Pkgs              []types.Package
+	PkgsAnything      bool
+}
+
+type OspkgDetectorDetectReturns struct {
+	DetectedVulns []pkgtypes.DetectedVulnerability
+	Eosl          bool
+	Err           error
+}
+
+type OspkgDetectorDetectExpectation struct {
+	Args    OspkgDetectorDetectArgs
+	Returns OspkgDetectorDetectReturns
+}
+
+func (_m *MockOspkgDetector) ApplyDetectExpectation(e OspkgDetectorDetectExpectation) {
+	var args []interface{}
+	if e.Args.ImageNameAnything {
+		args = append(args, mock.Anything)
+	} else {
+		args = append(args, e.Args.ImageName)
+	}
+	if e.Args.OsFamilyAnything {
+		args = append(args, mock.Anything)
+	} else {
+		args = append(args, e.Args.OsFamily)
+	}
+	if e.Args.OsNameAnything {
+		args = append(args, mock.Anything)
+	} else {
+		args = append(args, e.Args.OsName)
+	}
+	if e.Args.CreatedAnything {
+		args = append(args, mock.Anything)
+	} else {
+		args = append(args, e.Args.Created)
+	}
+	if e.Args.PkgsAnything {
+		args = append(args, mock.Anything)
+	} else {
+		args = append(args, e.Args.Pkgs)
+	}
+	_m.On("Detect", args...).Return(e.Returns.DetectedVulns, e.Returns.Eosl, e.Returns.Err)
+}
+
+func (_m *MockOspkgDetector) ApplyDetectExpectations(expectations []OspkgDetectorDetectExpectation) {
+	for _, e := range expectations {
+		_m.ApplyDetectExpectation(e)
+	}
+}
+
+// Detect provides a mock function with given fields: imageName, osFamily, osName, created, pkgs
+func (_m *MockOspkgDetector) Detect(imageName string, osFamily string, osName string, created time.Time, pkgs []types.Package) ([]pkgtypes.DetectedVulnerability, bool, error) {
+	ret := _m.Called(imageName, osFamily, osName, created, pkgs)
+
+	var r0 []pkgtypes.DetectedVulnerability
+	if rf, ok := ret.Get(0).(func(string, string, string, time.Time, []types.Package) []pkgtypes.DetectedVulnerability); ok {
+		r0 = rf(imageName, osFamily, osName, created, pkgs)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]pkgtypes.DetectedVulnerability)
+		}
+	}
+
+	var r1 bool
+	if rf, ok := ret.Get(1).(func(string, string, string, time.Time, []types.Package) bool); ok {
+		r1 = rf(imageName, osFamily, osName, created, pkgs)
+	} else {
+		r1 = ret.Get(1).(bool)
+	}
+
+	var r2 error
+	if rf, ok := ret.Get(2).(func(string, string, string, time.Time, []types.Package) error); ok {
+		r2 = rf(imageName, osFamily, osName, created, pkgs)
+	} else {
+		r2 = ret.Error(2)
+	}
+
+	return r0, r1, r2
+}

pkg/scanner/local/scan.go

@@ -0,0 +1,159 @@
+package local
+
+import (
+	"fmt"
+	"sort"
+	"time"
+
+	"github.com/aquasecurity/trivy/pkg/types"
+	"github.com/aquasecurity/trivy/pkg/utils"
+
+	"github.com/aquasecurity/fanal/analyzer"
+
+	"github.com/google/wire"
+	digest "github.com/opencontainers/go-digest"
+	"golang.org/x/xerrors"
+
+	_ "github.com/aquasecurity/fanal/analyzer/command/apk"
+	_ "github.com/aquasecurity/fanal/analyzer/library/bundler"
+	_ "github.com/aquasecurity/fanal/analyzer/library/cargo"
+	_ "github.com/aquasecurity/fanal/analyzer/library/composer"
+	_ "github.com/aquasecurity/fanal/analyzer/library/npm"
+	_ "github.com/aquasecurity/fanal/analyzer/library/pipenv"
+	_ "github.com/aquasecurity/fanal/analyzer/library/poetry"
+	_ "github.com/aquasecurity/fanal/analyzer/library/yarn"
+	_ "github.com/aquasecurity/fanal/analyzer/os/alpine"
+	_ "github.com/aquasecurity/fanal/analyzer/os/amazonlinux"
+	_ "github.com/aquasecurity/fanal/analyzer/os/debianbase"
+	_ "github.com/aquasecurity/fanal/analyzer/os/photon"
+	_ "github.com/aquasecurity/fanal/analyzer/os/redhatbase"
+	_ "github.com/aquasecurity/fanal/analyzer/os/suse"
+	_ "github.com/aquasecurity/fanal/analyzer/pkg/apk"
+	_ "github.com/aquasecurity/fanal/analyzer/pkg/dpkg"
+	_ "github.com/aquasecurity/fanal/analyzer/pkg/rpmcmd"
+	ftypes "github.com/aquasecurity/fanal/types"
+	libDetector "github.com/aquasecurity/trivy/pkg/detector/library"
+	ospkgDetector "github.com/aquasecurity/trivy/pkg/detector/ospkg"
