release: v0.54.0 [main] (#7075)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/DISCUSSION_TEMPLATE/bugs.yml

@@ -116,7 +116,7 @@ body:
       label: Checklist
       description: Have you tried the following?
       options:
-        - label: Run `trivy image --reset`
+        - label: Run `trivy clean --all`
         - label: Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)
   - type: markdown
     attributes:

.github/actions/trivy-triage/Makefile

@@ -0,0 +1,3 @@
+.PHONEY: test
+test: helpers.js helpers.test.js
+	node --test helpers.test.js

.github/actions/trivy-triage/action.yaml

@@ -0,0 +1,29 @@
+name: 'trivy-discussion-triage'
+description: 'automatic triage of Trivy discussions'
+inputs:
+  discussion_num:
+    description: 'Discussion number to triage'
+    required: false
+runs:
+  using: "composite"
+  steps:
+    - name: Conditionally label discussions based on category and content
+      env:
+        GH_TOKEN: ${{ github.token }}
+      uses: actions/github-script@v6
+      with:
+        script: |
+          const {detectDiscussionLabels, fetchDiscussion, labelDiscussion } = require('${{ github.action_path }}/helpers.js');
+          const config = require('${{ github.action_path }}/config.json');
+          discussionNum = parseInt(${{ inputs.discussion_num }});
+          let discussion;
+          if (discussionNum > 0) {
+              discussion = (await fetchDiscussion(github, context.repo.owner, context.repo.repo, discussionNum)).repository.discussion;
+          } else {
+              discussion = context.payload.discussion;
+          }
+          const labels = detectDiscussionLabels(discussion, config.discussionLabels);
+          if (labels.length > 0) {
+              console.log(`Adding labels ${labels} to discussion ${discussion.node_id}`);
+              labelDiscussion(github, discussion.node_id, labels);
+          }

.github/actions/trivy-triage/config.json

@@ -0,0 +1,14 @@
+{
+    "discussionLabels": {
+        "Container Image":"LA_kwDOCsUTCM75TTQU",
+        "Filesystem":"LA_kwDOCsUTCM75TTQX",
+        "Git Repository":"LA_kwDOCsUTCM75TTQk",
+        "Virtual Machine Image":"LA_kwDOCsUTCM8AAAABMpz1bw",
+        "Kubernetes":"LA_kwDOCsUTCM75TTQv",
+        "AWS":"LA_kwDOCsUTCM8AAAABMpz1aA",
+        "Vulnerability":"LA_kwDOCsUTCM75TTPa",
+        "Misconfiguration":"LA_kwDOCsUTCM75TTP8",
+        "License":"LA_kwDOCsUTCM77ztRR",
+        "Secret":"LA_kwDOCsUTCM75TTQL"
+    }
+}

.github/actions/trivy-triage/helpers.js

@@ -0,0 +1,70 @@
+module.exports = {
+    detectDiscussionLabels: (discussion, configDiscussionLabels) => {
+        res = [];
+        const discussionId = discussion.id;
+        const category = discussion.category.name;
+        const body = discussion.body;
+        if (category !== "Ideas") {
+            console.log(`skipping discussion with category ${category} and body ${body}`);
+            return [];
+        }
+        const scannerPattern = /### Scanner\n\n(.+)/;
+        const scannerFound = body.match(scannerPattern);
+        if (scannerFound && scannerFound.length > 1) {
+            res.push(configDiscussionLabels[scannerFound[1]]);
+        }
+        const targetPattern = /### Target\n\n(.+)/;
+        const targetFound = body.match(targetPattern);
+        if (targetFound && targetFound.length > 1) {
+            res.push(configDiscussionLabels[targetFound[1]]);
+        }
+        return res;
+    },
+    fetchDiscussion: async (github, owner, repo, discussionNum) => {
+        const query = `query Discussion ($owner: String!, $repo: String!, $discussion_num: Int!){
+            repository(name: $repo, owner: $owner) {
+                discussion(number: $discussion_num) {
+                    number,
+                    id,
+                    body,
+                    category {
+                        id,
+                        name
+                    },
+                    labels(first: 100) {
+                        edges {
+                            node {
+                                id,
+                                name
+                            }
+                        }
+                    }
+                }
+            }
+        }`;
+        const vars = {
+            owner: owner,
+            repo: repo,
+            discussion_num: discussionNum
+        };
+        return github.graphql(query, vars);
+    },
+    labelDiscussion: async (github, discussionId, labelIds) => {
+        const query = `mutation AddLabels($labelId: ID!, $labelableId:ID!) {
+            addLabelsToLabelable(
+                input: {labelIds: [$labelId], labelableId: $labelableId}
+            ) {
+                clientMutationId
+            }
+        }`;
+        // TODO: add all labels in one call
+        labelIds.forEach((labelId) => {
+            const vars = {
+                labelId: labelId,
+                labelableId: discussionId
+            };
+            github.graphql(query, vars);
+        });
+    }
+};
+

.github/actions/trivy-triage/helpers.test.js

@@ -0,0 +1,87 @@
+const assert = require('node:assert/strict');
+const { describe, it } = require('node:test');
+const {detectDiscussionLabels} = require('./helpers.js');
+
+const configDiscussionLabels = {
+  "Container Image":"ContainerImageLabel",
+  "Filesystem":"FilesystemLabel",
+  "Vulnerability":"VulnerabilityLabel",
+  "Misconfiguration":"MisconfigurationLabel",
+};
+
+describe('trivy-triage', async function() {
+  describe('detectDiscussionLabels', async function() {
+    it('detect scanner label', async function() {
+      const discussion = {
+        body: 'hello hello\nbla bla.\n### Scanner\n\nVulnerability\n### Target\n\nContainer Image\nbye bye.', 
+        category: {
+          name: 'Ideas'
+        }
+      };
+      const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
+      assert(labels.includes('VulnerabilityLabel'));
+    });
+    it('detect target label', async function() {
+      const discussion = {
+        body: 'hello hello\nbla bla.\n### Scanner\n\nVulnerability\n### Target\n\nContainer Image\nbye bye.', 
+        category: {
+          name: 'Ideas'
+        }
+      };
+      const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
+      assert(labels.includes('ContainerImageLabel'));
+    });
+    it('detect label when it is first', async function() {
+      const discussion = {
+        body: '### Scanner\n\nVulnerability\n### Target\n\nContainer Image\nbye bye.', 
+        category: {
+          name: 'Ideas'
+        }
+      };
+      const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
+      assert(labels.includes('ContainerImageLabel'));
+    });
+    it('detect label when it is last', async function() {
+      const discussion = {
+        body: '### Scanner\n\nVulnerability\n### Target\n\nContainer Image', 
+        category: {
+          name: 'Ideas'
+        }
+      };
+      const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
+      assert(labels.includes('ContainerImageLabel'));
+    });
+    it('detect scanner and target labels', async function() {
+      const discussion = {
+        body: 'hello hello\nbla bla.\n### Scanner\n\nVulnerability\n### Target\n\nContainer Image\nbye bye.', 
+        category: {
+          name: 'Ideas'
+        }
+      };
+      const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
+      assert(labels.includes('ContainerImageLabel'));
+      assert(labels.includes('VulnerabilityLabel'));
+    });
+    it('not detect other labels', async function() {
+      const discussion = {
+        body: 'hello hello\nbla bla.\n### Scanner\n\nVulnerability\n### Target\n\nContainer Image\nbye bye.', 
+        category: {
+          name: 'Ideas'
+        }
+      };
+      const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
+      assert(!labels.includes('FilesystemLabel'));
+      assert(!labels.includes('MisconfigurationLabel'));
+    });
+    it('process only relevant categories', async function() {
+      const discussion = {
+        body: 'hello world', 
+        category: {
+          name: 'Announcements'
+        }
+      };
+      const labels = detectDiscussionLabels(discussion, configDiscussionLabels);
+      assert(labels.length === 0);
+    });
+  });
+});

.github/actions/trivy-triage/testutils/discussion-payload-sample.json

@@ -0,0 +1,65 @@
+{
+    "active_lock_reason": null,
+    "answer_chosen_at": null,
+    "answer_chosen_by": null,
+    "answer_html_url": null,
+    "author_association": "OWNER",
+    "body": "### Description\n\nlfdjs lfkdj dflsakjfd ';djk \r\nfadfd \r\nasdlkf \r\na;df \r\ndfsal;kfd ;akjl\n\n### Target\n\nContainer Image\n\n### Scanner\n\nMisconfiguration",
+    "category": {
+      "created_at": "2023-07-02T10:14:46.000+03:00",
+      "description": "Share ideas for new features",
+      "emoji": ":bulb:",
+      "id": 39743708,
+      "is_answerable": false,
+      "name": "Ideas",
+      "node_id": "DIC_kwDOE0GiPM4CXnDc",
+      "repository_id": 323068476,
+      "slug": "ideas",
+      "updated_at": "2023-07-02T10:14:46.000+03:00"
+    },
+    "comments": 0,
+    "created_at": "2023-09-11T08:40:11Z",
+    "html_url": "https://github.com/itaysk/testactions/discussions/9",
+    "id": 5614504,
+    "locked": false,
+    "node_id": "D_kwDOE0GiPM4AVauo",
+    "number": 9,
+    "reactions": {
+      "+1": 0,
+      "-1": 0,
+      "confused": 0,
+      "eyes": 0,
+      "heart": 0,
+      "hooray": 0,
+      "laugh": 0,
+      "rocket": 0,
+      "total_count": 0,
+      "url": "https://api.github.com/repos/itaysk/testactions/discussions/9/reactions"
+    },
+    "repository_url": "https://api.github.com/repos/itaysk/testactions",
+    "state": "open",
+    "state_reason": null,
+    "timeline_url": "https://api.github.com/repos/itaysk/testactions/discussions/9/timeline",
+    "title": "Title title",
+    "updated_at": "2023-09-11T08:40:11Z",
+    "user": {
+      "avatar_url": "https://avatars.githubusercontent.com/u/1161307?v=4",
+      "events_url": "https://api.github.com/users/itaysk/events{/privacy}",
+      "followers_url": "https://api.github.com/users/itaysk/followers",
+      "following_url": "https://api.github.com/users/itaysk/following{/other_user}",
+      "gists_url": "https://api.github.com/users/itaysk/gists{/gist_id}",
+      "gravatar_id": "",
+      "html_url": "https://github.com/itaysk",
+      "id": 1161307,
+      "login": "itaysk",
+      "node_id": "MDQ6VXNlcjExNjEzMDc=",
+      "organizations_url": "https://api.github.com/users/itaysk/orgs",
+      "received_events_url": "https://api.github.com/users/itaysk/received_events",
+      "repos_url": "https://api.github.com/users/itaysk/repos",
+      "site_admin": false,
+      "starred_url": "https://api.github.com/users/itaysk/starred{/owner}{/repo}",
+      "subscriptions_url": "https://api.github.com/users/itaysk/subscriptions",
+      "type": "User",
+      "url": "https://api.github.com/users/itaysk"
+    }
+}

.github/actions/trivy-triage/testutils/fetchDiscussion.sh

@@ -0,0 +1,29 @@
+#! /bin/bash
+# fetch discussion by discussion number
+# requires authenticated gh cli, assumes repo but current git repository
+# args:
+#   $1: discussion number, e.g 123, required
+
+discussion_num="$1"
+gh api graphql -F discussion_num="$discussion_num" -F repo="{repo}" -F owner="{owner}" -f query='
+    query Discussion ($owner: String!, $repo: String!, $discussion_num: Int!){
+    repository(name: $repo, owner: $owner) {
+        discussion(number: $discussion_num) {
+        number,
+        id,
+        body,
+        category {
+            id,
+            name
+        },
+        labels(first: 100) {
+            edges {
+            node {
+                id,
+                name
+            }
+            }
+        }
+        }
+    }
+    }'

.github/actions/trivy-triage/testutils/fetchLabels.sh

@@ -0,0 +1,16 @@
+#! /bin/bash
+# fetch labels and their IDs
+# requires authenticated gh cli, assumes repo but current git repository
+
+gh api graphql -F repo="{repo}" -F owner="{owner}" -f query='
+    query GetLabelIds($owner: String!, $repo: String!) {
+    repository(name: $repo, owner: $owner) {
+        id
+        labels(first: 100) {
+        nodes {
+            id
+            name
+        }
+        }
+    }
+    }'

.github/actions/trivy-triage/testutils/labelDiscussion.sh

@@ -0,0 +1,16 @@
+#! /bin/bash
+# add a label to a discussion
+# requires authenticated gh cli, assumes repo but current git repository
+# args:
+#   $1: discussion ID (not number!), e.g DIC_kwDOE0GiPM4CXnDc, required
+#   $2: label ID, e.g. MDU6TGFiZWwzNjIzNjY0MjQ=, required
+discussion_id="$1"
+label_id="$2"
+gh api graphql -F labelableId="$discussion_id" -F labelId="$label_id" -F repo="{repo}" -F owner="{owner}" -f query='
+        mutation AddLabels($labelId: ID!, $labelableId:ID!) {
+            addLabelsToLabelable(
+                input: {labelIds: [$labelId], labelableId: $labelableId}
+            ) {
+                clientMutationId
+            }
+        }'

.github/dependabot.yml

@@ -21,6 +21,8 @@ updates:
     directory: /
     schedule:
       interval: weekly
+    ignore:
+      - dependency-name: "github.com/aquasecurity/trivy-*" ## `trivy-*` dependencies are updated manually
     groups:
       aws:
         patterns:
@@ -33,5 +35,7 @@ updates:
         patterns:
           - "github.com/testcontainers/*"
       common:
+        exclude-patterns:
+          - "github.com/aquasecurity/trivy-*"
         patterns:
           - "*"

.github/workflows/backport.yaml

@@ -0,0 +1,58 @@
+name: Automatic Backporting
+
+on:
+  issue_comment:
+    types: [created]
+
+jobs:
+  check_permission:
+    name: Check comment author permissions
+    runs-on: ubuntu-latest
+    outputs:
+      is_maintainer: ${{ steps.check_permission.outputs.is_maintainer }}
+    steps:
+      - name: Check permission
+        id: check_permission
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          PERMISSION=$(gh api /repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission --jq '.permission')
+          if [ "$PERMISSION" == "admin" ] || [ "$PERMISSION" == "write" ]; then
+           echo "is_maintainer=true" >> $GITHUB_OUTPUT
+          else
+           echo "is_maintainer=false" >> $GITHUB_OUTPUT
+          fi
+  
+
+  backport:
+    name: Backport PR
+    needs: check_permission # run this job after checking permissions
+    if: |
+      needs.check_permission.outputs.is_maintainer == 'true' &&      
+      github.event.issue.pull_request &&
+      github.event.issue.pull_request.merged_at != null &&
+      startsWith(github.event.comment.body, '@aqua-bot backport release/')
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Extract branch name
+        run: |
+          BRANCH_NAME=$(echo ${{ github.event.comment.body }} | grep -oE '@aqua-bot backport\s+(\S+)' | awk '{print $3}')
+          echo "BRANCH_NAME=$BRANCH_NAME" >> $GITHUB_ENV
+
+      - name: Set up Git user
+        run: |
+          git config --global user.email "actions@github.com"
+          git config --global user.name "GitHub Actions"
+
+      - name: Run backport script
+        run: ./misc/backport/backport.sh ${{ env.BRANCH_NAME }} ${{ github.event.issue.number }}
+        env:
+          # Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
+          # This allows the created PR to trigger tests and other workflows
+          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}

.github/workflows/bypass-test.yaml

@@ -8,12 +8,14 @@ on:
       - 'docs/**'
       - 'mkdocs.yml'
       - 'LICENSE'
+      - '.release-please-manifest.json'
   pull_request:
     paths:
       - '**.md'
       - 'docs/**'
       - 'mkdocs.yml'
       - 'LICENSE'
+      - '.release-please-manifest.json'
 jobs:
   test:
     name: Test

.github/workflows/release-please.yaml

@@ -50,12 +50,13 @@ jobs:
         run: |
           echo "version=$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT
           echo "pr_number=$( echo "${{ github.event.head_commit.message }}" | sed 's/.*(\#\([0-9]\+\)).*$/\1/' )" >> $GITHUB_OUTPUT
+          echo "release_branch=release/v$( echo "${{ github.event.head_commit.message }}" | sed 's/^release: v\([0-9]\+\.[0-9]\+\).*$/\1/' )" >> $GITHUB_OUTPUT
 
       - name: Tag release
         if: ${{ steps.extract_info.outputs.version }}
         uses: actions/github-script@v7
         with:
-          github-token: ${{ secrets.ORG_REPO_TOKEN }}
+          github-token: ${{ secrets.ORG_REPO_TOKEN }} # To trigger another workflow
           script: |
             await github.rest.git.createRef({
               owner: context.repo.owner,
@@ -64,6 +65,32 @@ jobs:
               sha: context.sha
             });
 
+      # When v0.50.0 is released, a release branch "release/v0.50" is created.
+      - name: Create release branch for patch versions
+        if: ${{ endsWith(steps.extract_info.outputs.version, '.0') }}
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }} # Should not trigger the workflow again
+          script: |
+            const releaseBranch = '${{ steps.extract_info.outputs.release_branch }}';
+            await github.rest.git.createRef({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              ref: `refs/heads/${releaseBranch}`,
+              sha: context.sha
+            });
+      
+
+      # Add release branch to rulesets to enable merge queue
+      - name: Add release branch to rulesets
+        if: ${{ endsWith(steps.extract_info.outputs.version, '.0') }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+        shell: bash
+        run: |
+          RULESET_ID=$(gh api /repos/${{ github.repository }}/rulesets --jq '.[] | select(.name=="release") | .id')
+          gh api /repos/${{ github.repository }}/rulesets/$RULESET_ID | jq '{conditions}' | jq '.conditions.ref_name.include += ["refs/heads/${{ steps.extract_info.outputs.release_branch }}"]' | gh api --method put --input - /repos/${{ github.repository }}/rulesets/$RULESET_ID
+
       # Since skip-github-release is specified, googleapis/release-please-action doesn't delete the label from PR.
       # This label prevents the subsequent PRs from being created. Therefore, we need to delete it ourselves.
       # cf. https://github.com/googleapis/release-please?tab=readme-ov-file#release-please-bot-does-not-create-a-release-pr-why
@@ -71,7 +98,7 @@ jobs:
         if: ${{ steps.extract_info.outputs.pr_number }}
         uses: actions/github-script@v7
         with:
-          github-token: ${{ secrets.ORG_REPO_TOKEN }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
             const prNumber = parseInt('${{ steps.extract_info.outputs.pr_number }}', 10);
             github.rest.issues.removeLabel({

.github/workflows/reusable-release.yaml

@@ -19,7 +19,7 @@ env:
 jobs:
   release:
     name: Release
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-m
     env:
       DOCKER_CLI_EXPERIMENTAL: "enabled"
     permissions:
@@ -27,15 +27,6 @@ jobs:
       packages: write # For GHCR
       contents: read  # Not required for public repositories, but for clarity
     steps:
-      - name: Maximize build space
-        uses: easimon/maximize-build-space@v10
-        with:
-          root-reserve-mb: 32768 # The Go cache (`~/.cache/go-build` and `~/go/pkg`) requires a lot of storage space.
-          remove-android: 'true'
-          remove-docker-images: 'true'
-          remove-dotnet: 'true'
-          remove-haskell: 'true'
-
       - name: Cosign install
         uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20
 
@@ -98,9 +89,9 @@ jobs:
           mkdir tmp    
 
       - name: GoReleaser
-        uses: goreleaser/goreleaser-action@v5
+        uses: goreleaser/goreleaser-action@v6
         with:
-          version: v1.20.0
+          version: v2.1.0
           args: release -f=${{ inputs.goreleaser_config}} ${{ inputs.goreleaser_options}}
         env:
           GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
@@ -117,7 +108,7 @@ jobs:
       # because GoReleaser Free doesn't support pushing images with the `--snapshot` flag.
       - name: Build and push
         if: ${{ inputs.goreleaser_config == 'goreleaser-canary.yml' }}
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           platforms: linux/amd64, linux/arm64
           file: ./Dockerfile.canary # path to Dockerfile

.github/workflows/roadmap.yaml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # 'kind/feature' AND 'priority/backlog' labels -> 'Backlog' column
-      - uses: actions/add-to-project@v1.0.1 # add new issue to project
+      - uses: actions/add-to-project@v1.0.2 # add new issue to project
         with:
           project-url: https://github.com/orgs/aquasecurity/projects/25
           github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
@@ -28,7 +28,7 @@ jobs:
           field-values: Backlog
 
       # 'kind/feature' AND 'priority/important-longterm' labels -> 'Important (long-term)' column
-      - uses: actions/add-to-project@v1.0.1 # add new issue to project
+      - uses: actions/add-to-project@v1.0.2 # add new issue to project
         with:
           project-url: https://github.com/orgs/aquasecurity/projects/25
           github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
@@ -45,7 +45,7 @@ jobs:
           field-values: Important (long-term)
 
       # 'kind/feature' AND 'priority/important-soon' labels -> 'Important (soon)' column
-      - uses: actions/add-to-project@v1.0.1 # add new issue to project
+      - uses: actions/add-to-project@v1.0.2 # add new issue to project
         with:
           project-url: https://github.com/orgs/aquasecurity/projects/25
           github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
@@ -62,7 +62,7 @@ jobs:
           field-values: Important (soon)
 
       # 'kind/feature' AND 'priority/critical-urgent' labels -> 'Urgent' column
-      - uses: actions/add-to-project@v1.0.1 # add new issue to project
+      - uses: actions/add-to-project@v1.0.2 # add new issue to project
         with:
           project-url: https://github.com/orgs/aquasecurity/projects/25
           github-token: ${{ secrets.ORG_PROJECT_TOKEN }}

.github/workflows/semantic-pr.yaml

@@ -29,7 +29,6 @@ jobs:
             chore
             revert
             release
-            BREAKING
 
           scopes: |
             vuln

.github/workflows/test.yaml

@@ -6,6 +6,7 @@ on:
       - 'docs/**'
       - 'mkdocs.yml'
       - 'LICENSE'
+      - '.release-please-manifest.json' ## don't run tests for release-please PRs
   merge_group:
 env:
   GO_VERSION: '1.22'
@@ -17,16 +18,6 @@ jobs:
       matrix:
         operating-system: [ubuntu-latest, windows-latest, macos-latest]
     steps:
-      - name: Maximize build space
-        uses: easimon/maximize-build-space@v10
-        with:
-          root-reserve-mb: 32768 # The golangci-lint uses a lot of space.
-          remove-android: "true"
-          remove-docker-images: "true"
-          remove-dotnet: "true"
-          remove-haskell: "true"
-        if: matrix.operating-system == 'ubuntu-latest'
-
       - uses: actions/checkout@v4.1.6
 
       - name: Set up Go
@@ -46,7 +37,7 @@ jobs:
         id: lint
         uses: golangci/golangci-lint-action@v6.0.1
         with:
-          version: v1.58
+          version: v1.59
           args: --verbose --out-format=line-number
         if: matrix.operating-system == 'ubuntu-latest'
 
@@ -98,15 +89,6 @@ jobs:
     name: K8s Integration Test
     runs-on: ubuntu-latest
     steps:
-      - name: Maximize build space
-        uses: easimon/maximize-build-space@v10
-        with:
-          root-reserve-mb: 32768 # The Go cache (`~/.cache/go-build` and `~/go/pkg`) requires a lot of storage space.
-          remove-android: "true"
-          remove-docker-images: "true"
-          remove-dotnet: "true"
-          remove-haskell: "true"
-
       - name: Check out code into the Go module directory
         uses: actions/checkout@v4.1.6
 
@@ -149,15 +131,6 @@ jobs:
     name: VM Integration Test
     runs-on: ubuntu-latest
     steps:
-      - name: Maximize build space
-        uses: easimon/maximize-build-space@v10
-        with:
-          root-reserve-mb: 32768 # The Go cache (`~/.cache/go-build` and `~/go/pkg`) requires a lot of storage space.
-          remove-android: 'true'
-          remove-docker-images: 'true'
-          remove-dotnet: 'true'
-          remove-haskell: 'true'
-
       - name: Checkout
         uses: actions/checkout@v4.1.6
 
@@ -182,16 +155,6 @@ jobs:
     env:
       DOCKER_CLI_EXPERIMENTAL: "enabled"
     steps:
-    - name: Maximize build space
-      uses: easimon/maximize-build-space@v10
-      with:
-        root-reserve-mb: 32768 # The Go cache (`~/.cache/go-build` and `~/go/pkg`) requires a lot of storage space.
-        remove-android: 'true'
-        remove-docker-images: 'true'
-        remove-dotnet: 'true'
-        remove-haskell: 'true'
-      if: matrix.operating-system == 'ubuntu-latest'
-
     - name: Checkout
       uses: actions/checkout@v4.1.6
 
@@ -213,7 +176,7 @@ jobs:
         fi
 
     - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@v5
+      uses: goreleaser/goreleaser-action@v6
       with:
-        version: v1.20.0
+        version: v2.1.0
         args: build --snapshot --clean --timeout 90m ${{ steps.goreleaser_id.outputs.id }}

.github/workflows/triage.yaml

@@ -0,0 +1,16 @@
+name: Triage Discussion
+on:
+  discussion:
+    types: [created]
+  workflow_dispatch:
+    inputs:
+      discussion_num:
+        required: true
+jobs:
+  label:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/trivy-triage
+        with:
+          discussion_num: ${{ github.event.inputs.discussion_num }}

.golangci.yaml

@@ -1,4 +1,14 @@
 linters-settings:
+  depguard:
+    rules:
+      main:
+        list-mode: lax
+        deny:
+          # Cannot use gomodguard, which examines go.mod, as "golang.org/x/exp/slices" is not a module and doesn't appear in go.mod.
+          - pkg: "golang.org/x/exp/slices"
+            desc: "Use 'slices' instead"
+          - pkg: "golang.org/x/exp/maps"
+            desc: "Use 'maps' or 'github.com/samber/lo' instead"
   dupl:
     threshold: 100
   errcheck:
@@ -74,13 +84,11 @@ linters-settings:
     ignore-generated-header: true
   testifylint:
     enable-all: true
-    disable:
-      - float-compare
-
 linters:
   disable-all: true
   enable:
     - bodyclose
+    - depguard
     - gci
     - goconst
     - gocritic

.release-please-manifest.json

@@ -1 +1 @@
-{".":"0.52.0"}
+{".":"0.54.0"}

.vex/oci.openvex.json

@@ -0,0 +1,145 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "https://openvex.dev/docs/public/vex-8e30ed756ae8e4196af93bf43edf68360f396a98c0268787453a3443b26e7d6c",
+  "author": "Aqua Security",
+  "timestamp": "2024-07-10T12:17:44.60495+04:00",
+  "version": 1,
+  "statements": [
+    {
+      "vulnerability": {
+        "name": "CVE-2023-42363"
+      },
+      "products": [
+        {
+          "@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_cannot_be_controlled_by_adversary",
+      "impact_statement": "awk is not used"
+    },
+    {
+      "vulnerability": {
+        "name": "CVE-2023-42364"
+      },
+      "products": [
+        {
+          "@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_cannot_be_controlled_by_adversary",
+      "impact_statement": "awk is not used"
+    },
+    {
+      "vulnerability": {
+        "name": "CVE-2023-42365"
+      },
+      "products": [
+        {
+          "@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_cannot_be_controlled_by_adversary",
+      "impact_statement": "awk is not used"
+    },
+    {
+      "vulnerability": {
+        "name": "CVE-2023-42366"
+      },
+      "products": [
+        {
+          "@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_cannot_be_controlled_by_adversary",
+      "impact_statement": "awk is not used"
+    }
+  ]
+}

