fix(java): recursive check all nested depManagements with import scope for pom.xml files (#5982)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/workflows/auto-update-labels.yaml

@@ -15,12 +15,12 @@ jobs:
         uses: actions/checkout@v4.1.1
 
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
 
       - name: Install aqua tools
-        uses: aquaproj/aqua-installer@v2.1.2
+        uses: aquaproj/aqua-installer@v2.2.0
         with:
           aqua_version: v1.25.0
 

.github/workflows/mkdocs-dev.yaml

@@ -16,7 +16,7 @@ jobs:
         with:
           fetch-depth: 0
           persist-credentials: true
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v5
         with:
           python-version: 3.x
       - name: Install dependencies

.github/workflows/mkdocs-latest.yaml

@@ -18,7 +18,7 @@ jobs:
         with:
           fetch-depth: 0
           persist-credentials: true
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v5
         with:
           python-version: 3.x
       - name: Install dependencies

.github/workflows/publish-chart.yaml

@@ -30,7 +30,7 @@ jobs:
         with:
           version: v3.5.0
       - name: Set up python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: 3.7
       - name: Setup Chart Linting

.github/workflows/reusable-release.yaml

@@ -36,7 +36,7 @@ jobs:
           remove-haskell: 'true'
 
       - name: Cosign install
-        uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8
+        uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
@@ -74,7 +74,7 @@ jobs:
           fetch-depth: 0
 
       - name: Setup Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
 

.github/workflows/stale-issues.yaml

@@ -7,7 +7,7 @@ jobs:
     timeout-minutes: 1
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/stale@v8
+    - uses: actions/stale@v9
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-pr-message: 'This PR is stale because it has been labeled with inactivity.'

.github/workflows/test-docs.yaml

@@ -14,7 +14,7 @@ jobs:
       with:
         fetch-depth: 0
         persist-credentials: true
-    - uses: actions/setup-python@v4
+    - uses: actions/setup-python@v5
       with:
         python-version: 3.x
     - name: Install dependencies

.github/workflows/test.yaml

@@ -18,7 +18,7 @@ jobs:
       - uses: actions/checkout@v4.1.1
 
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
 
@@ -47,7 +47,7 @@ jobs:
         if: ${{ failure() && steps.lint.conclusion == 'failure' }}
 
       - name: Install tools
-        uses: aquaproj/aqua-installer@v2.1.2
+        uses: aquaproj/aqua-installer@v2.2.0
         with:
           aqua_version: v1.25.0
           aqua_opts: ""
@@ -72,12 +72,12 @@ jobs:
         uses: actions/checkout@v4.1.1
 
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
 
       - name: Install tools
-        uses: aquaproj/aqua-installer@v2.1.2
+        uses: aquaproj/aqua-installer@v2.2.0
         with:
           aqua_version: v1.25.0
 
@@ -101,12 +101,12 @@ jobs:
         uses: actions/checkout@v4.1.1
 
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
 
       - name: Install tools
-        uses: aquaproj/aqua-installer@v2.1.2
+        uses: aquaproj/aqua-installer@v2.2.0
         with:
           aqua_version: v1.25.0
 
@@ -121,12 +121,12 @@ jobs:
         uses: actions/checkout@v4.1.1
 
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
 
       - name: Install tools
-        uses: aquaproj/aqua-installer@v2.1.2
+        uses: aquaproj/aqua-installer@v2.2.0
         with:
           aqua_version: v1.25.0
 
@@ -152,11 +152,11 @@ jobs:
         uses: actions/checkout@v4.1.1
 
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
       - name: Install tools
-        uses: aquaproj/aqua-installer@v2.1.2
+        uses: aquaproj/aqua-installer@v2.2.0
         with:
           aqua_version: v1.25.0
       - name: Run vm integration tests
@@ -186,7 +186,7 @@ jobs:
       uses: actions/checkout@v4.1.1
 
     - name: Set up Go
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@v5
       with:
         go-version-file: go.mod
 

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.18.5
+FROM alpine:3.19.0
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/

Dockerfile.canary

@@ -1,4 +1,4 @@
-FROM alpine:3.18.5
+FROM alpine:3.19.0
 RUN apk --no-cache add ca-certificates git
 
 # binaries were created with GoReleaser

brand/Trivy-OSS-Logo-Color-Horizontal-RGB-2022.svg

@@ -1,56 +0,0 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
-<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
-<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
-	 viewBox="0 0 265 135" enable-background="new 0 0 265 135" xml:space="preserve">
-<g>
-	<path fill="#07242D" d="M148.629,103.076v5.928c-4.038,0-7.676-1.454-10.545-3.863c-3.605-3.025-5.894-7.565-5.894-12.638V62.815
-		h5.894v13.471h10.545v5.966h-10.545v10.395C138.164,98.419,142.84,103.076,148.629,103.076z"/>
-	<path fill="#07242D" d="M169.65,76.285v5.889c-5.591,0.011-10.143,4.446-10.345,9.984v16.845h-5.908V76.285h5.908v3.735
-		C162.113,77.689,165.718,76.291,169.65,76.285z"/>
-	<path fill="#07242D" d="M173.447,68.698v-5.9h5.897v5.9H173.447z M173.447,109.003V76.285h5.897v32.719H173.447z"/>
-	<path fill="#07242D" d="M215.508,76.285l-16.348,32.719l-16.364-32.719h6.699l9.665,19.32l9.646-19.32L215.508,76.285z"/>
-	<path fill="#07242D" d="M250.874,76.285c0,0,0,35.771,0,38.135c0,9.136-7.493,16.428-16.37,16.423
-		c-4.157,0-8.009-1.576-10.934-4.196l4.24-4.24c1.809,1.532,4.143,2.464,6.693,2.459c5.745,0,10.396-4.696,10.396-10.446v-9.141
-		c-2.85,2.359-6.488,3.724-10.396,3.724c-8.894,0.005-16.384-7.171-16.384-16.372c0-0.194,0-16.345,0-16.345h5.972
-		c0,0,0.003,15.907,0.003,16.345c0,5.722,4.659,10.451,10.409,10.446c5.745,0,10.396-4.701,10.396-10.446V76.285H250.874z"/>
-</g>
-<g>
-	<polygon fill="#FFFFFF" points="65.469,5.431 10.124,37.409 10.125,101.877 65.462,134.109 120.813,101.895 120.813,37.407 	"/>
-	<g>
-		<path fill="#1904DA" d="M63.957,92.94V79.575c-6.048-2.856-9.846-8.792-9.768-15.27l-12.456-7.193
-			c-0.783,7.101,0.852,14.447,4.636,20.771C50.545,84.86,56.46,89.923,63.957,92.94z"/>
-		<path fill="#1904DA" d="M63.957,111.255V95.742c-8.438-3.162-15.089-8.73-19.77-16.553c-4.275-7.141-5.989-15.458-4.842-23.457
-			l-11.564-6.678C21.14,74.652,36.57,101.186,63.957,111.255z"/>
-		<path fill="#08B1D5" d="M66.804,95.596v15.649c26.877-10.306,42.715-37.348,36.372-62.1l-11.488,6.693
-			c1.481,8.635,0.079,16.879-4.065,23.865C83.476,86.697,76.281,92.188,66.804,95.596z"/>
-		<path fill="#08B1D5" d="M66.804,79.551v13.402c8.456-3.219,14.89-8.239,18.632-14.548c3.675-6.197,5.016-13.512,3.896-21.2
-			L76.888,64.38C76.826,70.53,73.171,76.032,66.804,79.551z"/>
-		<path fill="#FFC900" d="M78.53,41.442c5.228,2.549,9.501,6.608,12.373,11.749l11.183-6.458c-0.075-0.106-0.146-0.211-0.211-0.316
-			c-4.4-7.116-10.209-12.47-17.267-15.913c-19.641-9.576-44.026-2.441-55.772,16.23l11.227,6.481
-			C48.47,40.151,65.268,34.975,78.53,41.442z"/>
-		<path fill="#FFC900" d="M65.771,55.646c1.762,0,3.527,0.385,5.182,1.193h0.001c2.175,1.062,3.954,2.75,5.158,4.894L88.7,54.463
-			c-2.618-4.7-6.516-8.409-11.285-10.735c-12.078-5.888-27.409-1.16-35.147,10.76l12.525,7.229
-			C57.397,57.836,61.572,55.646,65.771,55.646z"/>
-		<path fill="#08B1D5" d="M66.804,130.848l51.828-30.205V40.14l-13.177,7.677c7.242,26.586-9.654,55.513-38.651,66.142V130.848z"/>
-		<path fill="#1904DA" d="M25.5,47.738l-13.196-7.621v60.509l51.653,30.22v-16.883C34.902,103.736,18.087,74.773,25.5,47.738z"/>
-		<path fill="#FFC900" d="M85.722,28.218c7.498,3.656,13.661,9.329,18.316,16.859c0.074,0.12,0.164,0.245,0.263,0.376l13.056-7.539
-			L65.469,7.948l-51.9,29.973l13.061,7.54C39.042,25.644,64.896,18.062,85.722,28.218z"/>
-		<path fill="#FF0036" d="M74.264,64.806c0.001-0.014,0.022-0.508-0.015-1.301c-0.104-0.324-1.328-2.715-4.385-4.383
-			c-2.089-1.139-4.769-1.27-7.357-0.362c-2.536,0.891-4.688,2.664-5.922,4.873c-0.015,0.192-0.044,0.647-0.022,1.173
-			c0.167,4.129,2.721,9.743,7.931,12.311l0.802,0.383l0.696-0.372C71.055,74.294,74.07,69.803,74.264,64.806z"/>
-	</g>
-</g>
-<g>
-	<path fill="#07242D" d="M149.768,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
-		s8.789,3.943,8.789,8.789V48.152z M140.979,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
-		C146.199,36.485,143.858,34.143,140.979,34.143z"/>
-	<path fill="#07242D" d="M208.745,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
-		c4.846,0,8.789,3.943,8.789,8.789V48.152z M199.956,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
-		C205.176,36.485,202.835,34.143,199.956,34.143z"/>
-	<path fill="#07242D" d="M180.296,48.156c-4.848,0-8.793-3.944-8.793-8.793v-8.248h3.571v8.248c0,2.879,2.343,5.222,5.222,5.222
-		c2.879,0,5.222-2.343,5.222-5.222v-8.248h3.571v8.248C189.089,44.211,185.144,48.156,180.296,48.156z"/>
-	<path fill="#07242D" d="M160.636,30.574c-4.846,0-8.789,3.943-8.789,8.789c0,4.846,3.943,8.789,8.789,8.789l3.569-3.569h-3.569
-		c-2.878,0-5.22-2.342-5.22-5.22c0-2.878,2.342-5.22,5.22-5.22c2.878,0,5.22,2.342,5.22,5.22V56.54h3.569V39.363
-		C169.425,34.516,165.482,30.574,160.636,30.574z"/>
-</g>
-</svg>

brand/Trivy-OSS-Logo-Color-Horizontal-RGB.svg

@@ -0,0 +1,85 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 28.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 1920 891" style="enable-background:new 0 0 1920 891;" xml:space="preserve">
+<style type="text/css">
+	.st0{fill:#031730;}
+	.st1{fill:#08B1D5;}
+	.st2{fill:#1904DA;}
+	.st3{fill:#FFC900;}
+	.st4{fill:#FF0036;}
+</style>
+<g>
+	<g>
+		<g>
+			<g>
+				<g>
+					<path class="st0" d="M1437.8,277.53h-46.05c-25.39,0-46.05-20.66-46.05-46.05c0-25.39,20.66-46.05,46.05-46.05
+						c25.39,0,46.05,20.66,46.05,46.05V277.53z M1391.75,204.13c-15.08,0-27.35,12.27-27.35,27.35c0,15.08,12.27,27.35,27.35,27.35
+						h27.35v-27.35C1419.1,216.4,1406.84,204.13,1391.75,204.13z"/>
+				</g>
+			</g>
+			<g>
+				<g>
+					<path class="st0" d="M1746.82,277.53h-46.05c-25.39,0-46.05-20.66-46.05-46.05c0-25.39,20.66-46.05,46.05-46.05
+						c25.39,0,46.05,20.66,46.05,46.05V277.53z M1700.77,204.13c-15.08,0-27.35,12.27-27.35,27.35c0,15.08,12.27,27.35,27.35,27.35
+						h27.35v-27.35C1728.12,216.4,1715.85,204.13,1700.77,204.13z"/>
+				</g>
+			</g>
+			<g>
+				<path class="st0" d="M1597.76,277.55c-25.4,0-46.07-20.66-46.07-46.07v-43.22h18.71v43.22c0,15.09,12.28,27.36,27.36,27.36
+					s27.36-12.28,27.36-27.36v-43.22h18.71v43.22C1643.83,256.88,1623.16,277.55,1597.76,277.55z"/>
+			</g>
+			<g>
+				<path class="st0" d="M1494.75,185.43c-25.39,0-46.05,20.66-46.05,46.05c0,25.39,20.66,46.05,46.05,46.05l18.7-18.7h-18.7
+					c-15.08,0-27.35-12.27-27.35-27.35c0-15.08,12.27-27.35,27.35-27.35s27.35,12.27,27.35,27.35v90h18.7v-90
+					C1540.8,206.09,1520.14,185.43,1494.75,185.43z"/>
+			</g>
+		</g>
+	</g>
+	<g>
+		<g>
+			<path class="st0" d="M968.09,578.05v45.38c-30.92,0-58.76-11.12-80.72-29.55c-27.59-23.17-45.14-57.93-45.14-96.78V269.82h45.14
+				v103.14h80.72v45.68h-80.72v79.6C887.98,542.42,923.77,578.05,968.09,578.05z"/>
+			<path class="st0" d="M1128.93,372.97v45.08c-42.79,0.09-77.63,34.03-79.2,76.45v128.94h-45.21V372.96h45.21v28.59
+				C1071.24,383.73,1098.84,373.01,1128.93,372.97z"/>
+			<path class="st0" d="M1157.94,347.93v-39.5h45.14v39.5H1157.94z M1157.94,623.44V372.96h45.14v250.48H1157.94z"/>
+			<path class="st0" d="M1479.86,372.96l-125.14,250.48l-125.3-250.48h51.3l73.99,147.93l73.84-147.93H1479.86z"/>
+			<path class="st0" d="M1750.5,372.96c0,0,0,273.85,0,291.97c0,69.91-57.37,125.75-125.32,125.69
+				c-31.84,0.03-61.33-12.05-83.7-32.11l32.45-32.45c13.85,11.74,31.73,18.85,51.25,18.82c43.98,0,79.58-35.97,79.58-79.95v-69.99
+				c-21.82,18.06-49.68,28.52-79.58,28.49c-68.1,0.06-125.44-54.9-125.44-125.35c0-1.49,0-125.13,0-125.13h45.73
+				c0,0,0.02,121.79,0.02,125.13c0,43.8,35.68,80,79.69,79.96c43.98,0,79.58-35.97,79.58-79.96V372.96H1750.5z"/>
+		</g>
+	</g>
+	<g>
+		<g>
+			<g>
+				<path class="st1" d="M463.95,358.89c0.04,0,0.08,0,0.12,0c6.43,0.01,11.75-4.93,11.75-11.36V134.47l-11.99-6.7l-11.94,6.67
+					v213.1c0,6.43,5.32,11.38,11.75,11.35C463.73,358.89,463.84,358.89,463.95,358.89z"/>
+				<path class="st2" d="M392.02,455.6L194.35,588.27v15.11l11.26,6.17L405.34,475.5c5.13-3.44,6.41-10.31,3.09-15.52
+					c-0.14-0.22-0.28-0.44-0.42-0.67C404.58,453.78,397.42,451.98,392.02,455.6z"/>
+				<path class="st3" d="M522.51,475.6l199.56,133.93l11.23-6.15v-15.14L535.83,455.71c-5.4-3.62-12.56-1.83-16,3.69
+					c-0.13,0.21-0.26,0.42-0.4,0.63C516.09,465.26,517.36,472.15,522.51,475.6z"/>
+				<path class="st0" d="M757.23,277.9V264.2l-12.26-6.85l-0.91-0.48L475.5,106.89l-11.68-6.51l-11.63,6.51L183.58,256.88
+					l-0.91,0.48l-12.25,6.85v13.69l-0.91,0.53l0.91,0.48v13.64v325.01l12.45,6.8l261.62,143.33l3.3,1.82l16.08,8.81l16.04-8.81
+					l3.3-1.82l261.62-143.33l12.4-6.8V292.55v-13.6l0.96-0.53L757.23,277.9z M476.11,744.33V502.51c0-6.59-5.39-11.98-11.98-11.97
+					l-0.18,0l-0.12,0c-6.59-0.01-11.98,5.38-11.98,11.97v241.81L205.61,609.55l-11.26-6.17v-15.11V290.06l196.06,107.42
+					c5.66,3.1,12.84,1.02,15.97-4.63l0.14-0.25c3.16-5.71,1.06-12.96-4.67-16.1L208.33,270.47l243.55-136.03l11.94-6.67l11.99,6.7
+					l243.5,136.01L525.64,376.58c-5.7,3.12-7.48,10.25-4.32,15.92c0.05,0.1,0.11,0.19,0.16,0.29c3.1,5.62,10.02,7.85,15.65,4.77
+					l196.16-107.5v298.19v15.14l-11.23,6.15L476.11,744.33z"/>
+			</g>
+			<circle class="st4" cx="463.95" cy="424.72" r="34.73"/>
+		</g>
+		<path class="st1" d="M649.35,258.97L461.77,153.83c-5.77-3.23-7.82-10.53-4.59-16.29v0c3.23-5.77,10.53-7.82,16.29-4.59
+			l187.58,105.15c5.77,3.23,7.82,10.53,4.59,16.29v0C662.41,260.15,655.12,262.2,649.35,258.97z"/>
+		<path class="st1" d="M567.15,267.09l-105.38-59.07c-5.77-3.23-7.82-10.53-4.59-16.29v0c3.23-5.77,10.53-7.82,16.29-4.59
+			l105.38,59.07c5.77,3.23,7.82,10.53,4.59,16.29l0,0C580.21,268.26,572.92,270.32,567.15,267.09z"/>
+		<path class="st1" d="M601.67,286.44L601.67,286.44c-5.77-3.23-7.82-10.53-4.59-16.29v0c3.23-5.77,10.53-7.82,16.29-4.59l0,0
+			c5.77,3.23,7.82,10.53,4.59,16.29v0C614.73,287.61,607.44,289.67,601.67,286.44z"/>
+		<path class="st1" d="M497.04,283.82l-35-19.62c-5.77-3.23-7.82-10.53-4.59-16.29v0c3.23-5.77,10.53-7.82,16.29-4.59l35,19.62
+			c5.77,3.23,7.82,10.53,4.59,16.29l0,0C510.1,284.99,502.8,287.05,497.04,283.82z"/>
+		<path class="st1" d="M549.85,316.05l-20.26-11.36c-5.77-3.23-7.82-10.53-4.59-16.29h0c3.23-5.77,10.53-7.82,16.29-4.59
+			l20.26,11.36c5.77,3.23,7.82,10.53,4.59,16.29v0C562.91,317.23,555.61,319.28,549.85,316.05z"/>
+	</g>
+</g>
+</svg>

brand/Trivy-OSS-Logo-Color-Stacked-RGB-2022.svg

@@ -1,202 +0,0 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
-<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
-<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
-	 viewBox="0 0 500 524" enable-background="new 0 0 500 524" xml:space="preserve">
-<g display="none">
-	<g display="inline">
-		<path fill="#07242D" d="M-483.763,450.803h-11.559l-22.557-22.807c-0.919,0.114-1.853,0.174-2.802,0.174v22.632h-8.238v-63.931
-			h8.239c0,0-0.016,33.158,0,33.158c4.013,0,7.684-1.656,10.29-4.32l9.86-10.073h11.814l-16.032,15.918
-			c-1.42,1.421-3.031,2.655-4.787,3.659L-483.763,450.803z"/>
-		<path fill="#07242D" d="M-438.316,405.517v22.819c0,0,0,0.033,0,0.049c0,12.39-10.039,22.418-22.429,22.418
-			c-12.389,0-22.421-10.059-22.421-22.448c0-0.017,0-22.837,0-22.837h7.989v22.819c0,7.967,6.466,14.457,14.433,14.457
-			c7.966,0,14.424-6.491,14.424-14.457v-22.819H-438.316z"/>
-		<path fill="#07242D" d="M-385.244,428.166c0,12.501-10.133,22.636-22.636,22.636c-5.485,0-10.514-1.95-14.431-5.196v5.196h-8.218
-			c0.005-0.516,0.005-63.931,0.005-63.931h8.217l-0.004,23.854c3.918-3.246,8.947-5.196,14.432-5.196
-			C-395.377,405.529-385.242,415.664-385.244,428.166z M-393.437,428.166c0-7.976-6.466-14.441-14.442-14.441
-			c-7.793,0-14.443,6.329-14.443,14.418c0,8.089,6.649,14.464,14.443,14.464C-399.903,442.607-393.437,436.142-393.437,428.166z"/>
-		<path fill="#07242D" d="M-335.539,431.11h-36.518c1.375,6.517,7.157,11.435,14.075,11.435c4.514,0,8.538-2.095,11.172-5.362h9.577
-			c-3.496,8.008-11.475,13.619-20.748,13.619c-12.489,0-22.644-10.173-22.644-22.676c0-12.503,10.155-22.608,22.644-22.608
-			C-344.426,405.411-333.664,417.688-335.539,431.11z M-344.611,422.85c-2.103-5.316-7.296-9.06-13.371-9.06
-			c-6.076,0-11.275,3.746-13.382,9.06H-344.611z"/>
-		<path fill="#07242D" d="M-306.194,420.895v7.548h-23.302v-7.548H-306.194z"/>
-		<path fill="#07242D" d="M-252.987,428.166c0,12.501-10.133,22.636-22.636,22.636c-5.485,0-10.514-1.95-14.431-5.196v5.196h-8.218
-			c0.005-0.516,0.005-63.931,0.005-63.931h8.218l-0.004,23.854c3.918-3.246,8.946-5.196,14.431-5.196
-			C-263.12,405.529-252.985,415.664-252.987,428.166z M-261.181,428.166c0-7.976-6.467-14.441-14.442-14.441
-			c-7.794,0-14.443,6.329-14.443,14.418c0,8.089,6.649,14.464,14.443,14.464C-267.647,442.607-261.181,436.142-261.181,428.166z"/>
-		<path fill="#07242D" d="M-203.283,431.11h-36.518c1.375,6.517,7.157,11.435,14.075,11.435c4.514,0,8.538-2.095,11.172-5.362h9.577
-			c-3.496,8.008-11.475,13.619-20.748,13.619c-12.489,0-22.644-10.173-22.644-22.676c0-12.503,10.155-22.608,22.644-22.608
-			C-212.17,405.411-201.408,417.688-203.283,431.11z M-212.355,422.85c-2.103-5.316-7.296-9.06-13.371-9.06
-			c-6.076,0-11.275,3.746-13.382,9.06H-212.355z"/>
-		<path fill="#07242D" d="M-151.113,428.114c0,15.871,0,22.688,0,22.688h-8.262c0,0,0-14.878,0-22.688
-			c0-8.095-6.591-14.327-14.363-14.327c-7.772,0-14.393,6.163-14.393,14.327c0,7.814,0,22.688,0,22.688h-8.26v-45.285
-			c0,0,3.539,0,8.26,0v5.101c0,0,5.421-5.101,14.393-5.101C-163.095,405.517-151.113,413.789-151.113,428.114z"/>
-		<path fill="#07242D" d="M-112.598,438.373l5.799,5.798c-4.098,4.097-9.758,6.632-16.01,6.632c-6.252,0-11.912-2.534-16.01-6.632
-			c-4.097-4.098-6.632-9.758-6.632-16.01s2.534-11.912,6.632-16.01c4.098-4.097,9.758-6.632,16.01-6.632
-			c6.252,0,11.912,2.534,16.01,6.632l-5.799,5.799c-2.613-2.615-6.224-4.231-10.212-4.231c-3.988,0-7.599,1.617-10.212,4.231
-			c-2.614,2.613-4.23,6.224-4.23,10.212s1.616,7.599,4.23,10.213c2.613,2.613,6.224,4.229,10.212,4.229
-			C-118.821,442.602-115.211,440.986-112.598,438.373z"/>
-		<path fill="#07242D" d="M-55.678,428.174c0,15.827,0,22.626,0,22.626h-8.239c0,0,0-14.838,0-22.626
-			c0-8.072-6.575-14.287-14.324-14.287c-7.751,0-14.353,6.146-14.353,14.287c0,7.793,0,22.626,0,22.626h-8.238v-63.929h8.238v23.856
-			c0,0,5.405-5.086,14.353-5.086C-67.626,405.641-55.678,413.889-55.678,428.174z"/>
-	</g>
-	<g display="inline">
-		<path fill="#07242D" d="M186.582,442.579v8.203c-5.588,0-10.623-2.012-14.594-5.346c-4.989-4.186-8.157-10.469-8.157-17.489
-			v-41.085h8.157v18.642h14.594v8.257h-14.594v14.386C172.1,436.134,178.571,442.579,186.582,442.579z"/>
-		<path fill="#07242D" d="M215.674,405.503v8.149c-7.739,0.015-14.037,6.152-14.317,13.818v23.312h-8.176v-45.279h8.176v5.169
-			C205.243,407.446,210.232,405.51,215.674,405.503z"/>
-		<path fill="#07242D" d="M220.928,395.003v-8.165h8.161v8.165H220.928z M220.928,450.782v-45.279h8.161v45.279H220.928z"/>
-		<path fill="#07242D" d="M279.137,405.503l-22.624,45.279l-22.647-45.279h9.271l13.376,26.737l13.349-26.737H279.137z"/>
-		<path fill="#07242D" d="M328.08,405.503c0,0,0,49.504,0,52.776c0,12.643-10.369,22.736-22.655,22.728
-			c-5.753,0-11.084-2.181-15.131-5.807l5.868-5.868c2.504,2.12,5.734,3.41,9.263,3.403c7.95,0,14.386-6.498,14.386-14.456v-12.651
-			c-3.944,3.264-8.979,5.154-14.386,5.154c-12.309,0.008-22.674-9.924-22.674-22.659c0-0.269,0-22.62,0-22.62h8.265
-			c0,0,0.004,22.014,0.004,22.62c0,7.919,6.448,14.463,14.406,14.456c7.95,0,14.386-6.506,14.386-14.456v-22.62H328.08z"/>
-	</g>
-	<g display="inline">
-		<path fill="#07242D" d="M1186.898,438.384c-0.411,4.687-4.656,12.67-15.302,12.67c-10.092,0-16.135-6.761-16.135-6.761
-			l5.797-5.801c4.906,4.664,10.338,4.372,10.338,4.372c3.473-0.238,6.258-2.643,6.469-5.471c0.242-3.235-2.009-5.486-6.469-6.124
-			c-2.098-0.307-7.184-0.791-11.36-4.533c-1.36-1.222-6.489-6.577-2.217-14.191c0.834-1.491,4.556-6.769,13.577-6.769
-			c0,0,7.434-0.53,14.311,5.086l-5.866,5.863c-1.16-0.96-4.46-2.904-8.444-2.881c-7.207,0.046-7.007,4.011-7.007,4.011
-			c0.061,3.166,2.874,4.864,7.007,5.409C1185.672,425.114,1187.309,433.743,1186.898,438.384z"/>
-		<path fill="#07242D" d="M1215.419,442.848v8.206c-5.59,0-10.626-2.013-14.599-5.348c-4.99-4.188-8.16-10.473-8.16-17.495v-41.099
-			h8.16v18.648h14.599v8.26h-14.599v14.391C1200.932,436.401,1207.405,442.848,1215.419,442.848z"/>
-		<path fill="#07242D" d="M1263.522,428.372v22.682h-22.705c-0.5,0-0.999-0.015-1.495-0.054c-6.431-0.423-12.128-3.527-15.985-8.214
-			c-3.289-4.003-5.171-8.928-5.186-14.414c0.526-25.548,35.106-31.264,44.03-7.699
-			C1263.068,423.132,1263.522,425.76,1263.522,428.372z M1255.131,428.372c0.054-12.824-15.563-19.132-24.433-10.135l-0.004-0.008
-			c-2.609,2.605-4.226,6.17-4.226,10.142c0,7.937,6.435,14.399,14.368,14.399c3.976,0,14.295,0,14.295,0
-			S1255.131,432.352,1255.131,428.372z"/>
-		<path fill="#07242D" d="M1293.898,405.76v8.152c-7.741,0.015-14.042,6.154-14.322,13.823v23.319h-8.179V405.76h8.179v5.171
-			C1283.464,407.704,1288.454,405.767,1293.898,405.76z"/>
-		<path fill="#07242D" d="M1344.448,428.411c0,12.509-10.135,22.643-22.639,22.643c-5.486,0-10.515-1.952-14.433-5.194v5.194h-8.221
-			c0.008-0.515,0.008-63.942,0.008-63.942h8.217l-0.004,23.857c3.919-3.25,8.947-5.202,14.433-5.202
-			C1334.313,405.767,1344.452,415.91,1344.448,428.411z M1336.254,428.411c0-7.975-6.466-14.445-14.445-14.445
-			c-7.795,0-14.445,6.331-14.445,14.422c0,8.091,6.65,14.468,14.445,14.468C1329.788,442.856,1336.254,436.394,1336.254,428.411z"/>
-		<path fill="#07242D" d="M1394.394,428.411c0,12.509-10.15,22.643-22.643,22.643s-22.651-10.135-22.651-22.643
-			s10.157-22.651,22.651-22.651S1394.394,415.91,1394.394,428.411z M1386.127,428.411c0-7.937-6.431-14.376-14.376-14.376
-			c-7.941,0-14.387,6.431-14.387,14.376s6.446,14.383,14.387,14.383C1379.696,442.794,1386.127,436.355,1386.127,428.411z"/>
-		<path fill="#07242D" d="M1444.414,428.372v22.682h-22.705c-0.499,0-0.999-0.015-1.494-0.054
-			c-6.431-0.423-12.128-3.527-15.985-8.214c-3.289-4.003-5.171-8.928-5.186-14.414c0.526-25.548,35.106-31.264,44.03-7.699
-			C1443.961,423.132,1444.414,425.76,1444.414,428.372z M1436.024,428.372c0.054-12.824-15.563-19.132-24.433-10.135l-0.004-0.008
-			c-2.609,2.605-4.226,6.17-4.226,10.142c0,7.937,6.435,14.399,14.368,14.399c3.976,0,14.295,0,14.295,0
-			S1436.024,432.352,1436.024,428.372z"/>
-		<path fill="#07242D" d="M1474.791,405.76v8.152c-7.741,0.015-14.042,6.154-14.322,13.823v23.319h-8.179V405.76h8.179v5.171
-			C1464.356,407.704,1469.347,405.767,1474.791,405.76z"/>
-		<path fill="#07242D" d="M1521.556,451.031h-8.214v-5.194c-3.919,3.242-8.951,5.194-14.43,5.194
-			c-12.501,0-22.635-10.127-22.635-22.628s10.135-22.636,22.635-22.636c5.478,0,10.511,1.952,14.43,5.194l0.008-23.85h8.221
-			C1521.572,387.112,1521.556,450.516,1521.556,451.031z M1513.35,428.38c0-8.091-6.646-14.422-14.437-14.422
-			c-7.975,0-14.445,6.469-14.445,14.445s6.469,14.437,14.445,14.437C1506.704,442.84,1513.35,436.471,1513.35,428.38z"/>
-	</g>
-	<g display="inline">
-		<path fill="#07242D" d="M1711.171,438.276l5.802,5.802c-4.1,4.096-9.763,6.632-16.014,6.632c-6.255,0-11.918-2.536-16.018-6.632
-			c-4.1-4.103-6.635-9.759-6.635-16.014s2.536-11.918,6.635-16.022c4.1-4.096,9.763-6.632,16.018-6.632
-			c6.251,0,11.915,2.536,16.014,6.632l-5.802,5.802c-2.613-2.613-6.224-4.234-10.213-4.234c-3.992,0-7.604,1.621-10.216,4.234
-			c-2.617,2.613-4.234,6.224-4.234,10.22c0,3.988,1.618,7.6,4.234,10.213c2.613,2.613,6.224,4.234,10.216,4.234
-			C1704.947,442.511,1708.559,440.889,1711.171,438.276z"/>
-		<path fill="#07242D" d="M1722.967,450.71v-63.95h8.241v63.95H1722.967z"/>
-		<path fill="#07242D" d="M1783.282,428.064c0,12.51-10.151,22.646-22.646,22.646c-12.495,0-22.654-10.136-22.654-22.646
-			s10.159-22.654,22.654-22.654C1773.131,405.41,1783.282,415.561,1783.282,428.064z M1775.013,428.064
-			c0-7.938-6.432-14.378-14.378-14.378c-7.942,0-14.389,6.432-14.389,14.378c0,7.946,6.447,14.385,14.389,14.385
-			C1768.581,442.449,1775.013,436.01,1775.013,428.064z"/>
-		<path fill="#07242D" d="M1833.833,405.41v22.823c0,0,0,0.038,0,0.054c0,12.395-10.04,22.423-22.435,22.423
-			c-12.395,0-22.427-10.059-22.427-22.454c0-0.015,0-22.846,0-22.846h7.992v22.823c0,7.976,6.466,14.462,14.435,14.462
-			c7.969,0,14.431-6.486,14.431-14.462V405.41H1833.833z"/>
-		<path fill="#07242D" d="M1884.777,450.687h-8.218v-5.195c-3.915,3.243-8.945,5.195-14.431,5.195
-			c-12.503,0-22.634-10.128-22.634-22.631c0-12.503,10.132-22.638,22.634-22.638c5.487,0,10.516,1.952,14.431,5.195l0.011-23.852
-			h8.219C1884.789,386.76,1884.773,450.172,1884.777,450.687z M1876.574,428.033c0-8.092-6.651-14.424-14.447-14.424
-			c-7.973,0-14.443,6.47-14.443,14.447c0,7.976,6.466,14.439,14.443,14.439C1869.923,442.495,1876.574,436.125,1876.574,428.033z"/>
-		<path fill="#07242D" d="M1922.865,438.038c-0.411,4.687-4.657,12.672-15.303,12.672c-10.094,0-16.137-6.762-16.137-6.762
-			l5.798-5.802c4.906,4.664,10.339,4.372,10.339,4.372c3.473-0.238,6.259-2.643,6.47-5.471c0.242-3.235-2.009-5.487-6.47-6.124
-			c-2.098-0.307-7.185-0.792-11.361-4.534c-1.36-1.222-6.489-6.578-2.217-14.193c0.834-1.491,4.557-6.77,13.578-6.77
-			c0,0,7.435-0.53,14.312,5.087l-5.867,5.863c-1.16-0.961-4.461-2.905-8.445-2.882c-7.208,0.046-7.008,4.011-7.008,4.011
-			c0.062,3.166,2.874,4.864,7.008,5.41C1921.639,424.767,1923.276,433.397,1922.865,438.038z"/>
-		<path fill="#07242D" d="M1975.107,428.041c0,12.526-10.151,22.73-22.661,22.73c-5.471,0-10.493-1.952-14.416-5.195v35.371h-8.276
-			V405.41h8.276v5.156c3.923-3.22,8.945-5.156,14.416-5.156C1964.956,405.41,1975.107,415.523,1975.107,428.041z M1966.831,428.041
-			c0-7.953-6.432-14.347-14.385-14.347s-14.416,6.393-14.416,14.347s6.463,14.462,14.416,14.462S1966.831,435.994,1966.831,428.041z
-			"/>
-		<path fill="#07242D" d="M1981.877,450.71v-63.95h8.245v63.95H1981.877z"/>
-		<path fill="#07242D" d="M2042.192,428.064c0,12.51-10.151,22.646-22.646,22.646c-12.495,0-22.654-10.136-22.654-22.646
-			s10.159-22.654,22.654-22.654C2032.041,405.41,2042.192,415.561,2042.192,428.064z M2033.916,428.064
-			c0-7.938-6.432-14.378-14.37-14.378c-7.946,0-14.393,6.432-14.393,14.378c0,7.946,6.447,14.385,14.393,14.385
-			C2027.484,442.449,2033.916,436.01,2033.916,428.064z"/>
-		<path fill="#07242D" d="M2049.016,394.906v-8.168h8.168v8.168H2049.016z M2049.016,450.71v-45.3h8.168v45.3H2049.016z"/>
-		<path fill="#07242D" d="M2087.737,442.503v8.207c-5.594,0-10.627-2.013-14.6-5.348c-4.987-4.188-8.161-10.474-8.161-17.497V386.76
-			h8.161v18.65h14.6v8.261h-14.6v14.393C2073.252,436.056,2079.722,442.503,2087.737,442.503z"/>
-	</g>
-	<g display="inline">
-		<path fill="#07242D" d="M690.837,442.596v8.206c-5.59,0-10.626-2.013-14.599-5.348c-4.99-4.188-8.16-10.473-8.16-17.495V386.86
-			h8.16v18.648h14.599v8.26h-14.599v14.391C676.35,436.15,682.823,442.596,690.837,442.596z"/>
-		<path fill="#07242D" d="M719.939,405.508v8.152c-7.737,0.015-14.042,6.154-14.322,13.823v23.319h-8.179v-45.294h8.179v5.171
-			C709.504,407.452,714.495,405.516,719.939,405.508z"/>
-		<path fill="#07242D" d="M766.789,428.12v22.682h-22.705c-0.499,0-0.999-0.015-1.494-0.054c-6.431-0.423-12.128-3.527-15.985-8.214
-			c-3.289-4.003-5.171-8.928-5.183-14.414c0.523-25.548,35.102-31.264,44.026-7.699C766.335,422.88,766.789,425.508,766.789,428.12z
-			 M758.398,428.12c0.054-12.824-15.563-19.132-24.433-10.135l-0.004-0.008c-2.609,2.605-4.226,6.17-4.226,10.142
-			c0,7.937,6.435,14.399,14.368,14.399c3.976,0,14.295,0,14.295,0S758.398,432.101,758.398,428.12z"/>
-		<path fill="#07242D" d="M805.36,438.37l5.801,5.801c-4.099,4.095-9.762,6.631-16.016,6.631c-6.254,0-11.913-2.536-16.012-6.631
-			c-4.099-4.103-6.631-9.766-6.631-16.02c0-6.247,2.532-11.909,6.631-16.012c4.099-4.095,9.758-6.631,16.012-6.631
-			c6.254,0,11.917,2.536,16.016,6.631l-5.801,5.801c-2.612-2.612-6.224-4.234-10.215-4.234c-3.988,0-7.599,1.621-10.211,4.234
-			c-2.616,2.612-4.234,6.224-4.234,10.211c0,3.995,1.617,7.607,4.234,10.219c2.612,2.612,6.224,4.234,10.211,4.234
-			C799.136,442.604,802.747,440.983,805.36,438.37z"/>
-		<path fill="#07242D" d="M858.664,431.109h-36.527c1.375,6.516,7.161,11.433,14.08,11.433c4.514,0,8.54-2.098,11.172-5.363h9.581
-			c-3.5,8.014-11.479,13.623-20.753,13.623c-12.493,0-22.647-10.173-22.647-22.682c0-12.501,10.154-22.612,22.647-22.612
-			C849.774,405.4,860.539,417.679,858.664,431.109z M849.59,422.842c-2.105-5.317-7.295-9.059-13.373-9.059
-			s-11.276,3.742-13.385,9.059H849.59z"/>
-		<path fill="#07242D" d="M908.514,431.109h-36.527c1.375,6.516,7.161,11.433,14.08,11.433c4.514,0,8.54-2.098,11.172-5.363h9.581
-			c-3.5,8.014-11.479,13.623-20.753,13.623c-12.493,0-22.647-10.173-22.647-22.682c0-12.501,10.154-22.612,22.647-22.612
-			C899.625,405.4,910.389,417.679,908.514,431.109z M899.44,422.842c-2.105-5.317-7.295-9.059-13.373-9.059
-			s-11.276,3.742-13.385,9.059H899.44z"/>
-	</g>
-</g>
-<g>
-	<path fill="#07242D" d="M186.351,471.553v8.229c-5.606,0-10.656-2.019-14.639-5.363c-5.005-4.199-8.182-10.502-8.182-17.544v-41.21
-		h8.182v18.699h14.639v8.282h-14.639v14.43C171.824,465.089,178.316,471.553,186.351,471.553z"/>
-	<path fill="#07242D" d="M215.533,434.363v8.175c-7.762,0.016-14.08,6.172-14.361,13.86v23.384h-8.202v-45.419h8.202v5.185
-		C205.069,436.313,210.074,434.371,215.533,434.363z"/>
-	<path fill="#07242D" d="M220.803,423.832v-8.191h8.186v8.191H220.803z M220.803,479.782v-45.419h8.186v45.419H220.803z"/>
-	<path fill="#07242D" d="M279.191,434.363l-22.694,45.419l-22.716-45.419h9.3l13.417,26.82l13.39-26.82H279.191z"/>
-	<path fill="#07242D" d="M328.286,434.363c0,0,0,49.656,0,52.938c0,12.682-10.402,22.805-22.725,22.798
-		c-5.771,0-11.118-2.188-15.178-5.824l5.887-5.887c2.512,2.126,5.751,3.42,9.291,3.413c7.975,0,14.431-6.519,14.431-14.5v-12.689
-		c-3.956,3.275-9.006,5.17-14.431,5.17c-12.346,0.007-22.743-9.954-22.743-22.728c0-0.27,0-22.69,0-22.69h8.291
-		c0,0,0.004,22.082,0.004,22.69c0,7.944,6.468,14.508,14.45,14.5c7.975,0,14.431-6.526,14.431-14.5v-22.691H328.286z"/>
-</g>
-<g>
-	<polygon fill="#FFFFFF" points="250.554,44.159 116.876,121.396 116.877,277.11 250.537,354.962 384.229,277.154 384.229,121.392 	
-		"/>
-	<g>
-		<path fill="#1904DA" d="M246.902,255.524v-32.282c-14.609-6.898-23.783-21.236-23.594-36.882l-30.086-17.374
-			c-1.892,17.15,2.057,34.896,11.198,50.171C214.507,236.009,228.793,248.237,246.902,255.524z"/>
-		<path fill="#1904DA" d="M246.902,299.761v-37.468c-20.381-7.638-36.445-21.086-47.752-39.981
-			c-10.325-17.249-14.466-37.337-11.695-56.657l-27.931-16.129C143.482,211.352,180.751,275.442,246.902,299.761z"/>
-		<path fill="#08B1D5" d="M253.779,261.938v37.797c64.918-24.892,103.171-90.209,87.852-149.994l-27.747,16.165
-			c3.578,20.856,0.191,40.77-9.818,57.644C294.046,240.446,276.67,253.707,253.779,261.938z"/>
-		<path fill="#08B1D5" d="M253.779,223.185v32.371c20.424-7.774,35.964-19.9,45.004-35.138c8.877-14.969,12.116-32.637,9.411-51.205
-			l-30.06,17.33C277.985,201.395,269.156,214.685,253.779,223.185z"/>
-		<path fill="#FFC900" d="M282.1,131.138c12.628,6.157,22.948,15.961,29.885,28.378l27.012-15.598
-			c-0.182-0.255-0.351-0.51-0.509-0.764c-10.628-17.188-24.658-30.12-41.707-38.435c-47.439-23.13-106.339-5.896-134.71,39.2
-			l27.117,15.654C209.496,128.018,250.069,115.518,282.1,131.138z"/>
-		<path fill="#FFC900" d="M251.284,165.445c4.256,0,8.519,0.931,12.516,2.881h0.002c5.253,2.564,9.549,6.643,12.458,11.821
-			l30.404-17.558c-6.323-11.352-15.738-20.312-27.257-25.93c-29.172-14.223-66.203-2.802-84.893,25.99l30.251,17.46
-			C231.056,170.735,241.141,165.445,251.284,165.445z"/>
-		<path fill="#08B1D5" d="M253.779,347.086l125.184-72.957V127.993l-31.828,18.542c17.491,64.215-23.319,134.084-93.356,159.757
-			V347.086z"/>
-		<path fill="#1904DA" d="M154.014,146.345l-31.873-18.406v146.151l124.761,72.993v-40.779
-			C176.723,281.599,136.109,211.643,154.014,146.345z"/>
-		<path fill="#FFC900" d="M299.471,99.198c18.111,8.832,32.995,22.533,44.241,40.722c0.179,0.289,0.397,0.592,0.636,0.908
-			l31.536-18.21l-125.33-72.378l-125.358,72.395l31.548,18.211C186.722,92.98,249.169,74.667,299.471,99.198z"/>
-		<path fill="#FF0036" d="M271.797,187.57c0.002-0.035,0.052-1.226-0.036-3.143c-0.251-0.783-3.208-6.558-10.592-10.586
-			c-5.045-2.751-11.518-3.068-17.769-0.874c-6.124,2.152-11.322,6.434-14.303,11.769c-0.036,0.464-0.105,1.563-0.052,2.832
-			c0.404,9.974,6.573,23.534,19.156,29.736l1.938,0.925l1.682-0.899C264.046,210.487,271.328,199.641,271.797,187.57z"/>
-	</g>
-</g>
-<g>
-	<path fill="#07242D" d="M186.846,398.474H175.2c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
-		s11.646,5.224,11.646,11.646V398.474z M175.2,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916h6.916
-		v-6.916C182.117,383.015,179.014,379.912,175.2,379.912z"/>
-	<path fill="#07242D" d="M264.991,398.474h-11.646c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
-		c6.421,0,11.646,5.224,11.646,11.646V398.474z M253.345,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916
-		h6.916v-6.916C260.261,383.015,257.159,379.912,253.345,379.912z"/>
-	<path fill="#07242D" d="M227.295,398.479c-6.424,0-11.651-5.226-11.651-11.651V375.9h4.731v10.928c0,3.815,3.104,6.919,6.919,6.919
-		c3.815,0,6.919-3.104,6.919-6.919V375.9h4.731v10.928C238.946,393.253,233.719,398.479,227.295,398.479z"/>
-	<path fill="#07242D" d="M201.245,375.183c-6.421,0-11.645,5.224-11.645,11.646c0,6.421,5.224,11.646,11.645,11.646l4.729-4.729
-		h-4.729c-3.814,0-6.916-3.103-6.916-6.916c0-3.814,3.103-6.916,6.916-6.916c3.814,0,6.916,3.103,6.916,6.916v22.76h4.729v-22.76
-		C212.891,380.407,207.666,375.183,201.245,375.183z"/>
-</g>
-</svg>