+	"github.com/aquasecurity/trivy/pkg/report"
+)
+
+var SuperSet = wire.NewSet(
+	analyzer.NewApplier,
+	wire.Bind(new(Applier), new(analyzer.Applier)),
+	ospkgDetector.SuperSet,
+	wire.Bind(new(OspkgDetector), new(ospkgDetector.Detector)),
+	libDetector.SuperSet,
+	wire.Bind(new(LibraryDetector), new(libDetector.Detector)),
+	NewScanner,
+)
+
+type Applier interface {
+	ApplyLayers(imageID digest.Digest, layerIDs []string) (detail ftypes.ImageDetail, err error)
+}
+
+type OspkgDetector interface {
+	Detect(imageName, osFamily, osName string, created time.Time, pkgs []ftypes.Package) (detectedVulns []types.DetectedVulnerability, eosl bool, err error)
+}
+
+type LibraryDetector interface {
+	Detect(imageName, filePath string, created time.Time, pkgs []ftypes.LibraryInfo) (detectedVulns []types.DetectedVulnerability, err error)
+}
+
+type Scanner struct {
+	applier       Applier
+	ospkgDetector OspkgDetector
+	libDetector   LibraryDetector
+}
+
+func NewScanner(applier Applier, ospkgDetector OspkgDetector, libDetector LibraryDetector) Scanner {
+	return Scanner{applier: applier, ospkgDetector: ospkgDetector, libDetector: libDetector}
+}
+
+func (s Scanner) Scan(target string, imageID digest.Digest, layerIDs []string, options types.ScanOptions) (report.Results, *ftypes.OS, bool, error) {
+	imageDetail, err := s.applier.ApplyLayers(imageID, layerIDs)
+	if err != nil {
+		return nil, nil, false, xerrors.Errorf("failed to apply layers: %w", err)
+	}
+
+	var eosl bool
+	var results report.Results
+
+	if utils.StringInSlice("os", options.VulnType) {
+		pkgs := imageDetail.Packages
+		if options.ScanRemovedPackages {
+			pkgs = mergePkgs(pkgs, imageDetail.HistoryPackages)
+		}
+
+		var result *report.Result
+		result, eosl, err = s.scanOSPkg(target, imageDetail.OS.Family, imageDetail.OS.Name, pkgs)
+		if err != nil {
+			return nil, nil, false, xerrors.Errorf("failed to scan OS packages: %w", err)
+		}
+		if result != nil {
+			results = append(results, *result)
+		}
+	}
+
+	if utils.StringInSlice("library", options.VulnType) {
+		libResults, err := s.scanLibrary(imageDetail.Applications)
+		if err != nil {
+			return nil, nil, false, xerrors.Errorf("failed to scan application libraries: %w", err)
+		}
+		results = append(results, libResults...)
+	}
+
+	return results, imageDetail.OS, eosl, nil
+}
+
+func (s Scanner) scanOSPkg(target, osFamily, osName string, pkgs []ftypes.Package) (*report.Result, bool, error) {
+	if osFamily == "" {
+		return nil, false, nil
+	}
+	vulns, eosl, err := s.ospkgDetector.Detect("", osFamily, osName, time.Time{}, pkgs)
+	if err == ospkgDetector.ErrUnsupportedOS {
+		return nil, false, nil
+	} else if err != nil {
+		return nil, false, xerrors.Errorf("failed vulnerability detection of OS packages: %w", err)
+	}
+
+	imageDetail := fmt.Sprintf("%s (%s %s)", target, osFamily, osName)
+	result := &report.Result{
+		Target:          imageDetail,
+		Vulnerabilities: vulns,
+	}
+	return result, eosl, nil
+}
+
+func (s Scanner) scanLibrary(apps []ftypes.Application) (report.Results, error) {
+	var results report.Results
+	for _, app := range apps {
+		vulns, err := s.libDetector.Detect("", app.FilePath, time.Time{}, app.Libraries)
+		if err != nil {
+			return nil, xerrors.Errorf("failed vulnerability detection of libraries: %w", err)
+		}
+
+		results = append(results, report.Result{
+			Target:          app.FilePath,
+			Vulnerabilities: vulns,
+		})
+	}
+	sort.Slice(results, func(i, j int) bool {
+		return results[i].Target < results[j].Target
+	})
+	return results, nil
+}
+
+func mergePkgs(pkgs, pkgsFromCommands []ftypes.Package) []ftypes.Package {
+	// pkg has priority over pkgsFromCommands
+	uniqPkgs := map[string]struct{}{}
+	for _, pkg := range pkgs {
+		uniqPkgs[pkg.Name] = struct{}{}
+	}
+	for _, pkg := range pkgsFromCommands {
+		if _, ok := uniqPkgs[pkg.Name]; ok {
+			continue
+		}
+		pkgs = append(pkgs, pkg)
+	}
+	return pkgs
+}