.vex/trivy.openvex.json

@@ -0,0 +1,458 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "aquasecurity/trivy:613fd55abbc2857b5ca28b07a26f3cd4c8b0ddc4c8a97c57497a2d4c4880d7fc",
+  "author": "Aqua Security",
+  "timestamp": "2024-07-09T11:38:00.115697+04:00",
+  "version": 1,
+  "tooling": "https://github.com/aquasecurity/trivy/tree/main/magefiles/vex.go",
+  "statements": [
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-2575",
+        "name": "GO-2024-2575",
+        "description": "Helm's Missing YAML Content Leads To Panic in helm.sh/helm/v3",
+        "aliases": [
+          "CVE-2024-26147",
+          "GHSA-r53h-jv2g-vpx6"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/helm.sh/helm/v3",
+              "identifiers": {
+                "purl": "pkg:golang/helm.sh/helm/v3"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2023-1765",
+        "name": "GO-2023-1765",
+        "description": "Leaked shared secret and weak blinding in github.com/cloudflare/circl",
+        "aliases": [
+          "CVE-2023-1732",
+          "GHSA-2q89-485c-9j2x"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/cloudflare/circl",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/cloudflare/circl"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-2512",
+        "name": "GO-2024-2512",
+        "description": "Classic builder cache poisoning in github.com/docker/docker",
+        "aliases": [
+          "CVE-2024-24557",
+          "GHSA-xw73-rw38-6vjc"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/docker/docker",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/docker/docker"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-2453",
+        "name": "GO-2024-2453",
+        "description": "Timing side channel in github.com/cloudflare/circl",
+        "aliases": [
+          "GHSA-9763-4f94-gfch"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/cloudflare/circl",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/cloudflare/circl"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2023-2048",
+        "name": "GO-2023-2048",
+        "description": "Paths outside of the rootfs could be produced on Windows in github.com/cyphar/filepath-securejoin",
+        "aliases": [
+          "GHSA-6xv5-86q9-7xr8"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/cyphar/filepath-securejoin",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/cyphar/filepath-securejoin"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-2497",
+        "name": "GO-2024-2497",
+        "description": "Privilege escalation in github.com/moby/buildkit",
+        "aliases": [
+          "CVE-2024-23653",
+          "GHSA-wr6v-9f75-vh2g"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/moby/buildkit",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/moby/buildkit"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2023-2102",
+        "name": "GO-2023-2102",
+        "description": "HTTP/2 rapid reset can cause excessive work in net/http",
+        "aliases": [
+          "CVE-2023-39325",
+          "GHSA-4374-p667-p6c8"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/golang.org/x/net",
+              "identifiers": {
+                "purl": "pkg:golang/golang.org/x/net"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-2493",
+        "name": "GO-2024-2493",
+        "description": "Host system file access in github.com/moby/buildkit",
+        "aliases": [
+          "CVE-2024-23651",
+          "GHSA-m3r6-h7wv-7xxv"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/moby/buildkit",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/moby/buildkit"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-2491",
+        "name": "GO-2024-2491",
+        "description": "Container breakout through process.cwd trickery and leaked fds in github.com/opencontainers/runc",
+        "aliases": [
+          "CVE-2024-21626",
+          "GHSA-xr7r-f8xq-vfvv"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/opencontainers/runc",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/opencontainers/runc"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-2494",
+        "name": "GO-2024-2494",
+        "description": "Host system modification in github.com/moby/buildkit",
+        "aliases": [
+          "CVE-2024-23652",
+          "GHSA-4v98-7qmw-rqr8"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/moby/buildkit",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/moby/buildkit"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2023-2412",
+        "name": "GO-2023-2412",
+        "description": "RAPL accessibility in github.com/containerd/containerd",
+        "aliases": [
+          "GHSA-7ww5-4wqc-m92c"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/containerd/containerd",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/containerd/containerd"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2023-1988",
+        "name": "GO-2023-1988",
+        "description": "Improper rendering of text nodes in golang.org/x/net/html",
+        "aliases": [
+          "CVE-2023-3978",
+          "GHSA-2wrh-6pvc-2jm9"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/golang.org/x/net",
+              "identifiers": {
+                "purl": "pkg:golang/golang.org/x/net"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-2492",
+        "name": "GO-2024-2492",
+        "description": "Panic in github.com/moby/buildkit",
+        "aliases": [
+          "CVE-2024-23650",
+          "GHSA-9p26-698r-w4hx"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/moby/buildkit",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/moby/buildkit"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2022-0646",
+        "name": "GO-2022-0646",
+        "description": "Use of risky cryptographic algorithm in github.com/aws/aws-sdk-go",
+        "aliases": [
+          "CVE-2020-8911",
+          "CVE-2020-8912",
+          "GHSA-7f33-f4f5-xwgw",
+          "GHSA-f5pg-7wfw-84q9"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/aws/aws-sdk-go",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/aws/aws-sdk-go"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2023-2153",
+        "name": "GO-2023-2153",
+        "description": "Denial of service from HTTP/2 Rapid Reset in google.golang.org/grpc",
+        "aliases": [
+          "GHSA-m425-mq94-257g"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/google.golang.org/grpc",
+              "identifiers": {
+                "purl": "pkg:golang/google.golang.org/grpc"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    }
+  ]
+}

CHANGELOG.md

@@ -1,5 +1,104 @@
 # Changelog
 
+## [0.54.0](https://github.com/aquasecurity/trivy/compare/v0.53.0...v0.54.0) (2024-07-30)
+
+
+### Features
+
+* add `log.FilePath()` function for logger ([#7080](https://github.com/aquasecurity/trivy/issues/7080)) ([1f5f348](https://github.com/aquasecurity/trivy/commit/1f5f34895823fae81bf521fc939bee743a50e304))
+* add openSUSE tumbleweed detection and scanning ([#6965](https://github.com/aquasecurity/trivy/issues/6965)) ([17b5dbf](https://github.com/aquasecurity/trivy/commit/17b5dbfa12180414b87859c6c46bfe6cc5ecf7ba))
+* **cli:** rename `--vuln-type` flag to `--pkg-types` flag ([#7104](https://github.com/aquasecurity/trivy/issues/7104)) ([7cbdb0a](https://github.com/aquasecurity/trivy/commit/7cbdb0a0b5dff33e506e1c1f3119951fa241b432))
+* **mariner:** Add support for Azure Linux ([#7186](https://github.com/aquasecurity/trivy/issues/7186)) ([5cbc452](https://github.com/aquasecurity/trivy/commit/5cbc452a09822d1bf300ead88f0d613d4cf0349a))
+* **misconf:** enabled China configuration for ACRs ([#7156](https://github.com/aquasecurity/trivy/issues/7156)) ([d1ec89d](https://github.com/aquasecurity/trivy/commit/d1ec89d1db4b039f0e31076ccd1ca969fb15628e))
+* **nodejs:** add license parser to pnpm analyser ([#7036](https://github.com/aquasecurity/trivy/issues/7036)) ([03ac93d](https://github.com/aquasecurity/trivy/commit/03ac93dc208f1b40896f3fa11fa1d45293176dca))
+* **sbom:** add image labels into `SPDX` and `CycloneDX` reports ([#7257](https://github.com/aquasecurity/trivy/issues/7257)) ([4a2f492](https://github.com/aquasecurity/trivy/commit/4a2f492c6e685ff577fb96a7006cd0c43755baf4))
+* **sbom:** add vulnerability support for SPDX formats ([#7213](https://github.com/aquasecurity/trivy/issues/7213)) ([efb1f69](https://github.com/aquasecurity/trivy/commit/efb1f6938321eec3529ef4fea6608261f6771ae0))
+* share build-in rules ([#7207](https://github.com/aquasecurity/trivy/issues/7207)) ([bff317c](https://github.com/aquasecurity/trivy/commit/bff317c77bf4a5f615a80d9875d129213bd52f6d))
+* **vex:** retrieve VEX attestations from OCI registries ([#7249](https://github.com/aquasecurity/trivy/issues/7249)) ([c2fd2e0](https://github.com/aquasecurity/trivy/commit/c2fd2e0d89567a0ccd996dda8790f3c3305ea6f7))
+* **vex:** VEX Repository support ([#7206](https://github.com/aquasecurity/trivy/issues/7206)) ([88ba460](https://github.com/aquasecurity/trivy/commit/88ba46047c93e6046292523ae701de774dfdc4dc))
+* **vuln:** add `--pkg-relationships` ([#7237](https://github.com/aquasecurity/trivy/issues/7237)) ([5c37361](https://github.com/aquasecurity/trivy/commit/5c37361600d922db27dd594b2a80c010a19b3a6e))
+
+
+### Bug Fixes
+
+* Add dependencyManagement exclusions to the child exclusions ([#6969](https://github.com/aquasecurity/trivy/issues/6969)) ([dc68a66](https://github.com/aquasecurity/trivy/commit/dc68a662a701980d6529f61a65006f1e4728a3e5))
+* add missing platform and type to spec ([#7149](https://github.com/aquasecurity/trivy/issues/7149)) ([c8a7abd](https://github.com/aquasecurity/trivy/commit/c8a7abd3b508975fcf10c254d13d1a2cd42da657))
+* **cli:** error on missing config file ([#7154](https://github.com/aquasecurity/trivy/issues/7154)) ([7fa5e7d](https://github.com/aquasecurity/trivy/commit/7fa5e7d0ab67f20d434b2922725988695e32e6af))
+* close file when failed to open gzip ([#7164](https://github.com/aquasecurity/trivy/issues/7164)) ([2a577a7](https://github.com/aquasecurity/trivy/commit/2a577a7bae37e5731dceaea8740683573b6b70a5))
+* **dotnet:** don't include non-runtime libraries into report for `*.deps.json` files ([#7039](https://github.com/aquasecurity/trivy/issues/7039)) ([5bc662b](https://github.com/aquasecurity/trivy/commit/5bc662be9a8f072599f90abfd3b400c8ab055ed6))
+* **dotnet:** show `nuget package dir not found` log only when checking `nuget` packages ([#7194](https://github.com/aquasecurity/trivy/issues/7194)) ([d76feba](https://github.com/aquasecurity/trivy/commit/d76febaee107c645e864da0f4d74a8f6ae4ad232))
+* ignore nodes when listing permission is not allowed ([#7107](https://github.com/aquasecurity/trivy/issues/7107)) ([25f8143](https://github.com/aquasecurity/trivy/commit/25f8143f120965c636c5ea8386398b211b082398))
+* **java:** avoid panic if deps from `pom` in `it` dir are not found ([#7245](https://github.com/aquasecurity/trivy/issues/7245)) ([4e54a7e](https://github.com/aquasecurity/trivy/commit/4e54a7e84c33c1be80c52c6db78c634bc3911715))
+* **java:** use `go-mvn-version` to remove `Package` duplicates ([#7088](https://github.com/aquasecurity/trivy/issues/7088)) ([a7a304d](https://github.com/aquasecurity/trivy/commit/a7a304d53e1ce230f881c28c4f35885774cf3b9a))
+* **misconf:** do not evaluate TF when a load error occurs ([#7109](https://github.com/aquasecurity/trivy/issues/7109)) ([f27c236](https://github.com/aquasecurity/trivy/commit/f27c236d6e155cb366aeef619b6ea96d20fb93da))
+* **nodejs:** detect direct dependencies when using `latest` version for files `yarn.lock` + `package.json` ([#7110](https://github.com/aquasecurity/trivy/issues/7110)) ([54bb8bd](https://github.com/aquasecurity/trivy/commit/54bb8bdfb934d114b5570005853bf4bc0d40c609))
+* **report:** hide empty table when all secrets/license/misconfigs are ignored ([#7171](https://github.com/aquasecurity/trivy/issues/7171)) ([c3036de](https://github.com/aquasecurity/trivy/commit/c3036de6d7719323d306a9666ccc8d928d936f9a))
+* **secret:** skip regular strings contain secret patterns ([#7182](https://github.com/aquasecurity/trivy/issues/7182)) ([174b1e3](https://github.com/aquasecurity/trivy/commit/174b1e3515a6394cf8d523216d6267c1aefb820a))
+* **secret:** trim excessively long lines ([#7192](https://github.com/aquasecurity/trivy/issues/7192)) ([92b13be](https://github.com/aquasecurity/trivy/commit/92b13be668bd20f8e9dac2f0cb8e5a2708b9b3b5))
+* **secret:** update length of `hugging-face-access-token` ([#7216](https://github.com/aquasecurity/trivy/issues/7216)) ([8c87194](https://github.com/aquasecurity/trivy/commit/8c87194f0a6b194bc5d340c8a65bd99a3132d973))
+* **server:** pass license categories to options ([#7203](https://github.com/aquasecurity/trivy/issues/7203)) ([9d52018](https://github.com/aquasecurity/trivy/commit/9d5201808da89607ae43570bdf1f335b482a6b79))
+
+
+### Performance Improvements
+
+* **debian:** use `bytes.Index` in `emptyLineSplit` to cut allocation ([#7065](https://github.com/aquasecurity/trivy/issues/7065)) ([acbec05](https://github.com/aquasecurity/trivy/commit/acbec053c985388a26d899e73b4b7f5a6d1fa210))
+
+## [0.53.0](https://github.com/aquasecurity/trivy/compare/v0.52.0...v0.53.0) (2024-07-01)
+
+
+### ⚠ BREAKING CHANGES
+
+* **k8s:** node-collector dynamic commands support ([#6861](https://github.com/aquasecurity/trivy/issues/6861))
+* add clean subcommand ([#6993](https://github.com/aquasecurity/trivy/issues/6993))
+* **aws:** Remove aws subcommand ([#6995](https://github.com/aquasecurity/trivy/issues/6995))
+
+### Features
+
+* add clean subcommand ([#6993](https://github.com/aquasecurity/trivy/issues/6993)) ([8d0ae1f](https://github.com/aquasecurity/trivy/commit/8d0ae1f5de72d92a043dcd6b7c164d30e51b6047))
+* Add local ImageID to SARIF metadata ([#6522](https://github.com/aquasecurity/trivy/issues/6522)) ([f144e91](https://github.com/aquasecurity/trivy/commit/f144e912d34234f00b5a13b7a11a0019fa978b27))
+* add memory cache backend ([#7048](https://github.com/aquasecurity/trivy/issues/7048)) ([55ccd06](https://github.com/aquasecurity/trivy/commit/55ccd06df43f6ff28685f46d215ccb70f55916d2))
+* **aws:** Remove aws subcommand ([#6995](https://github.com/aquasecurity/trivy/issues/6995)) ([979e118](https://github.com/aquasecurity/trivy/commit/979e118a9e0ca8943bef9143f492d7eb1fd4d863))
+* **conda:** add licenses support for `environment.yml` files ([#6953](https://github.com/aquasecurity/trivy/issues/6953)) ([654217a](https://github.com/aquasecurity/trivy/commit/654217a65485ca0a07771ea61071977894eb4920))
+* **dart:** use first version of constraint for dependencies using SDK version ([#6239](https://github.com/aquasecurity/trivy/issues/6239)) ([042d6b0](https://github.com/aquasecurity/trivy/commit/042d6b08c283105c258a3dda98983b345a5305c3))
+* **image:** Set User-Agent header for Trivy container registry requests ([#6868](https://github.com/aquasecurity/trivy/issues/6868)) ([9b31697](https://github.com/aquasecurity/trivy/commit/9b31697274c8743d6e5a8f7a1a05daf60cd15910))
+* **java:** add support for `maven-metadata.xml` files for remote snapshot repositories. ([#6950](https://github.com/aquasecurity/trivy/issues/6950)) ([1f8fca1](https://github.com/aquasecurity/trivy/commit/1f8fca1fc77b989bb4e3ba820b297464dbdd825f))
+* **java:** add support for sbt projects using sbt-dependency-lock ([#6882](https://github.com/aquasecurity/trivy/issues/6882)) ([f18d035](https://github.com/aquasecurity/trivy/commit/f18d035ae13b281c96aa4ed69ca32e507d336e66))
+* **k8s:** node-collector dynamic commands support ([#6861](https://github.com/aquasecurity/trivy/issues/6861)) ([8d618e4](https://github.com/aquasecurity/trivy/commit/8d618e48a2f1b60c2e4c49cdd9deb8eb45c972b0))
+* **misconf:** add metadata to Cloud schema ([#6831](https://github.com/aquasecurity/trivy/issues/6831)) ([02d5404](https://github.com/aquasecurity/trivy/commit/02d540478d495416b50d7e8b187ff9f5bba41f45))
+* **misconf:** add support for AWS::EC2::SecurityGroupIngress/Egress ([#6755](https://github.com/aquasecurity/trivy/issues/6755)) ([55fa610](https://github.com/aquasecurity/trivy/commit/55fa6109cd0463fd3221aae41ca7b1d8c44ad430))
+* **misconf:** API Gateway V1 support for CloudFormation ([#6874](https://github.com/aquasecurity/trivy/issues/6874)) ([8491469](https://github.com/aquasecurity/trivy/commit/8491469f0b35bd9df706a433669f5b62239d4ef3))
+* **misconf:** support of selectors for all providers for Rego ([#6905](https://github.com/aquasecurity/trivy/issues/6905)) ([bc3741a](https://github.com/aquasecurity/trivy/commit/bc3741ae2c68cdd00fc0aef7e51985568b2eb78a))
+* **php:** add installed.json file support ([#4865](https://github.com/aquasecurity/trivy/issues/4865)) ([edc556b](https://github.com/aquasecurity/trivy/commit/edc556b85e3554c31e19b1ece189effb9ba2be12))
+* **plugin:** add support for nested archives ([#6845](https://github.com/aquasecurity/trivy/issues/6845)) ([622c67b](https://github.com/aquasecurity/trivy/commit/622c67b7647f94d0a0ca3acf711d8f847cdd8d98))
+* **sbom:** migrate to `CycloneDX v1.6` ([#6903](https://github.com/aquasecurity/trivy/issues/6903)) ([09e50ce](https://github.com/aquasecurity/trivy/commit/09e50ce6a82073ba62f1732d5aa0cd2701578693))
+
+
+### Bug Fixes
+
+* **c:** don't skip conan files from `file-patterns` and scan `.conan2` cache dir ([#6949](https://github.com/aquasecurity/trivy/issues/6949)) ([38b35dd](https://github.com/aquasecurity/trivy/commit/38b35dd3c804027e7a6e6a9d3c87b7ac333896c5))
+* **cli:** show info message only when --scanners is available ([#7032](https://github.com/aquasecurity/trivy/issues/7032)) ([e9fc3e3](https://github.com/aquasecurity/trivy/commit/e9fc3e3397564512038ddeca2adce0efcb3f93c5))
+* **cyclonedx:** trim non-URL info for `advisory.url` ([#6952](https://github.com/aquasecurity/trivy/issues/6952)) ([417212e](https://github.com/aquasecurity/trivy/commit/417212e0930aa52a27ebdc1b9370d2943ce0f8fa))
+* **debian:** take installed files from the origin layer ([#6849](https://github.com/aquasecurity/trivy/issues/6849)) ([089b953](https://github.com/aquasecurity/trivy/commit/089b953462260f01c40bdf588b2568ae0ef658bc))
+* **image:** parse `image.inspect.Created` field only for non-empty values ([#6948](https://github.com/aquasecurity/trivy/issues/6948)) ([0af5730](https://github.com/aquasecurity/trivy/commit/0af5730cbe56686417389c2fad643c1bdbb33999))
+* **license:** return license separation using separators  `,`, `or`, etc. ([#6916](https://github.com/aquasecurity/trivy/issues/6916)) ([52f7aa5](https://github.com/aquasecurity/trivy/commit/52f7aa54b520a90a19736703f8ea63cc20fab104))
+* **misconf:** fix caching of modules in subdirectories ([#6814](https://github.com/aquasecurity/trivy/issues/6814)) ([0bcfedb](https://github.com/aquasecurity/trivy/commit/0bcfedbcaa9bbe30ee5ecade5b98e9ce3cc54c9b))
+* **misconf:** fix parsing of engine links and frameworks ([#6937](https://github.com/aquasecurity/trivy/issues/6937)) ([ec68c9a](https://github.com/aquasecurity/trivy/commit/ec68c9ab4580d057720179173d58734402c92af4))
+* **misconf:** handle source prefix to ignore ([#6945](https://github.com/aquasecurity/trivy/issues/6945)) ([c3192f0](https://github.com/aquasecurity/trivy/commit/c3192f061d7e84eaf38df8df7c879dc00b4ca137))
+* **misconf:** parsing numbers without fraction as int ([#6834](https://github.com/aquasecurity/trivy/issues/6834)) ([8141a13](https://github.com/aquasecurity/trivy/commit/8141a137ba50b553a9da877d95c7ccb491d041c6))
+* **nodejs:** fix infinite loop when package link from `package-lock.json` file is broken ([#6858](https://github.com/aquasecurity/trivy/issues/6858)) ([cf5aa33](https://github.com/aquasecurity/trivy/commit/cf5aa336e660e4c98481ebf8d15dd4e54c38581e))
+* **nodejs:** fix infinity loops for `pnpm` with cyclic imports ([#6857](https://github.com/aquasecurity/trivy/issues/6857)) ([7d083bc](https://github.com/aquasecurity/trivy/commit/7d083bc890eccc3bf32765c6d7e922cab2e2ef94))
+* **plugin:** respect `--insecure` ([#7022](https://github.com/aquasecurity/trivy/issues/7022)) ([3d02a31](https://github.com/aquasecurity/trivy/commit/3d02a31b44924f9e2495aae087f7ca9de3314db4))
+* **purl:** add missed os types ([#6955](https://github.com/aquasecurity/trivy/issues/6955)) ([2d85a00](https://github.com/aquasecurity/trivy/commit/2d85a003b22298d1101f84559f7c6b470f2b3909))
+* **python:** compare pkg names from `poetry.lock` and `pyproject.toml` in lowercase ([#6852](https://github.com/aquasecurity/trivy/issues/6852)) ([faa9d92](https://github.com/aquasecurity/trivy/commit/faa9d92cfeb8d924deda2dac583b6c97099c08d9))
+* **sbom:** don't overwrite `srcEpoch` when decoding SBOM files ([#6866](https://github.com/aquasecurity/trivy/issues/6866)) ([04af59c](https://github.com/aquasecurity/trivy/commit/04af59c2906bcfc7f7970b4e8f45a90f04313170))
+* **sbom:** fix panic when scanning SBOM file without root component into SBOM format ([#7051](https://github.com/aquasecurity/trivy/issues/7051)) ([3d4ae8b](https://github.com/aquasecurity/trivy/commit/3d4ae8b5be94cd9b00badeece8d86c2258b2cd90))
+* **sbom:** take pkg name from `purl` for maven pkgs ([#7008](https://github.com/aquasecurity/trivy/issues/7008)) ([a76e328](https://github.com/aquasecurity/trivy/commit/a76e3286c413de3dec55394fb41dd627dfee37ae))
+* **sbom:** use `purl` for `bitnami` pkg names ([#6982](https://github.com/aquasecurity/trivy/issues/6982)) ([7eabb92](https://github.com/aquasecurity/trivy/commit/7eabb92ec2e617300433445718be07ac74956454))
+* **sbom:** use package UIDs for uniqueness ([#7042](https://github.com/aquasecurity/trivy/issues/7042)) ([14d71ba](https://github.com/aquasecurity/trivy/commit/14d71ba63c39e51dd4179ba2d6002b46e1816e90))
+* **secret:** `Asymmetric Private Key` shouldn't start with space ([#6867](https://github.com/aquasecurity/trivy/issues/6867)) ([bb26445](https://github.com/aquasecurity/trivy/commit/bb26445e3df198df77930329f532ac5ab7a67af2))
+* **suse:** Add SLES 15.6 and Leap 15.6 ([#6964](https://github.com/aquasecurity/trivy/issues/6964)) ([5ee4e9d](https://github.com/aquasecurity/trivy/commit/5ee4e9d30ea814f60fd5705361cabf2e83a47a78))
+* use embedded when command path not found ([#7037](https://github.com/aquasecurity/trivy/issues/7037)) ([137c916](https://github.com/aquasecurity/trivy/commit/137c9164238ffd989a0c5ed24f23a55bbf341f6e))
+
 ## [0.52.0](https://github.com/aquasecurity/trivy/compare/v0.51.1...v0.52.0) (2024-06-03)
 
 

docs/community/contribute/pr.md

@@ -1,7 +1,6 @@
 Thank you for taking interest in contributing to Trivy!
 
-1. Every Pull Request should have an associated bug or feature issue unless you are fixing a trivial documentation issue.
-1. Please add the associated Issue link in the PR description.
+1. Every Pull Request should have an associated GitHub issue link in the PR description. Note that issues are created by Trivy maintainers based on feedback provided in a GitHub discussion. Please refer to the [issue](./issue.md) and [discussion](./discussion.md) pages for explanation about this process. If you think your change is trivial enough, you can skip the issue and instead add justification and explanation in the PR description.
 1. Your PR is more likely to be accepted if it focuses on just one change.
 1. There's no need to add or tag reviewers.
 1. If a reviewer commented on your code or asked for changes, please remember to respond with comment. Do not mark discussion as resolved. It's up to reviewer to mark it resolved (in case if suggested fix addresses problem properly). PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
@@ -122,7 +121,7 @@ os:
 - redhat
 - alma
 - rocky
-- mariner
+- azure
 - oracle
 - debian
 - ubuntu
@@ -185,12 +184,20 @@ others:
 
 The `<scope>` can be empty (e.g. if the change is a global or difficult to assign to a single component), in which case the parentheses are omitted.
 
+**Breaking changes**
+
+A PR, introducing a breaking API change, needs to append a `!` after the type/scope.
+
 ### Example titles
 
 ```
 feat(alma): add support for AlmaLinux
 ```
 
+```
+feat(vuln)!: delete the existing CLI flag
+```
+
 ```
 fix(oracle): handle advisories with ksplice versions
 ```

docs/community/maintainer/backporting.md

@@ -0,0 +1,59 @@
+# Backporting Process
+
+This document outlines the backporting process for Trivy, including when to create patch releases and how to perform the backporting.
+
+## When to Create Patch Releases
+
+In general, small changes should not be backported and should be included in the next minor release.
+However, patch releases should be made in the following cases:
+
+* Fixes for HIGH or CRITICAL vulnerabilities in Trivy itself or Trivy's dependencies
+* Fixes for bugs that cause panic during Trivy execution or otherwise interfere with normal usage
+
+In these cases, the fixes should be backported using the procedure [described below](#backporting-procedure).
+At the maintainer's discretion, other bug fixes may be included in the patch release containing these hotfixes.
+
+## Versioning
+
+Trivy follows [Semantic Versioning](https://semver.org/), using version numbers in the format MAJOR.MINOR.PATCH.
+When creating a patch release, the PATCH part of the version number is incremented.
+For example, if a fix is being distributed for v0.50.0, the patch release would be v0.50.1.
+
+## Backporting Procedure
+
+1. A release branch (e.g., `release/v0.50`) is automatically created when a new minor version is released.
+1. Create a pull request (PR) against the main branch with the necessary fixes. If the fixes are already merged into the main branch, skip this step.
+1. Once the PR with the fixes is merged, comment `@aqua-bot backport <release-branch>` on the PR (e.g., `@aqua-bot backport release/v0.50`). This will trigger the automated backporting process using GitHub Actions.
+1. The automated process will create a new PR with the backported changes. Ensure that all tests pass for this PR.
+1. Once the tests pass, merge the automatically created PR into the release branch.
+1. Merge [a release PR](release-flow.md) on the release branch and release the patch version.
+
+!!! note
+    Even if a conflict occurs, a PR is created by forceful commit, in which case the conflict should be resolved manually.
+    If you want to re-run a backport of the same PR, close the existing PR, delete the branch and re-run it.
+
+### Example
+To better understand the backporting procedure, let's walk through an example using the releases of v0.50.
+
+```mermaid
+gitGraph:
+  commit id:"Feature 1"
+  commit id:"v0.50.0 release" tag:"v0.50.0"
+
+  branch "release/v0.50"
+  
+  checkout main
+  commit id:"Bugfix 1"
+
+  checkout "release/v0.50"
+  cherry-pick id:"Bugfix 1"
+
+  checkout main
+  commit id:"Feature 2"
+  commit id:"Bugfix 2"
+  commit id:"Feature 3"
+
+  checkout "release/v0.50"
+  cherry-pick id:"Bugfix 2"
+  commit id:"v0.50.1 release" tag:"v0.50.1"
+```

docs/community/maintainer/release-flow.md

@@ -16,9 +16,10 @@ For detailed behavior, please refer to [the GitHub Actions configuration][workfl
 The release flow consists of the following main steps:
 
 1. Creating the release PR (automatically or manually)
-1. Drafting the release notes
+1. Drafting the release notes in GitHub Discussions
 1. Merging the release PR
-1. Updating the release notes
+1. Updating the release notes in GitHub Discussions
+1. Navigating to the release notes in GitHub Releases page
 
 ### Automatic Release PR Creation
 When a releasable commit (a commit with `feat` or `fix` prefix) is merged, a release PR is automatically created.
@@ -57,6 +58,23 @@ When the PR is merged, a tag is automatically created, and [GoReleaser][goreleas
 If the release completes without errors, a page for the release notes is created in GitHub Discussions (e.g., https://github.com/aquasecurity/trivy/discussions/6622).
 Copy the draft release notes, adjust the formatting, and finalize the release notes.
 