brand/Trivy-OSS-Logo-White-Horizontal-RGB-2022.svg

@@ -1,84 +0,0 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
-<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
-<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
-	 viewBox="0 0 265 135" enable-background="new 0 0 265 135" xml:space="preserve">
-<g display="none">
-	<polygon display="inline" fill="#FFFFFF" points="65.469,9.61 12.669,40.117 12.669,101.621 65.463,132.371 118.268,101.639 
-		118.268,40.115 	"/>
-	<g display="inline">
-		<path fill="#08B1D5" d="M64.511,80.035c-5.972-2.687-9.502-8.433-9.313-14.534l-12.765-7.371c-0.952,7.062,0.569,14.449,4.4,20.85
-			c4.078,6.813,9.966,11.887,17.678,14.825V80.035L64.511,80.035z"/>
-		<path fill="#08B1D5" d="M64.511,111.257V95.432c-8.26-3.017-14.588-8.448-18.931-15.703c-4.108-6.864-5.671-14.819-4.507-22.384
-			l-11.864-6.851C22.412,75.299,37.662,101.72,64.511,111.257z"/>
-		<path fill="#0D819B" d="M66.259,95.288v15.969c26.352-9.758,42.17-36.132,35.489-60.682l-11.8,6.874
-			c1.473,8.16,0.189,16.115-3.759,22.77C82.134,87.057,75.052,92.189,66.259,95.288z"/>
-		<path fill="#0D819B" d="M75.879,65.569c0.053,5.924-3.429,11.136-9.62,14.466v13.769c8.227-2.999,14.873-7.918,18.675-14.329
-			c3.681-6.207,4.934-13.613,3.671-21.243L75.879,65.569z"/>
-		<path fill="#F69421" d="M77.717,44.4c4.977,2.427,9.031,6.315,11.724,11.244c0.035,0.065,0.069,0.132,0.104,0.198l11.574-6.684
-			c-0.184-0.232-0.361-0.466-0.506-0.701c-4.246-6.868-9.855-12.036-16.673-15.361c-19.245-9.385-42.827-2.309-54.094,16.087
-			l11.546,6.665C49.232,43.242,65.013,38.204,77.717,44.4z"/>
-		<path fill="#F69421" d="M70.489,59.089c2.06,1.005,3.731,2.627,4.832,4.692c0.037,0.07,0.07,0.143,0.105,0.214l12.854-7.423
-			c-0.04-0.076-0.079-0.153-0.12-0.228c-2.546-4.662-6.379-8.339-11.082-10.632c-12.018-5.861-26.965-1.08-34.421,10.866
-			l12.783,7.379C58.771,58.613,65.217,56.518,70.489,59.089z"/>
-		<path fill="#0D819B" d="M116.672,41.881l-13.621,7.936c7.185,25.544-9.291,53.076-36.791,62.992v17.294l50.413-29.381V41.881z"/>
-		<path fill="#08B1D5" d="M14.265,41.864v58.842l50.245,29.397v-17.294C36.51,103.127,20.607,75.545,27.905,49.74l-13.001-7.508
-			L14.265,41.864z"/>
-		<path fill="#F69421" d="M14.987,40.606l1.484,0.857l12.109,6.989C40.23,29.398,64.649,22.066,84.579,31.784
-			c7.069,3.448,12.881,8.799,17.274,15.904c0.139,0.225,0.333,0.472,0.543,0.731l13.542-7.82l-50.47-29.146L14.987,40.606z"/>
-		<path fill="#F0DF36" d="M66.202,78.433c4.968-2.778,7.95-7.226,8.141-12.159c0,0,0.022-0.489-0.015-1.283
-			c-0.007-0.163-1.102-2.766-4.435-4.583c-4.476-2.441-10.828-0.093-13.372,4.583c0,0-0.061,0.574-0.033,1.283
-			c0.182,4.483,2.945,9.749,7.836,12.159l0.991,0.473L66.202,78.433z"/>
-	</g>
-</g>
-<g>
-	<path fill="#FFFFFF" d="M148.629,103.076v5.928c-4.038,0-7.676-1.454-10.545-3.863c-3.605-3.025-5.894-7.565-5.894-12.638V62.815
-		h5.894v13.471h10.545v5.966h-10.545v10.395C138.164,98.419,142.84,103.076,148.629,103.076z"/>
-	<path fill="#FFFFFF" d="M169.65,76.285v5.889c-5.591,0.011-10.143,4.446-10.345,9.984v16.845h-5.908V76.285h5.908v3.735
-		C162.113,77.689,165.718,76.291,169.65,76.285z"/>
-	<path fill="#FFFFFF" d="M173.447,68.698v-5.9h5.897v5.9H173.447z M173.447,109.003V76.285h5.897v32.719H173.447z"/>
-	<path fill="#FFFFFF" d="M215.508,76.285l-16.348,32.719l-16.364-32.719h6.699l9.665,19.32l9.646-19.32L215.508,76.285z"/>
-	<path fill="#FFFFFF" d="M250.874,76.285c0,0,0,35.771,0,38.135c0,9.136-7.493,16.428-16.37,16.423
-		c-4.157,0-8.009-1.576-10.934-4.196l4.24-4.24c1.809,1.532,4.143,2.464,6.693,2.459c5.745,0,10.396-4.696,10.396-10.446v-9.141
-		c-2.85,2.359-6.488,3.724-10.396,3.724c-8.894,0.005-16.384-7.171-16.384-16.372c0-0.194,0-16.345,0-16.345h5.972
-		c0,0,0.003,15.907,0.003,16.345c0,5.722,4.659,10.451,10.409,10.446c5.745,0,10.396-4.701,10.396-10.446V76.285H250.874z"/>
-</g>
-<g>
-	<polygon fill="#FFFFFF" points="65.469,5.431 10.124,37.409 10.125,101.877 65.462,134.109 120.813,101.895 120.813,37.407 	"/>
-	<g>
-		<path fill="#1904DA" d="M63.957,92.94V79.575c-6.048-2.856-9.846-8.792-9.768-15.27l-12.456-7.193
-			c-0.783,7.101,0.852,14.447,4.636,20.771C50.545,84.86,56.46,89.923,63.957,92.94z"/>
-		<path fill="#1904DA" d="M63.957,111.255V95.742c-8.438-3.162-15.089-8.73-19.77-16.553c-4.275-7.141-5.989-15.458-4.842-23.457
-			l-11.564-6.678C21.14,74.652,36.57,101.186,63.957,111.255z"/>
-		<path fill="#08B1D5" d="M66.804,95.596v15.649c26.877-10.306,42.715-37.348,36.372-62.1l-11.488,6.693
-			c1.481,8.635,0.079,16.879-4.065,23.865C83.476,86.697,76.281,92.188,66.804,95.596z"/>
-		<path fill="#08B1D5" d="M66.804,79.551v13.402c8.456-3.219,14.89-8.239,18.632-14.548c3.675-6.197,5.016-13.512,3.896-21.2
-			L76.888,64.38C76.826,70.53,73.171,76.032,66.804,79.551z"/>
-		<path fill="#FFC900" d="M78.53,41.442c5.228,2.549,9.501,6.608,12.373,11.749l11.183-6.458c-0.075-0.105-0.146-0.211-0.211-0.316
-			c-4.4-7.116-10.209-12.47-17.267-15.913c-19.641-9.576-44.026-2.441-55.772,16.23l11.227,6.481
-			C48.47,40.15,65.268,34.975,78.53,41.442z"/>
-		<path fill="#FFC900" d="M65.771,55.646c1.762,0,3.527,0.385,5.182,1.193h0.001c2.175,1.062,3.954,2.75,5.158,4.894L88.7,54.463
-			c-2.618-4.7-6.516-8.409-11.285-10.735c-12.078-5.888-27.409-1.16-35.147,10.76l12.525,7.229
-			C57.397,57.836,61.572,55.646,65.771,55.646z"/>
-		<path fill="#08B1D5" d="M66.804,130.848l51.828-30.205V40.14l-13.177,7.677c7.242,26.586-9.654,55.513-38.651,66.142V130.848z"/>
-		<path fill="#1904DA" d="M25.5,47.738l-13.196-7.621v60.509l51.653,30.22v-16.883C34.902,103.736,18.087,74.773,25.5,47.738z"/>
-		<path fill="#FFC900" d="M85.722,28.218c7.498,3.656,13.661,9.329,18.316,16.859c0.074,0.12,0.164,0.245,0.263,0.376l13.056-7.539
-			L65.469,7.948l-51.9,29.973l13.061,7.54C39.042,25.644,64.896,18.062,85.722,28.218z"/>
-		<path fill="#FF0036" d="M74.264,64.806c0.001-0.014,0.022-0.508-0.015-1.301c-0.104-0.324-1.328-2.715-4.385-4.383
-			c-2.089-1.139-4.769-1.27-7.357-0.362c-2.536,0.891-4.688,2.664-5.922,4.873c-0.015,0.192-0.044,0.647-0.022,1.173
-			c0.167,4.129,2.721,9.743,7.931,12.311l0.802,0.383l0.696-0.372C71.055,74.294,74.07,69.803,74.264,64.806z"/>
-	</g>
-</g>
-<g>
-	<path fill="#FFFFFF" d="M149.768,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
-		s8.789,3.943,8.789,8.789V48.152z M140.979,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
-		C146.199,36.485,143.858,34.143,140.979,34.143z"/>
-	<path fill="#FFFFFF" d="M208.745,48.152h-8.789c-4.846,0-8.789-3.943-8.789-8.789c0-4.846,3.943-8.789,8.789-8.789
-		c4.846,0,8.789,3.943,8.789,8.789V48.152z M199.956,34.143c-2.878,0-5.22,2.342-5.22,5.22c0,2.878,2.342,5.22,5.22,5.22h5.22v-5.22
-		C205.176,36.485,202.835,34.143,199.956,34.143z"/>
-	<path fill="#FFFFFF" d="M180.296,48.156c-4.848,0-8.793-3.944-8.793-8.793v-8.248h3.571v8.248c0,2.879,2.343,5.222,5.222,5.222
-		c2.879,0,5.222-2.343,5.222-5.222v-8.248h3.571v8.248C189.089,44.211,185.144,48.156,180.296,48.156z"/>
-	<path fill="#FFFFFF" d="M160.636,30.574c-4.846,0-8.789,3.943-8.789,8.789c0,4.846,3.943,8.789,8.789,8.789l3.569-3.569h-3.569
-		c-2.878,0-5.22-2.342-5.22-5.22c0-2.878,2.342-5.22,5.22-5.22c2.878,0,5.22,2.342,5.22,5.22V56.54h3.569V39.363
-		C169.425,34.516,165.482,30.574,160.636,30.574z"/>
-</g>
-</svg>

brand/Trivy-OSS-Logo-White-Horizontal-RGB.svg

@@ -0,0 +1,69 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 28.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 1920 891" style="enable-background:new 0 0 1920 891;" xml:space="preserve">
+<style type="text/css">
+	.st0{fill:#FFFFFF;}
+	.st1{fill:#50F0FF;}
+	.st2{fill:#0744DD;}
+	.st3{fill:#FFC900;}
+	.st4{fill:#FF0036;}
+</style>
+<g>
+	<g>
+		<path class="st0" d="M1421.86,281.92h-46.97c-25.9,0-46.97-21.07-46.97-46.97c0-25.9,21.07-46.97,46.97-46.97
+			c25.9,0,46.97,21.07,46.97,46.97V281.92z M1374.89,207.05c-15.38,0-27.9,12.52-27.9,27.9c0,15.38,12.52,27.9,27.9,27.9h27.9v-27.9
+			C1402.79,219.57,1390.28,207.05,1374.89,207.05z"/>
+		<path class="st0" d="M1737.06,281.92h-46.97c-25.9,0-46.97-21.07-46.97-46.97c0-25.9,21.07-46.97,46.97-46.97
+			c25.9,0,46.97,21.07,46.97,46.97V281.92z M1690.09,207.05c-15.38,0-27.9,12.52-27.9,27.9c0,15.38,12.52,27.9,27.9,27.9h27.9v-27.9
+			C1717.98,219.57,1705.47,207.05,1690.09,207.05z"/>
+		<path class="st0" d="M1585.02,281.94c-25.91,0-46.99-21.08-46.99-46.99v-44.08h19.08v44.08c0,15.39,12.52,27.91,27.91,27.91
+			c15.39,0,27.91-12.52,27.91-27.91v-44.08h19.09v44.08C1632.01,260.86,1610.92,281.94,1585.02,281.94z"/>
+		<path class="st0" d="M1479.94,187.98c-25.9,0-46.97,21.07-46.97,46.97c0,25.9,21.07,46.97,46.97,46.97l19.07-19.07h-19.07
+			c-15.38,0-27.9-12.52-27.9-27.9c0-15.38,12.52-27.9,27.9-27.9c15.38,0,27.9,12.52,27.9,27.9v91.8h19.07v-91.8
+			C1526.91,209.05,1505.84,187.98,1479.94,187.98z"/>
+	</g>
+	<g>
+		<path class="st0" d="M942.76,588.45v46.29c-31.53,0-59.94-11.34-82.34-30.14c-28.15-23.63-46.04-59.08-46.04-98.71V274.06h46.04
+			v105.2h82.34v46.59h-82.34v81.19C861.05,552.1,897.55,588.45,942.76,588.45z"/>
+		<path class="st0" d="M1106.82,379.26v45.98c-43.65,0.1-79.18,34.71-80.78,77.98v131.52h-46.12V379.26h46.12v29.16
+			C1047.97,390.24,1076.12,379.3,1106.82,379.26z"/>
+		<path class="st0" d="M1136.4,353.72v-40.29h46.05v40.29H1136.4z M1136.4,634.74V379.26h46.05v255.48H1136.4z"/>
+		<path class="st0" d="M1464.76,379.26l-127.64,255.48l-127.8-255.48h52.33l75.47,150.88l75.31-150.88H1464.76z"/>
+		<path class="st0" d="M1740.81,379.26c0,0,0,279.32,0,297.8c0,71.31-58.52,128.26-127.83,128.2
+			c-32.47,0.03-62.55-12.29-85.37-32.76l33.1-33.09c14.13,11.97,32.36,19.22,52.28,19.2c44.86,0,81.17-36.69,81.17-81.55v-71.39
+			c-22.26,18.42-50.67,29.09-81.17,29.06c-69.46,0.06-127.95-56-127.95-127.85c0-1.51,0-127.64,0-127.64h46.64
+			c0,0,0.02,124.23,0.02,127.64c0,44.67,36.39,81.6,81.28,81.55c44.86,0,81.17-36.69,81.17-81.55V379.26H1740.81z"/>
+	</g>
+	<g>
+		<g>
+			<g>
+				<path class="st1" d="M428.54,364.9c0.04,0,0.08,0,0.12,0c6.56,0.01,11.98-5.03,11.98-11.58V135.99l-12.23-6.83l-12.18,6.8
+					v217.36c0,6.56,5.43,11.61,11.98,11.58C428.32,364.9,428.43,364.9,428.54,364.9z"/>
+				<path class="st2" d="M355.18,463.55L153.55,598.87v15.41l11.49,6.29l203.73-136.73c5.23-3.51,6.53-10.52,3.15-15.84
+					c-0.14-0.23-0.29-0.45-0.43-0.68C367.99,461.7,360.68,459.86,355.18,463.55z"/>
+				<path class="st3" d="M488.27,483.95l203.55,136.61l11.45-6.28v-15.44L501.86,463.66c-5.51-3.7-12.82-1.87-16.32,3.76
+					c-0.13,0.21-0.27,0.43-0.4,0.64C481.73,473.4,483.02,480.43,488.27,483.95z"/>
+				<path class="st0" d="M727.69,282.29v-13.96l-12.5-6.98l-0.93-0.49L440.33,107.87l-11.92-6.64l-11.87,6.64L142.56,260.86
+					l-0.93,0.49l-12.5,6.98v13.96l-0.93,0.54l0.93,0.49v13.92v331.5l12.69,6.94l266.85,146.2l3.37,1.85l16.41,8.98l16.36-8.98
+					l3.37-1.85l266.85-146.2l12.65-6.94v-331.5v-13.87l0.98-0.54L727.69,282.29z M440.95,758.05V511.4c0-6.72-5.5-12.22-12.22-12.21
+					l-0.19,0l-0.13,0c-6.72-0.01-12.22,5.49-12.22,12.21v246.64L165.04,620.57l-11.49-6.29v-15.41V294.7l199.98,109.56
+					c5.77,3.16,13.1,1.04,16.28-4.72l0.14-0.26c3.22-5.83,1.08-13.22-4.76-16.42L167.81,274.72l248.42-138.75l12.18-6.8l12.23,6.83
+					l248.37,138.73L491.47,382.95c-5.81,3.18-7.63,10.45-4.41,16.24c0.05,0.1,0.11,0.2,0.16,0.29c3.16,5.73,10.22,8.01,15.96,4.86
+					L703.27,294.7v304.15v15.44l-11.45,6.28L440.95,758.05z"/>
+			</g>
+			<circle class="st4" cx="428.54" cy="432.05" r="35.42"/>
+		</g>
+		<path class="st1" d="M617.65,262.99L426.32,155.74c-5.88-3.3-7.98-10.74-4.68-16.62v0c3.3-5.88,10.74-7.98,16.62-4.68
+			l191.33,107.25c5.88,3.3,7.98,10.74,4.68,16.62l0,0C630.97,264.19,623.53,266.29,617.65,262.99z"/>
+		<path class="st1" d="M533.81,271.27l-107.48-60.25c-5.88-3.3-7.98-10.74-4.68-16.62v0c3.3-5.88,10.74-7.98,16.62-4.68
+			l107.48,60.25c5.88,3.3,7.98,10.74,4.68,16.62v0C547.13,272.47,539.69,274.56,533.81,271.27z"/>
+		<path class="st1" d="M569.02,291L569.02,291c-5.88-3.3-7.98-10.74-4.68-16.62l0,0c3.3-5.88,10.74-7.98,16.62-4.68v0
+			c5.88,3.3,7.98,10.74,4.68,16.62v0C582.34,292.2,574.9,294.3,569.02,291z"/>
+		<path class="st1" d="M462.29,288.33l-35.7-20.01c-5.88-3.3-7.98-10.74-4.68-16.62v0c3.3-5.88,10.74-7.98,16.62-4.68l35.7,20.01
+			c5.88,3.3,7.98,10.74,4.68,16.62v0C475.61,289.53,468.17,291.63,462.29,288.33z"/>
+		<path class="st1" d="M516.16,321.21l-20.67-11.58c-5.88-3.3-7.98-10.74-4.68-16.62v0c3.3-5.88,10.74-7.98,16.62-4.68l20.67,11.58
+			c5.88,3.3,7.98,10.74,4.68,16.62v0C529.48,322.41,522.04,324.51,516.16,321.21z"/>
+	</g>
+</g>
+</svg>

brand/Trivy-OSS-Logo-White-Stacked-RGB-2022.svg

@@ -1,59 +0,0 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
-<!-- Generator: Adobe Illustrator 26.3.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
-<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
-	 viewBox="0 0 500 524" enable-background="new 0 0 500 524" xml:space="preserve">
-<g>
-	<path fill="#FFFFFF" d="M186.351,471.553v8.229c-5.606,0-10.656-2.019-14.639-5.363c-5.005-4.199-8.182-10.502-8.182-17.544v-41.21
-		h8.182v18.699h14.639v8.282h-14.639v14.43C171.824,465.089,178.316,471.553,186.351,471.553z"/>
-	<path fill="#FFFFFF" d="M215.533,434.363v8.175c-7.762,0.016-14.08,6.172-14.361,13.86v23.384h-8.202v-45.419h8.202v5.185
-		C205.069,436.313,210.074,434.371,215.533,434.363z"/>
-	<path fill="#FFFFFF" d="M220.803,423.832v-8.191h8.186v8.191H220.803z M220.803,479.782v-45.419h8.186v45.419H220.803z"/>
-	<path fill="#FFFFFF" d="M279.191,434.363l-22.694,45.419l-22.716-45.419h9.3l13.417,26.82l13.39-26.82H279.191z"/>
-	<path fill="#FFFFFF" d="M328.286,434.363c0,0,0,49.656,0,52.938c0,12.682-10.402,22.805-22.725,22.798
-		c-5.771,0-11.118-2.188-15.178-5.824l5.887-5.887c2.512,2.126,5.751,3.42,9.291,3.413c7.975,0,14.431-6.519,14.431-14.5v-12.689
-		c-3.956,3.275-9.006,5.17-14.431,5.17c-12.346,0.007-22.743-9.954-22.743-22.728c0-0.27,0-22.69,0-22.69h8.291
-		c0,0,0.004,22.082,0.004,22.69c0,7.944,6.468,14.508,14.45,14.5c7.975,0,14.431-6.526,14.431-14.5v-22.691H328.286z"/>
-</g>
-<g>
-	<polygon fill="#FFFFFF" points="250.554,44.159 116.876,121.396 116.877,277.11 250.537,354.962 384.229,277.154 384.229,121.392 	
-		"/>
-	<g>
-		<path fill="#1904DA" d="M246.902,255.524v-32.282c-14.609-6.898-23.783-21.236-23.594-36.882l-30.086-17.374
-			c-1.892,17.15,2.057,34.896,11.198,50.171C214.507,236.009,228.793,248.237,246.902,255.524z"/>
-		<path fill="#1904DA" d="M246.902,299.761v-37.468c-20.381-7.638-36.445-21.086-47.752-39.981
-			c-10.325-17.249-14.466-37.337-11.695-56.657l-27.931-16.129C143.482,211.352,180.751,275.442,246.902,299.761z"/>
-		<path fill="#08B1D5" d="M253.779,261.938v37.797c64.918-24.892,103.171-90.209,87.852-149.994l-27.747,16.165
-			c3.578,20.856,0.191,40.77-9.818,57.644C294.046,240.446,276.67,253.707,253.779,261.938z"/>
-		<path fill="#08B1D5" d="M253.779,223.185v32.371c20.424-7.774,35.964-19.9,45.004-35.138c8.877-14.969,12.116-32.637,9.411-51.205
-			l-30.06,17.33C277.985,201.395,269.156,214.685,253.779,223.185z"/>
-		<path fill="#FFC900" d="M282.1,131.138c12.628,6.157,22.948,15.961,29.885,28.378l27.012-15.598
-			c-0.182-0.255-0.351-0.51-0.509-0.764c-10.628-17.188-24.658-30.12-41.707-38.435c-47.439-23.13-106.339-5.896-134.71,39.2
-			l27.117,15.654C209.496,128.018,250.069,115.518,282.1,131.138z"/>
-		<path fill="#FFC900" d="M251.284,165.445c4.256,0,8.519,0.931,12.516,2.881h0.002c5.253,2.564,9.549,6.643,12.458,11.821
-			l30.404-17.558c-6.323-11.352-15.738-20.312-27.257-25.93c-29.172-14.223-66.203-2.802-84.893,25.99l30.251,17.46
-			C231.056,170.735,241.141,165.445,251.284,165.445z"/>
-		<path fill="#08B1D5" d="M253.779,347.086l125.184-72.957V127.993l-31.828,18.542c17.491,64.215-23.319,134.084-93.356,159.757
-			V347.086z"/>
-		<path fill="#1904DA" d="M154.014,146.345l-31.873-18.406v146.151l124.761,72.993v-40.779
-			C176.723,281.599,136.109,211.643,154.014,146.345z"/>
-		<path fill="#FFC900" d="M299.471,99.198c18.111,8.832,32.995,22.533,44.241,40.722c0.179,0.289,0.397,0.592,0.636,0.908
-			l31.536-18.21l-125.33-72.378l-125.358,72.395l31.548,18.211C186.722,92.98,249.169,74.667,299.471,99.198z"/>
-		<path fill="#FF0036" d="M271.797,187.57c0.002-0.035,0.052-1.226-0.036-3.143c-0.251-0.783-3.208-6.558-10.592-10.586
-			c-5.045-2.751-11.518-3.068-17.769-0.874c-6.124,2.152-11.322,6.434-14.303,11.769c-0.036,0.464-0.105,1.563-0.052,2.832
-			c0.404,9.974,6.573,23.534,19.156,29.736l1.938,0.925l1.682-0.899C264.046,210.487,271.328,199.641,271.797,187.57z"/>
-	</g>
-</g>
-<g>
-	<path fill="#FFFFFF" d="M186.846,398.474H175.2c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
-		s11.646,5.224,11.646,11.646V398.474z M175.2,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916h6.916
-		v-6.916C182.117,383.015,179.014,379.912,175.2,379.912z"/>
-	<path fill="#FFFFFF" d="M264.991,398.474h-11.646c-6.421,0-11.646-5.224-11.646-11.646c0-6.422,5.224-11.646,11.646-11.646
-		c6.421,0,11.646,5.224,11.646,11.646V398.474z M253.345,379.912c-3.814,0-6.916,3.103-6.916,6.916c0,3.814,3.103,6.916,6.916,6.916
-		h6.916v-6.916C260.261,383.015,257.159,379.912,253.345,379.912z"/>
-	<path fill="#FFFFFF" d="M227.295,398.479c-6.424,0-11.651-5.226-11.651-11.651V375.9h4.731v10.928c0,3.815,3.104,6.919,6.919,6.919
-		c3.815,0,6.919-3.104,6.919-6.919V375.9h4.731v10.928C238.946,393.253,233.719,398.479,227.295,398.479z"/>
-	<path fill="#FFFFFF" d="M201.245,375.183c-6.421,0-11.645,5.224-11.645,11.646c0,6.421,5.224,11.646,11.645,11.646l4.729-4.729
-		h-4.729c-3.814,0-6.916-3.103-6.916-6.916c0-3.814,3.103-6.916,6.916-6.916c3.814,0,6.916,3.103,6.916,6.916v22.76h4.729v-22.76
-		C212.891,380.407,207.666,375.183,201.245,375.183z"/>
-</g>
-</svg>

contrib/asff.tpl

@@ -128,7 +128,7 @@
         {
             "SchemaVersion": "2018-10-08",
             "Id": "{{ $target }}",
-            "ProductArn": "arn:aws:securityhub:{{ env "AWS_DEFAULT_REGION" }}::product/aquasecurity/aquasecurity",
+            "ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity",
             "GeneratorId": "Trivy",
             "AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
             "Types": [ "Sensitive Data Identifications" ],
@@ -145,7 +145,7 @@
                     "Type": "Other",
                     "Id": "{{ $target }}",
                     "Partition": "aws",
-                    "Region": "{{ env "AWS_DEFAULT_REGION" }}",
+                    "Region": "{{ env "AWS_REGION" }}",
                     "Details": {
                         "Other": {
                             "Filename": "{{ $target }}"

docs/community/contribute/discussion.md

@@ -24,7 +24,7 @@ There are 4 categories:
     If you find any false positives or false negatives, please make sure to report them under the "False Detection" category, not "Bugs".
 
 ## False detection
-Trivy depends on [multiple data sources](https://aquasecurity.github.io/trivy/latest/docs/vulnerability/detection/data-source/).
+Trivy depends on [multiple data sources](https://aquasecurity.github.io/trivy/latest/docs/scanner/vulnerability/#data-sources).
 Sometime these databases contain mistakes.
 
 If Trivy can't detect any CVE-IDs or shows false positive result, at first please follow the next steps:

docs/docs/configuration/filtering.md

@@ -408,7 +408,7 @@ Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2)
 
 </details>
 
-## By Open Policy Agent
+## By Rego
 
 |     Scanner      | Supported |
 |:----------------:|:---------:|
@@ -420,75 +420,68 @@ Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2)
 !!! warning "EXPERIMENTAL"
     This feature might change without preserving backwards compatibility.
 
-Trivy supports Open Policy Agent (OPA) to filter vulnerabilities.
-You can specify a Rego file with `--ignore-policy` option.
+[Rego](https://www.openpolicyagent.org/docs/latest/policy-language/) is a policy language that allows you to express decision logic in a concise syntax. 
+Rego is part of the popular [Open Policy Agent (OPA)](https://www.openpolicyagent.org) CNCF project.
+For advanced filtering, Trivy allows you to use Rego language to filter vulnerabilities.
 
-The Rego package name must be `trivy` and it must include a rule called `ignore` which determines if each individual vulnerability should be excluded (ignore=true) or not (ignore=false). In the policy, each vulnerability will be available for inspection as the `input` variable. The structure of each vulnerability input is the same as for the Trivy JSON output.  
-There is a built-in Rego library with helper functions that you can import into your policy using: `import data.lib.trivy`. For more info about the helper functions, look at the library [here][helper]
+Use the `--ignore-policy` flag which takes a path to a Rego file that defines the filtering policy.
+The Rego package name must be `trivy` and it must include a "rule" named `ignore` which determines if each individual scan result should be excluded (ignore=true) or not (ignore=false).
+The `input` for the evaluation is each [DetectedVulnerability](https://github.com/aquasecurity/trivy/blob/00f2059e5d7bc2ca2e3e8b1562bdfede1ed570e3/pkg/types/vulnerability.go#L9) and [DetectedMisconfiguration](https://github.com/aquasecurity/trivy/blob/00f2059e5d7bc2ca2e3e8b1562bdfede1ed570e3/pkg/types/misconfiguration.go#L6).
 
-To get started, see the [example policy][policy].
+A practical way to observe the filtering policy input in your case, is to run a scan with the `--format json` option and look at the resulting structure:
 
 ```bash
-$ trivy image --ignore-policy contrib/example_policy/basic.rego centos:7
+trivy image -f json centos:7
+
+...
+  "Results": [
+    {
+      "Target": "centos:7 (centos 7.9.2009)",
+      "Class": "os-pkgs",
+      "Type": "centos",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2015-5186",
+          "PkgID": "audit-libs@2.8.5-4.el7.x86_64",
+          "PkgName": "audit-libs",
+          "InstalledVersion": "2.8.5-4.el7",
+          "Layer": {
+            "Digest": "sha256:2d473b07cdd5f0912cd6f1a703352c82b512407db6b05b43f2553732b55df3bc",
+            "DiffID": "sha256:174f5685490326fc0a1c0f5570b8663732189b327007e47ff13d2ca59673db02"
+          },
+          "SeveritySource": "redhat",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2015-5186",
+          "Title": "log terminal emulator escape sequences handling",
+          "Description": "Audit before 2.4.4 in Linux does not sanitize escape characters in filenames.",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-20"
+          ],
+...
 ```
 
-<details>
-<summary>Result</summary>
+Each individual vulnerability (under `Results.Vulnerabilities`) or Misconfiguration (under `Results.Misconfigurations`) is evaluated for exclusion or inclusion by the `ignore` rule.
+
+The following is a Rego ignore policy that filters out every vulnerability with a specific CWE ID (as seen in the JSON example above):
+
+```rego
+package trivy
+
+default ignore = false
+
+ignore {
+	input.CweIDs[_] == "CWE-20"
+}
+```
 
 ```bash
-centos:7 (centos 7.9.2009)
-==========================
-Total: 9 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 4, CRITICAL: 5)
-
-+--------------+------------------+----------+-------------------+-------------------+-----------------------------------------+
-|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |   FIXED VERSION   |                  TITLE                  |
-+--------------+------------------+----------+-------------------+-------------------+-----------------------------------------+
-| glib2        | CVE-2015-8385    | HIGH     | 2.56.1-7.el7      |                   | pcre: buffer overflow caused            |
-|              |                  |          |                   |                   | by named forward reference              |
-|              |                  |          |                   |                   | to duplicate group number...            |
-|              |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2015-8385    |
-+              +------------------+          +                   +-------------------+-----------------------------------------+
-|              | CVE-2016-3191    |          |                   |                   | pcre: workspace overflow for            |
-|              |                  |          |                   |                   | (*ACCEPT) with deeply nested            |
-|              |                  |          |                   |                   | parentheses (8.39/13, 10.22/12)         |
-|              |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2016-3191    |
-+              +------------------+          +                   +-------------------+-----------------------------------------+
-|              | CVE-2021-27219   |          |                   | 2.56.1-9.el7_9    | glib: integer overflow in               |
-|              |                  |          |                   |                   | g_bytes_new function on                 |
-|              |                  |          |                   |                   | 64-bit platforms due to an...           |
-|              |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2021-27219   |
-+--------------+------------------+----------+-------------------+-------------------+-----------------------------------------+
-| glibc        | CVE-2019-1010022 | CRITICAL | 2.17-317.el7      |                   | glibc: stack guard protection bypass    |
-|              |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2019-1010022 |
-+--------------+                  +          +                   +-------------------+                                         +
-| glibc-common |                  |          |                   |                   |                                         |
-|              |                  |          |                   |                   |                                         |
-+--------------+------------------+          +-------------------+-------------------+-----------------------------------------+
-| nss          | CVE-2021-43527   |          | 3.53.1-3.el7_9    | 3.67.0-4.el7_9    | nss: Memory corruption in               |
-|              |                  |          |                   |                   | decodeECorDsaSignature with             |
-|              |                  |          |                   |                   | DSA signatures (and RSA-PSS)            |
-|              |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2021-43527   |
-+--------------+                  +          +                   +                   +                                         +
-| nss-sysinit  |                  |          |                   |                   |                                         |
-|              |                  |          |                   |                   |                                         |
-|              |                  |          |                   |                   |                                         |
-|              |                  |          |                   |                   |                                         |
-+--------------+                  +          +                   +                   +                                         +
-| nss-tools    |                  |          |                   |                   |                                         |
-|              |                  |          |                   |                   |                                         |
-|              |                  |          |                   |                   |                                         |
-|              |                  |          |                   |                   |                                         |
-+--------------+------------------+----------+-------------------+-------------------+-----------------------------------------+
-| openssl-libs | CVE-2020-1971    | HIGH     | 1:1.0.2k-19.el7   | 1:1.0.2k-21.el7_9 | openssl: EDIPARTYNAME                   |
-|              |                  |          |                   |                   | NULL pointer de-reference               |
-|              |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2020-1971    |
-+--------------+------------------+----------+-------------------+-------------------+-----------------------------------------+
+trivy image --ignore-policy contrib/example_policy/basic.rego centos:7
 ```
 
-</details>
+For more advanced use cases, there is a built-in Rego library with helper functions that you can import into your policy using: `import data.lib.trivy`.
+More info about the helper functions are in the library [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go).
 
-[helper]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go
-[policy]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/contrib/example_policy
+You can find more example policies [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go)
 
 ## By Inline Comments
 
@@ -503,7 +496,7 @@ Some configuration file formats (e.g. Terraform) support inline comments.
 
 In cases where trivy can detect comments of a specific format immediately adjacent to resource definitions, it is possible to filter/ignore findings from a single point of resource definition (in contrast to `.trivyignore`, which has a directory-wide scope on all of the files scanned).
 
-The format for these comments is `trivy:ignore:<Vulnerability ID>` immediately following the format-specific line-comment token.
+The format for these comments is `trivy:ignore:<Vulnerability ID>` immediately following the format-specific line-comment token. You can add multiple ignores on the same comment line.
 
 For example, to filter a Vulnerability ID "AVD-GCP-0051" in a Terraform HCL file:
 
@@ -515,4 +508,14 @@ resource "google_container_cluster" "one_off_test" {
 }
 ```
 
+For example, to filter vulnerabilities "AVD-GCP-0051" and "AVD-GCP-0053" in a Terraform HCL file:
+
+```terraform
+#trivy:ignore:AVD-GCP-0051 trivy:ignore:AVD-GCP-0053
+resource "google_container_cluster" "one_off_test" {
+  name     = var.cluster_name
+  location = var.region
+}
+```
+
 [^1]: license name is used as id for `.trivyignore.yaml` files

docs/docs/coverage/language/golang.md

@@ -68,7 +68,7 @@ If there is a Go binary in your container image, Trivy automatically finds and s
 Also, you can scan your local binaries.
 
 ```
-$ trivy fs ./your_binary
+$ trivy rootfs ./your_binary
 ```
 
 !!! note

docs/docs/coverage/language/java.md

@@ -11,11 +11,11 @@ Each artifact supports the following scanners:
 
 The following table provides an outline of the features Trivy offers.
 
-| Artifact         |    Internet access    | Dev dependencies | [Dependency graph][dependency-graph] |
-|------------------|:---------------------:|:----------------:|:------------------------------------:|
-| JAR/WAR/PAR/EAR  |     Trivy Java DB     |     Include      |                  -                   |
-| pom.xml          | Maven repository [^1] |     Exclude      |                  ✓                   |
-| *gradle.lockfile |           -           |     Exclude      |                  -                   |
+| Artifact         |    Internet access    | Dev dependencies | [Dependency graph][dependency-graph] | Position |
+|------------------|:---------------------:|:----------------:|:------------------------------------:|:--------:|
+| JAR/WAR/PAR/EAR  |     Trivy Java DB     |     Include      |                  -                   |    -     |
+| pom.xml          | Maven repository [^1] |     Exclude      |                  ✓                   |  ✓[^7]   |
+| *gradle.lockfile |           -           |     Exclude      |                  -                   |    -     |
 
 These may be enabled or disabled depending on the target.
 See [here](./index.md) for the detail.
@@ -46,7 +46,7 @@ If your machine doesn't have the necessary files - Trivy tries to find the infor
 
 !!! Note
     Trivy only takes information about packages. We don't take a list of vulnerabilities for packages from the `maven repository`.
-    Information about data sources for Java you can see [here](../../scanner/vulnerability.md#data-sources_1).
+    Information about data sources for Java you can see [here](../../scanner/vulnerability.md#data-sources-1).
 
 You can disable connecting to the maven repository with the `--offline-scan` flag.
 The `--offline-scan` flag does not affect the Trivy database.
@@ -67,5 +67,6 @@ It doesn't require the internet access.
 [^4]: e.g. when parent pom.xml file has `../pom.xml` path
 [^5]: When you use dependency path in `relativePath` field in pom.xml file
 [^6]: `/Users/<username>/.m2/repository` (for Linux and Mac) and `C:/Users/<username>/.m2/repository` (for Windows) by default
+[^7]: To avoid confusion, Trivy only finds locations for direct dependencies from the base pom.xml file.
 
 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies

docs/docs/coverage/language/nodejs.md

@@ -1,14 +1,15 @@
 # Node.js
 
-Trivy supports three types of Node.js package managers: `npm`, `Yarn` and `pnpm`.
+Trivy supports four types of Node.js package managers: `npm`, `Yarn`, `pnpm` and `Bun`[^1].
 
 The following scanners are supported.
 
-| Artifact | SBOM  | Vulnerability | License |
-| -------- | :---: | :-----------: | :-----: |
-| npm      |   ✓   |       ✓       |    ✓    |
-| Yarn     |   ✓   |       ✓       |    ✓    |
-| pnpm     |   ✓   |       ✓       |    -    |
+| Artifact | SBOM | Vulnerability | License |
+|----------|:----:|:-------------:|:-------:|
+| npm      |  ✓   |       ✓       |    ✓    |
+| Yarn     |  ✓   |       ✓       |    ✓    |
+| pnpm     |  ✓   |       ✓       |    -    |
+| Bun      |  ✓   |       ✓       |    ✓    |
 
 The following table provides an outline of the features Trivy offers.
 
@@ -17,11 +18,12 @@ The following table provides an outline of the features Trivy offers.
 |       npm       | package-lock.json |            ✓            | [Excluded](#npm)  |                  ✓                   |    ✓     |
 |      Yarn       | yarn.lock         |            ✓            | [Excluded](#yarn) |                  ✓                   |    ✓     |
 |      pnpm       | pnpm-lock.yaml    |            ✓            |     Excluded      |                  ✓                   |    -     |
+|       Bun       | yarn.lock         |            ✓            | [Excluded](#yarn) |                  ✓                   |    ✓     |
 
 In addition, Trivy scans installed packages with `package.json`.
 
 | File         | Dependency graph | Position | License |
-| ------------ | :--------------: | :------: | :-----: |
+|--------------|:----------------:|:--------:|:-------:|
 | package.json |        -         |    -     |    ✅    |
 
 These may be enabled or disabled depending on the target.
@@ -42,7 +44,10 @@ By default, Trivy doesn't report development dependencies. Use the `--include-de
 
 ### Yarn
 Trivy parses `yarn.lock`, which doesn't contain information about development dependencies.
-To exclude devDependencies, `package.json` also needs to be present next to `yarn.lock`. 
+Trivy also uses `package.json` file to handle [aliases](https://classic.yarnpkg.com/lang/en/docs/cli/add/#toc-yarn-add-alias).
+
+To exclude devDependencies and allow aliases, `package.json` also needs to be present next to `yarn.lock`.
+
 Trivy analyzes `.yarn` (Yarn 2+) or `node_modules` (Yarn Classic) folder next to the yarn.lock file to detect licenses.
 
 By default, Trivy doesn't report development dependencies. Use the `--include-dev-deps` flag to include them.
@@ -50,6 +55,12 @@ By default, Trivy doesn't report development dependencies. Use the `--include-de
 ### pnpm
 Trivy parses `pnpm-lock.yaml`, then finds production dependencies and builds a [tree][dependency-graph] of dependencies with vulnerabilities.
 
+### Bun
+Trivy supports scanning `yarn.lock` files generated by [Bun](https://bun.sh/docs/install/lockfile#how-do-i-inspect-bun-s-lockfile). You can use the command `bun install -y` to generate a Yarn-compatible `yarn.lock`.
+
+!!! note
+    `bun.lockb` is not supported.
+
 ## Packages
 Trivy parses the manifest files of installed packages in container image scanning and so on.
 
@@ -57,4 +68,6 @@ Trivy parses the manifest files of installed packages in container image scannin
 Trivy searches for `package.json` files under `node_modules` and identifies installed packages.
 It only extracts package names, versions and licenses for those packages.
 
-[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
+[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
+
+[^1]: [yarn.lock](#bun) must be generated

docs/docs/coverage/os/index.md

@@ -11,7 +11,7 @@ Trivy supports operating systems for
 
 | OS                                            | Supported Versions                  | Package Managers |
 |-----------------------------------------------|-------------------------------------|------------------|
-| [Alpine Linux](alpine.md)                     | 2.2 - 2.7, 3.0 - 3.18, edge         | apk              |
+| [Alpine Linux](alpine.md)                     | 2.2 - 2.7, 3.0 - 3.19, edge         | apk              |
 | [Wolfi Linux](wolfi.md)                       | (n/a)                               | apk              |
 | [Chainguard](chainguard.md)                   | (n/a)                               | apk              |
 | [Red Hat Enterprise Linux](rhel.md)           | 6, 7, 8                             | dnf/yum/rpm      |
@@ -42,4 +42,4 @@ Each page gives more details.
 
 [sbom]: ../../supply-chain/sbom.md
 [vuln]: ../../scanner/vulnerability.md
-[license]: ../../scanner/license.md
+[license]: ../../scanner/license.md

docs/docs/references/configuration/cli/trivy_filesystem.md

@@ -87,6 +87,7 @@ trivy filesystem [flags] PATH
       --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
       --trace                             enable more verbose trace output for custom queries
       --username strings                  username. Comma-separated usernames allowed.
+      --vex string                        [EXPERIMENTAL] file path to VEX
       --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
 ```
 

docs/docs/references/configuration/cli/trivy_image.md

@@ -106,6 +106,7 @@ trivy image [flags] IMAGE_NAME
       --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
       --trace                             enable more verbose trace output for custom queries
       --username strings                  username. Comma-separated usernames allowed.
+      --vex string                        [EXPERIMENTAL] file path to VEX
       --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
 ```
 

docs/docs/references/configuration/cli/trivy_kubernetes.md

@@ -28,6 +28,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
 
 ```
   -A, --all-namespaces                    fetch resources from all cluster namespaces
+      --burst int                         specify the maximum burst for throttle (default 10)
       --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
       --cache-ttl duration                cache TTL when using redis as cache backend
       --clear-cache                       clear image caches without scanning
@@ -72,6 +73,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
       --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
       --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
       --policy-namespaces strings         Rego namespaces
+      --qps float                         specify the maximum QPS to the master from this client (default 5)
       --redis-ca string                   redis ca file location, if using redis as cache backend
       --redis-cert string                 redis certificate file location, if using redis as cache backend
       --redis-key string                  redis key file location, if using redis as cache backend
@@ -95,6 +97,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
       --tolerations strings               specify node-collector job tolerations (example: key1=value1:NoExecute,key2=value2:NoSchedule)
       --trace                             enable more verbose trace output for custom queries
       --username strings                  username. Comma-separated usernames allowed.
+      --vex string                        [EXPERIMENTAL] file path to VEX
       --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
 ```
 

docs/docs/references/configuration/cli/trivy_repository.md

@@ -87,6 +87,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
       --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
       --trace                             enable more verbose trace output for custom queries
       --username strings                  username. Comma-separated usernames allowed.
+      --vex string                        [EXPERIMENTAL] file path to VEX
       --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
 ```
 

docs/docs/references/configuration/cli/trivy_rootfs.md

@@ -88,6 +88,7 @@ trivy rootfs [flags] ROOTDIR
       --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
       --trace                             enable more verbose trace output for custom queries
       --username strings                  username. Comma-separated usernames allowed.
+      --vex string                        [EXPERIMENTAL] file path to VEX
       --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
 ```
 

docs/docs/references/configuration/cli/trivy_vm.md

@@ -75,6 +75,7 @@ trivy vm [flags] VM_IMAGE
       --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
       --token string                      for authentication in client/server mode
       --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
+      --vex string                        [EXPERIMENTAL] file path to VEX
       --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
 ```
 

docs/docs/references/troubleshooting.md

@@ -12,6 +12,61 @@
 
 Your scan may time out. Java takes a particularly long time to scan. Try increasing the value of the ---timeout option such as `--timeout 15m`.
 
+### Unable to initialize an image scanner
+
+!!! error
+    ```bash
+    $ trivy image ...
+    ...
+    2024-01-19T08:15:33.288Z	FATAL	image scan error: scan error: unable to initialize a scanner: unable to initialize an image scanner: 4 errors occurred:
+	* docker error: unable to inspect the image (ContainerImageName): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
+	* containerd error: containerd socket not found: /run/containerd/containerd.sock
+	* podman error: unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
+	* remote error: GET https://index.docker.io/v2/ContainerImageName: MANIFEST_UNKNOWN: manifest unknown; unknown tag=0.1
+    ```
+    
+It means Trivy is unable to find the container image in the following places:
+
+* Docker Engine
+* containerd
+* Podman
+* A remote registry
+
+Please see error messages for details of each error.
+
+Common mistakes include the following, depending on where you are pulling images from:
+
+#### Common
+- Typos in the image name
+    - Common mistake :)
+- Forgetting to specify the registry
+    - By default, it is considered to be Docker Hub ( `index.docker.io` ).
+
+#### Docker Engine
+- Incorrect Docker host
+    - If the Docker daemon's socket path is not `/var/run/docker.sock`, you need to specify the `--docker-host` flag or the `DOCKER_HOST` environment variable.
+      The same applies when using TCP; you must specify the correct host address.
+
+#### containerd
+- Incorrect containerd address
+    - If you are using a non-default path, you need to specify the `CONTAINERD_ADDRESS` environment variable.
+      Please refer to [this documentation](../target/container_image.md#containerd).
+- Incorrect namespace
+    - If you are using a non-default namespace, you need to specify the `CONTAINERD_NAMESPACE` environment variable.
+      Please refer to [this documentation](../target/container_image.md#containerd).
+    - 
+#### Podman
+- Podman socket configuration
+    - You need to enable the Podman socket. Please refer to [this documentation](../target/container_image.md#podman).
+
+#### Container Registry
+- Unauthenticated
+    - If you are using a private container registry, you need to authenticate. Please refer to [this documentation](../advanced/private-registries/index.md).
+- Using a proxy
+    - If you are using a proxy within your network, you need to correctly set the `HTTP_PROXY`, `HTTPS_PROXY`, etc., environment variables.
+- Use of a self-signed certificate in the registry
+    - Because certificate verification will fail, you need to either trust that certificate or use the `--insecure` flag (not recommended in production).
+
 ### Certification
 
 !!! error

docs/docs/supply-chain/attestation/vuln.md

@@ -179,13 +179,14 @@ You can use Cosign to sign without keys by authenticating with an OpenID Connect
 
 ```
 $ trivy image --format cosign-vuln -o vuln.json <IMAGE>
-$ COSIGN_EXPERIMENTAL=1 cosign attest --type vuln --predicate vuln.json <IMAGE>
+$ cosign attest --type vuln --predicate vuln.json <IMAGE>
 ```
+This will provide a certificate in the output section.
 
-You can verify attestations.
+You can verify attestations:
 
 ```
-$ COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type vuln <IMAGE>
+$ cosign verify-attestation --certificate=path-to-the-certificate --type vuln --certificate-identity Email-used-to-sign  --certificate-oidc-issuer='the-issuer-used' <IMAGE>
 ```
 
 [vuln-attest-spec]: https://github.com/sigstore/cosign/blob/95b74db89941e8ec85e768f639efd4d948db06cd/specs/COSIGN_VULN_ATTESTATION_SPEC.md

docs/docs/supply-chain/sbom.md

@@ -217,13 +217,16 @@ $ cat result.json | jq .
   "version": 1,
   "metadata": {
     "timestamp": "2022-02-22T15:11:40.270597Z",
-    "tools": [
-      {
-        "vendor": "aquasecurity",
-        "name": "trivy",
-        "version": "dev"
-      }
-    ],
+    "tools": {
+      "components": [
+        {
+          "type": "application",
+          "group": "aquasecurity",
+          "name": "trivy",
+          "version": "dev"
+        }
+      ]
+    },
     "component": {
       "bom-ref": "pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64",
       "type": "container",

docs/docs/supply-chain/vex.md

@@ -4,15 +4,25 @@
     This feature might change without preserving backwards compatibility.
 
 Trivy supports filtering detected vulnerabilities using [the Vulnerability Exploitability Exchange (VEX)](https://www.ntia.gov/files/ntia/publications/vex_one-page_summary.pdf), a standardized format for sharing and exchanging information about vulnerabilities.
-By providing VEX alongside the Software Bill of Materials (SBOM) during scanning, it is possible to filter vulnerabilities based on their status.
-Currently, Trivy supports the following two formats:
+By providing VEX during scanning, it is possible to filter vulnerabilities based on their status.
+Currently, Trivy supports the following three formats:
 
 - [CycloneDX](https://cyclonedx.org/capabilities/vex/)
 - [OpenVEX](https://github.com/openvex/spec)
+- [CSAF](https://oasis-open.github.io/csaf-documentation/specification.html)
 
 This is still an experimental implementation, with only minimal functionality added.
 
 ## CycloneDX
+|     Target      | Supported |
+|:---------------:|:---------:|
+| Container Image |           |
+|   Filesystem    |           |
+| Code Repository |           |
+|    VM Image     |           |
+|   Kubernetes    |           |
+|      SBOM       |     ✅     |
+
 There are [two VEX formats](https://cyclonedx.org/capabilities/vex/) for CycloneDX:
 
 - Independent BOM and VEX BOM
@@ -27,7 +37,7 @@ The following steps are required:
 2. Create a VEX based on the SBOM generated in step 1
 3. Provide the VEX when scanning the CycloneDX SBOM
 
-### Generating the SBOM
+### Generate the SBOM
 You can generate a CycloneDX SBOM with Trivy as follows:
 
 ```shell
@@ -116,23 +126,24 @@ Total: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
 CVE-2020-8911 is no longer shown as it is filtered out according to the given CycloneDX VEX document.
 
 ## OpenVEX
+|     Target      | Supported |
+|:---------------:|:---------:|
+| Container Image |     ✅     |
+|   Filesystem    |     ✅     |
+| Code Repository |     ✅     |
+|    VM Image     |     ✅     |
+|   Kubernetes    |     ✅     |
+|      SBOM       |     ✅     |
+
 Trivy also supports [OpenVEX][openvex] that is designed to be minimal, compliant, interoperable, and embeddable.
-Since OpenVEX aims to be SBOM format agnostic, both CycloneDX and SPDX formats are available for use as input SBOMs in Trivy.
+OpenVEX can be used in all Trivy targets, unlike CycloneDX VEX.
 
 The following steps are required:
 
-1. Generate a SBOM (CycloneDX or SPDX)
-2. Create a VEX based on the SBOM generated in step 1
-3. Provide the VEX when scanning the SBOM
+1. Create a VEX document
+2. Provide the VEX when scanning your target
 
-### Generating the SBOM
-You can generate a CycloneDX or SPDX SBOM with Trivy as follows:
-
-```shell
-$ trivy image --format spdx-json --output debian11.spdx.json debian:11
-```
-
-### Create the VEX
+### Create the VEX document
 Please see also [the example](https://github.com/openvex/examples).
 In Trivy, [the Package URL (PURL)][purl] is used as the product identifier.
 
@@ -166,11 +177,11 @@ In the above example, PURLs, located in `packages.externalRefs.referenceLocator`
     `pkg:deb/debian/curl@7.50.3-1` in OpenVEX matches `pkg:deb/debian/curl@7.50.3-1?arch=i386`, 
     while `pkg:deb/debian/curl@7.50.3-1?arch=amd64` does not match `pkg:deb/debian/curl@7.50.3-1?arch=i386`.
 
-### Scan SBOM with VEX
-Provide the VEX when scanning the SBOM.
+### Scan with VEX
+Provide the VEX when scanning your target.
 
 ```
-$ trivy sbom debian11.spdx.json --vex debian11.openvex
+$ trivy image debian:11 --vex debian11.openvex
 ...
 2023-04-26T17:56:05.358+0300    INFO    Filtered out the detected vulnerability {"VEX format": "OpenVEX", "vulnerability-id": "CVE-2019-8457", "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"}
 
@@ -181,5 +192,187 @@ Total: 80 (UNKNOWN: 0, LOW: 58, MEDIUM: 6, HIGH: 16, CRITICAL: 0)
 
 CVE-2019-8457 is no longer shown as it is filtered out according to the given OpenVEX document.
 