+### Navigating to the Release Notes
+To navigate to the release highlights and summary in GitHub Discussions, place a link in the GitHub Releases page as below:
+
+```
+## ⚡Release highlights and summary⚡
+
+👉 https://github.com/aquasecurity/trivy/discussions/6838
+
+## Changelog
+https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0520-2024-06-03
+```
+
+Replace URLs with appropriate ones.
+
+Example: https://github.com/aquasecurity/trivy/releases/tag/v0.52.0
+
+
 The release is now complete.
 
 [conventional-commits]: https://www.conventionalcommits.org/en/v1.0.0/

docs/docs/compliance/compliance.md

@@ -35,9 +35,231 @@ to specify a built-in compliance report, select it by ID like `trivy --complianc
 For the list of built-in compliance reports, please see the relevant section:
 
 - [Docker compliance](../target/container_image.md#compliance)
-- [Kubernetes compliance](../target/kubernetes.md#compliance) 
+- [Kubernetes compliance](../target/kubernetes.md#compliance)
 - [AWS compliance](../target/aws.md#compliance)
 
+## Contribute a Built-in Compliance Report
+
+### Define a Compliance spec, based on CIS benchmark or other specs
+
+Here is an example for CIS compliance report:
+
+```yaml
+---
+spec:
+  id: k8s-cis-1.23
+  title: CIS Kubernetes Benchmarks v1.23
+  description: CIS Kubernetes Benchmarks
+  platform: k8s
+  type: cis
+  version: '1.23'
+  relatedResources:
+  - https://www.cisecurity.org/benchmark/kubernetes
+  controls:
+  - id: 1.1.1
+    name: Ensure that the API server pod specification file permissions are set to
+      600 or more restrictive
+    description: Ensure that the API server pod specification file has permissions
+      of 600 or more restrictive
+    checks:
+    - id: AVD-KCV-0073
+    commands:
+    - id: CMD-0001
+    severity: HIGH
+
+```
+
+### Compliance ID
+
+ID field is the name used to execute the compliance scan via trivy
+example:
+
+```sh
+trivy k8s --compliance k8s-cis-1.23
+```
+
+ID naming convention: {platform}-{type}-{version}
+
+### Compliance Platform
+
+The platform field specifies the type of platform on which to run this compliance report.
+Supported platforms:
+
+- k8s (native kubernetes cluster)
+- eks (elastic kubernetes service)
+- aks (azure kubernetes service)
+- gke (google kubernetes engine)
+- rke2 (rancher kubernetes engine v2)
+- ocp (OpenShift Container Platform)
+- docker (docker engine)
+- aws (amazon web services)
+
+### Compliance Type
+
+The type field specifies the kind compliance report.
+
+- cis (Center for Internet Security)
+- nsa (National Security Agency)
+- pss (Pod Security Standards)
+
+### Compliance Version
+
+The version field specifies the version of the compliance report.
+
+- 1.23
+
+### Compliance Check ID
+
+Specify the check ID that needs to be evaluated based on the information collected from the command data output to assess the control.
+
+Example of how to define check data under [checks folder](https://github.com/aquasecurity/trivy-checks/tree/main/checks):
+
+```sh
+# METADATA
+# title: "Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive"
+# description: "Ensure that the kubelet.conf file has permissions of 600 or more restrictive."
+# scope: package
+# schemas:
+# - input: schema["kubernetes"]
+# related_resources:
+# - https://www.cisecurity.org/benchmark/kubernetes
+# custom:
+#   id: KCV0073
+#   avd_id: AVD-KCV-0073
+#   severity: HIGH
+#   short_code: ensure-kubelet.conf-file-permissions-600-or-more-restrictive.
+#   recommended_action: "Change the kubelet.conf file permissions to 600 or more restrictive if exist"
+#   input:
+#     selector:
+#     - type: kubernetes
+package builtin.kubernetes.KCV0073
+
+import data.lib.kubernetes
+
+types := ["master", "worker"]
+
+validate_kubelet_file_permission(sp) := {"kubeletConfFilePermissions": violation} {
+ sp.kind == "NodeInfo"
+ sp.type == types[_]
+ violation := {permission | permission = sp.info.kubeletConfFilePermissions.values[_]; permission > 600}
+ count(violation) > 0
+}
+
+deny[res] {
+ output := validate_kubelet_file_permission(input)
+ msg := "Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive"
+ res := result.new(msg, output)
+}
+```
+
+### Compliance Command ID
+
+***Note:*** This field is not mandatory, it is relevant to k8s compliance report when node-collector is in use
+
+Specify the command ID (#ref) that needs to be executed to collect the information required to evaluate the control.
+
+Example of how to define command data under [commands folder](https://github.com/aquasecurity/trivy-checks/tree/main/commands)
+
+```yaml
+---
+- id: CMD-0001
+  key: kubeletConfFilePermissions
+  title: kubelet.conf file permissions
+  nodeType: worker
+  audit: stat -c %a $kubelet.kubeconfig
+  platfroms:
+    - k8s
+    - aks
+```
+
+#### Command ID
+
+Find the next command ID by running the command on [trivy-checks project](https://github.com/aquasecurity/trivy-checks).
+
+```sh
+make command-id
+```
+
+#### Command Key
+
+- Re-use an existing key or specifiy a new one (make sure key name has no spaces)
+
+Note: The key value should match the key name evaluated by the Rego check.
+
+### Command Title
+
+Represent the purpose of the command
+
+### Command NodeType
+
+Specify the node type on which the command is supposed to run.
+
+- worker
+- master
+
+### Command Audit
+
+Specify here the shell command to be used please make sure to add error supression (2>/dev/null)
+
+### Command Platforms
+
+The list of platforms that support this command. Name should be taken from this list [Platforms](#compliance-platform)
+
+### Command Config Files
+
+The commands use a configuration file that helps obtain the paths to binaries and configuration files based on different platforms (e.g., Rancher, native Kubernetes, etc.).
+
+For example:
+
+```yaml
+kubelet:
+    bins:
+      - kubelet
+      - hyperkube kubelet
+    confs:
+      - /etc/kubernetes/kubelet-config.yaml
+      - /var/lib/kubelet/config.yaml
+```
+
+### Commands Files Location
+
+Currently checks files location are :`https://github.com/aquasecurity/trivy-checks/tree/main/checks`
+
+Command files location: `https://github.com/aquasecurity/trivy-checks/tree/main/commands`
+under command file
+
+Note: command config files will be located under `https://github.com/aquasecurity/trivy-checks/tree/main/commands` as well
+
+### Node-collector output
+
+The node collector will read commands and execute each command, and incorporate the output into the NodeInfo resource.
+
+example:
+
+```json
+{
+  "apiVersion": "v1",
+  "kind": "NodeInfo",
+  "metadata": {
+    "creationTimestamp": "2023-01-04T11:37:11+02:00"
+  },
+  "type": "master",
+  "info": {
+    "adminConfFileOwnership": {
+      "values": [
+        "root:root"
+      ]
+    },
+    "adminConfFilePermissions": {
+      "values": [
+        600
+      ]
+    }
+    ...
+  }
+}
+```
+
 ## Custom compliance
 
 You can create your own custom compliance report. A compliance report is a simple YAML document in the following format:

docs/docs/configuration/cache.md

@@ -1,60 +1,90 @@
 # Cache
 The cache directory includes 
 
+- Cache of previous scans (Scan cache).
 - [Vulnerability Database][trivy-db][^1]
 - [Java Index Database][trivy-java-db][^2]
 - [Misconfiguration Checks][misconf-checks][^3]
-- Cache of previous scans.
+- [VEX Repositories](../supply-chain/vex/repo.md)
  
 The cache option is common to all scanners.
 
 ## Clear Caches
-The `--clear-cache` option removes caches.
+`trivy clean` subcommand removes caches.
 
-**The scan is not performed.**
-
-```
-$ trivy image --clear-cache
+```bash
+$ trivy clean --scan-cache
 ```
 
 <details>
 <summary>Result</summary>
 
 ```
-2019-11-15T15:13:26.209+0200    INFO    Reopening vulnerability DB
-2019-11-15T15:13:26.209+0200    INFO    Removing image caches...
+2024-06-21T21:58:21+04:00       INFO    Removing scan cache...
 ```
 
 </details>
 
+If you want to delete cached vulnerability databases, use `--vuln-db`.
+You can also delete all caches with `--all`.
+See `trivy clean --help` for details.
+
 ## Cache Directory
 Specify where the cache is stored with `--cache-dir`.
 
-```
+```bash
 $ trivy --cache-dir /tmp/trivy/ image python:3.4-alpine3.9
 ```
 
-## Cache Backend
+## Scan Cache Backend
 !!! warning "EXPERIMENTAL"
     This feature might change without preserving backwards compatibility.
 
-Trivy supports local filesystem and Redis as the cache backend. This option is useful especially for client/server mode.
+Trivy utilizes a scan cache to store analysis results, such as package lists.
+It supports three types of backends for this cache: 
 
-Two options:
-
-- `fs`
-    - the cache path can be specified by `--cache-dir`
-- `redis://`
+- Local File System (`fs`)
+    - The cache path can be specified by `--cache-dir`
+- Memory (`memory`)
+- Redis (`redis://`)
     - `redis://[HOST]:[PORT]`
     - TTL can be configured via `--cache-ttl`
 
+### Local File System
+The local file system backend is the default choice for container and VM image scans.
+When scanning container images, it stores analysis results on a per-layer basis, using layer IDs as keys.
+This approach enables faster scans of the same container image or different images that share layers.
+
+!!! note
+    Internally, this backend uses [BoltDB][boltdb], which has an important limitation: only one process can access the cache at a time.
+    Subsequent processes attempting to access the cache will be locked.
+    For more details on this limitation, refer to the [troubleshooting guide][parallel-run].
+
+### Memory
+The memory backend stores analysis results in memory, which means the cache is discarded when the process ends.
+This makes it useful in scenarios where caching is not required or desired.
+It serves as the default for repository, filesystem and SBOM scans and can also be employed for container image scans when caching is unnecessary.
+
+To use the memory backend for a container image scan, you can use the following command:
+
+```bash
+$ trivy image debian:11 --cache-backend memory
 ```
+
+### Redis
+
+The Redis backend is particularly useful when you need to share the cache across multiple Trivy instances.
+You can set up Trivy to use a Redis backend with a command like this:
+
+```bash
 $ trivy server --cache-backend redis://localhost:6379
 ```
 
+This approach allows for centralized caching, which can be beneficial in distributed or high-concurrency environments.
+
 If you want to use TLS with Redis, you can enable it by specifying the `--redis-tls` flag.
 
-```shell
+```bash
 $ trivy server --cache-backend redis://localhost:6379 --redis-tls
 ```
 
@@ -71,6 +101,8 @@ $ trivy server --cache-backend redis://localhost:6379 \
 [trivy-db]: ./db.md#vulnerability-database
 [trivy-java-db]: ./db.md#java-index-database
 [misconf-checks]: ../scanner/misconfiguration/check/builtin.md
+[boltdb]: https://github.com/etcd-io/bbolt
+[parallel-run]: https://aquasecurity.github.io/trivy/v0.52/docs/references/troubleshooting/#running-in-parallel-takes-same-time-as-series-run
 
 [^1]: Downloaded when scanning for vulnerabilities
 [^2]: Downloaded when scanning `jar/war/par/ear` files

docs/docs/configuration/db.md

@@ -78,8 +78,10 @@ $ trivy image --java-db-repository registry.gitlab.com/gitlab-org/security-produ
     `java-db-registry:latest` => `java-db-registry:latest`, but `java-db-registry` => `java-db-registry:1`.
 
 ## Remove DBs
-The `--reset` flag removes all caches and databases.
+"trivy clean" command removes caches and databases.
 
 ```
-$ trivy image --reset
+$ trivy clean --vuln-db --java-db
+2024-06-24T11:42:31+06:00       INFO    Removing vulnerability database...
+2024-06-24T11:42:31+06:00       INFO    Removing Java database...
 ```

docs/docs/configuration/filtering.md

@@ -493,7 +493,7 @@ You can find more example checks [here](https://github.com/aquasecurity/trivy/tr
 |      Secret      |           |
 |     License      |           |
 
-Please refer to the [VEX documentation](../supply-chain/vex.md) for the details.
+Please refer to the [VEX documentation](../supply-chain/vex/index.md) for the details.
 
 
 [^1]: license name is used as id for `.trivyignore.yaml` files.

docs/docs/configuration/reporting.md

@@ -64,6 +64,7 @@ The following languages are currently supported:
 | PHP      | [composer.lock][composer-lock]             |
 | Java     | [pom.xml][pom-xml]                         |
 |          | [*gradle.lockfile][gradle-lockfile]        |
+|          | [*.sbt.lock][sbt-lockfile]                 |
 | Dart     | [pubspec.lock][pubspec-lock]               |
 
 This tree is the reverse of the dependency graph.
@@ -447,5 +448,6 @@ $ trivy convert --format table --severity CRITICAL result.json
 [composer-lock]: ../coverage/language/php.md#composer
 [pom-xml]: ../coverage/language/java.md#pomxml
 [gradle-lockfile]: ../coverage/language/java.md#gradlelock
+[sbt-lockfile]: ../coverage/language/java.md#sbt
 [pubspec-lock]: ../coverage/language/dart.md#dart
 [cargo-binaries]: ../coverage/language/rust.md#binaries

docs/docs/coverage/iac/terraform.md

@@ -47,4 +47,33 @@ trivy conf --tf-exclude-downloaded-modules ./configs
 ```
 
 ## Secret
-The secret scan is performed on plain text files, with no special treatment for Terraform.
+The secret scan is performed on plain text files, with no special treatment for Terraform.
+
+## Limitations
+
+### Terraform Plan JSON
+
+#### For each and count objects in expression
+
+The plan created by Terraform does not provide complete information about references in expressions that use `each` or `count` objects. For this reason, in some situations it is not possible to establish references between resources that are needed for checks when detecting misconfigurations. An example of such a configuration is:
+
+```hcl
+locals {
+  buckets = toset(["test"])
+}
+
+resource "aws_s3_bucket" "this" {
+  for_each = local.buckets
+  bucket = each.key
+}
+
+resource "aws_s3_bucket_acl" "this" {
+  for_each = local.buckets
+  bucket = aws_s3_bucket.this[each.key].id
+  acl    = "private"
+}
+```
+
+With this configuration, the plan will not contain information about which attribute of the `aws_s3_bucket` resource is referenced by the `aws_s3_bucket_acl` resource.
+
+See more [here](https://github.com/hashicorp/terraform/issues/30826).

docs/docs/coverage/language/c.md

@@ -23,10 +23,11 @@ In order to detect dependencies, Trivy searches for `conan.lock`[^1].
 
 ### Licenses
 The Conan lock file doesn't contain any license information.
-To obtain licenses we parse the `conanfile.py` files from the [conan cache directory][conan-cache-dir].
+To obtain licenses we parse the `conanfile.py` files from the [conan v1 cache directory][conan-v1-cache-dir] and [conan v2 cache directory][conan-v2-cache-dir].
 To correctly detection licenses, ensure that the cache directory contains all dependencies used.
 
-[conan-cache-dir]: https://docs.conan.io/1/mastering/custom_cache.html
+[conan-v1-cache-dir]: https://docs.conan.io/1/mastering/custom_cache.html
+[conan-v2-cache-dir]: https://docs.conan.io/2/reference/environment.html#conan-home
 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
 
 [^1]: The local cache should contain the dependencies used. See [licenses](#licenses).

docs/docs/coverage/language/dart.md

@@ -4,9 +4,9 @@ Trivy supports [Dart][dart].
 
 The following scanners are supported.
 
-| Package manager         | SBOM  | Vulnerability | License |
-|-------------------------| :---: | :-----------: |:-------:|
-| [Dart][dart-repository] |   ✓   |       ✓       |    -    |
+| Package manager         | SBOM | Vulnerability | License |
+|-------------------------|:----:|:-------------:|:-------:|
+| [Dart][dart-repository] |  ✓   |       ✓       |    -    |
 
 The following table provides an outline of the features Trivy offers.
 
@@ -21,6 +21,24 @@ In order to detect dependencies, Trivy searches for `pubspec.lock`.
 Trivy marks indirect dependencies, but `pubspec.lock` file doesn't have options to separate root and dev transitive dependencies.
 So Trivy includes all dependencies in report.
 
+### SDK dependencies
+Dart uses version `0.0.0` for SDK dependencies (e.g. Flutter). It is not possible to accurately determine the versions of these dependencies.
+
+Therefore, we use the first version of the constraint for the SDK.
+
+For example in this case the version of `flutter` should be `3.3.0`:
+```yaml
+flutter:
+  dependency: "direct main"
+  description: flutter
+  source: sdk
+  version: "0.0.0"
+sdks:
+  dart: ">=2.18.0 <3.0.0"
+  flutter: "^3.3.0"
+```
+
+### Dependency tree
 To build `dependency tree` Trivy parses [cache directory][cache-directory]. Currently supported default directories and `PUB_CACHE` environment (absolute path only).
 !!! note
     Make sure the cache directory contains all the dependencies installed in your application. To download missing dependencies, use `dart pub get` command.     

docs/docs/coverage/language/dotnet.md

@@ -21,6 +21,9 @@ The following table provides an outline of the features Trivy offers.
 ## *.deps.json
 Trivy parses `*.deps.json` files. Trivy currently excludes dev dependencies from the report.
 
+!!! note
+    Trivy only includes runtime dependencies in the report.
+
 ## packages.config
 Trivy only finds dependency names and versions from `packages.config` files. To build dependency graph, it is better to use `packages.lock.json` files.
 

docs/docs/coverage/language/golang.md

@@ -66,7 +66,7 @@ such as `go mod download`, `go mod tidy`, etc.
 Trivy traverses `$GOPATH/pkg/mod` and collects those extra information.
 
 ### Go binaries
-Trivy scans binaries built by Go.
+Trivy scans binaries built by Go, which include [module information](https://tip.golang.org/doc/go1.18#go-version).
 If there is a Go binary in your container image, Trivy automatically finds and scans it.
 
 Also, you can scan your local binaries.

docs/docs/coverage/language/index.md

@@ -26,7 +26,8 @@ On the other hand, when the target is a post-build artifact, like a container im
 |                      | egg package[^1]                                                                            |     ✅     |     ✅      |       -        |       -        |
 |                      | wheel package[^2]                                                                          |     ✅     |     ✅      |       -        |       -        |
 |                      | conda package[^3]                                                                          |     ✅     |     ✅      |       -        |       -        |
-| [PHP](php.md)        | composer.lock                                                                              |     ✅     |     ✅      |       ✅        |       ✅        |
+| [PHP](php.md)        | composer.lock                                                                              |     -     |     -      |       ✅        |       ✅        |
+|                      | installed.json                                                                             |     ✅     |     ✅      |       -        |       -        |
 | [Node.js](nodejs.md) | package-lock.json                                                                          |     -     |     -      |       ✅        |       ✅        |
 |                      | yarn.lock                                                                                  |     -     |     -      |       ✅        |       ✅        |
 |                      | pnpm-lock.yaml                                                                             |     -     |     -      |       ✅        |       ✅        |
@@ -38,6 +39,7 @@ On the other hand, when the target is a post-build artifact, like a container im
 | [Java](java.md)      | JAR/WAR/PAR/EAR[^4]                                                                        |     ✅     |     ✅      |       -        |       -        |
 |                      | pom.xml                                                                                    |     -     |     -      |       ✅        |       ✅        |
 |                      | *gradle.lockfile                                                                           |     -     |     -      |       ✅        |       ✅        |
+|                      | *.sbt.lock                                                                                 |     -     |     -      |       ✅        |       ✅        |
 | [Go](golang.md)      | Binaries built by Go                                                                       |     ✅     |     ✅      |       -        |       -        |
 |                      | go.mod                                                                                     |     -     |     -      |       ✅        |       ✅        |
 | [Rust](rust.md)      | Cargo.lock                                                                                 |     ✅     |     ✅      |       ✅        |       ✅        |

docs/docs/coverage/language/java.md

@@ -1,5 +1,5 @@
 # Java
-Trivy supports three types of Java scanning: `JAR/WAR/PAR/EAR`, `pom.xml` and `*gradle.lockfile` files.
+Trivy supports four types of Java scanning: `JAR/WAR/PAR/EAR`, `pom.xml`, `*gradle.lockfile` and `*.sbt.lock` files.
 
 Each artifact supports the following scanners:
 
@@ -8,6 +8,7 @@ Each artifact supports the following scanners:
 | JAR/WAR/PAR/EAR  |  ✓   |       ✓       |    -    |
 | pom.xml          |  ✓   |       ✓       |    ✓    |
 | *gradle.lockfile |  ✓   |       ✓       |    ✓    |
+| *.sbt.lock       |  ✓   |       ✓       |    -    |
 
 The following table provides an outline of the features Trivy offers.
 
@@ -16,6 +17,7 @@ The following table provides an outline of the features Trivy offers.
 | JAR/WAR/PAR/EAR  |     Trivy Java DB     |     Include      |                  -                   |    -     |
 | pom.xml          | Maven repository [^1] |     Exclude      |                  ✓                   |  ✓[^7]   |
 | *gradle.lockfile |           -           |     Exclude      |                  ✓                   |    ✓     |
+| *.sbt.lock       |          -            |     Exclude      |                  -                   |    ✓     |
 
 These may be enabled or disabled depending on the target.
 See [here](./index.md) for the detail.
@@ -94,6 +96,15 @@ Trity also can detect licenses for dependencies.
 
 Make sure that you have cache[^8] directory to find licenses from `*.pom` dependency files.
 
+
+## SBT
+
+`build.sbt.lock` files only contain information about used dependencies. This requires a lockfile generated using the
+[sbt-dependency-lock][sbt-dependency-lock] plugin.
+
+!!!note
+    All necessary files are checked locally. SBT file scanning doesn't require internet access.
+
 [^1]: Uses maven repository to get information about dependencies. Internet access required.
 [^2]: It means `*.jar`, `*.war`, `*.par` and `*.ear` file
 [^3]: `ArtifactID`, `GroupID` and `Version`
@@ -106,4 +117,5 @@ Make sure that you have cache[^8] directory to find licenses from `*.pom` depend
 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
 [maven-invoker-plugin]: https://maven.apache.org/plugins/maven-invoker-plugin/usage.html
 [maven-central]: https://repo.maven.apache.org/maven2/
-[maven-pom-repos]: https://maven.apache.org/settings.html#repositories
+[maven-pom-repos]: https://maven.apache.org/settings.html#repositories
+[sbt-dependency-lock]: https://stringbean.github.io/sbt-dependency-lock

docs/docs/coverage/language/nodejs.md

@@ -8,7 +8,7 @@ The following scanners are supported.
 |----------|:----:|:-------------:|:-------:|
 | npm      |  ✓   |       ✓       |    ✓    |
 | Yarn     |  ✓   |       ✓       |    ✓    |
-| pnpm     |  ✓   |       ✓       |    -    |
+| pnpm     |  ✓   |       ✓       |    ✓    |
 | Bun      |  ✓   |       ✓       |    ✓    |
 
 The following table provides an outline of the features Trivy offers.
@@ -54,6 +54,7 @@ By default, Trivy doesn't report development dependencies. Use the `--include-de
 
 ### pnpm
 Trivy parses `pnpm-lock.yaml`, then finds production dependencies and builds a [tree][dependency-graph] of dependencies with vulnerabilities.
+To identify licenses, you need to download dependencies to `node_modules` beforehand. Trivy analyzes `node_modules` for licenses.
 
 #### lock file v9 version
 Trivy supports `Dev` field for `pnpm-lock.yaml` v9 or later. Use the `--include-dev-deps` flag to include the developer's dependencies in the result.

docs/docs/coverage/language/php.md

@@ -4,23 +4,27 @@ Trivy supports [Composer][composer], which is a tool for dependency management i
 
 The following scanners are supported.
 
-| Package manager | SBOM  | Vulnerability | License |
-| --------------- | :---: | :-----------: | :-----: |
-| Composer        |   ✓   |       ✓       |    ✓    |
+| Package manager | SBOM | Vulnerability | License |
+|-----------------|:----:|:-------------:|:-------:|
+| Composer        |  ✓   |       ✓       |    ✓    |
 
 The following table provides an outline of the features Trivy offers.
 
 
-| Package manager | File          | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
-|-----------------|---------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|
-| Composer        | composer.lock |            ✓            |     Excluded     |                  ✓                   |    ✓     |
+| Package manager | File           | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
+|-----------------|----------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|
+| Composer        | composer.lock  |            ✓            |     Excluded     |                  ✓                   |    ✓     |
+| Composer        | installed.json |            ✓            |     Excluded     |                  -                   |    ✓     |
 
-## Composer
+## composer.lock
 In order to detect dependencies, Trivy searches for `composer.lock`.
 
 Trivy also supports dependency trees; however, to display an accurate tree, it needs to know whether each package is a direct dependency of the project.
 Since this information is not included in `composer.lock`, Trivy parses `composer.json`, which should be located next to `composer.lock`.
 If you want to see the dependency tree, please ensure that `composer.json` is present.
 
+## installed.json
+Trivy also supports dependency detection for `installed.json` files. By default, you can find this file at `path_to_app/vendor/composer/installed.json`.
+
 [composer]: https://getcomposer.org/
 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies

docs/docs/coverage/os/azure.md

@@ -1,4 +1,7 @@
-# CBL-Mariner
+# Azure Linux (CBL-Mariner)
+
+*CBL-Mariner was rebranded to Azure Linux for version 3.0 onwards.*
+
 Trivy supports the following scanners for OS packages.
 
 | Version          | SBOM  | Vulnerability | License |
@@ -7,6 +10,8 @@ Trivy supports the following scanners for OS packages.
 | 1.0 (Distroless) |   ✔   |       ✔       |         |
 | 2.0              |   ✔   |       ✔       |    ✔    |
 | 2.0 (Distroless) |   ✔   |       ✔       |         |
+| 3.0              |   ✔   |       ✔       |    ✔    |
+| 3.0 (Distroless) |   ✔   |       ✔       |         |
 
 
 The following table provides an outline of the targets Trivy supports.
@@ -15,6 +20,7 @@ The following table provides an outline of the targets Trivy supports.
 | ------- | :-------------: | :-------------: | :----------: |
 | 1.0     |        ✔        |        ✔        | amd64, arm64 |
 | 2.0     |        ✔        |        ✔        | amd64, arm64 |
+| 3.0     |        ✔        |        ✔        | amd64, arm64 |
 
 The table below outlines the features offered by Trivy.
 
@@ -24,22 +30,22 @@ The table below outlines the features offered by Trivy.
 | [Dependency graph][dependency-graph] |     ✓     |
 
 ## SBOM
-Trivy detects packages that have been installed through package managers such as `dnf` and `yum`.
+Trivy detects packages that have been installed through package managers such as `tdnf`, `dnf` and `yum`.
 
 ## Vulnerability
-CBL-Mariner offers its own security advisories, and these are utilized when scanning CBL-Mariner for vulnerabilities.
+Azure Linux offers its own security advisories, and these are utilized when scanning Azure Linux for vulnerabilities.
 
 ### Data Source
 See [here](../../scanner/vulnerability.md#data-sources).
 
 ### Fixed Version
-Trivy takes fixed versions from [CBL-Mariner OVAL][oval].
+Trivy takes fixed versions from [Azure Linux OVAL][oval].
 
 ### Severity
-Trivy calculates the severity of an issue based on the severity provided in [CBL-Mariner OVAL][oval].
+Trivy calculates the severity of an issue based on the severity provided in [Azure Linux OVAL][oval].
 
 ### Status
-Trivy supports the following [vulnerability statuses] for CBL-Mariner.
+Trivy supports the following [vulnerability statuses] for Azure Linux.
 
 |       Status        | Supported |
 | :-----------------: | :-------: |
@@ -55,12 +61,11 @@ Trivy supports the following [vulnerability statuses] for CBL-Mariner.
 Trivy identifies licenses by examining the metadata of RPM packages.
 
 !!! note
-    License detection is not supported for CBL-Mariner Distroless.
+    License detection is not supported for Azure Linux Distroless images.
 
 
 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
-[cbl-mariner]: https://github.com/microsoft/CBL-Mariner
 
-[oval]: https://github.com/microsoft/CBL-MarinerVulnerabilityData/
+[oval]: https://github.com/microsoft/AzureLinuxVulnerabilityData/
 
 [vulnerability statuses]: ../../configuration/filtering.md#by-status

docs/docs/coverage/os/conda.md

@@ -6,31 +6,38 @@ Trivy supports the following scanners for Conda packages.
 |:-------------:|:---------:|
 |     SBOM      |     ✓     |
 | Vulnerability |     -     |
-|    License    |   ✓[^1]   |
+|    License    |     ✓     |
 
 
-## SBOM
-Trivy detects packages that have been installed with `Conda`.
 
+## `<package>.json`
+### SBOM
+Trivy parses `<conda-root>/envs/<env>/conda-meta/<package>.json` files to find the dependencies installed in your env.
 
-### `<package>.json`
-Trivy parses `<conda-root>/envs/<env>/conda-meta/<package>.json` files to find the version and license for the dependencies installed in your env.
+### License
+The `<package>.json` files contain package license information.
+Trivy includes licenses for the packages it finds without having to parse additional files.
 
-### `environment.yml`[^2]
-Trivy supports parsing [environment.yml][environment.yml][^2] files to find dependency list.
+## `environment.yml`[^1]
+### SBOM
+Trivy supports parsing [environment.yml][environment.yml][^1] files to find dependency list.
 
-!!! note
-    License detection is currently not supported.
-
-`environment.yml`[^2] files supports [version range][env-version-range]. We can't be sure about versions for these dependencies.
-Therefore, you need to use `conda env export` command to get dependency list in `Conda` default format before scanning `environment.yml`[^2] file.
+`environment.yml`[^1] files supports [version range][env-version-range]. We can't be sure about versions for these dependencies.
+Therefore, you need to use `conda env export` command to get dependency list in `Conda` default format before scanning `environment.yml`[^1] file.
 
 !!! note
     For dependencies in a non-Conda format, Trivy doesn't include a version of them.
 
+### License
+Trivy parses `conda-meta/<package>.json` files at the [prefix] path.
 
-[^1]: License detection is only supported for `<package>.json` files
-[^2]: Trivy supports both `yaml` and `yml` extensions.
+To correctly define licenses, make sure your `environment.yml`[^1] contains `prefix` field and `prefix` directory contains `package.json` files.
+
+!!! note 
+    To get correct `environment.yml`[^1] file and fill `prefix` directory - use `conda env export` command.
+
+[^1]: Trivy supports both `yaml` and `yml` extensions.
 
 [environment.yml]: https://conda.io/projects/conda/en/latest/user-guide/tasks/manage-environments.html#sharing-an-environment
 [env-version-range]: https://docs.conda.io/projects/conda-build/en/latest/resources/package-spec.html#examples-of-package-specs
+[prefix]: https://conda.io/projects/conda/en/latest/user-guide/tasks/manage-environments.html#specifying-a-location-for-an-environment

docs/docs/coverage/os/index.md

@@ -9,24 +9,25 @@ Trivy supports operating systems for
 
 ## Supported OS
 
-| OS                                   | Supported Versions                  | Package Managers |
-|--------------------------------------|-------------------------------------|------------------|
-| [Alpine Linux](alpine.md)            | 2.2 - 2.7, 3.0 - 3.20, edge         | apk              |
-| [Wolfi Linux](wolfi.md)              | (n/a)                               | apk              |
-| [Chainguard](chainguard.md)          | (n/a)                               | apk              |
-| [Red Hat Enterprise Linux](rhel.md)  | 6, 7, 8                             | dnf/yum/rpm      |
-| [CentOS](centos.md)[^1]              | 6, 7, 8                             | dnf/yum/rpm      |
-| [AlmaLinux](alma.md)                 | 8, 9                                | dnf/yum/rpm      |
-| [Rocky Linux](rocky.md)              | 8, 9                                | dnf/yum/rpm      |
-| [Oracle Linux](oracle.md)            | 5, 6, 7, 8                          | dnf/yum/rpm      |
-| [CBL-Mariner](cbl-mariner.md)        | 1.0, 2.0                            | dnf/yum/rpm      |
-| [Amazon Linux](amazon.md)            | 1, 2, 2023                          | dnf/yum/rpm      |
-| [openSUSE Leap](suse.md)             | 42, 15                              | zypper/rpm       |
-| [SUSE Enterprise Linux](suse.md)     | 11, 12, 15                          | zypper/rpm       |
-| [Photon OS](photon.md)               | 1.0, 2.0, 3.0, 4.0                  | tndf/yum/rpm     |
-| [Debian GNU/Linux](debian.md)        | 7, 8, 9, 10, 11, 12                 | apt/dpkg         |
-| [Ubuntu](ubuntu.md)                  | All versions supported by Canonical | apt/dpkg         |
-| [OSs with installed Conda](conda.md) | -                                   | conda            |
+| OS                                    | Supported Versions                  | Package Managers |
+|---------------------------------------|-------------------------------------|------------------|
+| [Alpine Linux](alpine.md)             | 2.2 - 2.7, 3.0 - 3.20, edge         | apk              |
+| [Wolfi Linux](wolfi.md)               | (n/a)                               | apk              |
+| [Chainguard](chainguard.md)           | (n/a)                               | apk              |
+| [Red Hat Enterprise Linux](rhel.md)   | 6, 7, 8                             | dnf/yum/rpm      |
+| [CentOS](centos.md)[^1]               | 6, 7, 8                             | dnf/yum/rpm      |
+| [AlmaLinux](alma.md)                  | 8, 9                                | dnf/yum/rpm      |
+| [Rocky Linux](rocky.md)               | 8, 9                                | dnf/yum/rpm      |
+| [Oracle Linux](oracle.md)             | 5, 6, 7, 8                          | dnf/yum/rpm      |
+| [Azure Linux (CBL-Mariner)](azure.md) | 1.0, 2.0, 3.0                       | tdnf/dnf/yum/rpm |
+| [Amazon Linux](amazon.md)             | 1, 2, 2023                          | dnf/yum/rpm      |
+| [openSUSE Leap](suse.md)              | 42, 15                              | zypper/rpm       |
+| [openSUSE Tumbleweed](suse.md)        | (n/a)                               | zypper/rpm       |
+| [SUSE Enterprise Linux](suse.md)      | 11, 12, 15                          | zypper/rpm       |
+| [Photon OS](photon.md)                | 1.0, 2.0, 3.0, 4.0                  | tndf/yum/rpm     |
+| [Debian GNU/Linux](debian.md)         | 7, 8, 9, 10, 11, 12                 | apt/dpkg         |
+| [Ubuntu](ubuntu.md)                   | All versions supported by Canonical | apt/dpkg         |
+| [OSs with installed Conda](conda.md)  | -                                   | conda            |
 
 ## Supported container images
 

docs/docs/coverage/os/suse.md

@@ -2,6 +2,7 @@
 Trivy supports the following distributions:
 
 - openSUSE Leap
+- openSUSE Tumbleweed
 - SUSE Enterprise Linux (SLE)
 
 Please see [here](index.md#supported-os) for supported versions.
@@ -35,6 +36,6 @@ Trivy identifies licenses by examining the metadata of RPM packages.
 
 
 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
-[cvrf]: http://ftp.suse.com/pub/projects/security/cvrf/
+[cvrf]: https://ftp.suse.com/pub/projects/security/cvrf/
 
-[vulnerability statuses]: ../../configuration/filtering.md#by-status
+[vulnerability statuses]: ../../configuration/filtering.md#by-status

docs/docs/plugin/user-guide.md

@@ -40,8 +40,6 @@ $ trivy plugin install referrer
 
 This command will download the plugin and install it in the plugin cache.
 
-
-
 Trivy adheres to the XDG specification, so the location depends on whether XDG_DATA_HOME is set.
 Trivy will now search XDG_DATA_HOME for the location of the Trivy plugins cache.
 The preference order is as follows:
@@ -55,7 +53,10 @@ Furthermore, it is possible to download plugins that are not registered in the i
 $ trivy plugin install github.com/aquasecurity/trivy-plugin-kubectl
 ```
 ```bash
-$ trivy plugin install myplugin.tar.gz
+$ trivy plugin install https://github.com/aquasecurity/trivy-plugin-kubectl/archive/refs/heads/main.zip
+```
+```bash
+$ trivy plugin install ./myplugin.tar.gz
 ```
 
 If the plugin's Git repository is [properly tagged](./developer-guide.md#tagging-plugin-repositories), you can specify the version to install like this:

docs/docs/references/configuration/cli/trivy.md

@@ -43,7 +43,7 @@ trivy [global flags] command [flags] target
 
 ### SEE ALSO
 
-* [trivy aws](trivy_aws.md)	 - [EXPERIMENTAL] Scan AWS account
+* [trivy clean](trivy_clean.md)	 - Remove cached files
 * [trivy config](trivy_config.md)	 - Scan config files for misconfigurations
 * [trivy convert](trivy_convert.md)	 - Convert Trivy JSON report into a different format
 * [trivy filesystem](trivy_filesystem.md)	 - Scan local filesystem
@@ -56,5 +56,6 @@ trivy [global flags] command [flags] target
 * [trivy sbom](trivy_sbom.md)	 - Scan SBOM for vulnerabilities and licenses
 * [trivy server](trivy_server.md)	 - Server mode
 * [trivy version](trivy_version.md)	 - Print the version
+* [trivy vex](trivy_vex.md)	 - [EXPERIMENTAL] VEX utilities
 * [trivy vm](trivy_vm.md)	 - [EXPERIMENTAL] Scan a virtual machine image
 

docs/docs/references/configuration/cli/trivy_aws.md

@@ -1,127 +0,0 @@
-## trivy aws
-
-[EXPERIMENTAL] Scan AWS account
-
-### Synopsis
-
-Scan an AWS account for misconfigurations. Trivy uses the same authentication methods as the AWS CLI. See https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html
-
-The following services are supported:
-
-- accessanalyzer
-- api-gateway
-- athena
-- cloudfront
-- cloudtrail
-- cloudwatch
-- codebuild
-- documentdb
-- dynamodb
-- ec2
-- ecr
-- ecs
-- efs
-- eks
-- elasticache
-- elasticsearch
-- elb
-- emr
-- iam
-- kinesis
-- kms
-- lambda
-- mq
-- msk
-- neptune
-- rds
-- redshift
-- s3
-- sns
-- sqs
-- ssm
-- workspaces
-
-
-```
-trivy aws [flags]
-```
-
-### Examples
-
-```
-  # basic scanning
-  $ trivy aws --region us-east-1
-
-  # limit scan to a single service:
-  $ trivy aws --region us-east-1 --service s3
-
-  # limit scan to multiple services:
-  $ trivy aws --region us-east-1 --service s3 --service ec2
-
-  # force refresh of cache for fresh results
-  $ trivy aws --region us-east-1 --update-cache
-
-```
-
-### Options
-
-```
-      --account string                    The AWS account to scan. It's useful to specify this when reviewing cached results for multiple accounts.
-      --arn string                        The AWS ARN to show results for. Useful to filter results once a scan is cached.
-      --cf-params strings                 specify paths to override the CloudFormation parameters files
-      --check-namespaces strings          Rego namespaces
-      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
-      --compliance string                 compliance report to generate (aws-cis-1.2,aws-cis-1.4)
-      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
-      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
-      --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
-      --endpoint string                   AWS Endpoint override
-      --exit-code int                     specify exit code when any security issues are found
-  -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
-      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
-      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
-      --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
-      --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
-      --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
-      --helm-values strings               specify paths to override the Helm values.yaml files
-  -h, --help                              help for aws
-      --ignore-policy string              specify the Rego file path to evaluate each vulnerability
-      --ignorefile string                 specify .trivyignore file (default ".trivyignore")
-      --include-deprecated-checks         include deprecated checks
-      --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
-      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
-      --max-cache-age duration            The maximum age of the cloud cache. Cached data will be required from the cloud provider if it is older than this. (default 24h0m0s)
-      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
-  -o, --output string                     output file name
-      --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
-      --region string                     AWS Region to scan
-      --report string                     specify a report format for the output (all,summary) (default "all")
-      --reset-checks-bundle               remove checks bundle
-      --service strings                   Only scan AWS Service(s) specified with this flag. Can specify multiple services using --service A --service B etc.
-  -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
-      --skip-check-update                 skip fetching rego check updates
-      --skip-service strings              Skip selected AWS Service(s) specified with this flag. Can specify multiple services using --skip-service A --skip-service B etc.
-  -t, --template string                   output template
-      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
-      --tf-vars strings                   specify paths to override the Terraform tfvars files
-      --trace                             enable more verbose trace output for custom queries
-      --update-cache                      Update the cache for the applicable cloud provider instead of using cached results.
-```
-
-### Options inherited from parent commands
-
-```
-      --cache-dir string          cache directory (default "/path/to/cache")
-  -c, --config string             config path (default "trivy.yaml")
-  -d, --debug                     debug mode
-      --generate-default-config   write the default config to trivy-default.yaml
-      --insecure                  allow insecure server connections
-  -q, --quiet                     suppress progress bar and log output
-      --timeout duration          timeout (default 5m0s)
-  -v, --version                   show version
-```
-
-### SEE ALSO
-
-* [trivy](trivy.md)	 - Unified security scanner
-

docs/docs/references/configuration/cli/trivy_clean.md

@@ -0,0 +1,51 @@
+## trivy clean
+
+Remove cached files
+
+```
+trivy clean [flags]
+```
+
+### Examples
+
+```
+  # Remove all caches
+  $ trivy clean --all
+
+  # Remove scan cache
+  $ trivy clean --scan-cache
+
+  # Remove vulnerability database
+  $ trivy clean --vuln-db
+
+```
+
+### Options
+
+```
+  -a, --all             remove all caches
+      --checks-bundle   remove checks bundle
+  -h, --help            help for clean
+      --java-db         remove Java database
+      --scan-cache      remove scan cache (container and VM image analysis results)
+      --vex-repo        remove VEX repositories
+      --vuln-db         remove vulnerability database
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy](trivy.md)	 - Unified security scanner
+

docs/docs/references/configuration/cli/trivy_config.md

@@ -9,12 +9,11 @@ trivy config [flags] DIR
 ### Options
 
 ```
-      --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-backend string              [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory")
       --cache-ttl duration                cache TTL when using redis as cache backend
       --cf-params strings                 specify paths to override the CloudFormation parameters files
       --check-namespaces strings          Rego namespaces
       --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
-      --clear-cache                       clear image caches without scanning
       --compliance string                 compliance report to generate
       --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
       --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
@@ -45,7 +44,6 @@ trivy config [flags] DIR
       --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
       --registry-token string             registry token
       --report string                     specify a compliance report format for the output (all,summary) (default "all")
-      --reset-checks-bundle               remove checks bundle
   -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
       --skip-check-update                 skip fetching rego check updates
       --skip-dirs strings                 specify the directories or glob patterns to skip

docs/docs/references/configuration/cli/trivy_filesystem.md

@@ -19,12 +19,11 @@ trivy filesystem [flags] PATH
 ### Options
 
 ```
-      --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-backend string              [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory")
       --cache-ttl duration                cache TTL when using redis as cache backend
       --cf-params strings                 specify paths to override the CloudFormation parameters files
       --check-namespaces strings          Rego namespaces
       --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
-      --clear-cache                       clear image caches without scanning
       --compliance string                 compliance report to generate
       --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
       --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
@@ -64,6 +63,8 @@ trivy filesystem [flags] PATH
       --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
       --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
       --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
+      --pkg-relationships strings         list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
+      --pkg-types strings                 list of package types (os,library) (default [os,library])
       --redis-ca string                   redis ca file location, if using redis as cache backend
       --redis-cert string                 redis certificate file location, if using redis as cache backend
       --redis-key string                  redis key file location, if using redis as cache backend
@@ -71,8 +72,6 @@ trivy filesystem [flags] PATH
       --registry-token string             registry token
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
       --report string                     specify a compliance report format for the output (all,summary) (default "all")
-      --reset                             remove all caches and database
-      --reset-checks-bundle               remove checks bundle
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
       --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
@@ -84,6 +83,7 @@ trivy filesystem [flags] PATH
       --skip-dirs strings                 specify the directories or glob patterns to skip
       --skip-files strings                specify the files or glob patterns to skip
       --skip-java-db-update               skip updating Java index database
+      --skip-vex-repo-update              [EXPERIMENTAL] Skip VEX Repository update
   -t, --template string                   output template
       --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
       --tf-vars strings                   specify paths to override the Terraform tfvars files
@@ -91,8 +91,7 @@ trivy filesystem [flags] PATH
       --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
       --trace                             enable more verbose trace output for custom queries
       --username strings                  username. Comma-separated usernames allowed.
-      --vex string                        [EXPERIMENTAL] file path to VEX
-      --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
+      --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
 ```
 
 ### Options inherited from parent commands

docs/docs/references/configuration/cli/trivy_image.md

@@ -34,12 +34,11 @@ trivy image [flags] IMAGE_NAME
 ### Options
 
 ```
-      --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-backend string              [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs")
       --cache-ttl duration                cache TTL when using redis as cache backend
       --check-namespaces strings          Rego namespaces
       --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
-      --clear-cache                       clear image caches without scanning
-      --compliance string                 compliance report to generate (docker-cis)
+      --compliance string                 compliance report to generate (docker-cis-1.6.0)
       --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
       --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
       --custom-headers strings            custom headers in client mode
@@ -82,6 +81,8 @@ trivy image [flags] IMAGE_NAME
       --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
       --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
       --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
+      --pkg-relationships strings         list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
+      --pkg-types strings                 list of package types (os,library) (default [os,library])
       --platform string                   set platform in the form os/arch if image is multi-platform capable
       --podman-host string                unix podman socket path to use for podman scanning
       --redis-ca string                   redis ca file location, if using redis as cache backend
@@ -92,8 +93,6 @@ trivy image [flags] IMAGE_NAME
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
       --removed-pkgs                      detect vulnerabilities of removed packages (only for Alpine)
       --report string                     specify a format for the compliance report. (all,summary) (default "summary")
-      --reset                             remove all caches and database
-      --reset-checks-bundle               remove checks bundle
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
       --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
@@ -105,14 +104,14 @@ trivy image [flags] IMAGE_NAME
       --skip-dirs strings                 specify the directories or glob patterns to skip
       --skip-files strings                specify the files or glob patterns to skip
       --skip-java-db-update               skip updating Java index database
+      --skip-vex-repo-update              [EXPERIMENTAL] Skip VEX Repository update
   -t, --template string                   output template
       --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
       --token string                      for authentication in client/server mode
       --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
       --trace                             enable more verbose trace output for custom queries
       --username strings                  username. Comma-separated usernames allowed.
-      --vex string                        [EXPERIMENTAL] file path to VEX
-      --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
+      --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
 ```
 
 ### Options inherited from parent commands

docs/docs/references/configuration/cli/trivy_kubernetes.md

@@ -30,12 +30,11 @@ trivy kubernetes [flags] [CONTEXT]
 
 ```
       --burst int                         specify the maximum burst for throttle (default 10)
-      --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-backend string              [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs")
       --cache-ttl duration                cache TTL when using redis as cache backend
       --check-namespaces strings          Rego namespaces
       --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
-      --clear-cache                       clear image caches without scanning
-      --compliance string                 compliance report to generate (k8s-nsa,k8s-cis,k8s-pss-baseline,k8s-pss-restricted)
+      --compliance string                 compliance report to generate (k8s-nsa-1.0,k8s-cis-1.23,eks-cis-1.4,rke2-cis-1.24,k8s-pss-baseline-0.1,k8s-pss-restricted-0.1)
       --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
       --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
       --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
@@ -72,13 +71,15 @@ trivy kubernetes [flags] [CONTEXT]
       --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
       --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --no-progress                       suppress progress bar
-      --node-collector-imageref string    indicate the image reference for the node-collector scan job (default "ghcr.io/aquasecurity/node-collector:0.2.1")
+      --node-collector-imageref string    indicate the image reference for the node-collector scan job (default "ghcr.io/aquasecurity/node-collector:0.3.1")
       --node-collector-namespace string   specify the namespace in which the node-collector job should be deployed (default "trivy-temp")
       --offline-scan                      do not issue API requests to identify dependencies
   -o, --output string                     output file name
       --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
       --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
       --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
+      --pkg-relationships strings         list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
+      --pkg-types strings                 list of package types (os,library) (default [os,library])
       --qps float                         specify the maximum QPS to the master from this client (default 5)
       --redis-ca string                   redis ca file location, if using redis as cache backend
       --redis-cert string                 redis certificate file location, if using redis as cache backend
@@ -87,8 +88,6 @@ trivy kubernetes [flags] [CONTEXT]
       --registry-token string             registry token
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
       --report string                     specify a report format for the output (all,summary) (default "all")
-      --reset                             remove all caches and database
-      --reset-checks-bundle               remove checks bundle
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
       --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,rbac) (default [vuln,misconfig,secret,rbac])
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
@@ -100,13 +99,13 @@ trivy kubernetes [flags] [CONTEXT]
       --skip-files strings                specify the files or glob patterns to skip
       --skip-images                       skip the downloading and scanning of images (vulnerabilities and secrets) in the cluster resources
       --skip-java-db-update               skip updating Java index database
+      --skip-vex-repo-update              [EXPERIMENTAL] Skip VEX Repository update
   -t, --template string                   output template
       --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
       --tolerations strings               specify node-collector job tolerations (example: key1=value1:NoExecute,key2=value2:NoSchedule)
       --trace                             enable more verbose trace output for custom queries
       --username strings                  username. Comma-separated usernames allowed.
-      --vex string                        [EXPERIMENTAL] file path to VEX
-      --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
+      --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
 ```
 
 ### Options inherited from parent commands

docs/docs/references/configuration/cli/trivy_repository.md

@@ -19,12 +19,11 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
 
 ```
       --branch string                     pass the branch name to be scanned
-      --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-backend string              [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory")
       --cache-ttl duration                cache TTL when using redis as cache backend
       --cf-params strings                 specify paths to override the CloudFormation parameters files
       --check-namespaces strings          Rego namespaces
       --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
-      --clear-cache                       clear image caches without scanning
       --commit string                     pass the commit hash to be scanned
       --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
       --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
@@ -64,14 +63,14 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
       --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
       --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
       --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
+      --pkg-relationships strings         list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
+      --pkg-types strings                 list of package types (os,library) (default [os,library])
       --redis-ca string                   redis ca file location, if using redis as cache backend
       --redis-cert string                 redis certificate file location, if using redis as cache backend
       --redis-key string                  redis key file location, if using redis as cache backend
       --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
       --registry-token string             registry token
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
-      --reset                             remove all caches and database
-      --reset-checks-bundle               remove checks bundle
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
       --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
@@ -83,6 +82,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
       --skip-dirs strings                 specify the directories or glob patterns to skip
       --skip-files strings                specify the files or glob patterns to skip
       --skip-java-db-update               skip updating Java index database
+      --skip-vex-repo-update              [EXPERIMENTAL] Skip VEX Repository update
       --tag string                        pass the tag name to be scanned
   -t, --template string                   output template
       --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
@@ -91,8 +91,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
       --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
       --trace                             enable more verbose trace output for custom queries
       --username strings                  username. Comma-separated usernames allowed.
-      --vex string                        [EXPERIMENTAL] file path to VEX
-      --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
+      --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
 ```
 
 ### Options inherited from parent commands

docs/docs/references/configuration/cli/trivy_rootfs.md

@@ -22,12 +22,11 @@ trivy rootfs [flags] ROOTDIR
 ### Options
 
 ```
-      --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-backend string              [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory")
       --cache-ttl duration                cache TTL when using redis as cache backend
       --cf-params strings                 specify paths to override the CloudFormation parameters files
       --check-namespaces strings          Rego namespaces
       --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
-      --clear-cache                       clear image caches without scanning
       --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
       --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
       --custom-headers strings            custom headers in client mode
@@ -66,14 +65,14 @@ trivy rootfs [flags] ROOTDIR
       --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
       --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
       --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
+      --pkg-relationships strings         list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
+      --pkg-types strings                 list of package types (os,library) (default [os,library])
       --redis-ca string                   redis ca file location, if using redis as cache backend
       --redis-cert string                 redis certificate file location, if using redis as cache backend
       --redis-key string                  redis key file location, if using redis as cache backend
       --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
       --registry-token string             registry token
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
-      --reset                             remove all caches and database
-      --reset-checks-bundle               remove checks bundle
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
       --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
@@ -85,6 +84,7 @@ trivy rootfs [flags] ROOTDIR
       --skip-dirs strings                 specify the directories or glob patterns to skip
       --skip-files strings                specify the files or glob patterns to skip
       --skip-java-db-update               skip updating Java index database
+      --skip-vex-repo-update              [EXPERIMENTAL] Skip VEX Repository update
   -t, --template string                   output template
       --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
       --tf-vars strings                   specify paths to override the Terraform tfvars files
@@ -92,8 +92,7 @@ trivy rootfs [flags] ROOTDIR
       --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
       --trace                             enable more verbose trace output for custom queries
       --username strings                  username. Comma-separated usernames allowed.
-      --vex string                        [EXPERIMENTAL] file path to VEX
-      --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
+      --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
 ```
 
 ### Options inherited from parent commands

docs/docs/references/configuration/cli/trivy_sbom.md

@@ -20,9 +20,8 @@ trivy sbom [flags] SBOM_PATH
 ### Options
 
 ```
-      --cache-backend string        cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-backend string        [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory")
       --cache-ttl duration          cache TTL when using redis as cache backend
-      --clear-cache                 clear image caches without scanning
       --compliance string           compliance report to generate
       --custom-headers strings      custom headers in client mode
       --db-repository string        OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
@@ -44,12 +43,13 @@ trivy sbom [flags] SBOM_PATH
       --offline-scan                do not issue API requests to identify dependencies
   -o, --output string               output file name
       --output-plugin-arg string    [EXPERIMENTAL] output plugin arguments
+      --pkg-relationships strings   list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
+      --pkg-types strings           list of package types (os,library) (default [os,library])
       --redis-ca string             redis ca file location, if using redis as cache backend
       --redis-cert string           redis certificate file location, if using redis as cache backend
       --redis-key string            redis key file location, if using redis as cache backend
       --redis-tls                   enable redis TLS with public certificates, if using redis as cache backend
       --rekor-url string            [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
-      --reset                       remove all caches and database
       --sbom-sources strings        [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
       --scanners strings            comma-separated list of what security issues to detect (vuln,license) (default [vuln])
       --server string               server address in client mode
@@ -59,11 +59,11 @@ trivy sbom [flags] SBOM_PATH
       --skip-dirs strings           specify the directories or glob patterns to skip
       --skip-files strings          specify the files or glob patterns to skip
       --skip-java-db-update         skip updating Java index database
+      --skip-vex-repo-update        [EXPERIMENTAL] Skip VEX Repository update
   -t, --template string             output template
       --token string                for authentication in client/server mode
       --token-header string         specify a header name for token in client/server mode (default "Trivy-Token")
-      --vex string                  [EXPERIMENTAL] file path to VEX
-      --vuln-type strings           comma-separated list of vulnerability types (os,library) (default [os,library])
+      --vex strings                 [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
 ```
 