+
+## CSAF
+|     Target      | Supported |
+|:---------------:|:---------:|
+| Container Image |     ✅     |
+|   Filesystem    |     ✅     |
+| Code Repository |     ✅     |
+|    VM Image     |     ✅     |
+|   Kubernetes    |     ✅     |
+|      SBOM       |     ✅     |
+
+Trivy also supports [CSAF][csaf] format for VEX.
+Since CSAF aims to be SBOM format agnostic, both CycloneDX and SPDX formats are available for use as input SBOMs in Trivy.
+
+The following steps are required:
+
+1. Create a CSAF document
+2. Provide the CSAF when scanning your target
+
+
+### Create the CSAF document
+Create a CSAF document in JSON format as follows:
+
+```
+$ cat <<EOF > debian11.vex.csaf
+{
+  "document": {
+    "category": "csaf_vex",
+    "csaf_version": "2.0",
+    "notes": [
+      {
+        "category": "summary",
+        "text": "Example Company VEX document. Unofficial content for demonstration purposes only.",
+        "title": "Author comment"
+      }
+    ],
+    "publisher": {
+      "category": "vendor",
+      "name": "Example Company ProductCERT",
+      "namespace": "https://psirt.example.com"
+    },
+    "title": "AquaSecurity example VEX document",
+    "tracking": {
+      "current_release_date": "2024-01-01T11:00:00.000Z",
+      "generator": {
+        "date": "2024-01-01T11:00:00.000Z",
+        "engine": {
+          "name": "Secvisogram",
+          "version": "1.11.0"
+        }
+      },
+      "id": "2024-EVD-UC-01-A-001",
+      "initial_release_date": "2024-01-01T11:00:00.000Z",
+      "revision_history": [
+        {
+          "date": "2024-01-01T11:00:00.000Z",
+          "number": "1",
+          "summary": "Initial version."
+        }
+      ],
+      "status": "final",
+      "version": "1"
+    }
+  },
+  "product_tree": {
+    "branches": [
+      {
+        "branches": [
+          {
+            "branches": [
+              {
+                "category": "product_version",
+                "name": "5.3",
+                "product": {
+                  "name": "Database Libraries 5.3",
+                  "product_id": "LIBDB-5328",
+                  "product_identification_helper": {
+                    "purl": "pkg:deb/debian/libdb5.3@5.3.28%2Bdfsg1-0.8?arch=amd64\u0026distro=debian-11.8"
+                  }
+                }
+              }
+            ],
+            "category": "product_name",
+            "name": "Database Libraries"
+          }
+        ],
+        "category": "vendor",
+        "name": "Debian"
+      }
+    ]
+  },
+  "vulnerabilities": [
+    {
+      "cve": "CVE-2019-8457",
+      "notes": [
+        {
+          "category": "description",
+          "text": "SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.",
+          "title": "CVE description"
+        }
+      ],
+      "product_status": {
+        "known_not_affected": [
+          "LIBDB-5328"
+        ]
+      },
+      "threats": [
+        {
+          "category": "impact",
+          "details": "Vulnerable code not in execute path.",
+          "product_ids": [
+            "LIBDB-5328"
+          ]
+        }
+      ]
+    }
+  ]
+}
+EOF
+```
+
+### Scan with CSAF VEX
+Provide the CSAF document when scanning your target.
+
+```console
+$ trivy image debian:11 --vex debian11.vex.csaf
+...
+2024-01-02T10:28:26.704+0100	INFO	Filtered out the detected vulnerability	{"VEX format": "CSAF", "vulnerability-id": "CVE-2019-8457", "status": "not_affected"}
+
+debian11.spdx.json (debian 11.6)
+================================
+Total: 80 (UNKNOWN: 0, LOW: 58, MEDIUM: 6, HIGH: 16, CRITICAL: 0)
+```
+
+CVE-2019-8457 is no longer shown as it is filtered out according to the given CSAF document.
+
+## Appendix
+### PURL matching
+In the context of VEX, Package URLs (PURLs) are utilized to identify specific software packages and their versions.
+The PURL matching specification outlines how PURLs are interpreted for vulnerability exception processing, ensuring precise identification and broad coverage of software packages.
+
+!!! note
+    The following PURL matching rules are not formally defined within the current official PURL specification.
+    Instead, they represent [a community consensus][purl-matching] on how to interpret PURLs.
+
+Below are the key aspects of the PURL matching rules:
+
+#### Matching Without Version
+A PURL without a specified version (e.g., `pkg:maven/com.google.guava/guava`) matches all versions of that package.
+This rule simplifies the application of vulnerability exceptions to all versions of a package.
+
+**Example**: `pkg:maven/com.google.guava/guava` matches:
+
+- All versions of `guava`, such as `com.google.guava:guava:24.1.1`, `com.google.guava:guava:30.0`.
+ 
+#### Matching Without Qualifiers
+A PURL without any qualifiers (e.g., `pkg:maven/com.google.guava/guava@24.1.1`) matches any variation of that package, irrespective of qualifiers.
+This approach ensures broad matching capabilities, covering all architectural or platform-specific variations of a package version.
+
+**Example**: `pkg:maven/com.google.guava/guava@24.1.1` matches:
+
+- `pkg:maven/com.google.guava/guava@24.1.1?classifier=x86`
+- `pkg:maven/com.google.guava/guava@24.1.1?type=pom`
+
+#### Matching With Specific Qualifiers
+A PURL that includes specific qualifiers (e.g., `pkg:maven/com.google.guava/guava@24.1.1?classifier=x86`) matches only those package versions that include the same qualifiers.
+
+**Example**: `pkg:maven/com.google.guava/guava@24.1.1?classifier=x86` matches:
+
+- `pkg:maven/com.google.guava/guava@24.1.1?classifier=x86&type=dll`
+    - Extra qualifiers (e.g., `type=dll`) are ignored.
+
+does not match:
+
+- `pkg:maven/com.google.guava/guava@24.1.1`
+    - `classifier=x86` is missing.
+- `pkg:maven/com.google.guava/guava@24.1.1?classifier=sources`
+    - `classifier` must have the same value.
+
+
+[csaf]: https://oasis-open.github.io/csaf-documentation/specification.html
 [openvex]: https://github.com/openvex/spec
-[purl]: https://github.com/package-url/purl-spec
+[purl]: https://github.com/package-url/purl-spec
+[purl-matching]: https://github.com/openvex/spec/issues/27

docs/ecosystem/reporting.md

@@ -1,4 +1,4 @@
-# Security Management
+# Reporting
 
 ## SonarQube (Community)
 A Trivy plugin that converts JSON report to SonarQube [generic issues format](https://docs.sonarqube.org/9.6/analyzing-source-code/importing-external-issues/generic-issue-import-format/).
@@ -9,3 +9,13 @@ A Trivy plugin that converts JSON report to SonarQube [generic issues format](ht
 DefectDojo can parse Trivy JSON reports. The parser supports deduplication and auto-close features.
 
 👉 Get it at: <https://github.com/DefectDojo/django-DefectDojo>
+
+## Scan2html (Community)
+A Trivy plugin that scans and outputs the results to an interactive html file.
+
+👉 Get it at: <https://github.com/fatihtokus/scan2html>
+
+## Trivy-Streamlit (Community)
+Trivy-Streamlit is a Streamlit application that allows you to quickly parse the results from a Trivy JSON report.
+
+👉 Get it at: <https://github.com/mfreeman451/trivy-streamlit>

docs/imgs/logo-horizontal.svg

@@ -1,32 +1,85 @@
-<svg width="265" height="135" viewBox="0 0 265 135" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path d="M148.629 103.077V109.005C144.591 109.005 140.953 107.551 138.084 105.142C134.479 102.117 132.19 97.5774 132.19 92.5044V62.8164H138.084V76.2874H148.629V82.2534H138.084V92.6484C138.164 98.4204 142.84 103.077 148.629 103.077Z" fill="#07242D"/>
-<path d="M169.65 76.2852V82.1742C164.059 82.1852 159.507 86.6201 159.305 92.1581V109.003H153.397V76.2852H159.305V80.0201C162.113 77.6891 165.718 76.2912 169.65 76.2852Z" fill="#07242D"/>
-<path d="M173.447 68.6988V62.7988H179.344V68.6988H173.447ZM173.447 109.004V76.2858H179.344V109.005H173.447V109.004Z" fill="#07242D"/>
-<path d="M215.508 76.2852L199.16 109.004L182.796 76.2852H189.495L199.16 95.6052L208.806 76.2852H215.508Z" fill="#07242D"/>
-<path d="M250.874 76.2852C250.874 76.2852 250.874 112.056 250.874 114.42C250.874 123.556 243.381 130.848 234.504 130.843C230.347 130.843 226.495 129.267 223.57 126.647L227.81 122.407C229.619 123.939 231.953 124.871 234.503 124.866C240.248 124.866 244.899 120.17 244.899 114.42V105.279C242.049 107.638 238.411 109.003 234.503 109.003C225.609 109.008 218.119 101.832 218.119 92.6311C218.119 92.4371 218.119 76.2862 218.119 76.2862H224.091C224.091 76.2862 224.094 92.1931 224.094 92.6311C224.094 98.3531 228.753 103.082 234.503 103.077C240.248 103.077 244.899 98.3761 244.899 92.6311V76.2852H250.874Z" fill="#07242D"/>
-<path d="M166.114 59.3782H169.243V39.9432C169.253 39.7722 169.243 39.5992 169.243 39.4262C169.243 34.6752 165.402 30.8242 160.651 30.8242C155.9 30.8242 152.049 34.6752 152.049 39.4262C152.049 44.1772 155.9 48.0282 160.651 48.0282H161.086L164.25 44.8782H160.89H160.651C157.64 44.8782 155.2 42.4372 155.2 39.4272C155.2 36.4172 157.641 33.9762 160.651 33.9762C163.662 33.9762 166.114 36.4172 166.114 39.4272V59.3782Z" fill="#07242D"/>
-<path d="M185.899 30.8242V39.5332C185.899 42.5742 183.434 45.0512 180.394 45.0512C177.353 45.0512 174.886 42.5742 174.886 39.5332V30.8242H171.837V39.5332C171.837 39.5332 171.837 39.5332 171.837 39.5402C171.837 44.2692 175.665 48.1082 180.394 48.1082C185.123 48.1082 188.955 44.2812 188.955 39.5522C188.955 39.5462 188.955 39.5332 188.955 39.5332V30.8242H185.899Z" fill="#07242D"/>
-<path d="M148.941 36.5135C145.536 27.5195 132.339 29.7035 132.139 39.4525C132.144 41.5465 132.863 43.4245 134.118 44.9545C135.59 46.7415 137.764 47.9275 140.219 48.0885C140.408 48.1005 140.598 48.1075 140.789 48.1075H149.454C149.454 48.1075 149.454 39.4515 149.454 39.4525C149.454 38.4535 149.281 37.4515 148.941 36.5135ZM146.252 44.9475C146.252 44.9475 142.315 44.9475 140.797 44.9475C137.769 44.9475 135.315 42.4795 135.315 39.4515C135.315 37.9345 135.932 36.5745 136.928 35.5815L136.929 35.5825C140.315 32.1515 146.274 34.5585 146.253 39.4515C146.252 40.9695 146.252 44.9475 146.252 44.9475Z" fill="#07242D"/>
-<path d="M208.351 36.5135C204.946 27.5195 191.749 29.7035 191.549 39.4525C191.554 41.5465 192.273 43.4245 193.528 44.9545C195 46.7415 197.174 47.9275 199.629 48.0885C199.818 48.1005 200.008 48.1075 200.199 48.1075H208.864C208.864 48.1075 208.864 39.4515 208.864 39.4525C208.863 38.4535 208.69 37.4515 208.351 36.5135ZM205.661 44.9475C205.661 44.9475 201.724 44.9475 200.206 44.9475C197.178 44.9475 194.724 42.4795 194.724 39.4515C194.724 37.9345 195.341 36.5745 196.337 35.5815L196.338 35.5825C199.724 32.1515 205.683 34.5585 205.662 39.4515C205.661 40.9695 205.661 44.9475 205.661 44.9475Z" fill="#07242D"/>
-<path d="M65.469 5.43164L10.124 37.4096L10.125 101.878L65.462 134.11L120.813 101.896V37.4076L65.469 5.43164Z" fill="white"/>
-<path d="M64.4641 79.2511C58.2051 76.4341 54.5051 70.4121 54.7021 64.0161L41.3221 56.2891C40.3241 63.6921 41.9181 71.4341 45.9341 78.1431C50.2081 85.2841 56.3811 90.6031 64.4651 93.6831V79.2511H64.4641Z" fill="#1904DA"/>
-<path d="M64.9709 94.4207L64.2839 94.1587C56.2419 91.0947 49.9219 85.7947 45.4989 78.4057C41.4619 71.6607 39.7999 63.7827 40.8199 56.2227L40.9209 55.4727L55.2169 63.7287L55.2079 64.0327C55.0139 70.3227 58.7289 76.1157 64.6709 78.7887L64.9699 78.9237V94.4207H64.9709ZM41.7329 57.1127C40.9499 64.2137 42.5849 71.5597 46.3689 77.8837C50.5449 84.8607 56.4599 89.9237 63.9569 92.9407V79.5767C57.9089 76.7207 54.1109 70.7847 54.1889 64.3067L41.7329 57.1127Z" fill="white"/>
-<path d="M64.4641 111.978V95.3902C55.8061 92.2282 49.1731 86.5352 44.6211 78.9302C40.3151 71.7362 38.6771 63.3972 39.8971 55.4672L27.4611 48.2852C20.3371 74.2882 36.3221 101.982 64.4641 111.978Z" fill="#1904DA"/>
-<path d="M64.9709 112.696L64.2949 112.456C50.5849 107.586 39.2219 98.3286 32.2989 86.3876C25.3779 74.4516 23.4859 60.8726 26.9719 48.1506L27.1459 47.5176L40.4509 55.2006L40.3989 55.5436C39.1879 63.4146 40.8429 71.6266 45.0569 78.6686C49.6779 86.3896 56.2659 91.8556 64.6389 94.9126L64.9719 95.0346V112.696H64.9709ZM27.7809 49.0556C21.1389 74.6526 36.5699 101.188 63.9569 111.256V95.7426C55.5189 92.5806 48.8679 87.0126 44.1869 79.1896C39.9119 72.0486 38.1979 63.7316 39.3449 55.7326L27.7809 49.0556Z" fill="white"/>
-<path d="M66.2969 95.24V111.979C93.9189 101.751 110.5 74.105 103.496 48.373L91.1269 55.579C92.6709 64.132 91.3249 72.47 87.1869 79.446C82.9369 86.613 75.5139 91.992 66.2969 95.24Z" fill="#08B1D5"/>
-<path d="M65.79 112.708V94.8806L66.129 94.7616C75.546 91.4436 82.676 86.0576 86.753 79.1876C90.825 72.3196 92.166 64.1876 90.629 55.6696L90.566 55.3196L103.812 47.6016L103.985 48.2396C110.962 73.8746 94.485 102.082 66.473 112.455L65.79 112.708ZM66.804 95.5976V111.247C93.681 100.941 109.519 73.8986 103.176 49.1466L91.688 55.8396C93.17 64.4746 91.767 72.7186 87.623 79.7046C83.476 86.6986 76.281 92.1896 66.804 95.5976Z" fill="white"/>
-<path d="M76.3809 64.0884C76.4369 70.2984 72.7869 75.7614 66.2969 79.2514V93.6844C74.9209 90.5404 81.8869 85.3844 85.8719 78.6654C89.7309 72.1594 91.0429 64.3964 89.7199 56.3984L76.3809 64.0884Z" fill="#08B1D5"/>
-<path d="M65.79 94.4097V78.9487L66.057 78.8048C72.348 75.4208 75.926 70.0588 75.873 64.0928L75.87 63.7967L90.101 55.5938L90.22 56.3158C91.575 64.5068 90.223 72.3247 86.308 78.9237C82.345 85.6057 75.486 90.8747 66.47 94.1607L65.79 94.4097ZM66.804 79.5528V92.9548C75.26 89.7358 81.694 84.7157 85.436 78.4067C89.111 72.2097 90.452 64.8948 89.332 57.2068L76.888 64.3817C76.826 70.5317 73.171 76.0338 66.804 79.5528Z" fill="white"/>
-<path d="M78.3069 41.8987C83.5239 44.4427 87.7739 48.5187 90.5959 53.6847C90.6329 53.7527 90.6679 53.8237 90.7049 53.8917L102.837 46.8857C102.644 46.6427 102.459 46.3967 102.306 46.1507C97.8549 38.9517 91.9759 33.5347 84.8299 30.0497C64.6569 20.2117 39.9379 27.6297 28.1289 46.9117L40.2319 53.8977C48.4489 40.6847 64.9909 35.4047 78.3069 41.8987Z" fill="#FFC900"/>
-<path d="M90.5038 54.5924L90.1508 53.9304C87.3788 48.8534 83.2058 44.8524 78.0848 42.3534C65.1428 36.0424 48.7038 41.2304 40.6608 54.1654L40.4018 54.5814L27.4238 47.0914L27.6948 46.6474C39.6018 27.2064 64.7978 19.7184 85.0508 29.5944C92.2848 33.1224 98.2348 38.6034 102.736 45.8844C102.879 46.1134 103.053 46.3434 103.233 46.5704L103.598 47.0314L90.5038 54.5924ZM28.8358 46.7354L40.0628 53.2164C48.4698 40.1524 65.2678 34.9764 78.5298 41.4434C83.7578 43.9924 88.0308 48.0514 90.9028 53.1924L102.087 46.7344C102.012 46.6294 101.941 46.5234 101.876 46.4184C97.4758 39.3024 91.6668 33.9484 84.6088 30.5054C64.9668 20.9294 40.5818 28.0644 28.8358 46.7354Z" fill="white"/>
-<path d="M70.7312 57.2939C72.8912 58.3469 74.6422 60.0479 75.7962 62.2119C75.8352 62.2849 75.8692 62.3619 75.9062 62.4359L89.3792 54.6559C89.3372 54.5769 89.2962 54.4949 89.2532 54.4169C86.5842 49.5309 82.5672 45.6759 77.6362 43.2719C65.0392 37.1279 49.3712 42.1399 41.5562 54.6619L54.9562 62.3959C58.4482 56.7959 65.2052 54.5999 70.7312 57.2939Z" fill="#FFC900"/>
-<path d="M75.6891 63.1474L75.3461 62.4474C74.2461 60.3824 72.5721 58.7574 70.5081 57.7504H70.5091C65.2351 55.1804 58.7351 57.2924 55.3861 62.6654L55.1281 63.0814L40.8491 54.8394L41.1271 54.3944C49.1731 41.5044 64.9661 36.5264 77.8601 42.8174C82.8851 45.2674 86.9801 49.1954 89.6991 54.1744L90.0601 54.8494L75.6891 63.1474ZM65.7711 55.6464C67.5331 55.6464 69.2981 56.0314 70.9531 56.8394H70.9541C73.1291 57.9014 74.9081 59.5894 76.1121 61.7334L88.7001 54.4634C86.0821 49.7634 82.1841 46.0544 77.4151 43.7284C65.3371 37.8404 50.0061 42.5684 42.2681 54.4884L54.7921 61.7174C57.3971 57.8364 61.5721 55.6464 65.7711 55.6464Z" fill="white"/>
-<path d="M119.14 39.2578L104.862 47.5758C112.393 74.3508 95.1229 103.21 66.2979 113.604V131.732L119.14 100.935V39.2578Z" fill="#08B1D5"/>
-<path d="M65.79 132.614V113.248L66.125 113.127C94.965 102.727 111.766 73.994 104.374 47.713L104.268 47.335L119.647 38.375V101.225L119.395 101.372L65.79 132.614ZM66.804 113.959V130.849L118.632 100.644V40.141L105.455 47.818C112.697 74.404 95.801 103.331 66.804 113.959Z" fill="white"/>
-<path d="M11.7979 39.2402V100.918L64.4648 131.731V113.603C35.1148 103.455 18.4449 74.5442 26.0949 47.4952L12.4679 39.6262L11.7979 39.2402Z" fill="#1904DA"/>
-<path d="M64.971 132.614L11.29 101.208V38.3613L26.69 47.2533L26.583 47.6333C19.022 74.3663 35.735 103.133 64.63 113.124L64.972 113.242V132.614H64.971ZM12.304 100.626L63.957 130.846V113.963C34.902 103.736 18.087 74.7733 25.5 47.7383L12.304 40.1173V100.626Z" fill="white"/>
-<path d="M12.5542 37.9232L14.1102 38.8222L26.8032 46.1482C39.0142 26.1752 64.6102 18.4892 85.5002 28.6762C92.9102 32.2902 99.0022 37.8992 103.607 45.3472C103.753 45.5832 103.956 45.8412 104.177 46.1132L118.372 37.9162L65.4692 7.36523L12.5542 37.9232Z" fill="#FFC900"/>
-<path d="M26.977 46.8333L11.541 37.9223L65.469 6.7793L65.723 6.9253L119.386 37.9153L104.056 46.7673L103.784 46.4323C103.547 46.1413 103.331 45.8643 103.176 45.6123C98.622 38.2473 92.601 32.7023 85.279 29.1303C64.768 19.1303 39.274 26.7213 27.236 46.4113L26.977 46.8333ZM13.569 37.9223L26.63 45.4623C39.042 25.6453 64.896 18.0633 85.722 28.2193C93.22 31.8763 99.382 37.5483 104.038 45.0783C104.112 45.1983 104.202 45.3233 104.301 45.4543L117.357 37.9153L65.469 7.9493L13.569 37.9223Z" fill="white"/>
-<path d="M66.2373 77.5717C71.4443 74.6597 74.5703 69.9977 74.7713 64.8267C74.7713 64.8267 74.7943 64.3137 74.7553 63.4817C74.7473 63.3107 73.6003 60.5827 70.1063 58.6777C65.4143 56.1197 58.7563 58.5807 56.0903 63.4817C56.0903 63.4817 56.0263 64.0827 56.0563 64.8267C56.2473 69.5267 59.1433 75.0457 64.2703 77.5717L65.3093 78.0677L66.2373 77.5717Z" fill="#FF445F"/>
-<path d="M65.3232 78.6355L64.0532 78.0294C58.4362 75.2604 55.7362 69.4144 55.5502 64.8475C55.5182 64.0745 55.5842 63.4544 55.5872 63.4274L55.6452 63.2394C56.9892 60.7704 59.3682 58.7895 62.1722 57.8035C65.0272 56.7995 68.0082 56.9554 70.3502 58.2314C73.8942 60.1634 75.2422 62.9965 75.2622 63.4575C75.3032 64.3175 75.2782 64.8484 75.2782 64.8484C75.0702 70.2064 71.8652 75.0054 66.4852 78.0145L65.3232 78.6355ZM56.5862 63.6325C56.5712 63.8245 56.5422 64.2795 56.5642 64.8055C56.7312 68.9345 59.2862 74.5484 64.4952 77.1164L65.2972 77.4995L65.9932 77.1274C71.0552 74.2944 74.0702 69.8044 74.2642 64.8074C74.2652 64.7934 74.2862 64.2995 74.2492 63.5065C74.1452 63.1825 72.9212 60.7915 69.8642 59.1235C67.7752 57.9845 65.0952 57.8535 62.5072 58.7615C59.9722 59.6505 57.8202 61.4234 56.5862 63.6325Z" fill="white"/>
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 28.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 1920 891" style="enable-background:new 0 0 1920 891;" xml:space="preserve">
+<style type="text/css">
+	.st0{fill:#031730;}
+	.st1{fill:#08B1D5;}
+	.st2{fill:#1904DA;}
+	.st3{fill:#FFC900;}
+	.st4{fill:#FF0036;}
+</style>
+<g>
+	<g>
+		<g>
+			<g>
+				<g>
+					<path class="st0" d="M1437.8,277.53h-46.05c-25.39,0-46.05-20.66-46.05-46.05c0-25.39,20.66-46.05,46.05-46.05
+						c25.39,0,46.05,20.66,46.05,46.05V277.53z M1391.75,204.13c-15.08,0-27.35,12.27-27.35,27.35c0,15.08,12.27,27.35,27.35,27.35
+						h27.35v-27.35C1419.1,216.4,1406.84,204.13,1391.75,204.13z"/>
+				</g>
+			</g>
+			<g>
+				<g>
+					<path class="st0" d="M1746.82,277.53h-46.05c-25.39,0-46.05-20.66-46.05-46.05c0-25.39,20.66-46.05,46.05-46.05
+						c25.39,0,46.05,20.66,46.05,46.05V277.53z M1700.77,204.13c-15.08,0-27.35,12.27-27.35,27.35c0,15.08,12.27,27.35,27.35,27.35
+						h27.35v-27.35C1728.12,216.4,1715.85,204.13,1700.77,204.13z"/>
+				</g>
+			</g>
+			<g>
+				<path class="st0" d="M1597.76,277.55c-25.4,0-46.07-20.66-46.07-46.07v-43.22h18.71v43.22c0,15.09,12.28,27.36,27.36,27.36
+					s27.36-12.28,27.36-27.36v-43.22h18.71v43.22C1643.83,256.88,1623.16,277.55,1597.76,277.55z"/>
+			</g>
+			<g>
+				<path class="st0" d="M1494.75,185.43c-25.39,0-46.05,20.66-46.05,46.05c0,25.39,20.66,46.05,46.05,46.05l18.7-18.7h-18.7
+					c-15.08,0-27.35-12.27-27.35-27.35c0-15.08,12.27-27.35,27.35-27.35s27.35,12.27,27.35,27.35v90h18.7v-90
+					C1540.8,206.09,1520.14,185.43,1494.75,185.43z"/>
+			</g>
+		</g>
+	</g>
+	<g>
+		<g>
+			<path class="st0" d="M968.09,578.05v45.38c-30.92,0-58.76-11.12-80.72-29.55c-27.59-23.17-45.14-57.93-45.14-96.78V269.82h45.14
+				v103.14h80.72v45.68h-80.72v79.6C887.98,542.42,923.77,578.05,968.09,578.05z"/>
+			<path class="st0" d="M1128.93,372.97v45.08c-42.79,0.09-77.63,34.03-79.2,76.45v128.94h-45.21V372.96h45.21v28.59
+				C1071.24,383.73,1098.84,373.01,1128.93,372.97z"/>
+			<path class="st0" d="M1157.94,347.93v-39.5h45.14v39.5H1157.94z M1157.94,623.44V372.96h45.14v250.48H1157.94z"/>
+			<path class="st0" d="M1479.86,372.96l-125.14,250.48l-125.3-250.48h51.3l73.99,147.93l73.84-147.93H1479.86z"/>
+			<path class="st0" d="M1750.5,372.96c0,0,0,273.85,0,291.97c0,69.91-57.37,125.75-125.32,125.69
+				c-31.84,0.03-61.33-12.05-83.7-32.11l32.45-32.45c13.85,11.74,31.73,18.85,51.25,18.82c43.98,0,79.58-35.97,79.58-79.95v-69.99
+				c-21.82,18.06-49.68,28.52-79.58,28.49c-68.1,0.06-125.44-54.9-125.44-125.35c0-1.49,0-125.13,0-125.13h45.73
+				c0,0,0.02,121.79,0.02,125.13c0,43.8,35.68,80,79.69,79.96c43.98,0,79.58-35.97,79.58-79.96V372.96H1750.5z"/>
+		</g>
+	</g>
+	<g>
+		<g>
+			<g>
+				<path class="st1" d="M463.95,358.89c0.04,0,0.08,0,0.12,0c6.43,0.01,11.75-4.93,11.75-11.36V134.47l-11.99-6.7l-11.94,6.67
+					v213.1c0,6.43,5.32,11.38,11.75,11.35C463.73,358.89,463.84,358.89,463.95,358.89z"/>
+				<path class="st2" d="M392.02,455.6L194.35,588.27v15.11l11.26,6.17L405.34,475.5c5.13-3.44,6.41-10.31,3.09-15.52
+					c-0.14-0.22-0.28-0.44-0.42-0.67C404.58,453.78,397.42,451.98,392.02,455.6z"/>
+				<path class="st3" d="M522.51,475.6l199.56,133.93l11.23-6.15v-15.14L535.83,455.71c-5.4-3.62-12.56-1.83-16,3.69
+					c-0.13,0.21-0.26,0.42-0.4,0.63C516.09,465.26,517.36,472.15,522.51,475.6z"/>
+				<path class="st0" d="M757.23,277.9V264.2l-12.26-6.85l-0.91-0.48L475.5,106.89l-11.68-6.51l-11.63,6.51L183.58,256.88
+					l-0.91,0.48l-12.25,6.85v13.69l-0.91,0.53l0.91,0.48v13.64v325.01l12.45,6.8l261.62,143.33l3.3,1.82l16.08,8.81l16.04-8.81
+					l3.3-1.82l261.62-143.33l12.4-6.8V292.55v-13.6l0.96-0.53L757.23,277.9z M476.11,744.33V502.51c0-6.59-5.39-11.98-11.98-11.97
+					l-0.18,0l-0.12,0c-6.59-0.01-11.98,5.38-11.98,11.97v241.81L205.61,609.55l-11.26-6.17v-15.11V290.06l196.06,107.42
+					c5.66,3.1,12.84,1.02,15.97-4.63l0.14-0.25c3.16-5.71,1.06-12.96-4.67-16.1L208.33,270.47l243.55-136.03l11.94-6.67l11.99,6.7
+					l243.5,136.01L525.64,376.58c-5.7,3.12-7.48,10.25-4.32,15.92c0.05,0.1,0.11,0.19,0.16,0.29c3.1,5.62,10.02,7.85,15.65,4.77
+					l196.16-107.5v298.19v15.14l-11.23,6.15L476.11,744.33z"/>
+			</g>
+			<circle class="st4" cx="463.95" cy="424.72" r="34.73"/>
+		</g>
+		<path class="st1" d="M649.35,258.97L461.77,153.83c-5.77-3.23-7.82-10.53-4.59-16.29v0c3.23-5.77,10.53-7.82,16.29-4.59
+			l187.58,105.15c5.77,3.23,7.82,10.53,4.59,16.29v0C662.41,260.15,655.12,262.2,649.35,258.97z"/>
+		<path class="st1" d="M567.15,267.09l-105.38-59.07c-5.77-3.23-7.82-10.53-4.59-16.29v0c3.23-5.77,10.53-7.82,16.29-4.59
+			l105.38,59.07c5.77,3.23,7.82,10.53,4.59,16.29l0,0C580.21,268.26,572.92,270.32,567.15,267.09z"/>
+		<path class="st1" d="M601.67,286.44L601.67,286.44c-5.77-3.23-7.82-10.53-4.59-16.29v0c3.23-5.77,10.53-7.82,16.29-4.59l0,0
+			c5.77,3.23,7.82,10.53,4.59,16.29v0C614.73,287.61,607.44,289.67,601.67,286.44z"/>
+		<path class="st1" d="M497.04,283.82l-35-19.62c-5.77-3.23-7.82-10.53-4.59-16.29v0c3.23-5.77,10.53-7.82,16.29-4.59l35,19.62
+			c5.77,3.23,7.82,10.53,4.59,16.29l0,0C510.1,284.99,502.8,287.05,497.04,283.82z"/>
+		<path class="st1" d="M549.85,316.05l-20.26-11.36c-5.77-3.23-7.82-10.53-4.59-16.29h0c3.23-5.77,10.53-7.82,16.29-4.59
+			l20.26,11.36c5.77,3.23,7.82,10.53,4.59,16.29v0C562.91,317.23,555.61,319.28,549.85,316.05z"/>
+	</g>
+</g>
 </svg>

docs/tutorials/kubernetes/kyverno.md

@@ -7,8 +7,9 @@ This tutorial details
 - Verify the container image has an attestation with Kyverno
 
 ### Prerequisites
-1. [Attestation of the vulnerability scan uploaded][vuln-attestation]
-2. A running Kubernetes cluster that kubectl is connected to
+1. A running Kubernetes cluster that kubectl is connected to
+2. A Container image signed with Cosign and an attestation generated for a Trivy Vulnerability scan.
+  [Follow this tutorial for more information.][vuln-attestation]
 
 ### Kyverno Policy to check attestation
 
@@ -24,11 +25,12 @@ kind: ClusterPolicy
 metadata:
   name: check-vulnerabilities
 spec:
-  validationFailureAction: enforce
-  webhookTimeoutSeconds: 10
+  validationFailureAction: Enforce
+  background: false
+  webhookTimeoutSeconds: 30
   failurePolicy: Fail
   rules:
-    - name: not-older-than-one-week
+    - name: checking-vulnerability-scan-not-older-than-one-hour
       match:
         any:
         - resources:
@@ -36,14 +38,23 @@ spec:
               - Pod
       verifyImages:
       - imageReferences:
-        - "CONTAINER-REGISTRY/*:*"
+        - "*"
         attestations:
-        - predicateType: cosign.sigstore.dev/attestation/vuln/v1
+        - type: https://cosign.sigstore.dev/attestation/vuln/v1
           conditions:
           - all:
-            - key: "{{ time_since('','{{metadata.scanFinishedOn}}','') }}"
+            - key: "{{ time_since('','{{ metadata.scanFinishedOn }}', '') }}"
               operator: LessThanOrEquals
-              value: "168h"
+              value: "1h"
+          attestors:
+          - count: 1
+            entries:
+            - keys:
+                publicKeys: |-
+                  -----BEGIN PUBLIC KEY-----
+                  abc
+                  xyz
+                  -----END PUBLIC KEY-----
 ```
 
 {% endraw %}
@@ -57,38 +68,12 @@ Next, apply the above policy:
 kubectl apply -f vuln-attestation.yaml
 ```
 
-To ensure that the policy worked, we can deploye an example deployment file with our container image:
+To ensure that the policy worked, we can deploy an example Kubernetes Pod with our container image:
 
-deployment.yaml
 ```
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: cns-website
-  namespace: app
-spec:
-  replicas: 2
-  selector:
-    matchLabels:
-      run: cns-website
-  template:
-    metadata:
-      labels:
-        run: cns-website
-    spec:
-      containers:
-      - name: cns-website
-        image: docker.io/anaisurlichs/cns-website:0.0.6
-        ports:
-          - containerPort: 80
-        imagePullPolicy: Always
-        resources:
-          limits:
-            memory: 512Mi
-            cpu: 200m
-        securityContext:
-          allowPrivilegeEscalation: false
+kubectl run app-signed --image= docker.io/anaisurlichs/signed-example@sha256:c5911ac313e0be82a740bd726dc290e655800a9588424ba4e0558c705d1287fd 
 ```
+Note that the image is based on the [signing tutorial.][vuln-attestation]
 
 Once we apply the deployment, it should pass since our attestation is available:
 ```
@@ -98,7 +83,7 @@ deployment.apps/cns-website created
 
 However, if we try to deploy any other container image, our deployment will fail. We can verify this by replacing the image referenced in the deployment with `docker.io/anaisurlichs/cns-website:0.0.5` and applying the deployment:
 ```
-kubectl apply -f deployment-two.yaml
+kubectl run app-unsigned --image=docker.io/anaisurlichs/cns-website:0.1.1 
 
 Resource: "apps/v1, Resource=deployments", GroupVersionKind: "apps/v1, Kind=Deployment"
 Name: "cns-website", Namespace: "app"

docs/tutorials/signing/vuln-attestation.md

@@ -1,36 +1,145 @@
 # Vulnerability Scan Record Attestation
 
-This tutorial details 
+This tutorial details how to
 
-- Scan your container image for vulnerabilities
-- Generate an attestation with Cosign
+- Scan container images for vulnerabilities
+- Generate an attestation, using Cosign, with and without generating a separate key pair
 
 #### Prerequisites
 
-1. Trivy CLI installed
-2. Cosign installed 
+1. [Trivy CLI](../../getting-started/installation.md) installed
+2. [Cosign CLI](https://docs.sigstore.dev/system_config/installation/) installed 
+3. Ensure that you have access to a container image in a remote container registry that you own/within your account. In this tutorial, we will use DockerHub.
 
-#### Scan Container Image for vulnerabilities
+## Scan Container Image for vulnerabilities
 
 Scan your container image for vulnerabilities and save the scan result to a scan.json file:
 ```
-trivy image --ignore-unfixed --format json --output scan.json anaisurlichs/cns-website:0.0.6
+trivy image --ignore-unfixed --format cosign-vuln --output scan.json DockerHubID/imagename:imagetag
 ```
 
-* --ignore-unfixed: Ensures that only the vulnerabilities are displayed that have a already a fix available
-* --output scan.json: The scan output is saved to a scan.json file instead of being displayed in the terminal.
-
-Note: Replace the container image with the container image that you would like to scan.
-
-#### Attestation of the vulnerability scan with Cosign
-
-The following command generates an attestation for the vulnerability scan and uploads it to our container image:
+For example:
 ```
-cosign attest --replace --predicate scan.json --type vuln anaisurlichs/cns-website:0.0.6
+trivy image --ignore-unfixed --format cosign-vuln --output scan.json anaisurlichs/signed-example:0.1
+```
+
+* `--ignore-unfixed`: Ensures only the vulnerabilities, which have a already a fix available, are displayed
+* `--output scan.json`: The scan output is saved to a scan.json file instead of being displayed in the terminal.
+
+Note: Replace the container image with the container image that you want to scan.
+
+## Option 1: Signing and Generating an attestation without new key pair
+
+#### Signing
+
+Sign the container image:
+```
+cosign sign DockerHubID/imagename@imageSHA
+```
+
+The `imageSHA` can be obtained through the following docker command:
+```
+docker image ls --digests
+```
+The SHA will be displayed next to the image name and tag.
+
+Note that it is better practice to sign the image SHA rather than the tag as the SHA will remain the same for the particular image that we have signed.
+
+For example:
+```
+cosign sign docker.io/anaisurlichs/signed-example@sha256:c5911ac313e0be82a740bd726dc290e655800a9588424ba4e0558c705d1287fd
+```
+
+#### Attestation
+
+The following command generates an attestation for the vulnerability scan and uploads it to the container image used:
+```
+cosign attest --predicate scan.json --type vuln docker.io/DockerHubID/imagename:imageSHA
+```
+
+For example:
+```
+cosign attest --predicate scan.json --type vuln docker.io/anaisurlichs/signed-example@sha256:c5911ac313e0be82a740bd726dc290e655800a9588424ba4e0558c705d1287fd
 ```
 
 Note: Replace the container image with the container image that you would like to scan.
 
+Next, Sigstore will ask you to verify with an account -- Microsoft, GitHub, or Google.
+
+Once done, the user will be provided with a certificate in the terminal where they ran the command. Example certificate:
+```
+-----BEGIN CERTIFICATE-----
+MIIC1TCCAlygAwIBAgIUfSXI7xTWSLq4nuygd8YPuhPZlEswCgYIKoZIzj0EAwMw
+NzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRl
+cm1lZGlhdGUwHhcNMjQwMTExMTMzODUzWhcNMjQwMTExMTM0ODUzWjAAMFkwEwYH
+KoZIzj0CAQYIKoZIzj0DAQcDQgAETcUNnK76mfo9G3j1c7NN6Vcn6yQPDX5rd3QB
+unkHs1Uk59CWv3qm6sUyRNYaATs9zdHAZqLck8G4P/Pj7+GzCKOCAXswggF3MA4G
+........
+-----END CERTIFICATE-----
+```
+
+
+## Option 2: Signing and Generating an attestation with a new Cosign key pair
+
+To generate an attestation for the container image with a separate key pair, we can use Cosign to generate a new key pair:
+```
+cosign generate-key-pair 
+```
+
+This will generate a `cosign.key` and a `cosign.pub` file. The `cosign.key` file is your private key that should be kept confidential as it is used to sign artefacts. However, the `cosign.pub` file contains the information of the corresponding public key. This key can be used by third parties to verify the attestation -- basically that this person who claims to have signed the attestation actually is the one who signed it. 
+
+#### Signing
+
+Sign the container image:
+```
+cosign sign --key cosign.key docker.io/anaisurlichs/signed-example@sha256:c5911ac313e0be82a740bd726dc290e655800a9588424ba4e0558c705d1287fd
+```
+
+#### Attestation
+
+To generate the attestation with the specific key pairs, run the following command:
+```
+cosign attest --key cosign.key --type vuln --predicate scan.json docker.io/anaisurlichs/signed-example@sha256:c5911ac313e0be82a740bd726dc290e655800a9588424ba4e0558c705d1287fd 
+```
+
+## Verify the attestation
+
+### Option 1 -- No separate key pair
+
+If you have not generated a key pair but received a certificate after the container image was signed, use the following command to verify the attestation:
+
+```
+cosign verify-attestation --type vuln --certificate-identity Email-used-to-sign  --certificate-oidc-issuer='the-issuer-used' docker.io/DockerHubID/imagename:imageSHA
+```
+
+For example, the command could be like this:
+```
+cosign verify-attestation --type vuln --certificate-identity urlichsanais@gmail.com  --certificate-oidc-issuer='https://github.com/login/oauth' anaisurlichs/signed-example@sha256:c5911ac313e0be82a740bd726dc290e655800a9588424ba4e0558c705d1287fd
+```
+
+### Option 2 -- Separate key pair
+
+If you have used a new cosign key pair, the attestation can be verified through the following command:
+```
+cosign verify-attestation --key cosign.pub --type vuln anaisurlichs/signed-example@sha256:c5911ac313e0be82a740bd726dc290e655800a9588424ba4e0558c705d1287fd 
+```
+
+<details>
+<summary>Output</summary>
+
+The output should look similar to the following:
+```
+Verification for anaisurlichs/signed-example@sha256:c5911ac313e0be82a740bd726dc290e655800a9588424ba4e0558c705d1287fd --
+The following checks were performed on each of these signatures:
+  - The cosign claims were validated
+  - Existence of the claims in the transparency log was verified offline
+  - The signatures were verified against the specified public key
+{"payloadType":"application/vnd.in-toto+json","payload":
+```
+</details>
+
+## More information
+
 See [here][vuln-attestation] for more details.
 
 [vuln-attestation]: ../../docs/supply-chain/attestation/vuln.md

go.mod

@@ -7,14 +7,14 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.0
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0
 	github.com/BurntSushi/toml v1.3.2
-	github.com/CycloneDX/cyclonedx-go v0.7.2
+	github.com/CycloneDX/cyclonedx-go v0.8.0
 	github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible
 	github.com/Masterminds/sprig/v3 v3.2.3
 	github.com/NYTimes/gziphandler v1.1.1
 	github.com/alicebob/miniredis/v2 v2.31.0
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/defsec v0.93.2-0.20231208181342-318642ac6f08
-	github.com/aquasecurity/go-dep-parser v0.0.0-20231120074854-8322cc2242bf
+	github.com/aquasecurity/defsec v0.94.1
+	github.com/aquasecurity/go-dep-parser v0.0.0-20240131191227-2779e24d07b5
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
@@ -23,28 +23,29 @@ require (
 	github.com/aquasecurity/table v1.8.0
 	github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da
 	github.com/aquasecurity/tml v0.6.1
-	github.com/aquasecurity/trivy-aws v0.5.0
+	github.com/aquasecurity/trivy-aws v0.7.1
 	github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d
-	github.com/aquasecurity/trivy-iac v0.7.1
-	github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728
-	github.com/aquasecurity/trivy-kubernetes v0.5.9-0.20231203080602-50a069120091
-	github.com/aquasecurity/trivy-policies v0.6.1-0.20231120231532-f6f2330bf842
-	github.com/aws/aws-sdk-go-v2 v1.23.5
-	github.com/aws/aws-sdk-go-v2/config v1.25.11
-	github.com/aws/aws-sdk-go-v2/credentials v1.16.9
-	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.90
-	github.com/aws/aws-sdk-go-v2/service/ec2 v1.116.0
-	github.com/aws/aws-sdk-go-v2/service/ecr v1.24.1
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.40.2
-	github.com/aws/aws-sdk-go-v2/service/sts v1.26.2
-	github.com/bmatcuk/doublestar/v4 v4.6.0
+	github.com/aquasecurity/trivy-iac v0.8.0
+	github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
+	github.com/aquasecurity/trivy-kubernetes v0.6.3-0.20240118072219-c433b06f98e1
+	github.com/aquasecurity/trivy-policies v0.8.0
+	github.com/aws/aws-sdk-go-v2 v1.24.1
+	github.com/aws/aws-sdk-go-v2/config v1.26.3
+	github.com/aws/aws-sdk-go-v2/credentials v1.16.14
+	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.15.11
+	github.com/aws/aws-sdk-go-v2/service/ec2 v1.142.0
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.24.6
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.48.0
+	github.com/aws/aws-sdk-go-v2/service/sts v1.26.7
+	github.com/bmatcuk/doublestar/v4 v4.6.1
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cheggaaa/pb/v3 v3.1.4
-	github.com/containerd/containerd v1.7.7
+	github.com/containerd/containerd v1.7.11
+	github.com/csaf-poc/csaf_distribution/v3 v3.0.0
 	github.com/docker/docker v24.0.7+incompatible
 	github.com/docker/go-connections v0.4.0
 	github.com/fatih/color v1.15.0
-	github.com/go-git/go-git/v5 v5.10.1
+	github.com/go-git/go-git/v5 v5.11.0
 	github.com/go-openapi/runtime v0.26.0
 	github.com/go-openapi/strfmt v0.21.7
 	github.com/go-redis/redis/v8 v8.11.5
@@ -52,9 +53,9 @@ require (
 	github.com/golang/protobuf v1.5.3
 	github.com/google/go-containerregistry v0.17.0
 	github.com/google/licenseclassifier/v2 v2.0.0
-	github.com/google/uuid v1.4.0
+	github.com/google/uuid v1.5.0
 	github.com/google/wire v0.5.0
-	github.com/hashicorp/go-getter v1.7.2
+	github.com/hashicorp/go-getter v1.7.3
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/golang-lru/v2 v2.0.6
 	github.com/in-toto/in-toto-golang v0.9.0
@@ -67,8 +68,8 @@ require (
 	github.com/magefile/mage v1.15.0
 	github.com/mailru/easyjson v0.7.7
 	github.com/masahiro331/go-disk v0.0.0-20220919035250-c8da316f91ac
-	github.com/masahiro331/go-ebs-file v0.0.0-20230228042409-005c81d4ae43
-	github.com/masahiro331/go-ext4-filesystem v0.0.0-20230612143131-27ccd485b7a1
+	github.com/masahiro331/go-ebs-file v0.0.0-20240112135404-d5fbb1d46323
+	github.com/masahiro331/go-ext4-filesystem v0.0.0-20231208112839-4339555a0cd4
 	github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08
 	github.com/masahiro331/go-vmdk-parser v0.0.0-20221225061455-612096e4bbbd
 	github.com/masahiro331/go-xfs-filesystem v0.0.0-20230608043311-a335f4599b70
@@ -76,53 +77,53 @@ require (
 	github.com/mitchellh/hashstructure/v2 v2.0.2
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/moby/buildkit v0.11.6
-	github.com/open-policy-agent/opa v0.58.0
+	github.com/open-policy-agent/opa v0.60.0
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.0-rc5
 	github.com/openvex/go-vex v0.2.5
 	github.com/owenrumney/go-sarif/v2 v2.3.0
 	github.com/package-url/packageurl-go v0.1.2
 	github.com/quasilyte/go-ruleguard/dsl v0.3.22
-	github.com/samber/lo v1.38.1
+	github.com/samber/lo v1.39.0
 	github.com/saracen/walker v0.1.3
-	github.com/secure-systems-lab/go-securesystemslib v0.7.0
+	github.com/secure-systems-lab/go-securesystemslib v0.8.0
 	github.com/sigstore/rekor v1.2.2
 	github.com/sirupsen/logrus v1.9.3
 	github.com/sosedoff/gitkit v0.4.0
 	github.com/spdx/tools-golang v0.5.4-0.20231108154018-0c0f394b5e1a // v0.5.3 with necessary changes. Can be upgraded to version 0.5.4 after release.
 	github.com/spf13/cast v1.5.1
-	github.com/spf13/cobra v1.7.0
+	github.com/spf13/cobra v1.8.0
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.16.0
 	github.com/stretchr/testify v1.8.4
-	github.com/testcontainers/testcontainers-go v0.26.0
+	github.com/testcontainers/testcontainers-go v0.27.0
 	github.com/testcontainers/testcontainers-go/modules/localstack v0.26.0
 	github.com/tetratelabs/wazero v1.2.1
 	github.com/twitchtv/twirp v8.1.2+incompatible
 	github.com/xeipuuv/gojsonschema v1.2.0
 	github.com/xlab/treeprint v1.2.0
-	go.etcd.io/bbolt v1.3.7
+	go.etcd.io/bbolt v1.3.8
 	go.uber.org/zap v1.26.0
-	golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1
+	golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa
 	golang.org/x/mod v0.14.0
-	golang.org/x/sync v0.4.0
-	golang.org/x/term v0.14.0
+	golang.org/x/sync v0.6.0
+	golang.org/x/term v0.16.0
 	golang.org/x/text v0.14.0
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2
-	google.golang.org/protobuf v1.31.0
+	google.golang.org/protobuf v1.32.0
 	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/api v0.28.4
-	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2
-	modernc.org/sqlite v1.23.1
+	k8s.io/api v0.29.0
+	k8s.io/utils v0.0.0-20231127182322-b307cd553661
+	modernc.org/sqlite v1.28.0
 )
 
 require github.com/bitnami/go-version v0.0.0-20231130084017-bb00604d650c
 
 require (
-	cloud.google.com/go v0.110.7 // indirect
+	cloud.google.com/go v0.110.8 // indirect
 	cloud.google.com/go/compute v1.23.0 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
-	cloud.google.com/go/iam v1.1.1 // indirect
+	cloud.google.com/go/iam v1.1.2 // indirect
 	cloud.google.com/go/storage v1.31.0 // indirect
 	dario.cat/mergo v1.0.0 // indirect
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
@@ -131,20 +132,22 @@ require (
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
 	github.com/Azure/go-autorest/autorest v0.11.29 // indirect
-	github.com/Azure/go-autorest/autorest/adal v0.9.22 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.23 // indirect
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 // indirect
+	github.com/Intevation/gval v1.3.0 // indirect
+	github.com/Intevation/jsonpath v0.2.1 // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver v1.5.0 // indirect
 	github.com/Masterminds/semver/v3 v3.2.1 // indirect
 	github.com/Masterminds/squirrel v1.5.4 // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
-	github.com/Microsoft/hcsshim v0.11.1 // indirect
+	github.com/Microsoft/hcsshim v0.11.4 // indirect
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
-	github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 // indirect
+	github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c // indirect
 	github.com/VividCortex/ewma v1.2.0 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/agnivade/levenshtein v1.1.1 // indirect
@@ -155,60 +158,60 @@ require (
 	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
-	github.com/aws/aws-sdk-go v1.48.4 // indirect
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.14 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.9 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.8 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.8 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.7.1 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/accessanalyzer v1.21.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/apigateway v1.18.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/apigatewayv2 v1.14.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/athena v1.31.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/cloudfront v1.28.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.29.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.27.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.23.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/codebuild v1.22.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/docdb v1.23.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/dynamodb v1.21.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ebs v1.18.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ecs v1.30.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/efs v1.21.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/eks v1.29.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/elasticache v1.29.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.21.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/elasticsearchservice v1.20.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/emr v1.28.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/iam v1.22.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.38 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.7.35 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.8 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/kafka v1.22.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/kinesis v1.18.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/kms v1.24.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/lambda v1.39.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/mq v1.16.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/neptune v1.21.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/rds v1.54.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/redshift v1.29.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.21.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sns v1.21.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sqs v1.24.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.18.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/workspaces v1.31.1 // indirect
-	github.com/aws/smithy-go v1.18.1 // indirect
+	github.com/aws/aws-sdk-go v1.49.21 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.4 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.7.2 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.2.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/accessanalyzer v1.26.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/apigateway v1.21.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/apigatewayv2 v1.18.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/athena v1.37.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/cloudfront v1.32.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.35.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.32.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.30.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/codebuild v1.26.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/docdb v1.29.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/dynamodb v1.26.8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ebs v1.21.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecs v1.35.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/efs v1.26.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/eks v1.37.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/elasticache v1.34.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.26.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/elasticsearchservice v1.25.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/emr v1.36.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/iam v1.28.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.2.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.8.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.16.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kafka v1.28.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kinesis v1.24.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kms v1.27.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/lambda v1.49.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/mq v1.20.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/neptune v1.28.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/rds v1.66.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/redshift v1.39.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.26.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sns v1.26.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sqs v1.29.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.18.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/workspaces v1.35.6 // indirect
+	github.com/aws/smithy-go v1.19.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
 	github.com/briandowns/spinner v1.23.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/chai2010/gettext-go v1.0.2 // indirect
-	github.com/cloudflare/circl v1.3.3 // indirect
+	github.com/cloudflare/circl v1.3.7 // indirect
 	github.com/containerd/cgroups v1.1.0 // indirect
 	github.com/containerd/continuity v0.4.2 // indirect
 	github.com/containerd/fifo v1.1.0 // indirect
@@ -218,12 +221,12 @@ require (
 	github.com/containerd/typeurl v1.0.2 // indirect
 	github.com/containerd/typeurl/v2 v2.1.1 // indirect
 	github.com/cpuguy83/dockercfg v0.3.1 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.3 // indirect
 	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/dlclark/regexp2 v1.4.0 // indirect
-	github.com/docker/cli v24.0.5+incompatible // indirect
+	github.com/docker/cli v24.0.6+incompatible // indirect
 	github.com/docker/distribution v2.8.2+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.7.0 // indirect
 	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
@@ -231,17 +234,18 @@ require (
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
-	github.com/emicklei/go-restful/v3 v3.10.1 // indirect
+	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
-	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
+	github.com/evanphx/json-patch v5.7.0+incompatible // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.5.0 // indirect
 	github.com/go-gorp/gorp/v3 v3.1.0 // indirect
 	github.com/go-ini/ini v1.67.0 // indirect
-	github.com/go-logr/logr v1.3.0 // indirect
+	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/analysis v0.21.4 // indirect
 	github.com/go-openapi/errors v0.20.4 // indirect
@@ -251,29 +255,35 @@ require (
 	github.com/go-openapi/spec v0.20.9 // indirect
 	github.com/go-openapi/swag v0.22.4 // indirect
 	github.com/go-openapi/validate v0.22.1 // indirect
+	github.com/go-sql-driver/mysql v1.7.1 // indirect
+	github.com/go-test/deep v1.1.0 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
-	github.com/goccy/go-yaml v1.8.1 // indirect
+	github.com/goccy/go-yaml v1.9.5 // indirect
 	github.com/gofrs/uuid v4.3.1+incompatible // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 	github.com/golang-jwt/jwt/v5 v5.0.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/btree v1.1.2 // indirect
+	github.com/google/flatbuffers v2.0.8+incompatible // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/pprof v0.0.0-20230406165453-00490a63f317 // indirect
 	github.com/google/s2a-go v0.1.5 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.2.5 // indirect
 	github.com/googleapis/gax-go/v2 v2.12.0 // indirect
-	github.com/gorilla/mux v1.8.0 // indirect
+	github.com/gorilla/mux v1.8.1 // indirect
+	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/gosuri/uitable v0.0.4 // indirect
-	github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
+	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-safetemp v1.0.0 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/hashicorp/go-version v1.6.0 // indirect
+	github.com/hashicorp/golang-lru v0.6.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/hashicorp/hcl/v2 v2.19.1 // indirect
 	github.com/huandu/xstrings v1.4.0 // indirect
@@ -301,7 +311,7 @@ require (
 	github.com/mattn/go-runewidth v0.0.14 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032 // indirect
-	github.com/miekg/dns v1.1.50 // indirect
+	github.com/miekg/dns v1.1.53 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
@@ -319,9 +329,10 @@ require (
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/olekukonko/tablewriter v0.0.5 // indirect
-	github.com/opencontainers/runc v1.1.5 // indirect
+	github.com/opencontainers/runc v1.1.12 // indirect
 	github.com/opencontainers/runtime-spec v1.1.0-rc.1 // indirect
 	github.com/opencontainers/selinux v1.11.0 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
@@ -341,7 +352,8 @@ require (
 	github.com/rivo/uniseg v0.2.0 // indirect
 	github.com/rubenv/sql-migrate v1.5.2 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/sergi/go-diff v1.2.0 // indirect
+	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect
+	github.com/sergi/go-diff v1.3.1 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
 	github.com/shopspring/decimal v1.3.1 // indirect
 	github.com/skeema/knownhosts v1.2.1 // indirect
@@ -361,53 +373,55 @@ require (
 	github.com/zclconf/go-cty-yaml v1.0.3 // indirect
 	go.mongodb.org/mongo-driver v1.11.3 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/otel v1.19.0 // indirect
-	go.opentelemetry.io/otel/metric v1.19.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.19.0 // indirect
-	go.opentelemetry.io/otel/trace v1.19.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 // indirect
+	go.opentelemetry.io/otel v1.21.0 // indirect
+	go.opentelemetry.io/otel/metric v1.21.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.21.0 // indirect
+	go.opentelemetry.io/otel/trace v1.21.0 // indirect
 	go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
+	go.uber.org/goleak v1.3.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/crypto v0.15.0 // indirect
-	golang.org/x/net v0.18.0 // indirect
-	golang.org/x/oauth2 v0.11.0 // indirect
-	golang.org/x/sys v0.14.0 // indirect
-	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.13.0 // indirect
+	golang.org/x/crypto v0.18.0 // indirect
+	golang.org/x/net v0.20.0 // indirect
+	golang.org/x/oauth2 v0.13.0 // indirect
+	golang.org/x/sys v0.16.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
+	golang.org/x/tools v0.15.0 // indirect
 	google.golang.org/api v0.138.0 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect
-	google.golang.org/grpc v1.59.0 // indirect
+	google.golang.org/appengine v1.6.8 // indirect
+	google.golang.org/genproto v0.0.0-20231002182017-d307bd883b97 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20231002182017-d307bd883b97 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20231002182017-d307bd883b97 // indirect
+	google.golang.org/grpc v1.60.1 // indirect
 	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	helm.sh/helm/v3 v3.13.0 // indirect
-	k8s.io/apiextensions-apiserver v0.28.2 // indirect
-	k8s.io/apimachinery v0.28.4 // indirect
-	k8s.io/apiserver v0.28.2 // indirect
-	k8s.io/cli-runtime v0.28.4 // indirect
-	k8s.io/client-go v0.28.4 // indirect
-	k8s.io/component-base v0.28.3 // indirect
-	k8s.io/klog/v2 v2.110.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
-	k8s.io/kubectl v0.28.3 // indirect
+	helm.sh/helm/v3 v3.14.0 // indirect
+	k8s.io/apiextensions-apiserver v0.29.0 // indirect
+	k8s.io/apimachinery v0.29.0 // indirect
+	k8s.io/apiserver v0.29.0 // indirect
+	k8s.io/cli-runtime v0.29.0 // indirect
+	k8s.io/client-go v0.29.0 // indirect
+	k8s.io/component-base v0.29.0 // indirect
+	k8s.io/klog/v2 v2.120.0 // indirect
+	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
+	k8s.io/kubectl v0.29.0 // indirect
 	lukechampine.com/uint128 v1.2.0 // indirect
 	modernc.org/cc/v3 v3.40.0 // indirect
 	modernc.org/ccgo/v3 v3.16.13 // indirect
-	modernc.org/libc v1.22.5 // indirect
-	modernc.org/mathutil v1.5.0 // indirect
-	modernc.org/memory v1.5.0 // indirect
+	modernc.org/libc v1.29.0 // indirect
+	modernc.org/mathutil v1.6.0 // indirect
+	modernc.org/memory v1.7.2 // indirect
 	modernc.org/opt v0.1.3 // indirect
 	modernc.org/strutil v1.1.3 // indirect
-	modernc.org/token v1.0.1 // indirect
-	oras.land/oras-go v1.2.3 // indirect
+	modernc.org/token v1.1.0 // indirect
+	oras.land/oras-go v1.2.4 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )
 

integration/aws_cloud_test.go

@@ -8,13 +8,14 @@ import (
 	"testing"
 	"time"
 
-	awscommands "github.com/aquasecurity/trivy/pkg/cloud/aws/commands"
-	"github.com/aquasecurity/trivy/pkg/flag"
 	dockercontainer "github.com/docker/docker/api/types/container"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	testcontainers "github.com/testcontainers/testcontainers-go"
+	"github.com/testcontainers/testcontainers-go"
 	"github.com/testcontainers/testcontainers-go/modules/localstack"
+
+	awscommands "github.com/aquasecurity/trivy/pkg/cloud/aws/commands"
+	"github.com/aquasecurity/trivy/pkg/flag"
 )
 
 func TestAwsCommandRun(t *testing.T) {

integration/client_server_test.go

@@ -5,6 +5,7 @@ package integration
 import (
 	"context"
 	"fmt"
+	"github.com/aquasecurity/trivy/pkg/types"
 	"os"
 	"path/filepath"
 	"strings"
@@ -15,17 +16,15 @@ import (
 	"github.com/docker/go-connections/nat"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	testcontainers "github.com/testcontainers/testcontainers-go"
+	"github.com/testcontainers/testcontainers-go"
 
-	"github.com/aquasecurity/trivy/pkg/clock"
 	"github.com/aquasecurity/trivy/pkg/report"
-	"github.com/aquasecurity/trivy/pkg/uuid"
 )
 
 type csArgs struct {
 	Command           string
 	RemoteAddrOption  string
-	Format            string
+	Format            types.Format
 	TemplatePath      string
 	IgnoreUnfixed     bool
 	Severity          []string
@@ -266,19 +265,15 @@ func TestClientServer(t *testing.T) {
 
 	addr, cacheDir := setup(t, setupOptions{})
 
-	for _, c := range tests {
-		t.Run(c.name, func(t *testing.T) {
-			osArgs, outputFile := setupClient(t, c.args, addr, cacheDir, c.golden)
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			osArgs := setupClient(t, tt.args, addr, cacheDir, tt.golden)
 
-			if c.args.secretConfig != "" {
-				osArgs = append(osArgs, "--secret-config", c.args.secretConfig)
+			if tt.args.secretConfig != "" {
+				osArgs = append(osArgs, "--secret-config", tt.args.secretConfig)
 			}
 
-			//
-			err := execute(osArgs)
-			require.NoError(t, err)
-
-			compareReports(t, c.golden, outputFile, nil)
+			runTest(t, osArgs, tt.golden, "", types.FormatJSON, runOptions{})
 		})
 	}
 }
@@ -364,8 +359,6 @@ func TestClientServerWithFormat(t *testing.T) {
 	}
 
 	fakeTime := time.Date(2021, 8, 25, 12, 20, 30, 5, time.UTC)
-	clock.SetFakeTime(t, fakeTime)
-
 	report.CustomTemplateFuncMap = map[string]interface{}{
 		"now": func() time.Time {
 			return fakeTime
@@ -392,19 +385,9 @@ func TestClientServerWithFormat(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Setenv("AWS_REGION", "test-region")
 			t.Setenv("AWS_ACCOUNT_ID", "123456789012")
-			osArgs, outputFile := setupClient(t, tt.args, addr, cacheDir, tt.golden)
+			osArgs := setupClient(t, tt.args, addr, cacheDir, tt.golden)
 
-			// Run Trivy client
-			err := execute(osArgs)
-			require.NoError(t, err)
-
-			want, err := os.ReadFile(tt.golden)
-			require.NoError(t, err)
-
-			got, err := os.ReadFile(outputFile)
-			require.NoError(t, err)
-
-			assert.EqualValues(t, string(want), string(got))
+			runTest(t, osArgs, tt.golden, "", tt.args.Format, runOptions{})
 		})
 	}
 }
@@ -428,22 +411,16 @@ func TestClientServerWithCycloneDX(t *testing.T) {
 	addr, cacheDir := setup(t, setupOptions{})
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			clock.SetFakeTime(t, time.Date(2021, 8, 25, 12, 20, 30, 5, time.UTC))
-			uuid.SetFakeUUID(t, "3ff14136-e09f-4df9-80ea-%012d")
-
-			osArgs, outputFile := setupClient(t, tt.args, addr, cacheDir, tt.golden)
-
-			// Run Trivy client
-			err := execute(osArgs)
-			require.NoError(t, err)
-
-			compareCycloneDX(t, tt.golden, outputFile)
+			osArgs := setupClient(t, tt.args, addr, cacheDir, tt.golden)
+			runTest(t, osArgs, tt.golden, "", types.FormatCycloneDX, runOptions{
+				fakeUUID: "3ff14136-e09f-4df9-80ea-%012d",
+			})
 		})
 	}
 }
 
 func TestClientServerWithToken(t *testing.T) {
-	cases := []struct {
+	tests := []struct {
 		name    string
 		args    csArgs
 		golden  string
@@ -485,20 +462,10 @@ func TestClientServerWithToken(t *testing.T) {
 		tokenHeader: serverTokenHeader,
 	})
 
-	for _, c := range cases {
-		t.Run(c.name, func(t *testing.T) {
-			osArgs, outputFile := setupClient(t, c.args, addr, cacheDir, c.golden)
-
-			// Run Trivy client
-			err := execute(osArgs)
-			if c.wantErr != "" {
-				require.Error(t, err, c.name)
-				assert.Contains(t, err.Error(), c.wantErr, c.name)
-				return
-			}
-
-			require.NoError(t, err, c.name)
-			compareReports(t, c.golden, outputFile, nil)
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			osArgs := setupClient(t, tt.args, addr, cacheDir, tt.golden)
+			runTest(t, osArgs, tt.golden, "", types.FormatJSON, runOptions{wantErr: tt.wantErr})
 		})
 	}
 }
@@ -521,25 +488,22 @@ func TestClientServerWithRedis(t *testing.T) {
 	golden := "testdata/alpine-39.json.golden"
 
 	t.Run("alpine 3.9", func(t *testing.T) {
-		osArgs, outputFile := setupClient(t, testArgs, addr, cacheDir, golden)
+		osArgs := setupClient(t, testArgs, addr, cacheDir, golden)
 
 		// Run Trivy client
-		err := execute(osArgs)
-		require.NoError(t, err)
-
-		compareReports(t, golden, outputFile, nil)
+		runTest(t, osArgs, golden, "", types.FormatJSON, runOptions{})
 	})
 
 	// Terminate the Redis container
 	require.NoError(t, redisC.Terminate(ctx))
 
 	t.Run("sad path", func(t *testing.T) {
-		osArgs, _ := setupClient(t, testArgs, addr, cacheDir, golden)
+		osArgs := setupClient(t, testArgs, addr, cacheDir, golden)
 
 		// Run Trivy client
-		err := execute(osArgs)
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "connect: connection refused")
+		runTest(t, osArgs, "", "", types.FormatJSON, runOptions{
+			wantErr: "unable to store cache",
+		})
 	})
 }
 
@@ -599,7 +563,7 @@ func setupServer(addr, token, tokenHeader, cacheDir, cacheBackend string) []stri
 	return osArgs
 }
 
-func setupClient(t *testing.T, c csArgs, addr string, cacheDir string, golden string) ([]string, string) {
+func setupClient(t *testing.T, c csArgs, addr string, cacheDir string, golden string) []string {
 	if c.Command == "" {
 		c.Command = "image"
 	}
@@ -616,7 +580,7 @@ func setupClient(t *testing.T, c csArgs, addr string, cacheDir string, golden st
 	}
 
 	if c.Format != "" {
-		osArgs = append(osArgs, "--format", c.Format)
+		osArgs = append(osArgs, "--format", string(c.Format))
 		if c.TemplatePath != "" {
 			osArgs = append(osArgs, "--template", c.TemplatePath)
 		}
@@ -646,19 +610,11 @@ func setupClient(t *testing.T, c csArgs, addr string, cacheDir string, golden st
 		osArgs = append(osArgs, "--input", c.Input)
 	}
 
-	// Set up the output file
-	outputFile := filepath.Join(t.TempDir(), "output.json")
-	if *update {
-		outputFile = golden
-	}
-
-	osArgs = append(osArgs, "--output", outputFile)
-
 	if c.Target != "" {
 		osArgs = append(osArgs, c.Target)
 	}
 