 ### Options inherited from parent commands

docs/docs/references/configuration/cli/trivy_server.md

@@ -20,9 +20,8 @@ trivy server [flags]
 ### Options
 
 ```
-      --cache-backend string     cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-backend string     [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs")
       --cache-ttl duration       cache TTL when using redis as cache backend
-      --clear-cache              clear image caches without scanning
       --db-repository string     OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
       --download-db-only         download/update vulnerability database but don't run a scan
       --enable-modules strings   [EXPERIMENTAL] module names to enable
@@ -36,7 +35,6 @@ trivy server [flags]
       --redis-key string         redis key file location, if using redis as cache backend
       --redis-tls                enable redis TLS with public certificates, if using redis as cache backend
       --registry-token string    registry token
-      --reset                    remove all caches and database
       --skip-db-update           skip updating vulnerability database
       --token string             for authentication in client/server mode
       --token-header string      specify a header name for token in client/server mode (default "Trivy-Token")

docs/docs/references/configuration/cli/trivy_vex.md

@@ -0,0 +1,28 @@
+## trivy vex
+
+[EXPERIMENTAL] VEX utilities
+
+### Options
+
+```
+  -h, --help   help for vex
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy](trivy.md)	 - Unified security scanner
+* [trivy vex repo](trivy_vex_repo.md)	 - Manage VEX repositories
+

docs/docs/references/configuration/cli/trivy_vex_repo.md

@@ -0,0 +1,44 @@
+## trivy vex repo
+
+Manage VEX repositories
+
+### Examples
+
+```
+  # Initialize the configuration file
+  $ trivy vex repo init
+
+  # List VEX repositories
+  $ trivy vex repo list
+
+  # Download the VEX repositories
+  $ trivy vex repo download
+
+```
+
+### Options
+
+```
+  -h, --help   help for repo
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy vex](trivy_vex.md)	 - [EXPERIMENTAL] VEX utilities
+* [trivy vex repo download](trivy_vex_repo_download.md)	 - Download the VEX repositories
+* [trivy vex repo init](trivy_vex_repo_init.md)	 - Initialize a configuration file
+* [trivy vex repo list](trivy_vex_repo_list.md)	 - List VEX repositories
+

docs/docs/references/configuration/cli/trivy_vex_repo_download.md

@@ -0,0 +1,35 @@
+## trivy vex repo download
+
+Download the VEX repositories
+
+### Synopsis
+
+Downloads enabled VEX repositories. If specific repository names are provided as arguments, only those repositories will be downloaded. Otherwise, all enabled repositories are downloaded.
+
+```
+trivy vex repo download [REPO_NAMES] [flags]
+```
+
+### Options
+
+```
+  -h, --help   help for download
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy vex repo](trivy_vex_repo.md)	 - Manage VEX repositories
+

docs/docs/references/configuration/cli/trivy_vex_repo_init.md

@@ -0,0 +1,31 @@
+## trivy vex repo init
+
+Initialize a configuration file
+
+```
+trivy vex repo init [flags]
+```
+
+### Options
+
+```
+  -h, --help   help for init
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy vex repo](trivy_vex_repo.md)	 - Manage VEX repositories
+

docs/docs/references/configuration/cli/trivy_vex_repo_list.md

@@ -0,0 +1,31 @@
+## trivy vex repo list
+
+List VEX repositories
+
+```
+trivy vex repo list [flags]
+```
+
+### Options
+
+```
+  -h, --help   help for list
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy vex repo](trivy_vex_repo.md)	 - Manage VEX repositories
+

docs/docs/references/configuration/cli/trivy_vm.md

@@ -21,10 +21,9 @@ trivy vm [flags] VM_IMAGE
 
 ```
       --aws-region string                 AWS region to scan
-      --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-backend string              [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs")
       --cache-ttl duration                cache TTL when using redis as cache backend
       --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
-      --clear-cache                       clear image caches without scanning
       --compliance string                 compliance report to generate
       --custom-headers strings            custom headers in client mode
       --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
@@ -57,13 +56,13 @@ trivy vm [flags] VM_IMAGE
   -o, --output string                     output file name
       --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
       --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
+      --pkg-relationships strings         list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
+      --pkg-types strings                 list of package types (os,library) (default [os,library])
       --redis-ca string                   redis ca file location, if using redis as cache backend
       --redis-cert string                 redis certificate file location, if using redis as cache backend
       --redis-key string                  redis key file location, if using redis as cache backend
       --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
       --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
-      --reset                             remove all caches and database
-      --reset-checks-bundle               remove checks bundle
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
       --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
@@ -74,12 +73,12 @@ trivy vm [flags] VM_IMAGE
       --skip-dirs strings                 specify the directories or glob patterns to skip
       --skip-files strings                specify the files or glob patterns to skip
       --skip-java-db-update               skip updating Java index database
+      --skip-vex-repo-update              [EXPERIMENTAL] Skip VEX Repository update
   -t, --template string                   output template
       --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
       --token string                      for authentication in client/server mode
       --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
-      --vex string                        [EXPERIMENTAL] file path to VEX
-      --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
+      --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
 ```
 
 ### Options inherited from parent commands

docs/docs/references/configuration/config-file.md

@@ -81,6 +81,13 @@ severity:
   - MEDIUM
   - HIGH
   - CRITICAL
+    
+# Same as '--pkg-types'
+# Default is 'os,library'
+pkg-types:
+  - os
+  - library
+    
 
 scan:
   # Same as '--compliance'
@@ -261,12 +268,6 @@ Available with vulnerability scanning
 
 ```yaml
 vulnerability:
-  # Same as '--vuln-type'
-  # Default is 'os,library'
-  type:
-    - os
-    - library
-
   # Same as '--ignore-unfixed'
   # Default is false
   ignore-unfixed: false
@@ -275,6 +276,16 @@ vulnerability:
   # Default is empty
   ignore-status: 
     - end_of_life
+
+  # Same as '--vex'
+  # Default is empty
+  vex:
+    - path/to/vex/file
+    - repo
+
+  # Same as '--skip-vex-repo-update'
+  # Default is false
+  skip-vex-repo-update: true
 ```
 
 ## License Options
@@ -351,9 +362,9 @@ rego:
   # Default is false
   trace: false
 
-  # Same as '--skip-policy-update'
+  # Same as '--skip-check-update'
   # Default is false
-  skip-policy-update: false
+  skip-check-update: false
 
   # Same as '--config-policy'
   # Default is empty

docs/docs/references/troubleshooting.md

@@ -264,10 +264,10 @@ $ brew install aquasecurity/trivy/trivy
 ## Others
 ### Unknown error
 
-Try again with `--reset` option:
+Try again after running `trivy clean --all`:
 
 ```
-$ trivy image --reset
+$ trivy clean --all
 ```
 
 [air-gapped]: ../advanced/air-gap.md

docs/docs/scanner/vulnerability.md

@@ -1,13 +1,12 @@
 # Vulnerability Scanning
-Trivy detects known vulnerabilities according to the versions of installed packages.
+Trivy detects known vulnerabilities in software components that it finds in the scan target.
 
-The following packages are supported.
+The following are supported:
 
 - [OS packages](#os-packages)
 - [Language-specific packages](#language-specific-packages)
-- [Kubernetes components (control plane, node and addons)](#kubernetes)
-
-Trivy also detects known vulnerabilities in Kubernetes components using KBOM (Kubernetes bill of Material) scanning. To learn more, see the [documentation for Kubernetes scanning](../target/kubernetes.md#KBOM).
+- [Non-packaged software](#non-packaged-software)
+- [Kubernetes components](#kubernetes)
 
 ## OS Packages
 Trivy is capable of automatically detecting installed OS packages when scanning container images, VM images and running hosts.
@@ -20,22 +19,22 @@ See [here](../coverage/os/index.md#supported-os) for the supported OSes.
 
 ### Data Sources
 
-| OS            | Source                                                       |
-| ------------- | ------------------------------------------------------------ |
-| Arch Linux    | [Vulnerable Issues][arch]                                    |
-| Alpine Linux  | [secdb][alpine]                                              |
-| Wolfi Linux   | [secdb][wolfi]                                               |
-| Chainguard    | [secdb][chainguard]                                          |
-| Amazon Linux  | [Amazon Linux Security Center][amazon]                       |
-| Debian        | [Security Bug Tracker][debian-tracker] / [OVAL][debian-oval] |
-| Ubuntu        | [Ubuntu CVE Tracker][ubuntu]                                 |
-| RHEL/CentOS   | [OVAL][rhel-oval] / [Security Data][rhel-api]                |
-| AlmaLinux     | [AlmaLinux Product Errata][alma]                             |
-| Rocky Linux   | [Rocky Linux UpdateInfo][rocky]                              |
-| Oracle Linux  | [OVAL][oracle]                                               |
-| CBL-Mariner   | [OVAL][mariner]                                              |
-| OpenSUSE/SLES | [CVRF][suse]                                                 |
-| Photon OS     | [Photon Security Advisory][photon]                           |
+| OS                        | Source                                                       |
+|---------------------------|--------------------------------------------------------------|
+| Arch Linux                | [Vulnerable Issues][arch]                                    |
+| Alpine Linux              | [secdb][alpine]                                              |
+| Wolfi Linux               | [secdb][wolfi]                                               |
+| Chainguard                | [secdb][chainguard]                                          |
+| Amazon Linux              | [Amazon Linux Security Center][amazon]                       |
+| Debian                    | [Security Bug Tracker][debian-tracker] / [OVAL][debian-oval] |
+| Ubuntu                    | [Ubuntu CVE Tracker][ubuntu]                                 |
+| RHEL/CentOS               | [OVAL][rhel-oval] / [Security Data][rhel-api]                |
+| AlmaLinux                 | [AlmaLinux Product Errata][alma]                             |
+| Rocky Linux               | [Rocky Linux UpdateInfo][rocky]                              |
+| Oracle Linux              | [OVAL][oracle]                                               |
+| Azure Linux (CBL-Mariner) | [OVAL][azure]                                                |
+| OpenSUSE/SLES             | [CVRF][suse]                                                 |
+| Photon OS                 | [Photon Security Advisory][photon]                           |
 
 #### Data Source Selection
 Trivy **only** consumes security advisories from the sources listed in the above table.
@@ -66,7 +65,44 @@ If the data source does not provide a severity, the severity is determined based
 | 7.0-8.9          | High     |
 | 9.0-10.0         | Critical |
 
-If the CVSS score is also not provided, it falls back to [NVD][nvd], and if NVD does not have severity, it will be UNKNOWN.
+If the CVSS score is also not provided, it falls back to [NVD][nvd].
+
+NVD and some vendors may delay severity analysis, while other vendors, such as Red Hat, are able to quickly evaluate and announce the severity of vulnerabilities.
+To avoid marking too many vulnerabilities as "UNKNOWN" severity, Trivy uses severity ratings from other vendors when the NVD information is not yet available.
+The order of preference for vendor severity data can be found [here](https://github.com/aquasecurity/trivy-db/blob/79d0fbd1e246f3c77eef4b9826fe4bf65940b221/pkg/vulnsrc/vulnerability/vulnerability.go#L17-L19).
+
+You can reference `SeveritySource` in the [JSON reporting format](../configuration/reporting.md#json) to see from where the severity is taken for a given vulnerability.
+
+```shell
+"SeveritySource": "debian",
+```
+
+
+In addition, you can see all the vendor severity ratings.
+
+```json
+"VendorSeverity": {
+  "amazon": 2,
+  "cbl-mariner": 4,
+  "ghsa": 4,
+  "nvd": 4,
+  "photon": 4,
+  "redhat": 2,
+  "ubuntu": 2
+}
+```
+
+Here is the severity mapping in Trivy:
+
+| Number | Severity |
+|:------:|----------|
+|   0    | Unknown  |
+|   1    | Low      |
+|   2    | Medium   |
+|   3    | High     |
+|   4    | Critical |
+
+If no vendor has a severity, the `UNKNOWN` severity will be used.
 
 ### Unfixed Vulnerabilities
 The unfixed/unfixable vulnerabilities mean that the patch has not yet been provided on their distribution.
@@ -101,9 +137,18 @@ See [here](../coverage/language/index.md#supported-languages) for the supported
 
 [^1]: Intentional delay between vulnerability disclosure and registration in the DB
 
+## Non-packaged software
+
+If you have software that is not managed by a package manager, Trivy can still detect vulnerabilities in it in some cases:
+
+- [Using SBOM from Sigstore Rekor](../supply-chain/attestation/rekor/#non-packaged-binaries)
+- [Go Binaries with embedded module information](../coverage/language/golang/#go-binaries)
+- [Rust Binaries with embedded information](../coverage/language/rust/#binaries)
+- [SBOM embedded in container images](../supply-chain/container-image/#sbom-embedded-in-container-images)
+
 ## Kubernetes
 
-Trivy can detect vulnerabilities in Kubernetes clusters and components.
+Trivy can detect vulnerabilities in Kubernetes clusters and components by scanning a Kubernetes Cluster, or a KBOM (Kubernetes bill of Material). To learn more, see the [documentation for Kubernetes scanning](../target/kubernetes.md).
 
 ### Data Sources
 
@@ -157,9 +202,10 @@ Currently, specifying a username and password is not supported.
 This section describes vulnerability-specific configuration.
 Other common options are documented [here](../configuration/index.md).
 
-### Enabling a subset of package types
+### Enabling a Subset of Package Types
+
 It's possible to only enable certain package types if you prefer.
-You can do so by passing the `--vuln-type` option.
+You can do so by passing the `--pkg-types` option.
 This flag takes a comma-separated list of package types.
 
 Available values:
@@ -170,7 +216,7 @@ Available values:
     - Scan language-specific packages (e.g. packages installed by `pip`, `npm`, or `gem`).
 
 ```bash
-$ trivy image --vuln-type os ruby:2.4.0
+$ trivy image --pkg-types os ruby:2.4.0
 ```
 
 
@@ -223,6 +269,45 @@ Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2)
 
 </details>
 
+!!! info
+    This flag filters the packages themselves, so it also affects the `--list-all-pkgs` option and SBOM generation.
+
+### Filtering by Package Relationships
+
+
+Trivy supports filtering vulnerabilities based on the relationship of packages within a project.
+This is achieved through the `--pkg-relationships` flag.
+This feature allows you to focus on vulnerabilities in specific types of dependencies, such as only those in direct dependencies.
+
+In Trivy, there are four types of package relationships:
+
+1. `root`: The root package being scanned
+2. `direct`: Direct dependencies of the root package
+3. `indirect`: Transitive dependencies
+4. `unknown`: Packages whose relationship cannot be determined
+
+The available relationships may vary depending on the ecosystem.
+To see which relationships are supported for a particular project, you can use the JSON output format and check the `Relationship` field:
+
+```
+$ trivy repo -f json --list-all-pkgs /path/to/project
+```
+
+To scan only the root package and its direct dependencies, you can use the flag as follows:
+
+```
+$ trivy repo --pkg-relationships root,direct /path/to/project
+```
+
+By default, all relationships are included in the scan.
+
+!!! info
+    This flag filters the packages themselves, so it also affects the `--list-all-pkgs` option and SBOM generation.
+
+!!! warning
+    As it may not provide a complete package list, `--pkg-relationships` cannot be used with `--dependency-tree`, `--vex` or SBOM generation.
+
+
 [^1]: https://github.com/GoogleContainerTools/distroless
 
 [nvd-CVE-2023-0464]: https://nvd.nist.gov/vuln/detail/CVE-2023-0464
@@ -243,7 +328,7 @@ Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2)
 [oracle]: https://linux.oracle.com/security/oval/
 [suse]: http://ftp.suse.com/pub/projects/security/cvrf/
 [photon]: https://packages.vmware.com/photon/photon_cve_metadata/
-[mariner]: https://github.com/microsoft/CBL-MarinerVulnerabilityData/
+[azure]: https://github.com/microsoft/AzureLinuxVulnerabilityData/
 
 [php-ghsa]: https://github.com/advisories?query=ecosystem%3Acomposer
 [python-ghsa]: https://github.com/advisories?query=ecosystem%3Apip

docs/docs/supply-chain/sbom.md

@@ -731,17 +731,20 @@ $ cat result.spdx.json | jq .
 </details>
 
 ## Scanning
-Trivy can take SBOM documents as input for scanning.
+
+### SBOM as Target
+Trivy can take SBOM documents as input for scanning, e.g `trivy sbom ./sbom.spdx`.
 See [here](../target/sbom.md) for more details.
 
-Also, Trivy searches for SBOM files in container images.
+### SBOM Detection inside Targets
+Trivy searches for SBOM files in container images with the following extensions:
+- `.spdx`
+- `.spdx.json`
+- `.cdx`
+- `.cdx.json`
 
-```bash
-$ trivy image bitnami/elasticsearch:8.7.1
-```
+In addition, Trivy automatically detects SBOM files in [Bitnami images](https://github.com/bitnami/containers), [see here](../coverage/os/bitnami.md) for more details.
 
-For example, [Bitnami images](https://github.com/bitnami/containers) contain SBOM files in `/opt/bitnami` directory.
-Trivy automatically detects the SBOM files and uses them for scanning.
 It is enabled in the following targets.
 
 |     Target      | Enabled |
@@ -755,6 +758,9 @@ It is enabled in the following targets.
 |       AWS       |         |
 |      SBOM       |         |
 
+### SBOM Discovery for Container Images
+
+When scanning container images, Trivy can discover SBOM for those images. [See here](../target/container_image.md) for more details.
 
 [spdx]: https://spdx.dev/wp-content/uploads/sites/41/2020/08/SPDX-specification-2-2.pdf
 

docs/docs/supply-chain/vex/file.md

@@ -1,11 +1,11 @@
-# Vulnerability Exploitability Exchange (VEX)
+# Local VEX Files
 
 !!! warning "EXPERIMENTAL"
     This feature might change without preserving backwards compatibility.
 
-Trivy supports filtering detected vulnerabilities using [the Vulnerability Exploitability Exchange (VEX)](https://www.ntia.gov/files/ntia/publications/vex_one-page_summary.pdf), a standardized format for sharing and exchanging information about vulnerabilities.
-By providing VEX during scanning, it is possible to filter vulnerabilities based on their status.
-Currently, Trivy supports the following three formats:
+In addition to [VEX repositories](./repo.md), Trivy also supports the use of local VEX files for vulnerability filtering.
+This method is useful when you have specific VEX documents that you want to apply to your scans.
+Currently, Trivy supports the following formats:
 
 - [CycloneDX](https://cyclonedx.org/capabilities/vex/)
 - [OpenVEX](https://github.com/openvex/spec)
@@ -263,6 +263,8 @@ $ trivy image ghcr.io/aquasecurity/trivy:0.50.0 --vex trivy.openvex.json
 VEX documents can indeed be reused across different container images, eliminating the need to issue separate VEX documents for each image.
 This is particularly useful when there is a common component or library that is used across multiple projects or container images.
 
+You can see [the appendix](#applying-vex-to-dependency-trees) for more details on how VEX is applied in Trivy.
+
 ### Scan with VEX
 Provide the VEX when scanning your target.
 
@@ -412,6 +414,8 @@ At present, the specified relationship category is not taken into account and al
 - installed_on
 - installed_with
 
+You can see [the appendix](#applying-vex-to-dependency-trees) for more details on how VEX is applied in Trivy.
+
 ### Scan with CSAF VEX
 Provide the CSAF document when scanning your target.
 
@@ -470,6 +474,103 @@ does not match:
 - `pkg:maven/com.google.guava/guava@24.1.1?classifier=sources`
     - `classifier` must have the same value.
 
+### Applying VEX to Dependency Trees
+
+Trivy internally generates a dependency tree and applies VEX statements to this graph.
+Let's consider a project with the following dependency tree, where `Module C v2.0.0` is assumed to have a vulnerability CVE-XXXX-YYYY:
+
+```mermaid
+graph TD;
+  modRootA(Module Root A v1.0.0)
+  modB(Module B v1.0.0) 
+  modC(Module C v2.0.0)
+
+  modRootA-->modB
+  modB-->modC
+```
+
+Now, suppose a VEX statement is issued for `Module B` as follows:
+
+```json
+"statements": [
+  {
+    "vulnerability": {"name": "CVE-XXXX-YYYY"},
+    "products": [
+      {
+        "@id": "pkg:golang/module-b@1.0.0",
+        "subcomponents": [
+          { "@id": "pkg:golang/module-c@2.0.0" }
+        ]
+      }
+    ],
+    "status": "not_affected",
+    "justification": "vulnerable_code_not_in_execute_path"  
+  }
+]
+```
+
+It declares that `Module B` is not affected by CVE-XXXX-YYYY on `Module C`.
+
+!!! note
+    The VEX in this example defines the relationship between `Module B` and `Module C`.
+    However, as Trivy traverses all parents from vulnerable packages, it is also possible to define a VEX for the relationship between a vulnerable package and any parent, such as `Module A` and `Module C`, etc.
+
+Mapping this VEX onto the dependency tree would look like this:
+
+```mermaid
+graph TD;
+  modRootA(Module Root A v1.0.0)
+  
+  subgraph "VEX (Not Affected)"
+  modB(Module B v1.0.0)
+  modC(Module C v2.0.0)
+  end
+
+  modRootA-->modB
+  modB-->modC
+```
+
+In this case, it's clear that `Module Root A` is also not affected by CVE-XXXX-YYYY, so this vulnerability is suppressed.
+
+Now, let's consider another project:
+
+```mermaid
+graph TD;
+  modRootZ(Module Root Z v1.0.0)
+  modB'(Module B v1.0.0)
+  modC'(Module C v2.0.0)
+  modD'(Module D v3.0.0)
+
+  modRootZ-->modB'
+  modRootZ-->modD'
+  modB'-->modC'
+  modD'-->modC'
+```
+
+Assuming the same VEX as before, applying it to this dependency tree would look like:
+
+```mermaid
+graph TD;
+  modRootZ(Module Root Z v1.0.0)
+  
+  subgraph "VEX (Not Affected)"
+  modB'(Module B v1.0.0)
+  modC'(Module C v2.0.0)
+  end
+  
+  modD'(Module D v3.0.0)
+
+  modRootZ-->modB'
+  modRootZ-->modD'
+  modB'-->modC'
+  modD'-->modC'
+```
+
+`Module Root Z` depends on `Module C` via multiple paths.
+While the VEX tells us that `Module B` is not affected by the vulnerability, `Module D` might be.
+In the absence of a VEX, the default assumption is that it is affected.
+Taking all of this into account, Trivy determines that `Module Root Z` is affected by this vulnerability.
+
 
 [csaf]: https://oasis-open.github.io/csaf-documentation/specification.html
 [openvex]: https://github.com/openvex/spec

docs/docs/supply-chain/vex/index.md

@@ -0,0 +1,35 @@
+# Vulnerability Exploitability Exchange (VEX)
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+Trivy supports filtering detected vulnerabilities using the [Vulnerability Exploitability eXchange (VEX)](https://www.ntia.gov/files/ntia/publications/vex_one-page_summary.pdf), a standardized format for sharing and exchanging information about vulnerabilities.
+By providing VEX during scanning, it is possible to filter vulnerabilities based on their status.
+
+## VEX Usage Methods
+
+Trivy currently supports two methods for utilizing VEX:
+
+1. [VEX Repository](./repo.md)
+2. [Local VEX Files](./file.md)
+3. [VEX Attestation](./oci.md)
+
+### Enabling VEX
+To enable VEX, use the `--vex` option.
+You can specify the method to use:
+
+- To enable the VEX Repository: `--vex repo`
+- To use a local VEX file: `--vex /path/to/vex-document.json`
+- To enable VEX attestation discovery in OCI registry: `--vex oci`
+
+```bash
+$ trivy image ghcr.io/aquasecurity/trivy:0.52.0 --vex repo
+```
+
+You can enable these methods simultaneously.
+The order of specification determines the priority:
+
+- `--vex repo --vex /path/to/vex-document.json`: VEX Repository has priority
+- `--vex /path/to/vex-document.json --vex repo`: Local file has priority
+
+For detailed information on each method, please refer to each page.

docs/docs/supply-chain/vex/oci.md

@@ -0,0 +1,121 @@
+# Discover VEX Attestation in OCI Registry
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+Trivy can discover VEX attestations for container images.
+This feature allows you to automatically use VEX during container image scanning.
+
+## How It Works
+
+Trivy can automatically discover and utilize VEX attestations for container images during scanning by using the `--vex oci` flag.
+This process enhances vulnerability detection results by incorporating the information from the VEX attestation.
+
+To use this feature, follow these three steps:
+
+1. Create a VEX document
+2. Generate and upload a VEX attestation to an OCI registry
+3. Use the VEX attestation with Trivy
+
+Steps 1 and 2 are not necessary if you are trying to scan a third-party container image and already have VEX attestation attached.
+
+Let's go through each step in detail.
+
+!!! note
+    In the following examples, the `cosign` command will write an attestation to a target OCI registry, so you must have permission to write.
+    If you want to avoid writing an OCI registry and only want to see an attestation, add the `--no-upload` option to the cosign command.
+
+### Step 1: Create a VEX Document
+
+Currently, Trivy does not have a built-in feature to create VEX documents, so you need to create them manually.
+You can refer to the [OpenVEX section](./file.md#openvex) for guidance on creating VEX files.
+
+For container image vulnerabilities, the product ID should be the OCI type in the [PURL][purl] format.
+For example:
+
+```
+pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy
+```
+
+This product ID applies the VEX statement to all tags of the `ghcr.io/aquasecurity/trivy` container image.
+If you want to declare a statement for a specific digest only, you can use:
+
+```
+pkg:oci/trivy@sha256:5bd5ab35814f86783561603ebb35d5d5d99006dcdcd5c3f828ea1afb4c12d159?repository_url=ghcr.io/aquasecurity/trivy
+```
+
+!!! note
+    Using an image tag, like `pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy&tag=0.50.0`, is not supported in the product ID at the moment.
+
+Next, specify vulnerable packages as subcomponents, such as `pkg:apk/alpine/busybox`.
+You can also include the package version and other [qualifiers][qualifiers] (e.g., `arch`) to limit statements, like `pkg:apk/alpine/busybox@1.36.1-r29?arch=x86`.
+
+Lastly, include the vulnerability IDs.
+
+Here's an example VEX document:
+
+```json
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "https://openvex.dev/docs/public/vex-2e67563e128250cbcb3e98930df948dd053e43271d70dc50cfa22d57e03fe96f",
+  "author": "Aqua Security",
+  "timestamp": "2024-07-30T19:07:16.853479631-06:00",
+  "version": 1,
+  "statements": [
+    {
+      "vulnerability": {
+        "name": "CVE-2023-42363"
+      },
+      "products": [
+        {
+          "@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"}
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_cannot_be_controlled_by_adversary",
+      "impact_statement": "awk is not used"
+    }
+  ]
+}
+```
+
+You can also refer to [Trivy's example](https://github.com/aquasecurity/trivy/blob/4e54a7e84c33c1be80c52c6db78c634bc3911715/.vex/oci.openvex.json) for more inspiration.
+
+### Step 2: Generate and Upload a VEX Attestation to an OCI Registry
+
+You can use the [Cosign command](https://docs.sigstore.dev/verifying/attestation/) to generate and upload the VEX attestation.
+Cosign offers methods both with and without keys.
+For detailed instructions, please refer to the Cosign documentation.
+
+To generate and attach a VEX attestation to your image, use the following command:
+
+```
+$ cosign attest --predicate oci.openvex.json --type openvex <IMAGE>
+```
+
+Note that this command attaches the attestation only to the specified image tag.
+If needed, repeat the process for other tags and digests.
+
+### Step 3: Use VEX Attestation with Trivy
+
+Once you've attached the VEX attestation to the container image, Trivy can automatically discover and use it during scanning.
+Simply add the `--vex oci` flag when scanning a container image:
+
+```
+$ trivy image --vex oci <IMAGE>
+```
+
+To see which vulnerabilities were filtered by the VEX attestation, use the `--show-suppressed` flag:
+
+```
+$ trivy image --vex oci --show-suppressed <IMAGE>
+```
+
+The `<IMAGE>` specified in these commands must be the same as the one to which you attached the VEX attestation.
+
+[purl]: https://github.com/package-url/purl-spec
+[qualifiers]: https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst

docs/docs/supply-chain/vex/repo.md

@@ -0,0 +1,210 @@
+# VEX Repository
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+## Using VEX Repository
+
+Trivy can download and utilize VEX documents from repositories that comply with [the VEX Repository Specification][vex-repo].
+While it's planned to be enabled by default in the future, currently it can be activated by explicitly specifying `--vex repo`.
+
+```
+$ trivy image ghcr.io/aquasecurity/trivy:0.52.0 --vex repo
+2024-07-20T11:22:58+04:00       INFO    [vex] The default repository config has been created    
+file_path="/Users/teppei/.trivy/vex/repository.yaml"
+2024-07-20T11:23:23+04:00       INFO    [vex] Updating repository...    repo="default" url="https://github.com/aquasecurity/vexhub"
+```
+
+During scanning, Trivy generates PURLs for discovered packages and searches for matching PURLs in the VEX Repository.
+If a match is found, the corresponding VEX is utilized.
+
+### Configuration File
+
+#### Default Configuration
+
+When `--vex repo` is specified for the first time, a default configuration file is created at `$HOME/.trivy/vex/repository.yaml`.
+The home directory can be configured through environment variable `$XDG_DATA_HOME`.
+
+You can also create the configuration file in advance using the `trivy vex repo init` command and edit it.
+
+The default configuration file looks like this:
+
+```yaml
+repositories:
+  - name: default
+    url: https://github.com/aquasecurity/vexhub
+    enabled: true
+    username: ""
+    password: ""
+    token: ""
+```
+
+By default, [VEX Hub][vexhub] managed by Aqua Security is used.
+VEX Hub primarily trusts VEX documents published by the package maintainers.
+
+#### Show Configuration
+You can see the config file path and the configured repositories with `trivy vex repo list`:
+
+```bash
+$ trivy vex repo list
+VEX Repositories (config: /home/username/.trivy/vex/repository.yaml)
+
+- Name: default
+  URL: https://github.com/aquasecurity/vexhub
+  Status: Enabled
+```
+
+#### Custom Repositories
+
+If you want to trust VEX documents published by other organizations or use your own VEX repository, you can specify a custom repository that complies with [the VEX Repository Specification][vex-repo].
+You can add a custom repository as below:
+
+```yaml
+- name: custom
+  url: https://example.com/custom-repo
+  enabled: true
+```
+
+
+#### Authentication
+
+For private repositories:
+
+- `username`/`password` can be used for Basic authentication
+- `token` can be used for Bearer authentication
+
+```yaml
+- name: custom
+  url: https://example.com/custom-repo
+  enabled: true
+  token: "my-token"
+```
+
+#### Repository Priority
+
+The priority of VEX repositories is determined by their order in the configuration file.
+You can add repositories with higher priority than the default or even remove the default VEX Hub.
+
+```yaml
+- name: repo1
+  url: https://example.com/repo1
+- name: repo2
+  url: https://example.com/repo2
+```
+
+In this configuration, when Trivy detects a vulnerability in a package, it generates a PURL for that package and searches for matching VEX documents in the configured repositories.
+The search process follows this order:
+
+1. Trivy first looks for a VEX document matching the package's PURL in `repo1`.
+2. If no matching VEX document is found in `repo1`, Trivy then searches in `repo2`.
+3. This process continues through all configured repositories until a match is found.
+ 
+If a matching VEX document is found in any repository (e.g., `repo1`), the search stops, and Trivy uses that VEX document.
+Subsequent repositories (e.g., `repo2`) are not checked for that specific vulnerability and package combination.
+
+It's important to note that the first matching VEX document found determines the final status of the vulnerability.
+For example, if `repo1` states that a package is "Affected" by a vulnerability, this status will be used even if `repo2` states that the same package is "Not Affected" for the same vulnerability.
+The "Affected" status from the higher-priority repository (`repo1`) takes precedence, and Trivy will consider the package as affected by the vulnerability.
+
+### Repository Updates
+
+VEX repositories are automatically updated during scanning.
+Updates are performed based on the update frequency specified by the repository.
+
+To disable auto-update, pass `--skip-vex-repo-update`.
+
+```shell
+$ trivy image ghcr.io/aquasecurity/trivy:0.50.0 --vex repo --skip-vex-repo-update
+```
+
+To download VEX repositories in advance without scanning, use `trivy vex repo download`.
+
+The cache can be cleared with `trivy clean --vex-repo`.
+
+### Displaying Filtered Vulnerabilities
+
+To see which vulnerabilities were filtered and why, use the `--show-suppressed` option:
+
+```shell
+$ trivy image ghcr.io/aquasecurity/trivy:0.50.0 --vex repo --show-suppressed
+...
+
+Suppressed Vulnerabilities (Total: 4)
+=====================================
+┌───────────────┬────────────────┬──────────┬──────────────┬───────────────────────────────────────────────────┬──────────────────────────────────────────┐
+│    Library    │ Vulnerability  │ Severity │    Status    │                     Statement                     │                  Source                  │
+├───────────────┼────────────────┼──────────┼──────────────┼───────────────────────────────────────────────────┼──────────────────────────────────────────┤
+│ busybox       │ CVE-2023-42364 │ MEDIUM   │ not_affected │ vulnerable_code_cannot_be_controlled_by_adversary │ VEX Repository: default                  │
+│               │                │          │              │                                                   │ (https://github.com/aquasecurity/vexhub) │
+│               ├────────────────┤          │              │                                                   │                                          │
+│               │ CVE-2023-42365 │          │              │                                                   │                                          │
+│               │                │          │              │                                                   │                                          │
+├───────────────┼────────────────┤          │              │                                                   │                                          │
+│ busybox-binsh │ CVE-2023-42364 │          │              │                                                   │                                          │
+│               │                │          │              │                                                   │                                          │
+│               ├────────────────┤          │              │                                                   │                                          │
+│               │ CVE-2023-42365 │          │              │                                                   │                                          │
+│               │                │          │              │                                                   │                                          │
+└───────────────┴────────────────┴──────────┴──────────────┴───────────────────────────────────────────────────┴──────────────────────────────────────────┘
+
+```
+
+## Publishing VEX Documents
+
+### For OSS Projects
+
+As an OSS developer or maintainer, you may encounter vulnerabilities in the packages your project depends on.
+These vulnerabilities might be discovered through your own scans or reported by third parties using your OSS project.
+
+While Trivy strives to minimize false positives, it doesn't perform code graph analysis, which means it can't evaluate exploitability at the code level.
+Consequently, Trivy may report vulnerabilities even in cases where:
+
+1. The vulnerable function in a dependency is never called in your project.
+2. The vulnerable code cannot be controlled by an attacker in the context of your project.
+
+If you're confident that a reported vulnerability in a dependency doesn't affect your OSS project or container image, you can publish a VEX document to reduce noise in Trivy scans.
+To assess exploitability, you have several options:
+
+1. Manual assessment: As a maintainer, you can read the source code and determine if the vulnerability is exploitable in your project's context.
+2. Automated assessment: You can use SAST (Static Application Security Testing) tools or similar tools to analyze the code and determine exploitability.
+
+By publishing VEX documents in the source repository, Trivy can automatically utilize them through VEX Hub.
+The main steps are:
+
+1. Generate a VEX document
+2. Commit the VEX document to the `.vex/` directory in the source repository (e.g., [Trivy's VEX][trivy-vex])
+3. Register your project's [PURL][purl] in VEX Hub
+
+Step 3 is only necessary once.
+After that, updating the VEX file in your repository will automatically be fetched by VEX Hub and utilized by Trivy.
+See the [VEX Hub repository][vexhub] for more information.
+
+If you want to issue a VEX for an OSS project that you don't maintain, consider first proposing the VEX publication to the original repository.
+Many OSS maintainers are open to contributions that improve the security posture of their projects.
+However, if your proposal is not accepted, or if you want to issue a VEX with statements that differ from the maintainer's judgment, you may want to consider creating a [custom repository](#hosting-custom-repositories).
+
+### For Private Projects
+
+If you're working on private software or personal projects, you have several options:
+
+1. [Local VEX files](./file.md): You can create local VEX files and have Trivy read them during scans. This is suitable for individual use or small teams.
+2. [.trivyignore](../../configuration/filtering.md#trivyignore): For simpler cases, using a .trivyignore file might be sufficient to suppress specific vulnerabilities.
+3. [Custom repositories](#hosting-custom-repositories): For large organizations wanting to share VEX information for internally used software across different departments, setting up a custom VEX repository might be the best approach.
+
+## Hosting Custom Repositories
+
+While the principle is to store VEX documents for OSS packages in the source repository, it's possible to create a custom repository if that's difficult.
+
+There are various use cases for providing custom repositories:
+
+- A Pull Request to add a VEX document upstream was not merged
+- Consolidating VEX documents output by SAST tools
+- Publishing vendor-specific VEX documents that differ from OSS maintainer statements
+- Creating a private VEX repository to publish common VEX for your company
+
+In these cases, you can create a repository that complies with [the VEX Repository Specification][vex-repo] to make it available for use with Trivy.
+
+[vex-repo]: https://github.com/aquasecurity/vex-repo-spec
+[vexhub]: https://github.com/aquasecurity/vexhub
+[trivy-vex]: https://github.com/aquasecurity/trivy/blob/b76a7250912cfc028cfef743f0f98cd81b39f8aa/.vex/trivy.openvex.json
+[purl]: https://github.com/package-url/purl-spec

docs/docs/target/container_image.md

@@ -436,14 +436,14 @@ The following reports are available out of the box:
 
 | Compliance                             | Version | Name for command | More info                                                                                   |
 |----------------------------------------|---------|------------------|---------------------------------------------------------------------------------------------|
-| CIS Docker Community Edition Benchmark | 1.1.0   | `docker-cis`     | [Link](https://www.aquasec.com/cloud-native-academy/docker-container/docker-cis-benchmark/) |
+| CIS Docker Community Edition Benchmark | 1.1.0   | `docker-cis-1.6.0`     | [Link](https://www.aquasec.com/cloud-native-academy/docker-container/docker-cis-benchmark/) |
 
 ### Examples
 
 Scan a container image configuration and generate a compliance summary report:
 