-	return osArgs, outputFile
+	return osArgs
 }
 
 func setupRedis(t *testing.T, ctx context.Context) (testcontainers.Container, string) {

integration/config_test.go

@@ -0,0 +1,230 @@
+//go:build integration
+
+package integration
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/aquasecurity/trivy/pkg/types"
+)
+
+// TestConfiguration tests the configuration of the CLI flags, environmental variables, and config file
+func TestConfiguration(t *testing.T) {
+	type args struct {
+		input      string
+		flags      map[string]string
+		envs       map[string]string
+		configFile string
+	}
+	type test struct {
+		name    string
+		args    args
+		golden  string
+		wantErr string
+	}
+
+	tests := []test{
+		{
+			name: "skip files",
+			args: args{
+				input: "testdata/fixtures/repo/gomod",
+				flags: map[string]string{
+					"scanners":   "vuln",
+					"skip-files": "path/to/dummy,testdata/fixtures/repo/gomod/submod2/go.mod",
+				},
+				envs: map[string]string{
+					"TRIVY_SCANNERS":   "vuln",
+					"TRIVY_SKIP_FILES": "path/to/dummy,testdata/fixtures/repo/gomod/submod2/go.mod",
+				},
+				configFile: `---
+scan:
+  scanners:
+    - vuln
+  skip-files:
+    - path/to/dummy
+    - testdata/fixtures/repo/gomod/submod2/go.mod
+`,
+			},
+			golden: "testdata/gomod-skip.json.golden",
+		},
+		{
+			name: "dockerfile with custom file pattern",
+			args: args{
+				input: "testdata/fixtures/repo/dockerfile_file_pattern",
+				flags: map[string]string{
+					"scanners":      "misconfig",
+					"file-patterns": "dockerfile:Customfile",
+					"namespaces":    "testing",
+				},
+				envs: map[string]string{
+					"TRIVY_SCANNERS":      "misconfig",
+					"TRIVY_FILE_PATTERNS": "dockerfile:Customfile",
+					"TRIVY_NAMESPACES":    "testing",
+				},
+				configFile: `---
+scan:
+  scanners:
+    - misconfig
+  file-patterns:
+    - dockerfile:Customfile
+rego:
+  skip-policy-update: true
+  namespaces: 
+    - testing
+`,
+			},
+			golden: "testdata/dockerfile_file_pattern.json.golden",
+		},
+		{
+			name: "key alias", // "--scanners" vs "--security-checks"
+			args: args{
+				input: "testdata/fixtures/repo/gomod",
+				flags: map[string]string{
+					"security-checks": "vuln",
+				},
+				envs: map[string]string{
+					"TRIVY_SECURITY_CHECKS": "vuln",
+				},
+				configFile: `---
+scan:
+  security-checks:
+    - vuln
+`,
+			},
+			golden: "testdata/gomod.json.golden",
+		},
+		{
+			name: "value alias", // "--scanners vuln" vs "--scanners vulnerability"
+			args: args{
+				input: "testdata/fixtures/repo/gomod",
+				flags: map[string]string{
+					"scanners": "vulnerability",
+				},
+				envs: map[string]string{
+					"TRIVY_SCANNERS": "vulnerability",
+				},
+				configFile: `---
+scan:
+  scanners:
+    - vulnerability
+`,
+			},
+			golden: "testdata/gomod.json.golden",
+		},
+		{
+			name: "invalid value",
+			args: args{
+				input: "testdata/fixtures/repo/gomod",
+				flags: map[string]string{
+					"scanners": "vulnerability",
+					"severity": "CRITICAL,INVALID",
+				},
+				envs: map[string]string{
+					"TRIVY_SCANNERS": "vulnerability",
+					"TRIVY_SEVERITY": "CRITICAL,INVALID",
+				},
+				configFile: `---
+scan:
+  scanners:
+    - vulnerability
+severity:
+  - CRITICAL
+  - INVALID
+`,
+			},
+			wantErr: `invalid argument "[CRITICAL INVALID]" for "--severity" flag`,
+		},
+	}
+
+	// Set up testing DB
+	cacheDir := initDB(t)
+
+	// Set a temp dir so that modules will not be loaded
+	t.Setenv("XDG_DATA_HOME", cacheDir)
+
+	for _, tt := range tests {
+		command := "repo"
+
+		t.Run(tt.name+" with CLI flags", func(t *testing.T) {
+			osArgs := []string{
+				"--format",
+				"json",
+				"--cache-dir",
+				cacheDir,
+				"--skip-db-update",
+				"--skip-policy-update",
+				command,
+				tt.args.input,
+			}
+			for key, value := range tt.args.flags {
+				osArgs = append(osArgs, "--"+key, value)
+			}
+
+			// Set up the output file
+			outputFile := filepath.Join(t.TempDir(), "output.json")
+			osArgs = append(osArgs, "--output", outputFile)
+
+			runTest(t, osArgs, tt.golden, outputFile, types.FormatJSON, runOptions{
+				wantErr: tt.wantErr,
+			})
+		})
+
+		t.Run(tt.name+" with environmental variables", func(t *testing.T) {
+			// Set up the output file
+			outputFile := filepath.Join(t.TempDir(), "output.json")
+
+			t.Setenv("TRIVY_OUTPUT", outputFile)
+			t.Setenv("TRIVY_FORMAT", "json")
+			t.Setenv("TRIVY_CACHE_DIR", cacheDir)
+			t.Setenv("TRIVY_SKIP_DB_UPDATE", "true")
+			t.Setenv("TRIVY_SKIP_POLICY_UPDATE", "true")
+			for key, value := range tt.args.envs {
+				t.Setenv(key, value)
+			}
+
+			osArgs := []string{
+				command,
+				tt.args.input,
+			}
+
+			runTest(t, osArgs, tt.golden, outputFile, types.FormatJSON, runOptions{
+				wantErr: tt.wantErr,
+			})
+		})
+
+		t.Run(tt.name+" with config file", func(t *testing.T) {
+			// Set up the output file
+			outputFile := filepath.Join(t.TempDir(), "output.json")
+
+			configFile := tt.args.configFile
+			configFile = configFile + fmt.Sprintf(`
+format: json
+output: %s
+cache:
+  dir: %s
+db:
+  skip-update: true
+`, outputFile, cacheDir)
+
+			configPath := filepath.Join(t.TempDir(), "trivy.yaml")
+			err := os.WriteFile(configPath, []byte(configFile), 0444)
+			require.NoError(t, err)
+
+			osArgs := []string{
+				command,
+				"--config",
+				configPath,
+				tt.args.input,
+			}
+
+			runTest(t, osArgs, tt.golden, outputFile, types.FormatJSON, runOptions{
+				wantErr: tt.wantErr,
+			})
+		})
+	}
+}

integration/docker_engine_test.go

@@ -5,9 +5,9 @@ package integration
 
 import (
 	"context"
+	"github.com/aquasecurity/trivy/pkg/types"
 	"io"
 	"os"
-	"path/filepath"
 	"strings"
 	"testing"
 
@@ -40,18 +40,24 @@ func TestDockerEngine(t *testing.T) {
 			golden:   "testdata/alpine-39.json.golden",
 		},
 		{
-			name:     "alpine:3.9, with high and critical severity",
-			severity: []string{"HIGH", "CRITICAL"},
+			name: "alpine:3.9, with high and critical severity",
+			severity: []string{
+				"HIGH",
+				"CRITICAL",
+			},
 			imageTag: "ghcr.io/aquasecurity/trivy-test-images:alpine-39",
 			input:    "testdata/fixtures/images/alpine-39.tar.gz",
 			golden:   "testdata/alpine-39-high-critical.json.golden",
 		},
 		{
-			name:      "alpine:3.9, with .trivyignore",
-			imageTag:  "ghcr.io/aquasecurity/trivy-test-images:alpine-39",
-			ignoreIDs: []string{"CVE-2019-1549", "CVE-2019-14697"},
-			input:     "testdata/fixtures/images/alpine-39.tar.gz",
-			golden:    "testdata/alpine-39-ignore-cveids.json.golden",
+			name:     "alpine:3.9, with .trivyignore",
+			imageTag: "ghcr.io/aquasecurity/trivy-test-images:alpine-39",
+			ignoreIDs: []string{
+				"CVE-2019-1549",
+				"CVE-2019-14697",
+			},
+			input:  "testdata/fixtures/images/alpine-39.tar.gz",
+			golden: "testdata/alpine-39-ignore-cveids.json.golden",
 		},
 		{
 			name:     "alpine:3.10",
@@ -244,13 +250,28 @@ func TestDockerEngine(t *testing.T) {
 				// tag our image to something unique
 				err = cli.ImageTag(ctx, tt.imageTag, tt.input)
 				require.NoError(t, err, tt.name)
+
+				// cleanup
+				t.Cleanup(func() {
+					_, err = cli.ImageRemove(ctx, tt.input, api.ImageRemoveOptions{
+						Force:         true,
+						PruneChildren: true,
+					})
+					_, err = cli.ImageRemove(ctx, tt.imageTag, api.ImageRemoveOptions{
+						Force:         true,
+						PruneChildren: true,
+					})
+					assert.NoError(t, err, tt.name)
+				})
 			}
 
-			tmpDir := t.TempDir()
-			output := filepath.Join(tmpDir, "result.json")
-
-			osArgs := []string{"--cache-dir", cacheDir, "image",
-				"--skip-update", "--format=json", "--output", output}
+			osArgs := []string{
+				"--cache-dir",
+				cacheDir,
+				"image",
+				"--skip-update",
+				"--format=json",
+			}
 
 			if tt.ignoreUnfixed {
 				osArgs = append(osArgs, "--ignore-unfixed")
@@ -258,12 +279,18 @@ func TestDockerEngine(t *testing.T) {
 
 			if len(tt.ignoreStatus) != 0 {
 				osArgs = append(osArgs,
-					[]string{"--ignore-status", strings.Join(tt.ignoreStatus, ",")}...,
+					[]string{
+						"--ignore-status",
+						strings.Join(tt.ignoreStatus, ","),
+					}...,
 				)
 			}
 			if len(tt.severity) != 0 {
 				osArgs = append(osArgs,
-					[]string{"--severity", strings.Join(tt.severity, ",")}...,
+					[]string{
+						"--severity",
+						strings.Join(tt.severity, ","),
+					}...,
 				)
 			}
 			if len(tt.ignoreIDs) != 0 {
@@ -275,28 +302,7 @@ func TestDockerEngine(t *testing.T) {
 			osArgs = append(osArgs, tt.input)
 
 			// Run Trivy
-			err = execute(osArgs)
-			if tt.wantErr != "" {
-				require.Error(t, err)
-				assert.Contains(t, err.Error(), tt.wantErr, tt.name)
-				return
-			}
-
-			assert.NoError(t, err, tt.name)
-
-			// check for vulnerability output info
-			compareReports(t, tt.golden, output, nil)
-
-			// cleanup
-			_, err = cli.ImageRemove(ctx, tt.input, api.ImageRemoveOptions{
-				Force:         true,
-				PruneChildren: true,
-			})
-			_, err = cli.ImageRemove(ctx, tt.imageTag, api.ImageRemoveOptions{
-				Force:         true,
-				PruneChildren: true,
-			})
-			assert.NoError(t, err, tt.name)
+			runTest(t, osArgs, tt.golden, "", types.FormatJSON, runOptions{wantErr: tt.wantErr})
 		})
 	}
 }

integration/integration_test.go

@@ -21,6 +21,7 @@ import (
 	spdxjson "github.com/spdx/tools-golang/json"
 	"github.com/spdx/tools-golang/spdx"
 	"github.com/spdx/tools-golang/spdxlib"
+	"github.com/spf13/viper"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/xeipuuv/gojsonschema"
@@ -31,6 +32,7 @@ import (
 	"github.com/aquasecurity/trivy/pkg/commands"
 	"github.com/aquasecurity/trivy/pkg/dbtest"
 	"github.com/aquasecurity/trivy/pkg/types"
+	"github.com/aquasecurity/trivy/pkg/uuid"
 
 	_ "modernc.org/sqlite"
 )
@@ -44,8 +46,6 @@ func initDB(t *testing.T) string {
 	entries, err := os.ReadDir(fixtureDir)
 	require.NoError(t, err)
 
-	clock.SetFakeTime(t, time.Date(2021, 8, 25, 12, 20, 30, 5, time.UTC))
-
 	var fixtures []string
 	for _, entry := range entries {
 		if entry.IsDir() {
@@ -192,21 +192,81 @@ func readSpdxJson(t *testing.T, filePath string) *spdx.Document {
 	return bom
 }
 
+type runOptions struct {
+	wantErr  string
+	override func(want, got *types.Report)
+	fakeUUID string
+}
+
+// runTest runs Trivy with the given args and compares the output with the golden file.
+// If outputFile is empty, the output file is created in a temporary directory.
+// If update is true, the golden file is updated.
+func runTest(t *testing.T, osArgs []string, wantFile, outputFile string, format types.Format, opts runOptions) {
+	if opts.fakeUUID != "" {
+		uuid.SetFakeUUID(t, opts.fakeUUID)
+	}
+
+	if outputFile == "" {
+		// Set up the output file
+		outputFile = filepath.Join(t.TempDir(), "output.json")
+		if *update && opts.override == nil {
+			outputFile = wantFile
+		}
+	}
+	osArgs = append(osArgs, "--output", outputFile)
+
+	// Run Trivy
+	err := execute(osArgs)
+	if opts.wantErr != "" {
+		require.ErrorContains(t, err, opts.wantErr)
+		return
+	}
+	require.NoError(t, err)
+
+	// Compare want and got
+	switch format {
+	case types.FormatCycloneDX:
+		compareCycloneDX(t, wantFile, outputFile)
+	case types.FormatSPDXJSON:
+		compareSPDXJson(t, wantFile, outputFile)
+	case types.FormatJSON:
+		compareReports(t, wantFile, outputFile, opts.override)
+	case types.FormatTemplate, types.FormatSarif, types.FormatGitHub:
+		compareRawFiles(t, wantFile, outputFile)
+	default:
+		require.Fail(t, "invalid format", "format: %s", format)
+	}
+}
+
 func execute(osArgs []string) error {
+	// viper.XXX() (e.g. viper.ReadInConfig()) affects the global state, so we need to reset it after each test.
+	defer viper.Reset()
+
+	// Set a fake time
+	ctx := clock.With(context.Background(), time.Date(2021, 8, 25, 12, 20, 30, 5, time.UTC))
+
 	// Setup CLI App
 	app := commands.NewApp()
 	app.SetOut(io.Discard)
+	app.SetArgs(osArgs)
 
 	// Run Trivy
-	app.SetArgs(osArgs)
-	return app.Execute()
+	return app.ExecuteContext(ctx)
 }
 
-func compareReports(t *testing.T, wantFile, gotFile string, override func(*types.Report)) {
+func compareRawFiles(t *testing.T, wantFile, gotFile string) {
+	want, err := os.ReadFile(wantFile)
+	require.NoError(t, err)
+	got, err := os.ReadFile(gotFile)
+	require.NoError(t, err)
+	assert.EqualValues(t, string(want), string(got))
+}
+
+func compareReports(t *testing.T, wantFile, gotFile string, override func(want, got *types.Report)) {
 	want := readReport(t, wantFile)
 	got := readReport(t, gotFile)
 	if override != nil {
-		override(&want)
+		override(&want, &got)
 	}
 	assert.Equal(t, want, got)
 }

integration/module_test.go

@@ -3,11 +3,10 @@
 package integration
 
 import (
+	"github.com/aquasecurity/trivy/pkg/types"
 	"path/filepath"
 	"testing"
 
-	"github.com/stretchr/testify/require"
-
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
 	"github.com/aquasecurity/trivy/pkg/scanner/post"
 )
@@ -51,27 +50,13 @@ func TestModule(t *testing.T) {
 				tt.input,
 			}
 
-			// Set up the output file
-			outputFile := filepath.Join(t.TempDir(), "output.json")
-			if *update {
-				outputFile = tt.golden
-			}
-
-			osArgs = append(osArgs, []string{
-				"--output",
-				outputFile,
-			}...)
-
-			// Run Trivy
-			err := execute(osArgs)
-			require.NoError(t, err)
-			defer func() {
+			t.Cleanup(func() {
 				analyzer.DeregisterAnalyzer("spring4shell")
 				post.DeregisterPostScanner("spring4shell")
-			}()
+			})
 
-			// Compare want and got
-			compareReports(t, tt.golden, outputFile, nil)
+			// Run Trivy
+			runTest(t, osArgs, tt.golden, "", types.FormatJSON, runOptions{})
 		})
 	}
 }

integration/registry_test.go

@@ -1,5 +1,4 @@
 //go:build integration
-// +build integration
 
 package integration
 
@@ -11,6 +10,7 @@ import (
 	"crypto/x509"
 	"encoding/json"
 	"fmt"
+	"github.com/aquasecurity/trivy/pkg/types"
 	"io"
 	"net/http"
 	"net/url"
@@ -24,9 +24,8 @@ import (
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 	"github.com/google/go-containerregistry/pkg/v1/tarball"
-	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	testcontainers "github.com/testcontainers/testcontainers-go"
+	"github.com/testcontainers/testcontainers-go"
 	"github.com/testcontainers/testcontainers-go/wait"
 )
 
@@ -62,7 +61,10 @@ func setupRegistry(ctx context.Context, baseDir string, authURL *url.URL) (testc
 		HostConfigModifier: func(hostConfig *dockercontainer.HostConfig) {
 			hostConfig.AutoRemove = true
 		},
-		WaitingFor: wait.ForLog("listening on [::]:5443"),
+		WaitingFor: wait.ForHTTP("v2").WithTLS(true).WithAllowInsecure(true).
+			WithStatusCodeMatcher(func(status int) bool {
+				return status == http.StatusUnauthorized
+			}),
 	}
 
 	registryC, err := testcontainers.GenericContainer(ctx, testcontainers.GenericContainerRequest{
@@ -191,62 +193,50 @@ func TestRegistry(t *testing.T) {
 			imageRef, err := name.ParseReference(s)
 			require.NoError(t, err)
 
-			// 1. Load a test image from the tar file, tag it and push to the test registry.
+			// Load a test image from the tar file, tag it and push to the test registry.
 			err = replicateImage(imageRef, tc.imageFile, auth)
 			require.NoError(t, err)
 
-			// 2. Scan it
-			resultFile, err := scan(t, imageRef, baseDir, tc.golden, tc.option)
+			osArgs, err := scan(t, imageRef, baseDir, tc.golden, tc.option)
 
-			if tc.wantErr != "" {
-				require.Error(t, err)
-				require.Contains(t, err.Error(), tc.wantErr, err)
-				return
-			}
-			require.NoError(t, err)
-
-			// 3. Read want and got
-			want := readReport(t, tc.golden)
-			got := readReport(t, resultFile)
-
-			// 4 Update some dynamic fields
-			want.ArtifactName = s
-			for i := range want.Results {
-				want.Results[i].Target = fmt.Sprintf("%s (alpine 3.10.2)", s)
-			}
-
-			// 5. Compare want and got
-			assert.Equal(t, want, got)
+			// Run Trivy
+			runTest(t, osArgs, tc.golden, "", types.FormatJSON, runOptions{
+				wantErr: tc.wantErr,
+				override: func(_, got *types.Report) {
+					got.ArtifactName = tc.imageName
+					for i := range got.Results {
+						got.Results[i].Target = fmt.Sprintf("%s (alpine 3.10.2)", tc.imageName)
+					}
+				},
+			})
 		})
 	}
 }
 
-func scan(t *testing.T, imageRef name.Reference, baseDir, goldenFile string, opt registryOption) (string, error) {
+func scan(t *testing.T, imageRef name.Reference, baseDir, goldenFile string, opt registryOption) ([]string, error) {
 	// Set up testing DB
 	cacheDir := initDB(t)
 
 	// Set a temp dir so that modules will not be loaded
 	t.Setenv("XDG_DATA_HOME", cacheDir)
 
-	// Setup the output file
-	outputFile := filepath.Join(t.TempDir(), "output.json")
-	if *update {
-		outputFile = goldenFile
-	}
-
 	// Setup env
 	if err := setupEnv(t, imageRef, baseDir, opt); err != nil {
-		return "", err
+		return nil, err
 	}
 
-	osArgs := []string{"-q", "--cache-dir", cacheDir, "image", "--format", "json", "--skip-update",
-		"--output", outputFile, imageRef.Name()}
-
-	// Run Trivy
-	if err := execute(osArgs); err != nil {
-		return "", err
+	osArgs := []string{
+		"-q",
+		"--cache-dir",
+		cacheDir,
+		"image",
+		"--format",
+		"json",
+		"--skip-update",
+		imageRef.Name(),
 	}
-	return outputFile, nil
+
+	return osArgs, nil
 }
 
 func setupEnv(t *testing.T, imageRef name.Reference, baseDir string, opt registryOption) error {

integration/repo_test.go

@@ -4,19 +4,13 @@ package integration
 
 import (
 	"fmt"
+	"github.com/stretchr/testify/assert"
 	"os"
-	"path/filepath"
 	"strings"
 	"testing"
-	"time"
 
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/aquasecurity/trivy/pkg/clock"
 	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/types"
-	"github.com/aquasecurity/trivy/pkg/uuid"
 )
 
 // TestRepository tests `trivy repo` with the local code repositories
@@ -43,7 +37,7 @@ func TestRepository(t *testing.T) {
 		name     string
 		args     args
 		golden   string
-		override func(*types.Report)
+		override func(want, got *types.Report)
 	}{
 		{
 			name: "gomod",
@@ -375,8 +369,8 @@ func TestRepository(t *testing.T) {
 				skipFiles: []string{"testdata/fixtures/repo/gomod/submod2/go.mod"},
 			},
 			golden: "testdata/gomod-skip.json.golden",
-			override: func(report *types.Report) {
-				report.ArtifactType = ftypes.ArtifactFilesystem
+			override: func(want, _ *types.Report) {
+				want.ArtifactType = ftypes.ArtifactFilesystem
 			},
 		},
 		{
@@ -389,8 +383,8 @@ func TestRepository(t *testing.T) {
 				input:       "testdata/fixtures/repo/custom-policy",
 			},
 			golden: "testdata/dockerfile-custom-policies.json.golden",
-			override: func(report *types.Report) {
-				report.ArtifactType = ftypes.ArtifactFilesystem
+			override: func(want, got *types.Report) {
+				want.ArtifactType = ftypes.ArtifactFilesystem
 			},
 		},
 	}
@@ -403,7 +397,6 @@ func TestRepository(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-
 			command := "repo"
 			if tt.args.command != "" {
 				command = tt.args.command
@@ -416,13 +409,17 @@ func TestRepository(t *testing.T) {
 
 			osArgs := []string{
 				"-q",
-				"--cache-dir", cacheDir,
+				"--cache-dir",
+				cacheDir,
 				command,
 				"--skip-db-update",
 				"--skip-policy-update",
-				"--format", string(format),
-				"--parallel", fmt.Sprint(tt.args.parallel),
+				"--format",
+				string(format),
+				"--parallel",
+				fmt.Sprint(tt.args.parallel),
 				"--offline-scan",
+				tt.args.input,
 			}
 
 			if tt.args.scanner != "" {
@@ -478,12 +475,6 @@ func TestRepository(t *testing.T) {
 				}
 			}
 
-			// Setup the output file
-			outputFile := filepath.Join(t.TempDir(), "output.json")
-			if *update && tt.override == nil {
-				outputFile = tt.golden
-			}
-
 			if tt.args.listAllPkgs {
 				osArgs = append(osArgs, "--list-all-pkgs")
 			}
@@ -496,27 +487,10 @@ func TestRepository(t *testing.T) {
 				osArgs = append(osArgs, "--secret-config", tt.args.secretConfig)
 			}
 
-			osArgs = append(osArgs, "--output", outputFile)
-			osArgs = append(osArgs, tt.args.input)
-
-			clock.SetFakeTime(t, time.Date(2021, 8, 25, 12, 20, 30, 5, time.UTC))
-			uuid.SetFakeUUID(t, "3ff14136-e09f-4df9-80ea-%012d")
-
-			// Run "trivy repo"
-			err := execute(osArgs)
-			require.NoError(t, err)
-
-			// Compare want and got
-			switch format {
-			case types.FormatCycloneDX:
-				compareCycloneDX(t, tt.golden, outputFile)
-			case types.FormatSPDXJSON:
-				compareSPDXJson(t, tt.golden, outputFile)
-			case types.FormatJSON:
-				compareReports(t, tt.golden, outputFile, tt.override)
-			default:
-				require.Fail(t, "invalid format", "format: %s", format)
-			}
+			runTest(t, osArgs, tt.golden, "", format, runOptions{
+				fakeUUID: "3ff14136-e09f-4df9-80ea-%012d",
+				override: tt.override,
+			})
 		})
 	}
 }

integration/sbom_test.go

@@ -41,9 +41,21 @@ func TestSBOM(t *testing.T) {
 					{
 						Target: "testdata/fixtures/sbom/centos-7-cyclonedx.json (centos 7.6.1810)",
 						Vulnerabilities: []types.DetectedVulnerability{
-							{PkgRef: "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810"},
-							{PkgRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"},
-							{PkgRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"},
+							{
+								PkgIdentifier: ftypes.PkgIdentifier{
+									BOMRef: "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810",
+								},
+							},
+							{
+								PkgIdentifier: ftypes.PkgIdentifier{
+									BOMRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810",
+								},
+							},
+							{
+								PkgIdentifier: ftypes.PkgIdentifier{
+									BOMRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810",
+								},
+							},
 						},
 					},
 				},
@@ -82,9 +94,21 @@ func TestSBOM(t *testing.T) {
 					{
 						Target: "testdata/fixtures/sbom/centos-7-cyclonedx.intoto.jsonl (centos 7.6.1810)",
 						Vulnerabilities: []types.DetectedVulnerability{
-							{PkgRef: "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810"},
-							{PkgRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"},
-							{PkgRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"},
+							{
+								PkgIdentifier: ftypes.PkgIdentifier{
+									BOMRef: "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810",
+								},
+							},
+							{
+								PkgIdentifier: ftypes.PkgIdentifier{
+									BOMRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810",
+								},
+							},
+							{
+								PkgIdentifier: ftypes.PkgIdentifier{
+									BOMRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810",
+								},
+							},
 						},
 					},
 				},
@@ -104,11 +128,6 @@ func TestSBOM(t *testing.T) {
 				Results: types.Results{
 					{
 						Target: "testdata/fixtures/sbom/centos-7-spdx.txt (centos 7.6.1810)",
-						Vulnerabilities: []types.DetectedVulnerability{
-							{PkgRef: "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810"},
-							{PkgRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"},
-							{PkgRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"},
-						},
 					},
 				},
 			},
@@ -127,11 +146,6 @@ func TestSBOM(t *testing.T) {
 				Results: types.Results{
 					{
 						Target: "testdata/fixtures/sbom/centos-7-spdx.json (centos 7.6.1810)",
-						Vulnerabilities: []types.DetectedVulnerability{
-							{PkgRef: "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810"},
-							{PkgRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"},
-							{PkgRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"},
-						},
 					},
 				},
 			},
@@ -199,7 +213,12 @@ func compareSBOMReports(t *testing.T, wantFile, gotFile string, overrideWant typ
 	for i, result := range overrideWant.Results {
 		want.Results[i].Target = result.Target
 		for j, vuln := range result.Vulnerabilities {
-			want.Results[i].Vulnerabilities[j].PkgRef = vuln.PkgRef
+			if vuln.PkgIdentifier.PURL != nil {
+				want.Results[i].Vulnerabilities[j].PkgIdentifier.PURL = vuln.PkgIdentifier.PURL
+			}
+			if vuln.PkgIdentifier.BOMRef != "" {
+				want.Results[i].Vulnerabilities[j].PkgIdentifier.BOMRef = vuln.PkgIdentifier.BOMRef
+			}
 		}
 	}
 

integration/standalone_tar_test.go

@@ -3,6 +3,7 @@
 package integration
 
 import (
+	"github.com/aquasecurity/trivy/pkg/types"
 	"os"
 	"path/filepath"
 	"strings"
@@ -17,28 +18,28 @@ func TestTar(t *testing.T) {
 		IgnoreUnfixed bool
 		Severity      []string
 		IgnoreIDs     []string
-		Format        string
+		Format        types.Format
 		Input         string
 		SkipDirs      []string
 		SkipFiles     []string
 	}
 	tests := []struct {
-		name     string
-		testArgs args
-		golden   string
+		name   string
+		args   args
+		golden string
 	}{
 		{
 			name: "alpine 3.9",
-			testArgs: args{
-				Format: "json",
+			args: args{
+				Format: types.FormatJSON,
 				Input:  "testdata/fixtures/images/alpine-39.tar.gz",
 			},
 			golden: "testdata/alpine-39.json.golden",
 		},
 		{
 			name: "alpine 3.9 with skip dirs",
-			testArgs: args{
-				Format: "json",
+			args: args{
+				Format: types.FormatJSON,
 				Input:  "testdata/fixtures/images/alpine-39.tar.gz",
 				SkipDirs: []string{
 					"/etc",
@@ -48,8 +49,8 @@ func TestTar(t *testing.T) {
 		},
 		{
 			name: "alpine 3.9 with skip files",
-			testArgs: args{
-				Format: "json",
+			args: args{
+				Format: types.FormatJSON,
 				Input:  "testdata/fixtures/images/alpine-39.tar.gz",
 				SkipFiles: []string{
 					"/etc",
@@ -132,224 +133,224 @@ func TestTar(t *testing.T) {
 		},
 		{
 			name: "alpine 3.9 with high and critical severity",
-			testArgs: args{
+			args: args{
 				IgnoreUnfixed: true,
 				Severity: []string{
 					"HIGH",
 					"CRITICAL",
 				},
-				Format: "json",
+				Format: types.FormatJSON,
 				Input:  "testdata/fixtures/images/alpine-39.tar.gz",
 			},
 			golden: "testdata/alpine-39-high-critical.json.golden",
 		},
 		{
 			name: "alpine 3.9 with .trivyignore",
-			testArgs: args{
+			args: args{
 				IgnoreUnfixed: false,
 				IgnoreIDs: []string{
 					"CVE-2019-1549",
 					"CVE-2019-14697",
 				},
-				Format: "json",
+				Format: types.FormatJSON,
 				Input:  "testdata/fixtures/images/alpine-39.tar.gz",
 			},
 			golden: "testdata/alpine-39-ignore-cveids.json.golden",
 		},
 		{
 			name: "alpine 3.10",
-			testArgs: args{
-				Format: "json",
+			args: args{
+				Format: types.FormatJSON,
 				Input:  "testdata/fixtures/images/alpine-310.tar.gz",
 			},
 			golden: "testdata/alpine-310.json.golden",
 		},
 		{
 			name: "alpine distroless",
-			testArgs: args{
-				Format: "json",
+			args: args{
+				Format: types.FormatJSON,
 				Input:  "testdata/fixtures/images/alpine-distroless.tar.gz",
 			},
 			golden: "testdata/alpine-distroless.json.golden",
 		},
 		{
 			name: "amazon linux 1",
-			testArgs: args{
-				Format: "json",
+			args: args{
+				Format: types.FormatJSON,
 				Input:  "testdata/fixtures/images/amazon-1.tar.gz",
 			},
 			golden: "testdata/amazon-1.json.golden",
 		},
 		{
 			name: "amazon linux 2",
-			testArgs: args{
-				Format: "json",
+			args: args{
+				Format: types.FormatJSON,
 				Input:  "testdata/fixtures/images/amazon-2.tar.gz",
 			},
 			golden: "testdata/amazon-2.json.golden",
 		},
 		{
 			name: "debian buster/10",
-			testArgs: args{
-				Format: "json",
+			args: args{
+				Format: types.FormatJSON,
 				Input:  "testdata/fixtures/images/debian-buster.tar.gz",
 			},
 			golden: "testdata/debian-buster.json.golden",
 		},
 		{
 			name: "debian buster/10 with --ignore-unfixed option",
-			testArgs: args{
+			args: args{
 				IgnoreUnfixed: true,
-				Format:        "json",
+				Format:        types.FormatJSON,
 				Input:         "testdata/fixtures/images/debian-buster.tar.gz",
 			},
 			golden: "testdata/debian-buster-ignore-unfixed.json.golden",
 		},
 		{
 			name: "debian stretch/9",
-			testArgs: args{
-				Format: "json",
+			args: args{
+				Format: types.FormatJSON,
 				Input:  "testdata/fixtures/images/debian-stretch.tar.gz",
 			},
 			golden: "testdata/debian-stretch.json.golden",
 		},
 		{
 			name: "ubuntu 18.04",
-			testArgs: args{
-				Format: "json",
+			args: args{
+				Format: types.FormatJSON,
 				Input:  "testdata/fixtures/images/ubuntu-1804.tar.gz",
 			},
 			golden: "testdata/ubuntu-1804.json.golden",
 		},
 		{
 			name: "ubuntu 18.04 with --ignore-unfixed option",
-			testArgs: args{
+			args: args{
 				IgnoreUnfixed: true,
-				Format:        "json",
+				Format:        types.FormatJSON,
 				Input:         "testdata/fixtures/images/ubuntu-1804.tar.gz",
 			},
 			golden: "testdata/ubuntu-1804-ignore-unfixed.json.golden",
 		},
 		{
 			name: "centos 7",
-			testArgs: args{
-				Format: "json",
+			args: args{
+				Format: types.FormatJSON,
 				Input:  "testdata/fixtures/images/centos-7.tar.gz",
 			},
 			golden: "testdata/centos-7.json.golden",
 		},
 		{
 			name: "centos 7with --ignore-unfixed option",
-			testArgs: args{
+			args: args{
 				IgnoreUnfixed: true,
-				Format:        "json",
+				Format:        types.FormatJSON,
 				Input:         "testdata/fixtures/images/centos-7.tar.gz",
 			},
 			golden: "testdata/centos-7-ignore-unfixed.json.golden",
 		},
 		{
 			name: "centos 7 with medium severity",
-			testArgs: args{
+			args: args{
 				IgnoreUnfixed: true,
 				Severity:      []string{"MEDIUM"},
-				Format:        "json",
+				Format:        types.FormatJSON,
 				Input:         "testdata/fixtures/images/centos-7.tar.gz",
 			},
 			golden: "testdata/centos-7-medium.json.golden",
 		},
 		{
 			name: "centos 6",
-			testArgs: args{
-				Format: "json",
+			args: args{
+				Format: types.FormatJSON,
 				Input:  "testdata/fixtures/images/centos-6.tar.gz",
 			},
 			golden: "testdata/centos-6.json.golden",
 		},
 		{
 			name: "ubi 7",
-			testArgs: args{
-				Format: "json",
+			args: args{
+				Format: types.FormatJSON,
 				Input:  "testdata/fixtures/images/ubi-7.tar.gz",
 			},
 			golden: "testdata/ubi-7.json.golden",
 		},
 		{
 			name: "almalinux 8",
-			testArgs: args{
-				Format: "json",
+			args: args{
+				Format: types.FormatJSON,
 				Input:  "testdata/fixtures/images/almalinux-8.tar.gz",
 			},
 			golden: "testdata/almalinux-8.json.golden",
 		},
 		{
 			name: "rocky linux 8",
-			testArgs: args{
-				Format: "json",
+			args: args{
+				Format: types.FormatJSON,
 				Input:  "testdata/fixtures/images/rockylinux-8.tar.gz",
 			},
 			golden: "testdata/rockylinux-8.json.golden",
 		},
 		{
 			name: "distroless base",
-			testArgs: args{
-				Format: "json",
+			args: args{
+				Format: types.FormatJSON,
 				Input:  "testdata/fixtures/images/distroless-base.tar.gz",
 			},
 			golden: "testdata/distroless-base.json.golden",
 		},
 		{
 			name: "distroless python27",
-			testArgs: args{
-				Format: "json",
+			args: args{
+				Format: types.FormatJSON,
 				Input:  "testdata/fixtures/images/distroless-python27.tar.gz",
 			},
 			golden: "testdata/distroless-python27.json.golden",
 		},
 		{
 			name: "oracle linux 8",
-			testArgs: args{
-				Format: "json",
+			args: args{
+				Format: types.FormatJSON,
 				Input:  "testdata/fixtures/images/oraclelinux-8.tar.gz",
 			},
 			golden: "testdata/oraclelinux-8.json.golden",
 		},
 		{
 			name: "opensuse leap 15.1",
-			testArgs: args{
-				Format: "json",
+			args: args{
+				Format: types.FormatJSON,
 				Input:  "testdata/fixtures/images/opensuse-leap-151.tar.gz",
 			},
 			golden: "testdata/opensuse-leap-151.json.golden",
 		},
 		{
 			name: "photon 3.0",
-			testArgs: args{
-				Format: "json",
+			args: args{
+				Format: types.FormatJSON,
 				Input:  "testdata/fixtures/images/photon-30.tar.gz",
 			},
 			golden: "testdata/photon-30.json.golden",
 		},
 		{
 			name: "CBL-Mariner 1.0",
-			testArgs: args{
-				Format: "json",
+			args: args{
+				Format: types.FormatJSON,
 				Input:  "testdata/fixtures/images/mariner-1.0.tar.gz",
 			},
 			golden: "testdata/mariner-1.0.json.golden",
 		},
 		{
 			name: "busybox with Cargo.lock integration",
-			testArgs: args{
-				Format: "json",
+			args: args{
+				Format: types.FormatJSON,
 				Input:  "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
 			},
 			golden: "testdata/busybox-with-lockfile.json.golden",
 		},
 		{
 			name: "fluentd with RubyGems",
-			testArgs: args{
+			args: args{
 				IgnoreUnfixed: true,
-				Format:        "json",
+				Format:        types.FormatJSON,
 				Input:         "testdata/fixtures/images/fluentd-multiple-lockfiles.tar.gz",
 			},
 			golden: "testdata/fluentd-gems.json.golden",
@@ -370,55 +371,40 @@ func TestTar(t *testing.T) {
 				"image",
 				"-q",
 				"--format",
-				tt.testArgs.Format,
+				string(tt.args.Format),
 				"--skip-update",
 			}
 