 ```
-$ trivy image --compliance docker-cis [YOUR_IMAGE_NAME]
+trivy image --compliance docker-cis-1.6.0 [YOUR_IMAGE_NAME]
 ```
 
 !!! note

docs/docs/target/kubernetes.md

@@ -355,12 +355,14 @@ For an overview of Trivy's Compliance feature, including working with custom com
 
 The following reports are available out of the box:
 
-| Compliance                                   | Name for command     | More info                                                                                                           |
-|----------------------------------------------|----------------------|---------------------------------------------------------------------------------------------------------------------|
-| NSA, CISA Kubernetes Hardening Guidance v1.2 | `k8s-nsa`            | [Link](https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF) |
-| CIS Benchmark for Kubernetes v1.23           | `k8s-cis`            | [Link](https://www.cisecurity.org/benchmark/kubernetes)                                                             |
-| Pod Security Standards, Baseline             | `k8s-pss-baseline`   | [Link](https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline)                               |
-| Pod  Security Standards, Restricted          | `k8s-pss-restricted` | [Link](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted)                             |
+| Compliance                                   | Name for command         | More info                                                                                                           |
+|----------------------------------------------|--------------------------|---------------------------------------------------------------------------------------------------------------------|
+| NSA, CISA Kubernetes Hardening Guidance v1.0 | `k8s-nsa-1.0`            | [Link](https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF) |
+| CIS Benchmark for Kubernetes v1.23           | `k8s-cis-1.23`           | [Link](https://www.cisecurity.org/benchmark/kubernetes)                                                             |
+| CIS Benchmark for RKE2 v1.24                 | `rke2-cis-1.24`          | [Link](https://www.cisecurity.org/benchmark/kubernetes)                                                             |
+| CIS Benchmark for EKS v1.4                   | `eks-cis-1.4`            | [Link](https://www.cisecurity.org/benchmark/kubernetes)                                                             |
+| Pod Security Standards, Baseline             | `k8s-pss-baseline-0.1`   | [Link](https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline)                               |
+| Pod  Security Standards, Restricted          | `k8s-pss-restricted-0.1` | [Link](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted)                             |
 
 Examples:
 
@@ -376,7 +378,7 @@ Get the detailed report for checks:
 
 ```
 
-trivy k8s --compliance=k8s-cis --report all
+trivy k8s --compliance=k8s-cis-1.23 --report all
 
 ```
 
@@ -384,7 +386,7 @@ Get summary report in JSON format:
 
 ```
 
-trivy k8s --compliance=k8s-cis --report summary --format json
+trivy k8s --compliance=k8s-cis-1.23 --report summary --format json
 
 ```
 
@@ -392,7 +394,7 @@ Get detailed report in JSON format:
 
 ```
 
-trivy k8s --compliance=k8s-cis --report all --format json
+trivy k8s --compliance=k8s-cis-1.23 --report all --format json
 
 ```
 

docs/ecosystem/prod.md

@@ -29,3 +29,11 @@ You can use Kyverno to ensure and enforce that deployed workloads' images are sc
 Trivy is integrated into Zora as a vulnerability scanner plugin.
 
 👉 Get it at: <https://zora-docs.undistro.io/latest/plugins/trivy/>
+
+## Helmper (Community)
+
+[Helmper](https://christoffernissen.github.io/helmper/) is a go program that reads Helm Charts from remote OCI registries and pushes the Helm Charts and the Helm Charts container images to your OCI registries with optional OS level vulnerability patching
+
+Trivy is integrated into Helmper as a vulnerability scanner in combination with Copacetic to fix detected vulnerabilities.
+
+👉 Get it at: <https://github.com/ChristofferNissen/helmper>

docs/ecosystem/reporting.md

@@ -30,3 +30,9 @@ Trivy-Streamlit is a Streamlit application that allows you to quickly parse the
 This project is a web application that allows to load a Trivy report in json format and displays the vulnerabilities of a single target in an interactive data table.
 
 👉 Get it at: <https://github.com/dbsystel/trivy-vulnerability-explorer>
+
+## plopsec.com (Community)
+
+This project is a web application designed to help you visualize Trivy image scan reports. It enriches the data with additional exploitability metrics from EPSS, Metasploit, and Exploit-DB, updated daily.
+
+👉 Get it at: <https://plopsec.com> | <https://github.com/pl0psec/plopsec.com>

docs/getting-started/installation.md

@@ -61,7 +61,7 @@ brew install trivy
 Arch Linux Package Repository.
 
 ```bash
-pacman -S trivy
+sudo pacman -S trivy
 ```
 
 References: 
@@ -163,17 +163,17 @@ The plugin used by both tools is developped [here](https://github.com/zufardhiya
 
 ### Download Binary
 
-1. Download the file for your operating system/architecture from [GitHub Release assets](https://github.com/aquasecurity/trivy/releases/tag/{{ git.tag }}) (`curl -LO https://url.to/trivy.tar.gz`).  
+1. Download the file for your operating system/architecture from [GitHub Release assets](https://github.com/aquasecurity/trivy/releases/tag/{{ git.tag }}).  
 2. Unpack the downloaded archive (`tar -xzf ./trivy.tar.gz`).
-3. Put the binary somewhere in your `$PATH` (e.g `mv ./trivy /usr/local/bin/`).
-4. Make sure the binary has execution bit turned on (`chmod +x ./trivy`).
+3. Make sure the binary has execution bit turned on (`chmod +x ./trivy`).
+4. Put the binary somewhere in your `$PATH` (e.g `sudo mv ./trivy /usr/local/bin/`).
 
 ### Install Script
 
 The process above can be automated by the following script:
 