-			if tt.testArgs.IgnoreUnfixed {
+			if tt.args.IgnoreUnfixed {
 				osArgs = append(osArgs, "--ignore-unfixed")
 			}
-			if len(tt.testArgs.Severity) != 0 {
-				osArgs = append(osArgs, "--severity", strings.Join(tt.testArgs.Severity, ","))
+			if len(tt.args.Severity) != 0 {
+				osArgs = append(osArgs, "--severity", strings.Join(tt.args.Severity, ","))
 			}
-			if len(tt.testArgs.IgnoreIDs) != 0 {
+			if len(tt.args.IgnoreIDs) != 0 {
 				trivyIgnore := ".trivyignore"
-				err := os.WriteFile(trivyIgnore, []byte(strings.Join(tt.testArgs.IgnoreIDs, "\n")), 0444)
+				err := os.WriteFile(trivyIgnore, []byte(strings.Join(tt.args.IgnoreIDs, "\n")), 0444)
 				assert.NoError(t, err, "failed to write .trivyignore")
 				defer os.Remove(trivyIgnore)
 			}
-			if tt.testArgs.Input != "" {
-				osArgs = append(osArgs, "--input", tt.testArgs.Input)
+			if tt.args.Input != "" {
+				osArgs = append(osArgs, "--input", tt.args.Input)
 			}
 
-			if len(tt.testArgs.SkipFiles) != 0 {
-				for _, skipFile := range tt.testArgs.SkipFiles {
+			if len(tt.args.SkipFiles) != 0 {
+				for _, skipFile := range tt.args.SkipFiles {
 					osArgs = append(osArgs, "--skip-files", skipFile)
 				}
 			}
 
-			if len(tt.testArgs.SkipDirs) != 0 {
-				for _, skipDir := range tt.testArgs.SkipDirs {
+			if len(tt.args.SkipDirs) != 0 {
+				for _, skipDir := range tt.args.SkipDirs {
 					osArgs = append(osArgs, "--skip-dirs", skipDir)
 				}
 			}
 
-			// Set up the output file
-			outputFile := filepath.Join(t.TempDir(), "output.json")
-			if *update {
-				outputFile = tt.golden
-			}
-
-			osArgs = append(osArgs, []string{
-				"--output",
-				outputFile,
-			}...)
-
 			// Run Trivy
-			err := execute(osArgs)
-			require.NoError(t, err)
-
-			// Compare want and got
-			compareReports(t, tt.golden, outputFile, nil)
+			runTest(t, osArgs, tt.golden, "", tt.args.Format, runOptions{})
 		})
 	}
 }
@@ -479,8 +465,6 @@ func TestTarWithEnv(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			osArgs := []string{"image"}
-
 			t.Setenv("TRIVY_FORMAT", tt.testArgs.Format)
 			t.Setenv("TRIVY_CACHE_DIR", cacheDir)
 			t.Setenv("TRIVY_QUIET", "true")
@@ -493,27 +477,15 @@ func TestTarWithEnv(t *testing.T) {
 				t.Setenv("TRIVY_SEVERITY", strings.Join(tt.testArgs.Severity, ","))
 			}
 			if tt.testArgs.Input != "" {
-				osArgs = append(osArgs, "--input", tt.testArgs.Input)
+				t.Setenv("TRIVY_INPUT", tt.testArgs.Input)
 			}
 
 			if len(tt.testArgs.SkipDirs) != 0 {
 				t.Setenv("TRIVY_SKIP_DIRS", strings.Join(tt.testArgs.SkipDirs, ","))
 			}
 
-			// Set up the output file
-			outputFile := filepath.Join(t.TempDir(), "output.json")
-
-			osArgs = append(osArgs, []string{
-				"--output",
-				outputFile,
-			}...)
-
 			// Run Trivy
-			err := execute(osArgs)
-			require.NoError(t, err)
-
-			// Compare want and got
-			compareReports(t, tt.golden, outputFile, nil)
+			runTest(t, []string{"image"}, tt.golden, "", types.FormatJSON, runOptions{})
 		})
 	}
 }
@@ -531,13 +503,13 @@ func TestTarWithConfigFile(t *testing.T) {
 			configFile: `quiet: true
 format: json
 severity:
-  - HIGH
-  - CRITICAL
+ - HIGH
+ - CRITICAL
 vulnerability:
-  type:
-    - os
+ type:
+   - os
 cache:
-  dir: /should/be/overwritten
+ dir: /should/be/overwritten
 `,
 			golden: "testdata/alpine-39-high-critical.json.golden",
 		},
@@ -547,9 +519,9 @@ cache:
 			configFile: `quiet: true
 format: json
 vulnerability:
-  ignore-unfixed: true
+ ignore-unfixed: true
 cache:
-  dir: /should/be/overwritten
+ dir: /should/be/overwritten
 `,
 			golden: "testdata/debian-buster-ignore-unfixed.json.golden",
 		},
@@ -563,10 +535,7 @@ cache:
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			tmpDir := t.TempDir()
-			outputFile := filepath.Join(tmpDir, "output.json")
-			configPath := filepath.Join(tmpDir, "trivy.yaml")
-
+			configPath := filepath.Join(t.TempDir(), "trivy.yaml")
 			err := os.WriteFile(configPath, []byte(tt.configFile), 0600)
 			require.NoError(t, err)
 
@@ -579,16 +548,10 @@ cache:
 				configPath,
 				"--input",
 				tt.input,
-				"--output",
-				outputFile,
 			}
 
 			// Run Trivy
-			err = execute(osArgs)
-			require.NoError(t, err)
-
-			// Compare want and got
-			compareReports(t, tt.golden, outputFile, nil)
+			runTest(t, osArgs, tt.golden, "", types.FormatJSON, runOptions{})
 		})
 	}
 }

integration/testdata/almalinux-8.json.golden

@@ -56,6 +56,9 @@
           "VulnerabilityID": "CVE-2021-3712",
           "PkgID": "openssl-libs@1.1.1k-4.el8.x86_64",
           "PkgName": "openssl-libs",
+          "PkgIdentifier": {
+            "PURL": "pkg:rpm/alma/openssl-libs@1.1.1k-4.el8?arch=x86_64\u0026distro=alma-8.5\u0026epoch=1"
+          },
           "InstalledVersion": "1:1.1.1k-4.el8",
           "FixedVersion": "1:1.1.1k-5.el8_5",
           "Status": "fixed",

integration/testdata/alpine-310-registry.json.golden

@@ -1,7 +1,7 @@
 {
   "SchemaVersion": 2,
   "CreatedAt": "2021-08-25T12:20:30.000000005Z",
-  "ArtifactName": "localhost:53869/alpine:3.10",
+  "ArtifactName": "alpine:3.10",
   "ArtifactType": "container_image",
   "Metadata": {
     "OS": {
@@ -14,10 +14,10 @@
       "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
     ],
     "RepoTags": [
-      "localhost:53869/alpine:3.10"
+      "alpine:3.10"
     ],
     "RepoDigests": [
-      "localhost:53869/alpine@sha256:b1c5a500182b21d0bfa5a584a8526b56d8be316f89e87d951be04abed2446e60"
+      "alpine@sha256:b1c5a500182b21d0bfa5a584a8526b56d8be316f89e87d951be04abed2446e60"
     ],
     "ImageConfig": {
       "architecture": "amd64",
@@ -56,7 +56,7 @@
   },
   "Results": [
     {
-      "Target": "localhost:53869/alpine:3.10 (alpine 3.10.2)",
+      "Target": "alpine:3.10 (alpine 3.10.2)",
       "Class": "os-pkgs",
       "Type": "alpine",
       "Vulnerabilities": [
@@ -64,6 +64,9 @@
           "VulnerabilityID": "CVE-2019-1549",
           "PkgID": "libcrypto1.1@1.1.1c-r0",
           "PkgName": "libcrypto1.1",
+          "PkgIdentifier": {
+            "PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2"
+          },
           "InstalledVersion": "1.1.1c-r0",
           "FixedVersion": "1.1.1d-r0",
           "Status": "fixed",
@@ -133,6 +136,9 @@
           "VulnerabilityID": "CVE-2019-1551",
           "PkgID": "libcrypto1.1@1.1.1c-r0",
           "PkgName": "libcrypto1.1",
+          "PkgIdentifier": {
+            "PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2"
+          },
           "InstalledVersion": "1.1.1c-r0",
           "FixedVersion": "1.1.1d-r2",
           "Status": "fixed",
@@ -212,6 +218,9 @@
           "VulnerabilityID": "CVE-2019-1549",
           "PkgID": "libssl1.1@1.1.1c-r0",
           "PkgName": "libssl1.1",
+          "PkgIdentifier": {
+            "PURL": "pkg:apk/alpine/libssl1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2"
+          },
           "InstalledVersion": "1.1.1c-r0",
           "FixedVersion": "1.1.1d-r0",
           "Status": "fixed",
@@ -281,6 +290,9 @@
           "VulnerabilityID": "CVE-2019-1551",
           "PkgID": "libssl1.1@1.1.1c-r0",
           "PkgName": "libssl1.1",
+          "PkgIdentifier": {
+            "PURL": "pkg:apk/alpine/libssl1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2"
+          },
           "InstalledVersion": "1.1.1c-r0",
           "FixedVersion": "1.1.1d-r2",
           "Status": "fixed",

integration/testdata/alpine-310.json.golden

@@ -58,6 +58,9 @@
           "VulnerabilityID": "CVE-2019-1549",
           "PkgID": "libcrypto1.1@1.1.1c-r0",
           "PkgName": "libcrypto1.1",
+          "PkgIdentifier": {
+            "PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2"
+          },
           "InstalledVersion": "1.1.1c-r0",
           "FixedVersion": "1.1.1d-r0",
           "Status": "fixed",
@@ -127,6 +130,9 @@
           "VulnerabilityID": "CVE-2019-1551",
           "PkgID": "libcrypto1.1@1.1.1c-r0",
           "PkgName": "libcrypto1.1",
+          "PkgIdentifier": {
+            "PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2"
+          },
           "InstalledVersion": "1.1.1c-r0",
           "FixedVersion": "1.1.1d-r2",
           "Status": "fixed",
@@ -206,6 +212,9 @@
           "VulnerabilityID": "CVE-2019-1549",
           "PkgID": "libssl1.1@1.1.1c-r0",
           "PkgName": "libssl1.1",
+          "PkgIdentifier": {
+            "PURL": "pkg:apk/alpine/libssl1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2"
+          },
           "InstalledVersion": "1.1.1c-r0",
           "FixedVersion": "1.1.1d-r0",
           "Status": "fixed",
@@ -275,6 +284,9 @@
           "VulnerabilityID": "CVE-2019-1551",
           "PkgID": "libssl1.1@1.1.1c-r0",
           "PkgName": "libssl1.1",
+          "PkgIdentifier": {
+            "PURL": "pkg:apk/alpine/libssl1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2"
+          },
           "InstalledVersion": "1.1.1c-r0",
           "FixedVersion": "1.1.1d-r2",
           "Status": "fixed",

integration/testdata/alpine-310.sarif.golden

@@ -23,8 +23,8 @@
               },
               "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1549",
               "help": {
-                "text": "Vulnerability CVE-2019-1549\\nSeverity: MEDIUM\\nPackage: libssl1.1\\nFixed Version: 1.1.1d-r0\\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)\\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
-                "markdown": "**Vulnerability CVE-2019-1549**\\n| Severity | Package | Fixed Version | Link |\\n| --- | --- | --- | --- |\\n|MEDIUM|libssl1.1|1.1.1d-r0|[CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)|\\n\\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)."
+                "text": "Vulnerability CVE-2019-1549\nSeverity: MEDIUM\nPackage: libssl1.1\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
+                "markdown": "**Vulnerability CVE-2019-1549**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libssl1.1|1.1.1d-r0|[CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)|\n\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)."
               },
               "properties": {
                 "precision": "very-high",
@@ -50,8 +50,8 @@
               },
               "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1551",
               "help": {
-                "text": "Vulnerability CVE-2019-1551\\nSeverity: MEDIUM\\nPackage: libssl1.1\\nFixed Version: 1.1.1d-r2\\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)\\nThere is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
-                "markdown": "**Vulnerability CVE-2019-1551**\\n| Severity | Package | Fixed Version | Link |\\n| --- | --- | --- | --- |\\n|MEDIUM|libssl1.1|1.1.1d-r2|[CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)|\\n\\nThere is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t)."
+                "text": "Vulnerability CVE-2019-1551\nSeverity: MEDIUM\nPackage: libssl1.1\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)\nThere is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
+                "markdown": "**Vulnerability CVE-2019-1551**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libssl1.1|1.1.1d-r2|[CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)|\n\nThere is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t)."
               },
               "properties": {
                 "precision": "very-high",
@@ -73,7 +73,7 @@
           "ruleIndex": 0,
           "level": "warning",
           "message": {
-            "text": "Package: libcrypto1.1\\nInstalled Version: 1.1.1c-r0\\nVulnerability CVE-2019-1549\\nSeverity: MEDIUM\\nFixed Version: 1.1.1d-r0\\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)"
+            "text": "Package: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1549\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)"
           },
           "locations": [
             {
@@ -100,7 +100,7 @@
           "ruleIndex": 1,
           "level": "warning",
           "message": {
-            "text": "Package: libcrypto1.1\\nInstalled Version: 1.1.1c-r0\\nVulnerability CVE-2019-1551\\nSeverity: MEDIUM\\nFixed Version: 1.1.1d-r2\\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)"
+            "text": "Package: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1551\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)"
           },
           "locations": [
             {
@@ -127,7 +127,7 @@
           "ruleIndex": 0,
           "level": "warning",
           "message": {
-            "text": "Package: libssl1.1\\nInstalled Version: 1.1.1c-r0\\nVulnerability CVE-2019-1549\\nSeverity: MEDIUM\\nFixed Version: 1.1.1d-r0\\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)"
+            "text": "Package: libssl1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1549\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)"
           },
           "locations": [
             {
@@ -154,7 +154,7 @@
           "ruleIndex": 1,
           "level": "warning",
           "message": {
-            "text": "Package: libssl1.1\\nInstalled Version: 1.1.1c-r0\\nVulnerability CVE-2019-1551\\nSeverity: MEDIUM\\nFixed Version: 1.1.1d-r2\\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)"
+            "text": "Package: libssl1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1551\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)"
           },
           "locations": [
             {

integration/testdata/alpine-39-high-critical.json.golden

@@ -58,6 +58,9 @@
           "VulnerabilityID": "CVE-2019-14697",
           "PkgID": "musl@1.1.20-r4",
           "PkgName": "musl",
+          "PkgIdentifier": {
+            "PURL": "pkg:apk/alpine/musl@1.1.20-r4?arch=x86_64\u0026distro=3.9.4"
+          },
           "InstalledVersion": "1.1.20-r4",
           "FixedVersion": "1.1.20-r5",
           "Status": "fixed",
@@ -100,6 +103,9 @@
           "VulnerabilityID": "CVE-2019-14697",
           "PkgID": "musl-utils@1.1.20-r4",
           "PkgName": "musl-utils",
+          "PkgIdentifier": {
+            "PURL": "pkg:apk/alpine/musl-utils@1.1.20-r4?arch=x86_64\u0026distro=3.9.4"
+          },
           "InstalledVersion": "1.1.20-r4",
           "FixedVersion": "1.1.20-r5",
           "Status": "fixed",

integration/testdata/alpine-39-ignore-cveids.json.golden

@@ -58,6 +58,9 @@
           "VulnerabilityID": "CVE-2019-1551",
           "PkgID": "libcrypto1.1@1.1.1b-r1",
           "PkgName": "libcrypto1.1",
+          "PkgIdentifier": {
+            "PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4"
+          },
           "InstalledVersion": "1.1.1b-r1",
           "FixedVersion": "1.1.1d-r2",
           "Status": "fixed",
@@ -137,6 +140,9 @@
           "VulnerabilityID": "CVE-2019-1551",
           "PkgID": "libssl1.1@1.1.1b-r1",
           "PkgName": "libssl1.1",
+          "PkgIdentifier": {
+            "PURL": "pkg:apk/alpine/libssl1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4"
+          },
           "InstalledVersion": "1.1.1b-r1",
           "FixedVersion": "1.1.1d-r2",
           "Status": "fixed",

integration/testdata/alpine-39.json.golden

@@ -58,6 +58,9 @@
           "VulnerabilityID": "CVE-2019-1549",
           "PkgID": "libcrypto1.1@1.1.1b-r1",
           "PkgName": "libcrypto1.1",
+          "PkgIdentifier": {
+            "PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4"
+          },
           "InstalledVersion": "1.1.1b-r1",
           "FixedVersion": "1.1.1d-r0",
           "Status": "fixed",
@@ -127,6 +130,9 @@
           "VulnerabilityID": "CVE-2019-1551",
           "PkgID": "libcrypto1.1@1.1.1b-r1",
           "PkgName": "libcrypto1.1",
+          "PkgIdentifier": {
+            "PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4"
+          },
           "InstalledVersion": "1.1.1b-r1",
           "FixedVersion": "1.1.1d-r2",
           "Status": "fixed",
@@ -206,6 +212,9 @@
           "VulnerabilityID": "CVE-2019-1549",
           "PkgID": "libssl1.1@1.1.1b-r1",
           "PkgName": "libssl1.1",
+          "PkgIdentifier": {
+            "PURL": "pkg:apk/alpine/libssl1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4"
+          },
           "InstalledVersion": "1.1.1b-r1",
           "FixedVersion": "1.1.1d-r0",
           "Status": "fixed",
@@ -275,6 +284,9 @@
           "VulnerabilityID": "CVE-2019-1551",
           "PkgID": "libssl1.1@1.1.1b-r1",
           "PkgName": "libssl1.1",
+          "PkgIdentifier": {
+            "PURL": "pkg:apk/alpine/libssl1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4"
+          },
           "InstalledVersion": "1.1.1b-r1",
           "FixedVersion": "1.1.1d-r2",
           "Status": "fixed",
@@ -354,6 +366,9 @@
           "VulnerabilityID": "CVE-2019-14697",
           "PkgID": "musl@1.1.20-r4",
           "PkgName": "musl",
+          "PkgIdentifier": {
+            "PURL": "pkg:apk/alpine/musl@1.1.20-r4?arch=x86_64\u0026distro=3.9.4"
+          },
           "InstalledVersion": "1.1.20-r4",
           "FixedVersion": "1.1.20-r5",
           "Status": "fixed",
@@ -396,6 +411,9 @@
           "VulnerabilityID": "CVE-2019-14697",
           "PkgID": "musl-utils@1.1.20-r4",
           "PkgName": "musl-utils",
+          "PkgIdentifier": {
+            "PURL": "pkg:apk/alpine/musl-utils@1.1.20-r4?arch=x86_64\u0026distro=3.9.4"
+          },
           "InstalledVersion": "1.1.20-r4",
           "FixedVersion": "1.1.20-r5",
           "Status": "fixed",

integration/testdata/alpine-distroless.json.golden

@@ -53,6 +53,9 @@
           "VulnerabilityID": "CVE-2022-24765",
           "PkgID": "git@2.35.1-r2",
           "PkgName": "git",
+          "PkgIdentifier": {
+            "PURL": "pkg:apk/alpine/git@2.35.1-r2?arch=x86_64\u0026distro=3.16"
+          },
           "InstalledVersion": "2.35.1-r2",
           "FixedVersion": "2.35.2-r0",
           "Status": "fixed",

integration/testdata/amazon-1.json.golden

@@ -57,6 +57,9 @@
           "VulnerabilityID": "CVE-2019-5481",
           "PkgID": "curl@7.61.1-11.91.amzn1.x86_64",
           "PkgName": "curl",
+          "PkgIdentifier": {
+            "PURL": "pkg:rpm/amazon/curl@7.61.1-11.91.amzn1?arch=x86_64\u0026distro=amazon-AMI+release+2018.03"
+          },
           "InstalledVersion": "7.61.1-11.91.amzn1",
           "FixedVersion": "7.61.1-12.93.amzn1",
           "Status": "fixed",

integration/testdata/amazon-2.json.golden

@@ -57,6 +57,9 @@
           "VulnerabilityID": "CVE-2019-5481",
           "PkgID": "curl@7.61.1-9.amzn2.0.1.x86_64",
           "PkgName": "curl",
+          "PkgIdentifier": {
+            "PURL": "pkg:rpm/amazon/curl@7.61.1-9.amzn2.0.1?arch=x86_64\u0026distro=amazon-2+%28Karoo%29"
+          },
           "InstalledVersion": "7.61.1-9.amzn2.0.1",
           "FixedVersion": "7.61.1-12.amzn2.0.1",
           "Status": "fixed",
@@ -125,6 +128,9 @@
           "VulnerabilityID": "CVE-2019-5436",
           "PkgID": "curl@7.61.1-9.amzn2.0.1.x86_64",
           "PkgName": "curl",
+          "PkgIdentifier": {
+            "PURL": "pkg:rpm/amazon/curl@7.61.1-9.amzn2.0.1?arch=x86_64\u0026distro=amazon-2+%28Karoo%29"
+          },
           "InstalledVersion": "7.61.1-9.amzn2.0.1",
           "FixedVersion": "7.61.1-11.amzn2.0.2",
           "Status": "fixed",

integration/testdata/amazonlinux2-gp2-x86-vm.json.golden

@@ -29,6 +29,9 @@
           "VulnerabilityID": "CVE-2022-38177",
           "PkgID": "bind-export-libs@9.11.4-26.P2.amzn2.5.2.x86_64",
           "PkgName": "bind-export-libs",
+          "PkgIdentifier": {
+            "PURL": "pkg:rpm/amazon/bind-export-libs@9.11.4-26.P2.amzn2.5.2?arch=x86_64\u0026distro=amazon-2+%28Karoo%29\u0026epoch=32"
+          },
           "InstalledVersion": "32:9.11.4-26.P2.amzn2.5.2",
           "FixedVersion": "99:9.11.4-26.P2.amzn2.13",
           "Status": "fixed",

integration/testdata/busybox-with-lockfile.json.golden

@@ -57,6 +57,9 @@
           "VulnerabilityID": "CVE-2019-15542",
           "PkgID": "ammonia@1.9.0",
           "PkgName": "ammonia",
+          "PkgIdentifier": {
+            "PURL": "pkg:cargo/ammonia@1.9.0"
+          },
           "InstalledVersion": "1.9.0",
           "FixedVersion": "\u003e= 2.1.0",
           "Status": "fixed",
@@ -99,6 +102,9 @@
           "VulnerabilityID": "CVE-2021-38193",
           "PkgID": "ammonia@1.9.0",
           "PkgName": "ammonia",
+          "PkgIdentifier": {
+            "PURL": "pkg:cargo/ammonia@1.9.0"
+          },
           "InstalledVersion": "1.9.0",
           "FixedVersion": "\u003e= 3.1.0, \u003e= 2.1.3, \u003c 3.0.0",
           "Status": "fixed",

integration/testdata/centos-6.json.golden

@@ -79,6 +79,9 @@
           "VulnerabilityID": "CVE-2020-29573",
           "PkgID": "glibc@2.12-1.212.el6.x86_64",
           "PkgName": "glibc",
+          "PkgIdentifier": {
+            "PURL": "pkg:rpm/centos/glibc@2.12-1.212.el6?arch=x86_64\u0026distro=centos-6.10"
+          },
           "InstalledVersion": "2.12-1.212.el6",
           "Status": "end_of_life",
           "Layer": {
@@ -132,6 +135,9 @@
           ],
           "PkgID": "openssl@1.0.1e-57.el6.x86_64",
           "PkgName": "openssl",
+          "PkgIdentifier": {
+            "PURL": "pkg:rpm/centos/openssl@1.0.1e-57.el6?arch=x86_64\u0026distro=centos-6.10"
+          },
           "InstalledVersion": "1.0.1e-57.el6",
           "FixedVersion": "1.0.1e-58.el6_10",
           "Status": "fixed",

integration/testdata/centos-7-ignore-unfixed.json.golden

@@ -72,6 +72,9 @@
           ],
           "PkgID": "openssl-libs@1.0.2k-16.el7.x86_64",
           "PkgName": "openssl-libs",
+          "PkgIdentifier": {
+            "PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1"
+          },
           "InstalledVersion": "1:1.0.2k-16.el7",
           "FixedVersion": "1:1.0.2k-19.el7",
           "Status": "fixed",
@@ -162,6 +165,9 @@
           ],
           "PkgID": "openssl-libs@1.0.2k-16.el7.x86_64",
           "PkgName": "openssl-libs",
+          "PkgIdentifier": {
+            "PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1"
+          },
           "InstalledVersion": "1:1.0.2k-16.el7",
           "FixedVersion": "1:1.0.2k-19.el7",
           "Status": "fixed",

integration/testdata/centos-7-medium.json.golden

@@ -72,6 +72,9 @@
           ],
           "PkgID": "openssl-libs@1.0.2k-16.el7.x86_64",
           "PkgName": "openssl-libs",
+          "PkgIdentifier": {
+            "PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1"
+          },
           "InstalledVersion": "1:1.0.2k-16.el7",
           "FixedVersion": "1:1.0.2k-19.el7",
           "Status": "fixed",

integration/testdata/centos-7.json.golden

@@ -69,6 +69,9 @@
           "VulnerabilityID": "CVE-2019-18276",
           "PkgID": "bash@4.2.46-31.el7.x86_64",
           "PkgName": "bash",
+          "PkgIdentifier": {
+            "PURL": "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64\u0026distro=centos-7.6.1810"
+          },
           "InstalledVersion": "4.2.46-31.el7",
           "Status": "will_not_fix",
           "Layer": {
@@ -126,6 +129,9 @@
           ],
           "PkgID": "openssl-libs@1.0.2k-16.el7.x86_64",
           "PkgName": "openssl-libs",
+          "PkgIdentifier": {
+            "PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1"
+          },
           "InstalledVersion": "1:1.0.2k-16.el7",
           "FixedVersion": "1:1.0.2k-19.el7",
           "Status": "fixed",
@@ -216,6 +222,9 @@
           ],
           "PkgID": "openssl-libs@1.0.2k-16.el7.x86_64",
           "PkgName": "openssl-libs",
+          "PkgIdentifier": {
+            "PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1"
+          },
           "InstalledVersion": "1:1.0.2k-16.el7",
           "FixedVersion": "1:1.0.2k-19.el7",
           "Status": "fixed",

integration/testdata/cocoapods.json.golden

@@ -24,6 +24,9 @@
         {
           "ID": "_NIODataStructures@2.41.0",
           "Name": "_NIODataStructures",
+          "Identifier": {
+            "PURL": "pkg:cocoapods/_NIODataStructures@2.41.0"
+          },
           "Version": "2.41.0",
           "Layer": {}
         }
@@ -33,6 +36,9 @@
           "VulnerabilityID": "CVE-2022-3215",
           "PkgID": "_NIODataStructures@2.41.0",
           "PkgName": "_NIODataStructures",
+          "PkgIdentifier": {
+            "PURL": "pkg:cocoapods/_NIODataStructures@2.41.0"
+          },
           "InstalledVersion": "2.41.0",
           "FixedVersion": "2.29.1, 2.39.1, 2.42.0",
           "Status": "fixed",

integration/testdata/composer.lock.json.golden

@@ -24,6 +24,9 @@
         {
           "ID": "guzzlehttp/guzzle@7.4.4",
           "Name": "guzzlehttp/guzzle",
+          "Identifier": {
+            "PURL": "pkg:composer/guzzlehttp/guzzle@7.4.4"
+          },
           "Version": "7.4.4",
           "Licenses": [
             "MIT"
@@ -42,6 +45,9 @@
         {
           "ID": "guzzlehttp/psr7@1.8.3",
           "Name": "guzzlehttp/psr7",
+          "Identifier": {
+            "PURL": "pkg:composer/guzzlehttp/psr7@1.8.3"
+          },
           "Version": "1.8.3",
           "Licenses": [
             "MIT"
@@ -61,6 +67,9 @@
           "VulnerabilityID": "CVE-2022-24775",
           "PkgID": "guzzlehttp/psr7@1.8.3",
           "PkgName": "guzzlehttp/psr7",
+          "PkgIdentifier": {
+            "PURL": "pkg:composer/guzzlehttp/psr7@1.8.3"
+          },
           "InstalledVersion": "1.8.3",
           "FixedVersion": "1.8.4",
           "Status": "fixed",

integration/testdata/conan.json.golden

@@ -24,6 +24,9 @@
         {
           "ID": "bzip2/1.0.8",
           "Name": "bzip2",
+          "Identifier": {
+            "PURL": "pkg:conan/bzip2@1.0.8"
+          },
           "Version": "1.0.8",
           "Indirect": true,
           "Layer": {},
@@ -37,6 +40,9 @@
         {
           "ID": "expat/2.4.8",
           "Name": "expat",
+          "Identifier": {
+            "PURL": "pkg:conan/expat@2.4.8"
+          },
           "Version": "2.4.8",
           "Indirect": true,
           "Layer": {},
@@ -50,6 +56,9 @@
         {
           "ID": "openssl/1.1.1q",
           "Name": "openssl",
+          "Identifier": {
+            "PURL": "pkg:conan/openssl@1.1.1q"
+          },
           "Version": "1.1.1q",
           "Indirect": true,
           "Layer": {},
@@ -63,6 +72,9 @@
         {
           "ID": "pcre/8.43",
           "Name": "pcre",
+          "Identifier": {
+            "PURL": "pkg:conan/pcre@8.43"
+          },
           "Version": "8.43",
           "Indirect": true,
           "DependsOn": [
@@ -80,6 +92,9 @@
         {
           "ID": "poco/1.9.4",
           "Name": "poco",
+          "Identifier": {
+            "PURL": "pkg:conan/poco@1.9.4"
+          },
           "Version": "1.9.4",
           "DependsOn": [
             "pcre/8.43",
@@ -99,6 +114,9 @@
         {
           "ID": "sqlite3/3.39.2",
           "Name": "sqlite3",
+          "Identifier": {
+            "PURL": "pkg:conan/sqlite3@3.39.2"
+          },
           "Version": "3.39.2",
           "Indirect": true,
           "Layer": {},
@@ -112,6 +130,9 @@
         {
           "ID": "zlib/1.2.12",
           "Name": "zlib",
+          "Identifier": {
+            "PURL": "pkg:conan/zlib@1.2.12"
+          },
           "Version": "1.2.12",
           "Indirect": true,
           "Layer": {},
@@ -128,6 +149,9 @@
           "VulnerabilityID": "CVE-2020-14155",
           "PkgID": "pcre/8.43",
           "PkgName": "pcre",
+          "PkgIdentifier": {
+            "PURL": "pkg:conan/pcre@8.43"
+          },
           "InstalledVersion": "8.43",
           "FixedVersion": "8.45",
           "Status": "fixed",