 ```bash
-curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin {{ git.tag }}
+curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin {{ git.tag }}
 ```
 
 ### Install from source

docs/tutorials/integrations/gitlab-ci.md

@@ -85,8 +85,6 @@ container_scanning:
     FULL_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
   script:
     - trivy --version
-    # cache cleanup is needed when scanning images with the same tags, it does not remove the database
-    - time trivy image --clear-cache
     # update vulnerabilities db
     - time trivy image --download-db-only
     # Builds report and puts it in the default workdir $CI_PROJECT_DIR, so `artifacts:` can take it from there

go.mod

@@ -2,51 +2,48 @@ module github.com/aquasecurity/trivy
 
 go 1.22.0
 
-toolchain go1.22.2
+toolchain go1.22.4
 
 require (
 	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.2
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.13.0
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0
 	github.com/BurntSushi/toml v1.4.0
-	github.com/CycloneDX/cyclonedx-go v0.8.0
+	github.com/CycloneDX/cyclonedx-go v0.9.0
 	github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible
 	github.com/Masterminds/sprig/v3 v3.2.3
 	github.com/NYTimes/gziphandler v1.1.1
 	github.com/alecthomas/chroma v0.10.0
-	github.com/alicebob/miniredis/v2 v2.32.1
-	github.com/antchfx/htmlquery v1.3.1
+	github.com/alicebob/miniredis/v2 v2.33.0
+	github.com/antchfx/htmlquery v1.3.2
 	github.com/apparentlymart/go-cidr v1.1.0
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
-	github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492
-	github.com/aquasecurity/loading v0.0.5
+	github.com/aquasecurity/go-version v0.0.0-20240603093900-cf8a8d29271d
 	github.com/aquasecurity/table v1.8.0
-	github.com/aquasecurity/testdocker v0.0.0-20240419073403-90bd43849334
+	github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8
 	github.com/aquasecurity/tml v0.6.1
-	github.com/aquasecurity/trivy-aws v0.9.0
-	github.com/aquasecurity/trivy-checks v0.11.0
-	github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d
+	github.com/aquasecurity/trivy-checks v0.13.0
+	github.com/aquasecurity/trivy-db v0.0.0-20240718084044-d23a6ca8ba04
 	github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
-	github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20240516051533-4c5a4aad13b7
-	github.com/aws/aws-sdk-go-v2 v1.27.0
-	github.com/aws/aws-sdk-go-v2/config v1.27.15
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.15
-	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.20
-	github.com/aws/aws-sdk-go-v2/service/ec2 v1.161.3
-	github.com/aws/aws-sdk-go-v2/service/ecr v1.28.2
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.54.2
-	github.com/aws/aws-sdk-go-v2/service/sts v1.28.9
-	github.com/aws/smithy-go v1.20.2
+	github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20240707095038-0300bc49b68b
+	github.com/aws/aws-sdk-go-v2 v1.30.3
+	github.com/aws/aws-sdk-go-v2/config v1.27.27
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.27
+	github.com/aws/aws-sdk-go-v2/service/ec2 v1.172.0
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.30.3
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.58.2
+	github.com/aws/aws-sdk-go-v2/service/sts v1.30.3 // indirect
+	github.com/aws/smithy-go v1.20.3
 	github.com/bitnami/go-version v0.0.0-20231130084017-bb00604d650c
 	github.com/bmatcuk/doublestar/v4 v4.6.1
 	github.com/cenkalti/backoff/v4 v4.3.0
 	github.com/cheggaaa/pb/v3 v3.1.5
-	github.com/containerd/containerd v1.7.17
+	github.com/containerd/containerd v1.7.20
 	github.com/csaf-poc/csaf_distribution/v3 v3.0.0
-	github.com/docker/docker v26.1.3+incompatible
+	github.com/docker/docker v27.1.1+incompatible
 	github.com/docker/go-connections v0.5.0
 	github.com/fatih/color v1.17.0
 	github.com/go-git/go-git/v5 v5.12.0
@@ -54,18 +51,19 @@ require (
 	github.com/go-openapi/strfmt v0.23.0
 	github.com/go-redis/redis/v8 v8.11.5
 	github.com/golang-jwt/jwt/v5 v5.2.1
-	github.com/google/go-containerregistry v0.19.1
+	github.com/google/go-containerregistry v0.20.1
+	github.com/google/go-github/v62 v62.0.0
 	github.com/google/licenseclassifier/v2 v2.0.0
 	github.com/google/uuid v1.6.0
 	github.com/google/wire v0.6.0
-	github.com/hashicorp/go-getter v1.7.4
+	github.com/hashicorp/go-getter v1.7.5
 	github.com/hashicorp/go-multierror v1.1.1
-	github.com/hashicorp/go-retryablehttp v0.7.6
+	github.com/hashicorp/go-retryablehttp v0.7.7
 	github.com/hashicorp/go-uuid v1.0.3
 	github.com/hashicorp/go-version v1.7.0
 	github.com/hashicorp/golang-lru/v2 v2.0.7
 	github.com/hashicorp/hc-install v0.7.0
-	github.com/hashicorp/hcl/v2 v2.20.1
+	github.com/hashicorp/hcl/v2 v2.21.0
 	github.com/hashicorp/terraform-exec v0.21.0
 	github.com/in-toto/in-toto-golang v0.9.0
 	github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
@@ -89,62 +87,63 @@ require (
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/mitchellh/hashstructure/v2 v2.0.2
 	github.com/mitchellh/mapstructure v1.5.0
-	github.com/moby/buildkit v0.13.2
-	github.com/open-policy-agent/opa v0.64.1
+	github.com/moby/buildkit v0.15.1
+	github.com/open-policy-agent/opa v0.66.0
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.0
+	github.com/openvex/discovery v0.1.0
 	github.com/openvex/go-vex v0.2.5
-	github.com/owenrumney/go-sarif/v2 v2.3.1
-	github.com/owenrumney/squealer v1.2.2
+	github.com/owenrumney/go-sarif/v2 v2.3.3
+	github.com/owenrumney/squealer v1.2.3
 	github.com/package-url/packageurl-go v0.1.3
 	github.com/quasilyte/go-ruleguard/dsl v0.3.22
-	github.com/samber/lo v1.39.0
+	github.com/samber/lo v1.46.0
 	github.com/secure-systems-lab/go-securesystemslib v0.8.0
 	github.com/sigstore/rekor v1.3.6
 	github.com/sirupsen/logrus v1.9.3
 	github.com/sosedoff/gitkit v0.4.0
-	github.com/spdx/tools-golang v0.5.4 // v0.5.3 with necessary changes. Can be upgraded to version 0.5.4 after release.
+	github.com/spdx/tools-golang v0.5.5 // v0.5.3 with necessary changes. Can be upgraded to version 0.5.4 after release.
 	github.com/spf13/cast v1.6.0
-	github.com/spf13/cobra v1.8.0
+	github.com/spf13/cobra v1.8.1
 	github.com/spf13/pflag v1.0.5
-	github.com/spf13/viper v1.18.2
+	github.com/spf13/viper v1.19.0
 	github.com/stretchr/testify v1.9.0
-	github.com/testcontainers/testcontainers-go v0.31.0
-	github.com/testcontainers/testcontainers-go/modules/localstack v0.31.0
-	github.com/tetratelabs/wazero v1.7.2
+	github.com/testcontainers/testcontainers-go v0.32.0
+	github.com/testcontainers/testcontainers-go/modules/localstack v0.32.0
+	github.com/tetratelabs/wazero v1.7.3
 	github.com/twitchtv/twirp v8.1.3+incompatible
 	github.com/xeipuuv/gojsonschema v1.2.0
 	github.com/xlab/treeprint v1.2.0
-	github.com/zclconf/go-cty v1.14.4
+	github.com/zclconf/go-cty v1.15.0
 	github.com/zclconf/go-cty-yaml v1.0.3
 	go.etcd.io/bbolt v1.3.10
-	golang.org/x/crypto v0.23.0
-	golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa
-	golang.org/x/mod v0.17.0
-	golang.org/x/net v0.25.0
+	golang.org/x/crypto v0.25.0
+	golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa // indirect
+	golang.org/x/mod v0.19.0
+	golang.org/x/net v0.27.0
 	golang.org/x/sync v0.7.0
-	golang.org/x/term v0.20.0
-	golang.org/x/text v0.15.0
+	golang.org/x/term v0.22.0
+	golang.org/x/text v0.16.0
+	golang.org/x/vuln v1.1.3
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028
-	google.golang.org/protobuf v1.34.1
+	google.golang.org/protobuf v1.34.2
 	gopkg.in/yaml.v3 v3.0.1
-	helm.sh/helm/v3 v3.15.1
-	k8s.io/api v0.30.1
+	helm.sh/helm/v3 v3.15.3
+	k8s.io/api v0.30.3
 	k8s.io/utils v0.0.0-20231127182322-b307cd553661
-	modernc.org/sqlite v1.29.10
+	modernc.org/sqlite v1.31.1
 	sigs.k8s.io/yaml v1.4.0
 )
 
 require (
 	cloud.google.com/go v0.112.1 // indirect
-	cloud.google.com/go/compute v1.25.1 // indirect
-	cloud.google.com/go/compute/metadata v0.2.3 // indirect
+	cloud.google.com/go/compute/metadata v0.3.0 // indirect
 	cloud.google.com/go/iam v1.1.6 // indirect
 	cloud.google.com/go/storage v1.39.1 // indirect
 	dario.cat/mergo v1.0.0 // indirect
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
 	github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
 	github.com/Azure/go-autorest/autorest v0.11.29 // indirect
@@ -168,83 +167,54 @@ require (
 	github.com/agnivade/levenshtein v1.1.1 // indirect
 	github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect
 	github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
-	github.com/antchfx/xpath v1.3.0 // indirect
+	github.com/antchfx/xpath v1.3.1 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
-	github.com/aws/aws-sdk-go v1.53.0 // indirect
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.3 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.7 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.7 // indirect
+	github.com/aws/aws-sdk-go v1.54.6 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/accessanalyzer v1.26.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/apigateway v1.21.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/apigatewayv2 v1.18.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/athena v1.37.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/cloudfront v1.36.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.35.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.32.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.30.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/codebuild v1.26.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/docdb v1.34.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/dynamodb v1.26.8 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ebs v1.21.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ecs v1.35.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/efs v1.28.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/eks v1.41.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/elasticache v1.34.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.26.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/elasticsearchservice v1.25.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/emr v1.36.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/iam v1.28.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.9 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.8.11 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.9 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/kafka v1.28.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/kinesis v1.24.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/kms v1.32.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/lambda v1.49.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/mq v1.20.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/neptune v1.28.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/rds v1.66.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/redshift v1.39.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.26.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sns v1.26.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sqs v1.29.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.20.8 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/workspaces v1.38.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.17 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.22.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
+	github.com/blang/semver v3.5.1+incompatible // indirect
 	github.com/briandowns/spinner v1.23.0 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/chai2010/gettext-go v1.0.2 // indirect
 	github.com/cloudflare/circl v1.3.7 // indirect
 	github.com/containerd/cgroups/v3 v3.0.2 // indirect
+	github.com/containerd/containerd/api v1.7.19 // indirect
 	github.com/containerd/continuity v0.4.3 // indirect
 	github.com/containerd/errdefs v0.1.0 // indirect
 	github.com/containerd/fifo v1.1.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
+	github.com/containerd/platforms v0.2.1 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
-	github.com/containerd/ttrpc v1.2.4 // indirect
+	github.com/containerd/ttrpc v1.2.5 // indirect
 	github.com/containerd/typeurl/v2 v2.1.1 // indirect
 	github.com/cpuguy83/dockercfg v0.3.1 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.3 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
+	github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 // indirect
 	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
+	github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
+	github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/dlclark/regexp2 v1.4.0 // indirect
-	github.com/docker/cli v25.0.3+incompatible // indirect
+	github.com/docker/cli v27.0.3+incompatible // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.8.0 // indirect
+	github.com/docker/docker-credential-helpers v0.8.2 // indirect
 	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect
+	github.com/dsnet/compress v0.0.1 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
@@ -252,12 +222,13 @@ require (
 	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/go-chi/chi v4.1.2+incompatible // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.5.0 // indirect
 	github.com/go-gorp/gorp/v3 v3.1.0 // indirect
 	github.com/go-ini/ini v1.67.0 // indirect
-	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-openapi/analysis v0.23.0 // indirect
@@ -268,7 +239,6 @@ require (
 	github.com/go-openapi/spec v0.21.0 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-openapi/validate v0.24.0 // indirect
-	github.com/go-test/deep v1.1.0 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/goccy/go-yaml v1.9.5 // indirect
 	github.com/gofrs/uuid v4.3.1+incompatible // indirect
@@ -276,9 +246,12 @@ require (
 	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/btree v1.1.2 // indirect
-	github.com/google/gnostic-models v0.6.8 // indirect
+	github.com/google/certificate-transparency-go v1.1.8 // indirect
+	github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
@@ -288,24 +261,27 @@ require (
 	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/gosuri/uitable v0.0.4 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-safetemp v1.0.0 // indirect
 	github.com/hashicorp/golang-lru v0.6.0 // indirect
-	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
 	github.com/hashicorp/terraform-json v0.22.1 // indirect
 	github.com/huandu/xstrings v1.4.0 // indirect
-	github.com/imdario/mergo v0.3.15 // indirect
+	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/jmoiron/sqlx v1.3.5 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/klauspost/compress v1.17.7 // indirect
+	github.com/klauspost/compress v1.17.9 // indirect
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
+	github.com/letsencrypt/boulder v0.0.0-20231026200631-000cd05d5491 // indirect
 	github.com/lib/pq v1.10.9 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/lufia/plan9stats v0.0.0-20240226150601-1dcf7310316a // indirect
@@ -335,42 +311,52 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/ncruces/go-strftime v0.1.9 // indirect
+	github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
-	github.com/opencontainers/runtime-spec v1.1.0 // indirect
+	github.com/opencontainers/runtime-spec v1.2.0 // indirect
 	github.com/opencontainers/selinux v1.11.0 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
-	github.com/pelletier/go-toml/v2 v2.1.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pjbgf/sha1cd v0.3.0 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
-	github.com/prometheus/client_golang v1.19.0 // indirect
+	github.com/prometheus/client_golang v1.19.1 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.48.0 // indirect
-	github.com/prometheus/procfs v0.12.0 // indirect
+	github.com/prometheus/common v0.51.1 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
-	github.com/rivo/uniseg v0.2.0 // indirect
+	github.com/rivo/uniseg v0.4.4 // indirect
 	github.com/rubenv/sql-migrate v1.5.2 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/sagikazarmark/locafero v0.4.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect
+	github.com/sassoftware/relic v7.2.1+incompatible // indirect
 	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
 	github.com/shirou/gopsutil/v3 v3.24.2 // indirect
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
 	github.com/shopspring/decimal v1.3.1 // indirect
+	github.com/sigstore/cosign/v2 v2.2.4 // indirect
+	github.com/sigstore/sigstore v1.8.3 // indirect
+	github.com/sigstore/timestamp-authority v1.2.2 // indirect
 	github.com/skeema/knownhosts v1.2.2 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spf13/afero v1.11.0 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
+	github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
 	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
+	github.com/theupdateframework/go-tuf v0.7.0 // indirect
+	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/tklauser/go-sysconf v0.3.13 // indirect
 	github.com/tklauser/numcpus v0.7.0 // indirect
+	github.com/tonistiigi/go-csvvalue v0.0.0-20240710180619-ddb21b71c0b4 // indirect
+	github.com/transparency-dev/merkle v0.0.2 // indirect
 	github.com/ulikunitz/xz v0.5.11 // indirect
 	github.com/vbatts/tar-split v0.11.5 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
@@ -384,38 +370,40 @@ require (
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0 // indirect
 	go.opentelemetry.io/otel v1.27.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.27.0 // indirect
 	go.opentelemetry.io/otel/metric v1.27.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.27.0 // indirect
 	go.opentelemetry.io/otel/trace v1.27.0 // indirect
 	go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/oauth2 v0.18.0 // indirect
-	golang.org/x/sys v0.20.0 // indirect
+	golang.org/x/oauth2 v0.20.0 // indirect
+	golang.org/x/sys v0.22.0 // indirect
+	golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7 // indirect
 	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.19.0 // indirect
+	golang.org/x/tools v0.23.0 // indirect
 	google.golang.org/api v0.172.0 // indirect
-	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/genproto v0.0.0-20240311173647-c811ad7063a7 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240520151616-dc85e6b867a5 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240515191416-fc5f0ca64291 // indirect
-	google.golang.org/grpc v1.64.0 // indirect
+	google.golang.org/grpc v1.64.1 // indirect
 	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
+	gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	k8s.io/apiextensions-apiserver v0.30.0 // indirect
-	k8s.io/apimachinery v0.30.1 // indirect
+	k8s.io/apimachinery v0.30.3 // indirect
 	k8s.io/apiserver v0.30.0 // indirect
-	k8s.io/cli-runtime v0.30.0 // indirect
-	k8s.io/client-go v0.30.0 // indirect
-	k8s.io/component-base v0.30.0 // indirect
+	k8s.io/cli-runtime v0.30.2 // indirect
+	k8s.io/client-go v0.30.2 // indirect
+	k8s.io/component-base v0.30.1 // indirect
 	k8s.io/klog/v2 v2.120.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
-	k8s.io/kubectl v0.30.0 // indirect
+	k8s.io/kubectl v0.30.1 // indirect
 	modernc.org/gc/v3 v3.0.0-20240107210532-573471604cb6 // indirect
-	modernc.org/libc v1.49.3 // indirect
+	modernc.org/libc v1.55.3 // indirect
 	modernc.org/mathutil v1.6.0 // indirect
 	modernc.org/memory v1.8.0 // indirect
 	modernc.org/strutil v1.2.0 // indirect
@@ -427,3 +415,6 @@ require (
 	sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 )
+
+// cf. https://github.com/openvex/discovery/pull/40
+replace github.com/openvex/discovery => github.com/knqyf263/discovery v0.1.1-0.20240726113521-97873005fd03

goreleaser-canary.yml

@@ -1,3 +1,5 @@
+version: 2
+
 project_name: trivy_canary_build
 builds:
   -
@@ -6,7 +8,7 @@ builds:
     ldflags:
       - -s -w
       - "-extldflags '-static'"
-      - -X github.com/aquasecurity/trivy/pkg/version.ver={{.Version}}
+      - -X github.com/aquasecurity/trivy/pkg/version/app.ver={{.Version}}
     env:
       - CGO_ENABLED=0
     goos:

goreleaser.yml

@@ -1,3 +1,5 @@
+version: 2
+
 project_name: trivy
 builds:
   - id: build-linux
@@ -6,7 +8,7 @@ builds:
     ldflags:
       - -s -w
       - "-extldflags '-static'"
-      - -X github.com/aquasecurity/trivy/pkg/version.ver={{.Version}}
+      - -X github.com/aquasecurity/trivy/pkg/version/app.ver={{.Version}}
     env:
       - CGO_ENABLED=0
     goos:
@@ -26,7 +28,7 @@ builds:
     ldflags:
       - -s -w
       - "-extldflags '-static'"
-      - -X github.com/aquasecurity/trivy/pkg/version.ver={{.Version}}
+      - -X github.com/aquasecurity/trivy/pkg/version/app.ver={{.Version}}
     env:
       - CGO_ENABLED=0
     goos:
@@ -41,7 +43,7 @@ builds:
     ldflags:
       - -s -w
       - "-extldflags '-static'"
-      - -X github.com/aquasecurity/trivy/pkg/version.ver={{.Version}}
+      - -X github.com/aquasecurity/trivy/pkg/version/app.ver={{.Version}}
     env:
       - CGO_ENABLED=0
     goos:
@@ -57,7 +59,7 @@ builds:
     ldflags:
       - -s -w
       - "-extldflags '-static'"
-      - -X github.com/aquasecurity/trivy/pkg/version.ver={{.Version}}
+      - -X github.com/aquasecurity/trivy/pkg/version/app.ver={{.Version}}
     env:
       - CGO_ENABLED=0
     goos:

integration/aws_cloud_test.go

@@ -1,78 +0,0 @@
-//go:build integration
-
-package integration
-
-import (
-	"context"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/aquasecurity/trivy/internal/testutil"
-	awscommands "github.com/aquasecurity/trivy/pkg/cloud/aws/commands"
-	"github.com/aquasecurity/trivy/pkg/flag"
-)
-
-func TestAwsCommandRun(t *testing.T) {
-	tests := []struct {
-		name    string
-		options flag.Options
-		envs    map[string]string
-		wantErr string
-	}{
-		{
-			name: "fail without region",
-			options: flag.Options{
-				RegoOptions: flag.RegoOptions{SkipCheckUpdate: true},
-			},
-			envs: map[string]string{
-				"AWS_ACCESS_KEY_ID":     "test",
-				"AWS_SECRET_ACCESS_KEY": "test",
-			},
-			wantErr: "aws region is required",
-		},
-		{
-			name: "fail without creds",
-			envs: map[string]string{
-				"AWS_PROFILE": "non-existent-profile",
-			},
-			options: flag.Options{
-				RegoOptions: flag.RegoOptions{SkipCheckUpdate: true},
-				AWSOptions: flag.AWSOptions{
-					Region: "us-east-1",
-				},
-			},
-			wantErr: "non-existent-profile",
-		},
-	}
-
-	ctx := context.Background()
-
-	localstackC, addr, err := testutil.SetupLocalStack(ctx, "2.2.0")
-	require.NoError(t, err)
-	defer localstackC.Terminate(ctx)
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-
-			tt.options.AWSOptions.Endpoint = addr
-			tt.options.GlobalOptions.Timeout = time.Minute
-
-			for k, v := range tt.envs {
-				t.Setenv(k, v)
-			}
-
-			err := awscommands.Run(context.Background(), tt.options)
-
-			if tt.wantErr != "" {
-				require.Error(t, err)
-				assert.Contains(t, err.Error(), tt.wantErr, tt.name)
-				return
-			}
-			require.NoError(t, err)
-		})
-	}
-
-}

integration/client_server_test.go

@@ -212,6 +212,13 @@ func TestClientServer(t *testing.T) {
 			},
 			golden: "testdata/opensuse-leap-151.json.golden",
 		},
+		{
+			name: "opensuse tumbleweed",
+			args: csArgs{
+				Input: "testdata/fixtures/images/opensuse-tumbleweed.tar.gz",
+			},
+			golden: "testdata/opensuse-tumbleweed.json.golden",
+		},
 		{
 			name: "photon 3.0",
 			args: csArgs{

integration/convert_test.go

@@ -0,0 +1,69 @@
+//go:build integration
+
+package integration
+
+import (
+	"path/filepath"
+	"testing"
+
+	"github.com/aquasecurity/trivy/pkg/types"
+)
+
+func TestConvert(t *testing.T) {
+	type args struct {
+		input    string
+		format   string
+		scanners string
+	}
+	tests := []struct {
+		name     string
+		args     args
+		golden   string
+		override OverrideFunc
+	}{
+		{
+			name: "npm",
+			args: args{
+				input:  "testdata/npm.json.golden",
+				format: "cyclonedx",
+			},
+			golden: "testdata/npm-cyclonedx.json.golden",
+		},
+		{
+			name: "npm without package UID",
+			args: args{
+				input:  "testdata/fixtures/convert/npm.json.golden",
+				format: "cyclonedx",
+			},
+			golden: "testdata/npm-cyclonedx.json.golden",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			osArgs := []string{
+				"convert",
+				"--cache-dir",
+				t.TempDir(),
+				"-q",
+				"--format",
+				tt.args.format,
+			}
+
+			// Set up the output file
+			outputFile := filepath.Join(t.TempDir(), "output.json")
+			if *update {
+				outputFile = tt.golden
+			}
+
+			osArgs = append(osArgs, "--output", outputFile)
+			osArgs = append(osArgs, tt.args.input)
+
+			// Run "trivy convert"
+			runTest(t, osArgs, tt.golden, outputFile, types.Format(tt.args.format), runOptions{
+				fakeUUID: "3ff14136-e09f-4df9-80ea-%012d",
+			})
+		})
+	}
+
+}

integration/docker_engine_test.go

@@ -12,7 +12,7 @@ import (
 
 	"github.com/aquasecurity/trivy/pkg/types"
 
-	api "github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/client"
 	"github.com/stretchr/testify/require"
 )
@@ -192,6 +192,12 @@ func TestDockerEngine(t *testing.T) {
 			input:    "testdata/fixtures/images/opensuse-leap-151.tar.gz",
 			golden:   "testdata/opensuse-leap-151.json.golden",
 		},
+		{
+			name:     "opensuse tumbleweed",
+			imageTag: "ghcr.io/aquasecurity/trivy-test-images:opensuse-tumbleweed",
+			input:    "testdata/fixtures/images/opensuse-tumbleweed.tar.gz",
+			golden:   "testdata/opensuse-tumbleweed.json.golden",
+		},
 		{
 			name:     "photon 3.0",
 			imageTag: "ghcr.io/aquasecurity/trivy-test-images:photon-30",
@@ -237,7 +243,7 @@ func TestDockerEngine(t *testing.T) {
 				require.NoError(t, err, tt.name)
 
 				// ensure image doesnt already exists
-				_, _ = cli.ImageRemove(ctx, tt.input, api.ImageRemoveOptions{
+				_, _ = cli.ImageRemove(ctx, tt.input, image.RemoveOptions{
 					Force:         true,
 					PruneChildren: true,
 				})
@@ -256,11 +262,11 @@ func TestDockerEngine(t *testing.T) {
 
 				// cleanup
 				t.Cleanup(func() {
-					_, _ = cli.ImageRemove(ctx, tt.input, api.ImageRemoveOptions{
+					_, _ = cli.ImageRemove(ctx, tt.input, image.RemoveOptions{
 						Force:         true,
 						PruneChildren: true,
 					})
-					_, _ = cli.ImageRemove(ctx, tt.imageTag, api.ImageRemoveOptions{
+					_, _ = cli.ImageRemove(ctx, tt.imageTag, image.RemoveOptions{
 						Force:         true,
 						PruneChildren: true,
 					})
@@ -304,7 +310,14 @@ func TestDockerEngine(t *testing.T) {
 			osArgs = append(osArgs, tt.input)
 
 			// Run Trivy
-			runTest(t, osArgs, tt.golden, "", types.FormatJSON, runOptions{wantErr: tt.wantErr})
+			runTest(t, osArgs, tt.golden, "", types.FormatJSON, runOptions{
+				wantErr: tt.wantErr,
+				// Container field was removed in Docker Engine v26.0
+				// cf. https://github.com/docker/cli/blob/v26.1.3/docs/deprecated.md#container-and-containerconfig-fields-in-image-inspect
+				override: overrideFuncs(overrideUID, func(t *testing.T, want, _ *types.Report) {
+					want.Metadata.ImageConfig.Container = ""
+				}),
+			})
 		})
 	}
 }

integration/integration_test.go

@@ -26,13 +26,15 @@ import (
 	"github.com/stretchr/testify/require"
 	"github.com/xeipuuv/gojsonschema"
 
-	"github.com/aquasecurity/trivy-db/pkg/db"
 	"github.com/aquasecurity/trivy-db/pkg/metadata"
+	"github.com/aquasecurity/trivy/internal/dbtest"
+	"github.com/aquasecurity/trivy/internal/testutil"
 	"github.com/aquasecurity/trivy/pkg/clock"
 	"github.com/aquasecurity/trivy/pkg/commands"
-	"github.com/aquasecurity/trivy/pkg/dbtest"
+	"github.com/aquasecurity/trivy/pkg/db"
 	"github.com/aquasecurity/trivy/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/uuid"
+	"github.com/aquasecurity/trivy/pkg/vex/repo"
 
 	_ "modernc.org/sqlite"
 )
@@ -55,15 +57,9 @@ func initDB(t *testing.T) string {
 	}
 
 	cacheDir := dbtest.InitDB(t, fixtures)
-	defer db.Close()
+	defer dbtest.Close()
 
-	dbDir := filepath.Dir(db.Path(cacheDir))
-
-	metadataFile := filepath.Join(dbDir, "metadata.json")
-	f, err := os.Create(metadataFile)
-	require.NoError(t, err)
-
-	err = json.NewEncoder(f).Encode(metadata.Metadata{
+	err = metadata.NewClient(db.Dir(cacheDir)).Update(metadata.Metadata{
 		Version:    db.SchemaVersion,
 		NextUpdate: time.Now().Add(24 * time.Hour),
 		UpdatedAt:  time.Now(),
@@ -74,6 +70,43 @@ func initDB(t *testing.T) string {
 	return cacheDir
 }
 
+func initVEXRepository(t *testing.T, homeDir, cacheDir string) {
+	t.Helper()
+
+	// Copy config directory
+	configSrc := "testdata/fixtures/vex/config/repository.yaml"
+	configDst := filepath.Join(homeDir, ".trivy", "vex", "repository.yaml")
+	testutil.CopyFile(t, configSrc, configDst)
+
+	// Copy repository directory
+	repoSrc := "testdata/fixtures/vex/repositories"
+	repoDst := filepath.Join(cacheDir, "vex", "repositories")
+	testutil.CopyDir(t, repoSrc, repoDst)
+
+	// Copy VEX file
+	vexSrc := "testdata/fixtures/vex/file/openvex.json"
+	repoDir := filepath.Join(repoDst, "default")
+	vexDst := filepath.Join(repoDir, "0.1", "openvex.json")
+	testutil.CopyFile(t, vexSrc, vexDst)
+
+	// Write a dummy cache metadata
+	testutil.MustWriteJSON(t, filepath.Join(repoDir, "cache.json"), repo.CacheMetadata{
+		UpdatedAt: time.Now(),
+	})
+
+	// Verify that necessary files exist
+	requiredFiles := []string{
+		configDst,
+		filepath.Join(repoDir, "vex-repository.json"),
+		filepath.Join(repoDir, "0.1", "index.json"),
+		filepath.Join(repoDir, "0.1", "openvex.json"),
+	}
+
+	for _, file := range requiredFiles {
+		require.FileExists(t, file)
+	}
+}
+
 func getFreePort() (int, error) {
 	addr, err := net.ResolveTCPAddr("tcp", "localhost:0")
 	if err != nil {

integration/repo_test.go

@@ -8,9 +8,10 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/stretchr/testify/require"
+
 	"github.com/aquasecurity/trivy/pkg/fanal/artifact"
 	"github.com/aquasecurity/trivy/pkg/types"
-	"github.com/stretchr/testify/require"
 )
 
 // TestRepository tests `trivy repo` with the local code repositories
@@ -32,6 +33,7 @@ func TestRepository(t *testing.T) {
 		format         types.Format
 		includeDevDeps bool
 		parallel       int
+		vex            string
 	}
 	tests := []struct {
 		name     string
@@ -74,6 +76,24 @@ func TestRepository(t *testing.T) {
 			},
 			golden: "testdata/gomod.json.golden",
 		},
+		{
+			name: "gomod with local VEX file",
+			args: args{
+				scanner: types.VulnerabilityScanner,
+				input:   "testdata/fixtures/repo/gomod",
+				vex:     "testdata/fixtures/vex/file/openvex.json",
+			},
+			golden: "testdata/gomod-vex.json.golden",
+		},
+		{
+			name: "gomod with VEX repository",
+			args: args{
+				scanner: types.VulnerabilityScanner,
+				input:   "testdata/fixtures/repo/gomod",
+				vex:     "repo",
+			},
+			golden: "testdata/gomod-vex.json.golden",
+		},
 		{
 			name: "npm",
 			args: args{
@@ -105,8 +125,9 @@ func TestRepository(t *testing.T) {
 		{
 			name: "pnpm",
 			args: args{
-				scanner: types.VulnerabilityScanner,
-				input:   "testdata/fixtures/repo/pnpm",
+				scanner:     types.VulnerabilityScanner,
+				input:       "testdata/fixtures/repo/pnpm",
+				listAllPkgs: true,
 			},
 			golden: "testdata/pnpm.json.golden",
 		},
@@ -153,6 +174,14 @@ func TestRepository(t *testing.T) {
 			},
 			golden: "testdata/gradle.json.golden",
 		},
+		{
+			name: "sbt",
+			args: args{
+				scanner: types.VulnerabilityScanner,
+				input:   "testdata/fixtures/repo/sbt",
+			},
+			golden: "testdata/sbt.json.golden",
+		},
 		{
 			name: "conan",
 			args: args{
@@ -242,6 +271,16 @@ func TestRepository(t *testing.T) {
 			},
 			golden: "testdata/test-repo.json.golden",
 		},
+		{
+			name: "installed.json",
+			args: args{
+				command:     "rootfs",
+				scanner:     types.VulnerabilityScanner,
+				listAllPkgs: true,
+				input:       "testdata/fixtures/repo/composer-vendor",
+			},
+			golden: "testdata/composer.vendor.json.golden",
+		},
 		{
 			name: "dockerfile",
 			args: args{
@@ -418,9 +457,15 @@ func TestRepository(t *testing.T) {
 	// Set up testing DB
 	cacheDir := initDB(t)
 
-	// Set a temp dir so that modules will not be loaded
+	// Set up VEX
+	initVEXRepository(t, cacheDir, cacheDir)
+
+	// Set a temp dir so that the VEX config will be loaded and modules will not be loaded
 	t.Setenv("XDG_DATA_HOME", cacheDir)
 
+	// Disable Go license detection
+	t.Setenv("GOPATH", cacheDir)
+
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			command := "repo"
@@ -513,6 +558,10 @@ func TestRepository(t *testing.T) {
 				osArgs = append(osArgs, "--secret-config", tt.args.secretConfig)
 			}
 
+			if tt.args.vex != "" {
+				osArgs = append(osArgs, "--vex", tt.args.vex)
+			}
+
 			runTest(t, osArgs, tt.golden, "", format, runOptions{
 				fakeUUID: "3ff14136-e09f-4df9-80ea-%012d",
 				override: tt.override,

integration/standalone_tar_test.go

@@ -322,6 +322,14 @@ func TestTar(t *testing.T) {
 			},
 			golden: "testdata/opensuse-leap-151.json.golden",
 		},
+		{
+			name: "opensuse tumbleweed",
+			args: args{
+				Format: types.FormatJSON,
+				Input:  "testdata/fixtures/images/opensuse-tumbleweed.tar.gz",
+			},
+			golden: "testdata/opensuse-tumbleweed.json.golden",
+		},
 		{
 			name: "photon 3.0",
 			args: args{

integration/testdata/alpine-310.sarif.golden

@@ -1,6 +1,6 @@
 {
   "version": "2.1.0",
-  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
   "runs": [
     {
       "tool": {
@@ -184,6 +184,7 @@
         }
       },
       "properties": {
+        "imageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4",
         "imageName": "testdata/fixtures/images/alpine-310.tar.gz",
         "repoDigests": null,
         "repoTags": null

integration/testdata/composer.vendor.json.golden

@@ -0,0 +1,131 @@
+{
+  "SchemaVersion": 2,
+  "CreatedAt": "2021-08-25T12:20:30.000000005Z",
+  "ArtifactName": "testdata/fixtures/repo/composer-vendor",
+  "ArtifactType": "filesystem",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  },
+  "Results": [
+    {
+      "Target": "installed.json",
+      "Class": "lang-pkgs",
+      "Type": "composer-vendor",
+      "Packages": [
+        {
+          "ID": "guzzlehttp/psr7@1.8.3",
+          "Name": "guzzlehttp/psr7",
+          "Identifier": {
+            "PURL": "pkg:composer/guzzlehttp/psr7@1.8.3",
+            "UID": "25fca97fe23aa7b1"
+          },
+          "Version": "1.8.3",
+          "Licenses": [
+            "MIT"
+          ],
+          "DependsOn": [
+            "psr/http-message@1.1",
+            "ralouphie/getallheaders@3.0.3"
+          ],
+          "Layer": {},
+          "Locations": [
+            {
+              "StartLine": 3,
+              "EndLine": 115
+            }
+          ]
+        },
+        {
+          "ID": "psr/http-message@1.1",
+          "Name": "psr/http-message",
+          "Identifier": {
+            "PURL": "pkg:composer/psr/http-message@1.1",
+            "UID": "299d8ff4461e894"
+          },
+          "Version": "1.1",
+          "Licenses": [
+            "MIT"
+          ],
+          "Layer": {},
+          "Locations": [
+            {
+              "StartLine": 116,
+              "EndLine": 171
+            }
+          ]
+        },
+        {
+          "ID": "ralouphie/getallheaders@3.0.3",
+          "Name": "ralouphie/getallheaders",
+          "Identifier": {
+            "PURL": "pkg:composer/ralouphie/getallheaders@3.0.3",
+            "UID": "c383e94d979a209c"
+          },
+          "Version": "3.0.3",
+          "Licenses": [
+            "MIT"
+          ],
+          "Layer": {},
+          "Locations": [
+            {
+              "StartLine": 172,
+              "EndLine": 218
+            }
+          ]
+        }
+      ],
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2022-24775",
+          "PkgID": "guzzlehttp/psr7@1.8.3",
+          "PkgName": "guzzlehttp/psr7",
+          "PkgIdentifier": {
+            "PURL": "pkg:composer/guzzlehttp/psr7@1.8.3",
+            "UID": "25fca97fe23aa7b1"
+          },
+          "InstalledVersion": "1.8.3",
+          "FixedVersion": "1.8.4",
+          "Status": "fixed",
+          "Layer": {},
+          "SeveritySource": "ghsa",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24775",
+          "DataSource": {
+            "ID": "ghsa",
+            "Name": "GitHub Security Advisory Composer",
+            "URL": "https://github.com/advisories?query=type%%3Areviewed+ecosystem%%3Acomposer"
+          },
+          "Title": "Improper Input Validation in guzzlehttp/psr7",
+          "Description": "### Impact\nIn proper header parsing. An attacker could sneak in a new line character and pass untrusted values. \n\n### Patches\nThe issue is patched in 1.8.4 and 2.1.1.\n\n### Workarounds\nThere are no known workarounds.\n",
+          "Severity": "HIGH",
+          "CweIDs": [
+            "CWE-20"
+          ],
+          "VendorSeverity": {
+            "ghsa": 3
+          },
+          "CVSS": {
+            "ghsa": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
+              "V3Score": 7.5
+            }
+          },
+          "References": [
+            "https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96",
+            "https://nvd.nist.gov/vuln/detail/CVE-2022-24775"
+          ],
+          "PublishedDate": "2022-03-25T19:26:33Z",
+          "LastModifiedDate": "2022-06-14T20:02:29Z"
+        }
+      ]
+    }
+  ]
+}

integration/testdata/conan.json.golden

@@ -171,7 +171,36 @@
           "FixedVersion": "8.45",
           "Status": "fixed",
           "Layer": {},
-          "Severity": "UNKNOWN"
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-14155",
+          "Title": "pcre: Integer overflow when parsing callout numeric arguments",
+          "Description": "libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring.",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-190"
+          ],
+          "VendorSeverity": {
+            "alma": 1,
+            "nvd": 2
+          },
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+              "V2Score": 5,
+              "V3Score": 5.3
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+              "V3Score": 5.3
+            }
+          },
+          "References": [
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14155",
+            "https://nvd.nist.gov/vuln/detail/CVE-2020-14155"
+          ],
+          "PublishedDate": "2020-06-15T17:15:00Z",
+          "LastModifiedDate": "2022-04-28T15:06:00Z"
         }
       ]
     }

integration/testdata/conda-cyclonedx.json.golden

@@ -1,7 +1,7 @@
 {
-  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
-  "specVersion": "1.5",
+  "specVersion": "1.6",
   "serialNumber": "urn:uuid:3ff14136-e09f-4df9-80ea-000000000004",
   "version": 1,
   "metadata": {

integration/testdata/conda-environment-cyclonedx.json.golden

@@ -1,7 +1,7 @@
 {
-  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
-  "specVersion": "1.5",
+  "specVersion": "1.6",
   "serialNumber": "urn:uuid:3ff14136-e09f-4df9-80ea-000000000004",
   "version": 1,
   "metadata": {

integration/testdata/dotnet.json.golden

@@ -22,10 +22,11 @@
       "Type": "dotnet-core",
       "Packages": [
         {
+          "ID": "Newtonsoft.Json/9.0.1",
           "Name": "Newtonsoft.Json",
           "Identifier": {
             "PURL": "pkg:nuget/Newtonsoft.Json@9.0.1",
-            "UID": "19955f480b8a6340"
+            "UID": "e678401f5d07418a"
           },
           "Version": "9.0.1",
           "Layer": {},
@@ -40,10 +41,11 @@
       "Vulnerabilities": [
         {
           "VulnerabilityID": "GHSA-5crp-9r3c-p9vr",
+          "PkgID": "Newtonsoft.Json/9.0.1",
           "PkgName": "Newtonsoft.Json",
           "PkgIdentifier": {
             "PURL": "pkg:nuget/Newtonsoft.Json@9.0.1",
-            "UID": "19955f480b8a6340"
+            "UID": "e678401f5d07418a"
           },
           "InstalledVersion": "9.0.1",
           "FixedVersion": "13.0.1",

integration/testdata/fixtures/convert/npm.json.golden

@@ -0,0 +1,381 @@
+{
+  "SchemaVersion": 2,
+  "CreatedAt": "2021-08-25T12:20:30.000000005Z",
+  "ArtifactName": "testdata/fixtures/repo/npm",
+  "ArtifactType": "repository",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  },
+  "Results": [
+    {
+      "Target": "package-lock.json",
+      "Class": "lang-pkgs",
+      "Type": "npm",
+      "Packages": [
+        {
+          "ID": "asap@2.0.6",
+          "Name": "asap",
+          "Identifier": {
+            "PURL": "pkg:npm/asap@2.0.6"
+          },
+          "Version": "2.0.6",
+          "Layer": {},
+          "Locations": [
+            {
+              "StartLine": 6,
+              "EndLine": 10
+            }
+          ]
+        },
+        {
+          "ID": "jquery@3.3.9",
+          "Name": "jquery",
+          "Identifier": {
+            "PURL": "pkg:npm/jquery@3.3.9"
+          },
+          "Version": "3.3.9",
+          "Licenses": [
+            "MIT"
+          ],
+          "Layer": {},
+          "Locations": [
+            {
+              "StartLine": 11,
+              "EndLine": 15
+            }
+          ]
+        },
+        {
+          "ID": "js-tokens@4.0.0",
+          "Name": "js-tokens",
+          "Identifier": {
+            "PURL": "pkg:npm/js-tokens@4.0.0"
+          },
+          "Version": "4.0.0",
+          "Layer": {},
+          "Locations": [
+            {
+              "StartLine": 16,
+              "EndLine": 20
+            }
+          ]
+        },
+        {
+          "ID": "loose-envify@1.4.0",
+          "Name": "loose-envify",
+          "Identifier": {
+            "PURL": "pkg:npm/loose-envify@1.4.0"
+          },
+          "Version": "1.4.0",
+          "DependsOn": [
+            "js-tokens@4.0.0"
+          ],
+          "Layer": {},
+          "Locations": [
+            {
+              "StartLine": 21,
+              "EndLine": 28
+            }
+          ]
+        },
+        {
+          "ID": "object-assign@4.1.1",
+          "Name": "object-assign",
+          "Identifier": {
+            "PURL": "pkg:npm/object-assign@4.1.1"
+          },
+          "Version": "4.1.1",
+          "Layer": {},
+          "Locations": [
+            {
+              "StartLine": 29,
+              "EndLine": 33
+            }
+          ]
+        },
+        {
+          "ID": "promise@8.0.3",
+          "Name": "promise",
+          "Identifier": {
+            "PURL": "pkg:npm/promise@8.0.3"
+          },
+          "Version": "8.0.3",
+          "Licenses": [
+            "MIT"
+          ],
+          "DependsOn": [
+            "asap@2.0.6"
+          ],
+          "Layer": {},
+          "Locations": [
+            {
+              "StartLine": 34,
+              "EndLine": 41
+            }
+          ]
+        },
+        {
+          "ID": "prop-types@15.7.2",
+          "Name": "prop-types",
+          "Identifier": {
+            "PURL": "pkg:npm/prop-types@15.7.2"
+          },
+          "Version": "15.7.2",
+          "DependsOn": [
+            "loose-envify@1.4.0",
+            "object-assign@4.1.1",
+            "react-is@16.8.6"
+          ],
+          "Layer": {},
+          "Locations": [
+            {
+              "StartLine": 42,
+              "EndLine": 51
+            }
+          ]
+        },
+        {
+          "ID": "react@16.8.6",
+          "Name": "react",
+          "Identifier": {
+            "PURL": "pkg:npm/react@16.8.6"
+          },
+          "Version": "16.8.6",
+          "Licenses": [
+            "MIT"
+          ],
+          "DependsOn": [
+            "loose-envify@1.4.0",
+            "object-assign@4.1.1",
+            "prop-types@15.7.2",
+            "scheduler@0.13.6"
+          ],
+          "Layer": {},
+          "Locations": [
+            {
+              "StartLine": 52,
+              "EndLine": 62
+            }
+          ]
+        },
+        {
+          "ID": "react-is@16.8.6",
+          "Name": "react-is",
+          "Identifier": {
+            "PURL": "pkg:npm/react-is@16.8.6"
+          },
+          "Version": "16.8.6",
+          "Licenses": [
+            "MIT"
+          ],
+          "Layer": {},
+          "Locations": [
+            {
+              "StartLine": 63,
+              "EndLine": 67
+            }
+          ]
+        },
+        {
+          "ID": "redux@4.0.1",
+          "Name": "redux",
+          "Identifier": {
+            "PURL": "pkg:npm/redux@4.0.1"
+          },
+          "Version": "4.0.1",
+          "Licenses": [
+            "MIT"
+          ],
+          "DependsOn": [
+            "loose-envify@1.4.0",
+            "symbol-observable@1.2.0"
+          ],
+          "Layer": {},
+          "Locations": [
+            {
+              "StartLine": 68,
+              "EndLine": 76
+            }
+          ]
+        },
+        {
+          "ID": "scheduler@0.13.6",
+          "Name": "scheduler",
+          "Identifier": {
+            "PURL": "pkg:npm/scheduler@0.13.6"
+          },
+          "Version": "0.13.6",
+          "DependsOn": [
+            "loose-envify@1.4.0",
+            "object-assign@4.1.1"
+          ],
+          "Layer": {},
+          "Locations": [
+            {
+              "StartLine": 77,
+              "EndLine": 85
+            }
+          ]
+        },
+        {
+          "ID": "symbol-observable@1.2.0",
+          "Name": "symbol-observable",
+          "Identifier": {
+            "PURL": "pkg:npm/symbol-observable@1.2.0"
+          },
+          "Version": "1.2.0",
+          "Layer": {},
+          "Locations": [
+            {
+              "StartLine": 86,
+              "EndLine": 90
+            }
+          ]
+        }
+      ],
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2019-11358",
+          "PkgID": "jquery@3.3.9",
+          "PkgName": "jquery",
+          "PkgIdentifier": {
+            "PURL": "pkg:npm/jquery@3.3.9"
+          },
+          "InstalledVersion": "3.3.9",
+          "FixedVersion": "3.4.0",
+          "Status": "fixed",
+          "Layer": {},
+          "SeveritySource": "ghsa",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-11358",
+          "DataSource": {
+            "ID": "ghsa",
+            "Name": "GitHub Security Advisory Npm",
+            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
+          },
+          "Title": "jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection",
+          "Description": "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-79"
+          ],
+          "VendorSeverity": {
+            "alma": 2,
+            "amazon": 2,
+            "arch-linux": 2,
+            "ghsa": 2,
+            "nodejs-security-wg": 2,
+            "nvd": 2,
+            "oracle-oval": 2,
+            "redhat": 2,
+            "ruby-advisory-db": 2,
+            "ubuntu": 1
+          },
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
+              "V2Score": 4.3,
+              "V3Score": 6.1
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
+              "V3Score": 5.6
+            }
+          },
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html",
+            "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html",
+            "http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html",
+            "http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html",
+            "http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html",
+            "http://seclists.org/fulldisclosure/2019/May/10",
+            "http://seclists.org/fulldisclosure/2019/May/11",
+            "http://seclists.org/fulldisclosure/2019/May/13",
+            "http://www.openwall.com/lists/oss-security/2019/06/03/2",
+            "http://www.securityfocus.com/bid/108023",
+            "https://access.redhat.com/errata/RHBA-2019:1570",
+            "https://access.redhat.com/errata/RHSA-2019:1456",
+            "https://access.redhat.com/errata/RHSA-2019:2587",
+            "https://access.redhat.com/errata/RHSA-2019:3023",
+            "https://access.redhat.com/errata/RHSA-2019:3024",
+            "https://access.redhat.com/security/cve/CVE-2019-11358",
+            "https://backdropcms.org/security/backdrop-sa-core-2019-009",
+            "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358",
+            "https://github.com/DanielRuf/snyk-js-jquery-174006?files=1",
+            "https://github.com/advisories/GHSA-6c3j-c64m-qhgq",
+            "https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b",
+            "https://github.com/jquery/jquery/pull/4333",
+            "https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#434",
+            "https://hackerone.com/reports/454365",
+            "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601",
+            "https://linux.oracle.com/cve/CVE-2019-11358.html",
+            "https://linux.oracle.com/errata/ELSA-2020-4847.html",
+            "https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc@%3Ccommits.airflow.apache.org%3E",
+            "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E",
+            "https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844@%3Ccommits.airflow.apache.org%3E",
+            "https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f@%3Ccommits.airflow.apache.org%3E",
+            "https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7@%3Ccommits.airflow.apache.org%3E",
+            "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E",
+            "https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205@%3Ccommits.airflow.apache.org%3E",
+            "https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6@%3Ccommits.roller.apache.org%3E",
+            "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E",
+            "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E",
+            "https://lists.apache.org/thread.html/r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9@%3Cissues.flink.apache.org%3E",
+            "https://lists.apache.org/thread.html/r2baacab6e0acb5a2092eb46ae04fd6c3e8277b4fd79b1ffb7f3254fa@%3Cissues.flink.apache.org%3E",
+            "https://lists.apache.org/thread.html/r38f0d1aa3c923c22977fe7376508f030f22e22c1379fbb155bf29766@%3Cdev.syncope.apache.org%3E",
+            "https://lists.apache.org/thread.html/r41b5bfe009c845f67d4f68948cc9419ac2d62e287804aafd72892b08@%3Cissues.flink.apache.org%3E",
+            "https://lists.apache.org/thread.html/r7aac081cbddb6baa24b75e74abf0929bf309b176755a53e3ed810355@%3Cdev.flink.apache.org%3E",
+            "https://lists.apache.org/thread.html/r7d64895cc4dff84d0becfc572b20c0e4bf9bfa7b10c6f5f73e783734@%3Cdev.storm.apache.org%3E",
+            "https://lists.apache.org/thread.html/r7e8ebccb7c022e41295f6fdb7b971209b83702339f872ddd8cf8bf73@%3Cissues.flink.apache.org%3E",
+            "https://lists.apache.org/thread.html/rac25da84ecdcd36f6de5ad0d255f4e967209bbbebddb285e231da37d@%3Cissues.flink.apache.org%3E",
+            "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E",
+            "https://lists.debian.org/debian-lts-announce/2019/05/msg00006.html",
+            "https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html",
+            "https://lists.debian.org/debian-lts-announce/2020/02/msg00024.html",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5/",
+            "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
+            "https://seclists.org/bugtraq/2019/Apr/32",
+            "https://seclists.org/bugtraq/2019/Jun/12",
+            "https://seclists.org/bugtraq/2019/May/18",
+            "https://security.netapp.com/advisory/ntap-20190919-0001/",
+            "https://snyk.io/vuln/SNYK-JS-JQUERY-174006",
+            "https://www.debian.org/security/2019/dsa-4434",
+            "https://www.debian.org/security/2019/dsa-4460",
+            "https://www.drupal.org/sa-core-2019-006",
+            "https://www.oracle.com//security-alerts/cpujul2021.html",
+            "https://www.oracle.com/security-alerts/cpuApr2021.html",
+            "https://www.oracle.com/security-alerts/cpuapr2020.html",
+            "https://www.oracle.com/security-alerts/cpujan2020.html",
+            "https://www.oracle.com/security-alerts/cpujan2021.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.oracle.com/security-alerts/cpuoct2020.html",
+            "https://www.oracle.com/security-alerts/cpuoct2021.html",
+            "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
+            "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
+            "https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery/",
+            "https://www.synology.com/security/advisory/Synology_SA_19_19",
+            "https://www.tenable.com/security/tns-2019-08",
+            "https://www.tenable.com/security/tns-2020-02"
+          ],
+          "PublishedDate": "2019-04-20T00:29:00Z",
+          "LastModifiedDate": "2021-10-20T11:15:00Z"
+        }
+      ]
+    }
+  ]
+}

integration/testdata/fixtures/db/opensuse.yaml

@@ -9,4 +9,11 @@
       pairs:
         - key: "openSUSE-SU-2020:0062-1"
           value:
-            FixedVersion: 1.1.0i-lp151.8.6.1
+            FixedVersion: 1.1.0i-lp151.8.6.1
+- bucket: "openSUSE Tumbleweed"
+  pairs:
+    - bucket: libopenssl3
+      pairs:
+        - key: "openSUSE-SU-2024:13065-1"
+          value:
+            FixedVersion: 3.1.5-9.1 # changed for test

integration/testdata/fixtures/db/vulnerability.yaml

@@ -1340,6 +1340,15 @@
         - https://nvd.nist.gov/vuln/detail/CVE-2022-24775
       PublishedDate: "2022-03-25T19:26:33Z"
       LastModifiedDate: "2022-06-14T20:02:29Z"
+  - key: openSUSE-SU-2024:13065-1
+    value:
+      Title: "libopenssl-3-devel-3.1.1-3.1 on GA media"
+      Description: "These are all security issues fixed in the libopenssl-3-devel-3.1.1-3.1 package on the GA media of openSUSE Tumbleweed."
+      Severity: MEDIUM
+      References:
+        - "https://www.suse.com/security/cve/CVE-2023-2975/"
+        - "https://www.suse.com/security/cve/CVE-2023-3446/"
+        - "https://www.suse.com/support/security/rating/"
   - key: CVE-2022-22965
     value:
       Title: "spring-framework: RCE via Data Binding on JDK 9+"
@@ -1364,7 +1373,7 @@
           V3Vector: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
           V3Score: 8.1
       References:
-        - "https://github.com/advisories/GHSA-36p3-wjmg-h94x",
+        - "https://github.com/advisories/GHSA-36p3-wjmg-h94x"
       PublishedDate: "2022-04-01T23:15:00Z"
       LastModifiedDate: "2022-05-19T14:21:00Z"
   - key: CVE-2020-14155
@@ -1387,7 +1396,7 @@
           V3Vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
           V3Score: 5.3
       References:
-        - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14155",
+        - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14155"
         - "https://nvd.nist.gov/vuln/detail/CVE-2020-14155"
       PublishedDate: "2020-06-15T17:15:00Z"
-      LastModifiedDate: "2022-04-28T15:06:00Z"
+      LastModifiedDate: "2022-04-28T15:06:00Z"

integration/testdata/fixtures/repo/composer-vendor/installed.json

@@ -0,0 +1,222 @@
+{
+  "packages": [
+    {
+      "name": "guzzlehttp/psr7",
+      "version": "1.8.3",
+      "version_normalized": "1.8.3.0",
+      "source": {
+        "type": "git",
+        "url": "https://github.com/guzzle/psr7.git",
+        "reference": "1afdd860a2566ed3c2b0b4a3de6e23434a79ec85"
+      },
+      "dist": {
+        "type": "zip",
+        "url": "https://api.github.com/repos/guzzle/psr7/zipball/1afdd860a2566ed3c2b0b4a3de6e23434a79ec85",
+        "reference": "1afdd860a2566ed3c2b0b4a3de6e23434a79ec85",
+        "shasum": ""
+      },
+      "require": {
+        "php": ">=5.4.0",
+        "psr/http-message": "~1.0",
+        "ralouphie/getallheaders": "^2.0.5 || ^3.0.0"
+      },
+      "provide": {
+        "psr/http-message-implementation": "1.0"
+      },
+      "require-dev": {
+        "ext-zlib": "*",
+        "phpunit/phpunit": "~4.8.36 || ^5.7.27 || ^6.5.14 || ^7.5.20 || ^8.5.8 || ^9.3.10"
+      },
+      "suggest": {
+        "laminas/laminas-httphandlerrunner": "Emit PSR-7 responses"
+      },
+      "time": "2021-10-05T13:56:00+00:00",
+      "type": "library",
+      "extra": {
+        "branch-alias": {
+          "dev-master": "1.7-dev"
+        }
+      },
+      "installation-source": "dist",
+      "autoload": {
+        "files": [
+          "src/functions_include.php"
+        ],
+        "psr-4": {
+          "GuzzleHttp\\Psr7\\": "src/"
+        }
+      },
+      "notification-url": "https://packagist.org/downloads/",
+      "license": [
+        "MIT"
+      ],
+      "authors": [
+        {
+          "name": "Graham Campbell",
+          "email": "hello@gjcampbell.co.uk",
+          "homepage": "https://github.com/GrahamCampbell"
+        },
+        {
+          "name": "Michael Dowling",
+          "email": "mtdowling@gmail.com",
+          "homepage": "https://github.com/mtdowling"
+        },
+        {
+          "name": "George Mponos",
+          "email": "gmponos@gmail.com",
+          "homepage": "https://github.com/gmponos"
+        },
+        {
+          "name": "Tobias Nyholm",
+          "email": "tobias.nyholm@gmail.com",
+          "homepage": "https://github.com/Nyholm"
+        },
+        {
+          "name": "Márk Sági-Kazár",
+          "email": "mark.sagikazar@gmail.com",
+          "homepage": "https://github.com/sagikazarmark"
+        },
+        {
+          "name": "Tobias Schultze",
+          "email": "webmaster@tubo-world.de",
+          "homepage": "https://github.com/Tobion"
+        }
+      ],
+      "description": "PSR-7 message implementation that also provides common utility methods",
+      "keywords": [
+        "http",
+        "message",
+        "psr-7",
+        "request",
+        "response",
+        "stream",
+        "uri",
+        "url"
+      ],
+      "support": {
+        "issues": "https://github.com/guzzle/psr7/issues",
+        "source": "https://github.com/guzzle/psr7/tree/1.8.3"
+      },
+      "funding": [
+        {
+          "url": "https://github.com/GrahamCampbell",
+          "type": "github"
+        },
+        {
+          "url": "https://github.com/Nyholm",
+          "type": "github"
+        },
+        {
+          "url": "https://tidelift.com/funding/github/packagist/guzzlehttp/psr7",
+          "type": "tidelift"
+        }
+      ],
+      "install-path": "../guzzlehttp/psr7"
+    },
+    {
+      "name": "psr/http-message",
+      "version": "1.1",
+      "version_normalized": "1.1.0.0",
+      "source": {
+        "type": "git",
+        "url": "https://github.com/php-fig/http-message.git",
+        "reference": "cb6ce4845ce34a8ad9e68117c10ee90a29919eba"
+      },
+      "dist": {
+        "type": "zip",
+        "url": "https://api.github.com/repos/php-fig/http-message/zipball/cb6ce4845ce34a8ad9e68117c10ee90a29919eba",
+        "reference": "cb6ce4845ce34a8ad9e68117c10ee90a29919eba",
+        "shasum": ""
+      },
+      "require": {
+        "php": "^7.2 || ^8.0"
+      },
+      "time": "2023-04-04T09:50:52+00:00",
+      "type": "library",
+      "extra": {
+        "branch-alias": {
+          "dev-master": "1.1.x-dev"
+        }
+      },
+      "installation-source": "dist",
+      "autoload": {
+        "psr-4": {
+          "Psr\\Http\\Message\\": "src/"
+        }
+      },
+      "notification-url": "https://packagist.org/downloads/",
+      "license": [
+        "MIT"
+      ],
+      "authors": [
+        {
+          "name": "PHP-FIG",
+          "homepage": "http://www.php-fig.org/"
+        }
+      ],
+      "description": "Common interface for HTTP messages",
+      "homepage": "https://github.com/php-fig/http-message",
+      "keywords": [
+        "http",
+        "http-message",
+        "psr",
+        "psr-7",
+        "request",
+        "response"
+      ],
+      "support": {
+        "source": "https://github.com/php-fig/http-message/tree/1.1"
+      },
+      "install-path": "../psr/http-message"
+    },
+    {
+      "name": "ralouphie/getallheaders",
+      "version": "3.0.3",
+      "version_normalized": "3.0.3.0",
+      "source": {
+        "type": "git",
+        "url": "https://github.com/ralouphie/getallheaders.git",
+        "reference": "120b605dfeb996808c31b6477290a714d356e822"
+      },
+      "dist": {
+        "type": "zip",
+        "url": "https://api.github.com/repos/ralouphie/getallheaders/zipball/120b605dfeb996808c31b6477290a714d356e822",
+        "reference": "120b605dfeb996808c31b6477290a714d356e822",
+        "shasum": ""
+      },
+      "require": {
+        "php": ">=5.6"
+      },
+      "require-dev": {
+        "php-coveralls/php-coveralls": "^2.1",
+        "phpunit/phpunit": "^5 || ^6.5"
+      },
+      "time": "2019-03-08T08:55:37+00:00",
+      "type": "library",
+      "installation-source": "dist",
+      "autoload": {
+        "files": [
+          "src/getallheaders.php"
+        ]
+      },
+      "notification-url": "https://packagist.org/downloads/",
+      "license": [
+        "MIT"
+      ],
+      "authors": [
+        {
+          "name": "Ralph Khattar",
+          "email": "ralph.khattar@gmail.com"
+        }
+      ],
+      "description": "A polyfill for getallheaders.",
+      "support": {
+        "issues": "https://github.com/ralouphie/getallheaders/issues",
+        "source": "https://github.com/ralouphie/getallheaders/tree/develop"
+      },
+      "install-path": "../ralouphie/getallheaders"
+    }
+  ],
+  "dev": true,
+  "dev-package-names": []
+}

integration/testdata/fixtures/repo/pnpm/node_modules/.pnpm/jquery@3.3.9/node_modules/jquery/package.json

@@ -0,0 +1,108 @@
+{
+  "name": "jquery",
+  "title": "jQuery",
+  "description": "JavaScript library for DOM operations",
+  "version": "3.3.9",
+  "main": "dist/jquery.js",
+  "homepage": "https://jquery.com",
+  "author": {
+    "name": "JS Foundation and other contributors",
+    "url": "https://github.com/jquery/jquery/blob/3.3.1/AUTHORS.txt"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/jquery/jquery.git"
+  },
+  "keywords": [
+    "jquery",
+    "javascript",
+    "browser",
+    "library"
+  ],
+  "bugs": {
+    "url": "https://github.com/jquery/jquery/issues"
+  },
+  "license": "MIT",
+  "dependencies": {},
+  "devDependencies": {
+    "babel-core": "7.0.0-beta.0",
+    "babel-plugin-transform-es2015-for-of": "7.0.0-beta.0",
+    "commitplease": "2.7.10",
+    "core-js": "2.4.1",
+    "eslint-config-jquery": "1.0.1",
+    "grunt": "1.0.1",
+    "grunt-babel": "7.0.0",
+    "grunt-cli": "1.2.0",
+    "grunt-compare-size": "0.4.2",
+    "grunt-contrib-uglify": "3.0.1",
+    "grunt-contrib-watch": "1.0.0",
+    "grunt-eslint": "20.0.0",
+    "grunt-git-authors": "3.2.0",
+    "grunt-jsonlint": "1.1.0",
+    "grunt-karma": "2.0.0",
+    "grunt-newer": "1.3.0",
+    "grunt-npmcopy": "0.1.0",
+    "gzip-js": "0.3.2",
+    "husky": "0.14.3",
+    "insight": "0.8.4",
+    "jsdom": "5.6.1",
+    "karma": "1.7.0",
+    "karma-browserstack-launcher": "1.3.0",
+    "karma-chrome-launcher": "2.2.0",
+    "karma-firefox-launcher": "1.0.1",
+    "karma-qunit": "1.2.1",
+    "load-grunt-tasks": "3.5.2",
+    "native-promise-only": "0.8.1",
+    "promises-aplus-tests": "2.1.2",
+    "q": "1.5.0",
+    "qunit-assert-step": "1.0.3",
+    "qunitjs": "1.23.1",
+    "raw-body": "2.2.0",
+    "requirejs": "2.3.3",
+    "sinon": "2.3.7",
+    "sizzle": "2.3.3",
+    "strip-json-comments": "2.0.1",
+    "testswarm": "1.1.0",
+    "uglify-js": "3.3.4"
+  },
+  "scripts": {
+    "build": "npm install && grunt",
+    "start": "grunt watch",
+    "test:browserless": "grunt && grunt test:slow",
+    "test:browser": "grunt && grunt karma:main",
+    "test": "grunt && grunt test:slow && grunt karma:main",
+    "jenkins": "npm run test:browserless",
+    "precommit": "grunt lint:newer qunit_fixture",
+    "commitmsg": "node node_modules/commitplease"
+  },
+  "commitplease": {
+    "nohook": true,
+    "components": [
+      "Docs",
+      "Tests",
+      "Build",
+      "Support",
+      "Release",
+      "Core",
+      "Ajax",
+      "Attributes",
+      "Callbacks",
+      "CSS",
+      "Data",
+      "Deferred",
+      "Deprecated",
+      "Dimensions",
+      "Effects",
+      "Event",
+      "Manipulation",
+      "Offset",
+      "Queue",
+      "Selector",
+      "Serialize",
+      "Traversing",
+      "Wrap"
+    ],
+    "markerPattern": "^((clos|fix|resolv)(e[sd]|ing))|^(refs?)",
+    "ticketPattern": "^((Closes|Fixes) ([a-zA-Z]{2,}-)[0-9]+)|^(Refs? [^#])"
+  }
+}

integration/testdata/fixtures/repo/pnpm/node_modules/.pnpm/lodash@4.17.4/node_modules/lodash/package.json

@@ -0,0 +1,17 @@
+{
+  "name": "lodash",
+  "version": "4.17.4",
+  "description": "Lodash modular utilities.",
+  "keywords": "modules, stdlib, util",
+  "homepage": "https://lodash.com/",
+  "repository": "lodash/lodash",
+  "icon": "https://lodash.com/icon.svg",
+  "license": "MIT",
+  "main": "lodash.js",
+  "author": "John-David Dalton <john.david.dalton@gmail.com> (http://allyoucanleet.com/)",
+  "contributors": [
+    "John-David Dalton <john.david.dalton@gmail.com> (http://allyoucanleet.com/)",
+    "Mathias Bynens <mathias@qiwi.be> (https://mathiasbynens.be/)"
+  ],
+  "scripts": { "test": "echo \"See https://travis-ci.org/lodash/lodash-cli for testing details.\"" }
+}