integration/testdata/conda-cyclonedx.json.golden

@@ -6,13 +6,16 @@
   "version": 1,
   "metadata": {
     "timestamp": "2021-08-25T12:20:30+00:00",
-    "tools": [
-      {
-        "vendor": "aquasecurity",
-        "name": "trivy",
-        "version": "dev"
-      }
-    ],
+    "tools": {
+      "components": [
+        {
+          "type": "application",
+          "group": "aquasecurity",
+          "name": "trivy",
+          "version": "dev"
+        }
+      ]
+    },
     "component": {
       "bom-ref": "3ff14136-e09f-4df9-80ea-000000000002",
       "type": "application",

integration/testdata/conda-spdx.json.golden

@@ -22,7 +22,7 @@
     },
     {
       "name": "openssl",
-      "SPDXID": "SPDXRef-Package-c75d9dc75200186f",
+      "SPDXID": "SPDXRef-Package-20b95c21bfbf9fc4",
       "versionInfo": "1.1.1q",
       "supplier": "NOASSERTION",
       "downloadLocation": "NONE",
@@ -43,7 +43,7 @@
     },
     {
       "name": "pip",
-      "SPDXID": "SPDXRef-Package-195557cddf18e4a9",
+      "SPDXID": "SPDXRef-Package-11a429ec3bd01d80",
       "versionInfo": "22.2.2",
       "supplier": "NOASSERTION",
       "downloadLocation": "NONE",
@@ -74,17 +74,6 @@
     }
   ],
   "files": [
-    {
-      "fileName": "miniconda3/envs/testenv/conda-meta/pip-22.2.2-py38h06a4308_0.json",
-      "SPDXID": "SPDXRef-File-7eb62e2a3edddc0a",
-      "checksums": [
-        {
-          "algorithm": "SHA1",
-          "checksumValue": "a6a2db7668f1ad541d704369fc66c96a4415aa24"
-        }
-      ],
-      "copyrightText": ""
-    },
     {
       "fileName": "miniconda3/envs/testenv/conda-meta/openssl-1.1.1q-h7f8727e_0.json",
       "SPDXID": "SPDXRef-File-600e5e0110a84891",
@@ -95,6 +84,17 @@
         }
       ],
       "copyrightText": ""
+    },
+    {
+      "fileName": "miniconda3/envs/testenv/conda-meta/pip-22.2.2-py38h06a4308_0.json",
+      "SPDXID": "SPDXRef-File-7eb62e2a3edddc0a",
+      "checksums": [
+        {
+          "algorithm": "SHA1",
+          "checksumValue": "a6a2db7668f1ad541d704369fc66c96a4415aa24"
+        }
+      ],
+      "copyrightText": ""
     }
   ],
   "relationships": [
@@ -110,22 +110,22 @@
     },
     {
       "spdxElementId": "SPDXRef-Application-ee5ef1aa4ac89125",
-      "relatedSpdxElement": "SPDXRef-Package-195557cddf18e4a9",
+      "relatedSpdxElement": "SPDXRef-Package-20b95c21bfbf9fc4",
       "relationshipType": "CONTAINS"
     },
     {
-      "spdxElementId": "SPDXRef-Package-195557cddf18e4a9",
-      "relatedSpdxElement": "SPDXRef-File-7eb62e2a3edddc0a",
+      "spdxElementId": "SPDXRef-Package-20b95c21bfbf9fc4",
+      "relatedSpdxElement": "SPDXRef-File-600e5e0110a84891",
       "relationshipType": "CONTAINS"
     },
     {
       "spdxElementId": "SPDXRef-Application-ee5ef1aa4ac89125",
-      "relatedSpdxElement": "SPDXRef-Package-c75d9dc75200186f",
+      "relatedSpdxElement": "SPDXRef-Package-11a429ec3bd01d80",
       "relationshipType": "CONTAINS"
     },
     {
-      "spdxElementId": "SPDXRef-Package-c75d9dc75200186f",
-      "relatedSpdxElement": "SPDXRef-File-600e5e0110a84891",
+      "spdxElementId": "SPDXRef-Package-11a429ec3bd01d80",
+      "relatedSpdxElement": "SPDXRef-File-7eb62e2a3edddc0a",
       "relationshipType": "CONTAINS"
     }
   ]

integration/testdata/debian-buster-ignore-unfixed.json.golden

@@ -60,6 +60,9 @@
           ],
           "PkgID": "libidn2-0@2.0.5-1",
           "PkgName": "libidn2-0",
+          "PkgIdentifier": {
+            "PURL": "pkg:deb/debian/libidn2-0@2.0.5-1?arch=amd64\u0026distro=debian-10.1"
+          },
           "InstalledVersion": "2.0.5-1",
           "FixedVersion": "2.0.5-1+deb10u1",
           "Status": "fixed",

integration/testdata/debian-buster.json.golden

@@ -57,6 +57,9 @@
           "VulnerabilityID": "CVE-2019-18276",
           "PkgID": "bash@5.0-4",
           "PkgName": "bash",
+          "PkgIdentifier": {
+            "PURL": "pkg:deb/debian/bash@5.0-4?arch=amd64\u0026distro=debian-10.1"
+          },
           "InstalledVersion": "5.0-4",
           "Status": "affected",
           "Layer": {
@@ -120,6 +123,9 @@
           ],
           "PkgID": "libidn2-0@2.0.5-1",
           "PkgName": "libidn2-0",
+          "PkgIdentifier": {
+            "PURL": "pkg:deb/debian/libidn2-0@2.0.5-1?arch=amd64\u0026distro=debian-10.1"
+          },
           "InstalledVersion": "2.0.5-1",
           "FixedVersion": "2.0.5-1+deb10u1",
           "Status": "fixed",

integration/testdata/debian-stretch.json.golden

@@ -6,8 +6,7 @@
   "Metadata": {
     "OS": {
       "Family": "debian",
-      "Name": "9.9",
-      "EOSL": true
+      "Name": "9.9"
     },
     "ImageID": "sha256:f26939cc87ef44a6fc554eedd0a976ab30b5bc2769d65d2e986b6c5f1fd4053d",
     "DiffIDs": [
@@ -58,6 +57,9 @@
           "VulnerabilityID": "CVE-2019-18276",
           "PkgID": "bash@4.4-5",
           "PkgName": "bash",
+          "PkgIdentifier": {
+            "PURL": "pkg:deb/debian/bash@4.4-5?arch=amd64\u0026distro=debian-9.9"
+          },
           "InstalledVersion": "4.4-5",
           "Status": "end_of_life",
           "Layer": {
@@ -121,6 +123,9 @@
           ],
           "PkgID": "e2fslibs@1.43.4-2",
           "PkgName": "e2fslibs",
+          "PkgIdentifier": {
+            "PURL": "pkg:deb/debian/e2fslibs@1.43.4-2?arch=amd64\u0026distro=debian-9.9"
+          },
           "InstalledVersion": "1.43.4-2",
           "FixedVersion": "1.43.4-2+deb9u1",
           "Status": "fixed",
@@ -191,6 +196,9 @@
           ],
           "PkgID": "e2fsprogs@1.43.4-2",
           "PkgName": "e2fsprogs",
+          "PkgIdentifier": {
+            "PURL": "pkg:deb/debian/e2fsprogs@1.43.4-2?arch=amd64\u0026distro=debian-9.9"
+          },
           "InstalledVersion": "1.43.4-2",
           "FixedVersion": "1.43.4-2+deb9u1",
           "Status": "fixed",
@@ -261,6 +269,9 @@
           ],
           "PkgID": "libcomerr2@1.43.4-2",
           "PkgName": "libcomerr2",
+          "PkgIdentifier": {
+            "PURL": "pkg:deb/debian/libcomerr2@1.43.4-2?arch=amd64\u0026distro=debian-9.9"
+          },
           "InstalledVersion": "1.43.4-2",
           "FixedVersion": "1.43.4-2+deb9u1",
           "Status": "fixed",
@@ -331,6 +342,9 @@
           ],
           "PkgID": "libss2@1.43.4-2",
           "PkgName": "libss2",
+          "PkgIdentifier": {
+            "PURL": "pkg:deb/debian/libss2@1.43.4-2?arch=amd64\u0026distro=debian-9.9"
+          },
           "InstalledVersion": "1.43.4-2",
           "FixedVersion": "1.43.4-2+deb9u1",
           "Status": "fixed",

integration/testdata/distroless-base.json.golden

@@ -6,8 +6,7 @@
   "Metadata": {
     "OS": {
       "Family": "debian",
-      "Name": "9.9",
-      "EOSL": true
+      "Name": "9.9"
     },
     "ImageID": "sha256:7f04a8d247173b1f2546d22913af637bbab4e7411e00ae6207da8d94c445750d",
     "DiffIDs": [
@@ -56,6 +55,9 @@
           "VulnerabilityID": "CVE-2019-1551",
           "PkgID": "libssl1.1@1.1.0k-1~deb9u1",
           "PkgName": "libssl1.1",
+          "PkgIdentifier": {
+            "PURL": "pkg:deb/debian/libssl1.1@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9"
+          },
           "InstalledVersion": "1.1.0k-1~deb9u1",
           "Status": "affected",
           "Layer": {
@@ -137,6 +139,9 @@
           ],
           "PkgID": "libssl1.1@1.1.0k-1~deb9u1",
           "PkgName": "libssl1.1",
+          "PkgIdentifier": {
+            "PURL": "pkg:deb/debian/libssl1.1@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9"
+          },
           "InstalledVersion": "1.1.0k-1~deb9u1",
           "FixedVersion": "1.1.0l-1~deb9u1",
           "Status": "fixed",
@@ -224,6 +229,9 @@
           "VulnerabilityID": "CVE-2019-1551",
           "PkgID": "openssl@1.1.0k-1~deb9u1",
           "PkgName": "openssl",
+          "PkgIdentifier": {
+            "PURL": "pkg:deb/debian/openssl@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9"
+          },
           "InstalledVersion": "1.1.0k-1~deb9u1",
           "Status": "affected",
           "Layer": {
@@ -305,6 +313,9 @@
           ],
           "PkgID": "openssl@1.1.0k-1~deb9u1",
           "PkgName": "openssl",
+          "PkgIdentifier": {
+            "PURL": "pkg:deb/debian/openssl@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9"
+          },
           "InstalledVersion": "1.1.0k-1~deb9u1",
           "FixedVersion": "1.1.0l-1~deb9u1",
           "Status": "fixed",

integration/testdata/distroless-python27.json.golden

@@ -6,8 +6,7 @@
   "Metadata": {
     "OS": {
       "Family": "debian",
-      "Name": "9.9",
-      "EOSL": true
+      "Name": "9.9"
     },
     "ImageID": "sha256:6fcac2cc8a710f21577b5bbd534e0bfc841c0cca569b57182ba19054696cddda",
     "DiffIDs": [
@@ -73,6 +72,9 @@
           "VulnerabilityID": "CVE-2019-1551",
           "PkgID": "libssl1.1@1.1.0k-1~deb9u1",
           "PkgName": "libssl1.1",
+          "PkgIdentifier": {
+            "PURL": "pkg:deb/debian/libssl1.1@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9"
+          },
           "InstalledVersion": "1.1.0k-1~deb9u1",
           "Status": "affected",
           "Layer": {
@@ -154,6 +156,9 @@
           ],
           "PkgID": "libssl1.1@1.1.0k-1~deb9u1",
           "PkgName": "libssl1.1",
+          "PkgIdentifier": {
+            "PURL": "pkg:deb/debian/libssl1.1@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9"
+          },
           "InstalledVersion": "1.1.0k-1~deb9u1",
           "FixedVersion": "1.1.0l-1~deb9u1",
           "Status": "fixed",
@@ -241,6 +246,9 @@
           "VulnerabilityID": "CVE-2019-1551",
           "PkgID": "openssl@1.1.0k-1~deb9u1",
           "PkgName": "openssl",
+          "PkgIdentifier": {
+            "PURL": "pkg:deb/debian/openssl@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9"
+          },
           "InstalledVersion": "1.1.0k-1~deb9u1",
           "Status": "affected",
           "Layer": {
@@ -322,6 +330,9 @@
           ],
           "PkgID": "openssl@1.1.0k-1~deb9u1",
           "PkgName": "openssl",
+          "PkgIdentifier": {
+            "PURL": "pkg:deb/debian/openssl@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9"
+          },
           "InstalledVersion": "1.1.0k-1~deb9u1",
           "FixedVersion": "1.1.0l-1~deb9u1",
           "Status": "fixed",

integration/testdata/dotnet.json.golden

@@ -23,6 +23,9 @@
       "Packages": [
         {
           "Name": "Newtonsoft.Json",
+          "Identifier": {
+            "PURL": "pkg:nuget/Newtonsoft.Json@9.0.1"
+          },
           "Version": "9.0.1",
           "Layer": {},
           "Locations": [
@@ -37,6 +40,9 @@
         {
           "VulnerabilityID": "GHSA-5crp-9r3c-p9vr",
           "PkgName": "Newtonsoft.Json",
+          "PkgIdentifier": {
+            "PURL": "pkg:nuget/Newtonsoft.Json@9.0.1"
+          },
           "InstalledVersion": "9.0.1",
           "FixedVersion": "13.0.1",
           "Status": "fixed",

integration/testdata/fixtures/sbom/centos-7-cyclonedx.json

@@ -40,7 +40,9 @@
       "version": "4.2.46-31.el7",
       "licenses": [
         {
-          "expression": "GPLv3+"
+          "license": {
+            "name": "GPLv3+"
+          }
         }
       ],
       "purl": "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810",
@@ -78,7 +80,9 @@
       "version": "1.0.2k-16.el7",
       "licenses": [
         {
-          "expression": "OpenSSL"
+          "license": {
+            "name": "OpenSSL+"
+          }
         }
       ],
       "purl": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810",

integration/testdata/fixtures/sbom/fluentd-multiple-lockfiles-cyclonedx.json

@@ -126,7 +126,9 @@
       "version": "6.0.2.1",
       "licenses": [
         {
-          "expression": "MIT"
+          "license": {
+            "name": "MIT"
+          }
         }
       ],
       "purl": "pkg:gem/activesupport@6.0.2.1",

integration/testdata/fluentd-gems.json.golden

@@ -113,6 +113,9 @@
           ],
           "PkgID": "libidn2-0@2.0.5-1",
           "PkgName": "libidn2-0",
+          "PkgIdentifier": {
+            "PURL": "pkg:deb/debian/libidn2-0@2.0.5-1?arch=amd64\u0026distro=debian-10.2"
+          },
           "InstalledVersion": "2.0.5-1",
           "FixedVersion": "2.0.5-1+deb10u1",
           "Status": "fixed",
@@ -181,6 +184,9 @@
           "VulnerabilityID": "CVE-2020-8165",
           "PkgName": "activesupport",
           "PkgPath": "var/lib/gems/2.5.0/specifications/activesupport-6.0.2.1.gemspec",
+          "PkgIdentifier": {
+            "PURL": "pkg:gem/activesupport@6.0.2.1"
+          },
           "InstalledVersion": "6.0.2.1",
           "FixedVersion": "6.0.3.1, 5.2.4.3",
           "Status": "fixed",

integration/testdata/fluentd-multiple-lockfiles.cdx.json.golden

@@ -6,13 +6,16 @@
   "version": 1,
   "metadata": {
     "timestamp": "2021-08-25T12:20:30+00:00",
-    "tools": [
-      {
-        "vendor": "aquasecurity",
-        "name": "trivy",
-        "version": "dev"
-      }
-    ],
+    "tools": {
+      "components": [
+        {
+          "type": "application",
+          "group": "aquasecurity",
+          "name": "trivy",
+          "version": "dev"
+        }
+      ]
+    },
     "component": {
       "bom-ref": "3ff14136-e09f-4df9-80ea-000000000002",
       "type": "container",

integration/testdata/fluentd-multiple-lockfiles.json.golden

@@ -28,12 +28,15 @@
         {
           "VulnerabilityID": "CVE-2019-18276",
           "PkgName": "bash",
+          "PkgIdentifier": {
+            "PURL": "pkg:deb/debian/bash@5.0-4?distro=debian-10.2",
+            "BOMRef": "pkg:deb/debian/bash@5.0-4?distro=debian-10.2"
+          },
           "InstalledVersion": "5.0-4",
           "Status": "affected",
           "Layer": {},
           "SeveritySource": "debian",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18276",
-          "PkgRef": "pkg:deb/debian/bash@5.0-4?distro=debian-10.2",
           "DataSource": {
             "ID": "debian",
             "Name": "Debian Security Tracker",
@@ -88,13 +91,16 @@
             "DSA-4613-1"
           ],
           "PkgName": "libidn2-0",
+          "PkgIdentifier": {
+            "PURL": "pkg:deb/debian/libidn2-0@2.0.5-1?distro=debian-10.2",
+            "BOMRef": "pkg:deb/debian/libidn2-0@2.0.5-1?distro=debian-10.2"
+          },
           "InstalledVersion": "2.0.5-1",
           "FixedVersion": "2.0.5-1+deb10u1",
           "Status": "fixed",
           "Layer": {},
           "SeveritySource": "nvd",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18224",
-          "PkgRef": "pkg:deb/debian/libidn2-0@2.0.5-1?distro=debian-10.2",
           "DataSource": {
             "ID": "debian",
             "Name": "Debian Security Tracker",
@@ -154,13 +160,16 @@
           "VulnerabilityID": "CVE-2020-8165",
           "PkgName": "activesupport",
           "PkgPath": "var/lib/gems/2.5.0/specifications/activesupport-6.0.2.1.gemspec",
+          "PkgIdentifier": {
+            "PURL": "pkg:gem/activesupport@6.0.2.1",
+            "BOMRef": "pkg:gem/activesupport@6.0.2.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Factivesupport-6.0.2.1.gemspec"
+          },
           "InstalledVersion": "6.0.2.1",
           "FixedVersion": "6.0.3.1, 5.2.4.3",
           "Status": "fixed",
           "Layer": {},
           "SeveritySource": "ghsa",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8165",
-          "PkgRef": "pkg:gem/activesupport@6.0.2.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Factivesupport-6.0.2.1.gemspec",
           "DataSource": {
             "ID": "ghsa",
             "Name": "GitHub Security Advisory RubyGems",

integration/testdata/gomod-skip.json.golden

@@ -25,6 +25,9 @@
           "VulnerabilityID": "GMS-2022-20",
           "PkgID": "github.com/docker/distribution@v2.7.1+incompatible",
           "PkgName": "github.com/docker/distribution",
+          "PkgIdentifier": {
+            "PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible"
+          },
           "InstalledVersion": "2.7.1+incompatible",
           "FixedVersion": "v2.8.0",
           "Status": "fixed",
@@ -48,6 +51,9 @@
           "VulnerabilityID": "CVE-2022-23628",
           "PkgID": "github.com/open-policy-agent/opa@v0.35.0",
           "PkgName": "github.com/open-policy-agent/opa",
+          "PkgIdentifier": {
+            "PURL": "pkg:golang/github.com/open-policy-agent/opa@0.35.0"
+          },
           "InstalledVersion": "0.35.0",
           "FixedVersion": "0.37.0",
           "Status": "fixed",
@@ -91,6 +97,9 @@
           "VulnerabilityID": "CVE-2021-38561",
           "PkgID": "golang.org/x/text@v0.3.6",
           "PkgName": "golang.org/x/text",
+          "PkgIdentifier": {
+            "PURL": "pkg:golang/golang.org/x/text@0.3.6"
+          },
           "InstalledVersion": "0.3.6",
           "FixedVersion": "0.3.7",
           "Status": "fixed",
@@ -120,6 +129,9 @@
           "VulnerabilityID": "GMS-2022-20",
           "PkgID": "github.com/docker/distribution@v2.7.1+incompatible",
           "PkgName": "github.com/docker/distribution",
+          "PkgIdentifier": {
+            "PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible"
+          },
           "InstalledVersion": "2.7.1+incompatible",
           "FixedVersion": "v2.8.0",
           "Status": "fixed",

integration/testdata/gomod.json.golden

@@ -25,6 +25,9 @@
           "VulnerabilityID": "GMS-2022-20",
           "PkgID": "github.com/docker/distribution@v2.7.1+incompatible",
           "PkgName": "github.com/docker/distribution",
+          "PkgIdentifier": {
+            "PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible"
+          },
           "InstalledVersion": "2.7.1+incompatible",
           "FixedVersion": "v2.8.0",
           "Status": "fixed",
@@ -48,6 +51,9 @@
           "VulnerabilityID": "CVE-2022-23628",
           "PkgID": "github.com/open-policy-agent/opa@v0.35.0",
           "PkgName": "github.com/open-policy-agent/opa",
+          "PkgIdentifier": {
+            "PURL": "pkg:golang/github.com/open-policy-agent/opa@0.35.0"
+          },
           "InstalledVersion": "0.35.0",
           "FixedVersion": "0.37.0",
           "Status": "fixed",
@@ -91,6 +97,9 @@
           "VulnerabilityID": "CVE-2021-38561",
           "PkgID": "golang.org/x/text@v0.3.6",
           "PkgName": "golang.org/x/text",
+          "PkgIdentifier": {
+            "PURL": "pkg:golang/golang.org/x/text@0.3.6"
+          },
           "InstalledVersion": "0.3.6",
           "FixedVersion": "0.3.7",
           "Status": "fixed",
@@ -120,6 +129,9 @@
           "VulnerabilityID": "GMS-2022-20",
           "PkgID": "github.com/docker/distribution@v2.7.1+incompatible",
           "PkgName": "github.com/docker/distribution",
+          "PkgIdentifier": {
+            "PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible"
+          },
           "InstalledVersion": "2.7.1+incompatible",
           "FixedVersion": "v2.8.0",
           "Status": "fixed",
@@ -150,6 +162,9 @@
           "VulnerabilityID": "GMS-2022-20",
           "PkgID": "github.com/docker/distribution@v2.7.1+incompatible",
           "PkgName": "github.com/docker/distribution",
+          "PkgIdentifier": {
+            "PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible"
+          },
           "InstalledVersion": "2.7.1+incompatible",
           "FixedVersion": "v2.8.0",
           "Status": "fixed",

integration/testdata/gradle.json.golden

@@ -24,6 +24,9 @@
         {
           "VulnerabilityID": "CVE-2020-9548",
           "PkgName": "com.fasterxml.jackson.core:jackson-databind",
+          "PkgIdentifier": {
+            "PURL": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1"
+          },
           "InstalledVersion": "2.9.1",
           "FixedVersion": "2.9.10.4",
           "Status": "fixed",
@@ -85,6 +88,9 @@
         {
           "VulnerabilityID": "CVE-2021-20190",
           "PkgName": "com.fasterxml.jackson.core:jackson-databind",
+          "PkgIdentifier": {
+            "PURL": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1"
+          },
           "InstalledVersion": "2.9.1",
           "FixedVersion": "2.9.10.7",
           "Status": "fixed",

integration/testdata/helm.json.golden

@@ -21,8 +21,8 @@
       "Class": "config",
       "Type": "helm",
       "MisconfSummary": {
-        "Successes": 141,
-        "Failures": 15,
+        "Successes": 125,
+        "Failures": 14,
         "Exceptions": 0
       },
       "Misconfigurations": [
@@ -312,7 +312,7 @@
           "Namespace": "builtin.kubernetes.KSV014",
           "Query": "data.builtin.kubernetes.KSV014.deny",
           "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.",
-          "Severity": "LOW",
+          "Severity": "HIGH",
           "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014",
           "References": [
             "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/",
@@ -880,32 +880,6 @@
             }
           }
         },
-        {
-          "Type": "Helm Security Check",
-          "ID": "KSV116",
-          "AVDID": "AVD-KSV-0116",
-          "Title": "Runs with a root primary or supplementary GID",
-          "Description": "According to pod security standard 'Non-root groups', containers should be forbidden from running with a root primary or supplementary GID.",
-          "Message": "deployment nginx-deployment in default namespace should set spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0",
-          "Namespace": "builtin.kubernetes.KSV116",
-          "Query": "data.builtin.kubernetes.KSV116.deny",
-          "Resolution": "Set 'containers[].securityContext.runAsGroup' to a non-zero integer or leave undefined.",
-          "Severity": "LOW",
-          "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv116",
-          "References": [
-            "https://kubesec.io/basics/containers-securitycontext-runasuser/",
-            "https://avd.aquasec.com/misconfig/ksv116"
-          ],
-          "Status": "FAIL",
-          "Layer": {},
-          "CauseMetadata": {
-            "Provider": "Kubernetes",
-            "Service": "general",
-            "Code": {
-              "Lines": null
-            }
-          }
-        },
         {
           "Type": "Helm Security Check",
           "ID": "KSV117",

integration/testdata/helm_testchart.json.golden

@@ -21,8 +21,8 @@
       "Class": "config",
       "Type": "helm",
       "MisconfSummary": {
-        "Successes": 151,
-        "Failures": 5,
+        "Successes": 135,
+        "Failures": 4,
         "Exceptions": 0
       },
       "Misconfigurations": [
@@ -308,32 +308,6 @@
             }
           }
         },
-        {
-          "Type": "Helm Security Check",
-          "ID": "KSV116",
-          "AVDID": "AVD-KSV-0116",
-          "Title": "Runs with a root primary or supplementary GID",
-          "Description": "According to pod security standard 'Non-root groups', containers should be forbidden from running with a root primary or supplementary GID.",
-          "Message": "deployment testchart in default namespace should set spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0",
-          "Namespace": "builtin.kubernetes.KSV116",
-          "Query": "data.builtin.kubernetes.KSV116.deny",
-          "Resolution": "Set 'containers[].securityContext.runAsGroup' to a non-zero integer or leave undefined.",
-          "Severity": "LOW",
-          "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv116",
-          "References": [
-            "https://kubesec.io/basics/containers-securitycontext-runasuser/",
-            "https://avd.aquasec.com/misconfig/ksv116"
-          ],
-          "Status": "FAIL",
-          "Layer": {},
-          "CauseMetadata": {
-            "Provider": "Kubernetes",
-            "Service": "general",
-            "Code": {
-              "Lines": null
-            }
-          }
-        },
         {
           "Type": "Helm Security Check",
           "ID": "KSV117",
@@ -367,76 +341,20 @@
       "Class": "config",
       "Type": "helm",
       "MisconfSummary": {
-        "Successes": 155,
-        "Failures": 1,
+        "Successes": 106,
+        "Failures": 0,
         "Exceptions": 0
-      },
-      "Misconfigurations": [
-        {
-          "Type": "Helm Security Check",
-          "ID": "KSV116",
-          "AVDID": "AVD-KSV-0116",
-          "Title": "Runs with a root primary or supplementary GID",
-          "Description": "According to pod security standard 'Non-root groups', containers should be forbidden from running with a root primary or supplementary GID.",
-          "Message": "service testchart in default namespace should set spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0",
-          "Namespace": "builtin.kubernetes.KSV116",
-          "Query": "data.builtin.kubernetes.KSV116.deny",
-          "Resolution": "Set 'containers[].securityContext.runAsGroup' to a non-zero integer or leave undefined.",
-          "Severity": "LOW",
-          "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv116",
-          "References": [
-            "https://kubesec.io/basics/containers-securitycontext-runasuser/",
-            "https://avd.aquasec.com/misconfig/ksv116"
-          ],
-          "Status": "FAIL",
-          "Layer": {},
-          "CauseMetadata": {
-            "Provider": "Kubernetes",
-            "Service": "general",
-            "Code": {
-              "Lines": null
-            }
-          }
-        }
-      ]
+      }
     },
     {
       "Target": "templates/serviceaccount.yaml",
       "Class": "config",
       "Type": "helm",
       "MisconfSummary": {
-        "Successes": 155,
-        "Failures": 1,
+        "Successes": 105,
+        "Failures": 0,
         "Exceptions": 0
-      },
-      "Misconfigurations": [
-        {
-          "Type": "Helm Security Check",
-          "ID": "KSV116",
-          "AVDID": "AVD-KSV-0116",
-          "Title": "Runs with a root primary or supplementary GID",
-          "Description": "According to pod security standard 'Non-root groups', containers should be forbidden from running with a root primary or supplementary GID.",
-          "Message": "serviceaccount testchart in default namespace should set spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0",
-          "Namespace": "builtin.kubernetes.KSV116",
-          "Query": "data.builtin.kubernetes.KSV116.deny",
-          "Resolution": "Set 'containers[].securityContext.runAsGroup' to a non-zero integer or leave undefined.",
-          "Severity": "LOW",
-          "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv116",
-          "References": [
-            "https://kubesec.io/basics/containers-securitycontext-runasuser/",
-            "https://avd.aquasec.com/misconfig/ksv116"
-          ],
-          "Status": "FAIL",
-          "Layer": {},
-          "CauseMetadata": {
-            "Provider": "Kubernetes",
-            "Service": "general",
-            "Code": {
-              "Lines": null
-            }
-          }
-        }
-      ]
+      }
     }
   ]
 }

integration/testdata/helm_testchart.overridden.json.golden

@@ -21,8 +21,8 @@
       "Class": "config",
       "Type": "helm",
       "MisconfSummary": {
-        "Successes": 149,
-        "Failures": 7,
+        "Successes": 133,
+        "Failures": 6,
         "Exceptions": 0
       },
       "Misconfigurations": [
@@ -535,32 +535,6 @@
             }
           }
         },
-        {
-          "Type": "Helm Security Check",
-          "ID": "KSV116",
-          "AVDID": "AVD-KSV-0116",
-          "Title": "Runs with a root primary or supplementary GID",
-          "Description": "According to pod security standard 'Non-root groups', containers should be forbidden from running with a root primary or supplementary GID.",
-          "Message": "deployment testchart in default namespace should set spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0",
-          "Namespace": "builtin.kubernetes.KSV116",
-          "Query": "data.builtin.kubernetes.KSV116.deny",
-          "Resolution": "Set 'containers[].securityContext.runAsGroup' to a non-zero integer or leave undefined.",
-          "Severity": "LOW",
-          "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv116",
-          "References": [
-            "https://kubesec.io/basics/containers-securitycontext-runasuser/",
-            "https://avd.aquasec.com/misconfig/ksv116"
-          ],
-          "Status": "FAIL",
-          "Layer": {},
-          "CauseMetadata": {
-            "Provider": "Kubernetes",
-            "Service": "general",
-            "Code": {
-              "Lines": null
-            }
-          }
-        },
         {
           "Type": "Helm Security Check",
           "ID": "KSV117",
@@ -594,76 +568,20 @@
       "Class": "config",
       "Type": "helm",
       "MisconfSummary": {
-        "Successes": 155,
-        "Failures": 1,
+        "Successes": 106,
+        "Failures": 0,
         "Exceptions": 0
-      },
-      "Misconfigurations": [
-        {
-          "Type": "Helm Security Check",
-          "ID": "KSV116",
-          "AVDID": "AVD-KSV-0116",
-          "Title": "Runs with a root primary or supplementary GID",
-          "Description": "According to pod security standard 'Non-root groups', containers should be forbidden from running with a root primary or supplementary GID.",
-          "Message": "service testchart in default namespace should set spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0",
-          "Namespace": "builtin.kubernetes.KSV116",
-          "Query": "data.builtin.kubernetes.KSV116.deny",
-          "Resolution": "Set 'containers[].securityContext.runAsGroup' to a non-zero integer or leave undefined.",
-          "Severity": "LOW",
-          "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv116",
-          "References": [
-            "https://kubesec.io/basics/containers-securitycontext-runasuser/",
-            "https://avd.aquasec.com/misconfig/ksv116"
-          ],
-          "Status": "FAIL",
-          "Layer": {},
-          "CauseMetadata": {
-            "Provider": "Kubernetes",
-            "Service": "general",
-            "Code": {
-              "Lines": null
-            }
-          }
-        }
-      ]
+      }
     },
     {
       "Target": "templates/serviceaccount.yaml",
       "Class": "config",
       "Type": "helm",
       "MisconfSummary": {
-        "Successes": 155,
-        "Failures": 1,
+        "Successes": 105,
+        "Failures": 0,
         "Exceptions": 0
-      },
-      "Misconfigurations": [
-        {
-          "Type": "Helm Security Check",
-          "ID": "KSV116",
-          "AVDID": "AVD-KSV-0116",
-          "Title": "Runs with a root primary or supplementary GID",
-          "Description": "According to pod security standard 'Non-root groups', containers should be forbidden from running with a root primary or supplementary GID.",
-          "Message": "serviceaccount testchart in default namespace should set spec.securityContext.runAsGroup, spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup to integer greater than 0",
-          "Namespace": "builtin.kubernetes.KSV116",
-          "Query": "data.builtin.kubernetes.KSV116.deny",
-          "Resolution": "Set 'containers[].securityContext.runAsGroup' to a non-zero integer or leave undefined.",
-          "Severity": "LOW",
-          "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv116",
-          "References": [
-            "https://kubesec.io/basics/containers-securitycontext-runasuser/",
-            "https://avd.aquasec.com/misconfig/ksv116"
-          ],
-          "Status": "FAIL",
-          "Layer": {},
-          "CauseMetadata": {
-            "Provider": "Kubernetes",
-            "Service": "general",
-            "Code": {
-              "Lines": null
-            }
-          }
-        }
-      ]
+      }
     }
   ]
 }

integration/testdata/mariner-1.0.json.golden

@@ -41,6 +41,9 @@
         {
           "VulnerabilityID": "CVE-2022-0261",
           "PkgName": "vim",
+          "PkgIdentifier": {
+            "PURL": "pkg:cbl-mariner/vim@8.2.4081-1.cm1?arch=x86_64"
+          },
           "InstalledVersion": "8.2.4081-1.cm1",
           "Status": "affected",
           "Layer": {
@@ -74,6 +77,9 @@
         {
           "VulnerabilityID": "CVE-2022-0158",
           "PkgName": "vim",
+          "PkgIdentifier": {
+            "PURL": "pkg:cbl-mariner/vim@8.2.4081-1.cm1?arch=x86_64"
+          },
           "InstalledVersion": "8.2.4081-1.cm1",
           "FixedVersion": "8.2.4082-1.cm1",
           "Status": "fixed",