release: v0.56.0 [main] (#7447 )

fix(misconf): not to warn about missing selectors of libraries (#7638 )
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
2025-12-08 13:50:49 -08:00 · 2024-10-03 04:55:35 +00:00 · 2024-10-03 04:27:25 +00:00 · 2024-10-02 11:44:17 +00:00 · 2024-10-02 10:06:14 +00:00 · 2024-10-02 07:51:30 +00:00
622 changed files with 25792 additions and 9836 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -15,8 +15,8 @@ pkg/cloud/                           @simar7 @nikpivkin
 pkg/iac/                             @simar7 @nikpivkin

 # Helm chart
-helm/trivy/ @chen-keinan
+helm/trivy/ @afdesk

 # Kubernetes scanning
-pkg/k8s/                         @chen-keinan
-docs/docs/target/kubernetes.md   @chen-keinan
+pkg/k8s/                         @afdesk
+docs/docs/target/kubernetes.md   @afdesk
--- a/.github/workflows/auto-update-labels.yaml
+++ b/.github/workflows/auto-update-labels.yaml
@@ -20,6 +20,7 @@ jobs:
        with:
          # cf. https://github.com/aquasecurity/trivy/pull/6711
          go-version: ${{ env.GO_VERSION }}
+          cache: false

      - name: Install aqua tools
        uses: aquaproj/aqua-installer@v3.0.1
--- a/.github/workflows/bypass-test.yaml
+++ b/.github/workflows/bypass-test.yaml
@@ -22,12 +22,12 @@ jobs:
    runs-on: ${{ matrix.operating-system }}
    strategy:
      matrix:
-        operating-system: [ubuntu-latest-m, windows-latest, macos-latest]
+        operating-system: [ubuntu-latest, windows-latest, macos-latest]
    steps:
      - run: 'echo "No test required"'

  integration:
    name: Integration Test
-    runs-on: ubuntu-latest-m
+    runs-on: ubuntu-latest
    steps:
      - run: 'echo "No test required"'
--- a/.github/workflows/cache-test-images.yaml
+++ b/.github/workflows/cache-test-images.yaml
@@ -0,0 +1,86 @@
+name: Cache test images
+on:
+  schedule:
+    - cron: "0 0 * * *" # Run this workflow every day at 00:00 to avoid cache deletion.
+  workflow_dispatch:
+
+jobs:
+  test-images:
+    name: Cache test images
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v4.1.6
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: false
+
+      - name: Install tools
+        uses: aquaproj/aqua-installer@v3.0.1
+        with:
+          aqua_version: v1.25.0
+
+      - name: Generate image list digest
+        if: github.ref_name == 'main'
+        id: image-digest
+        run: |
+          IMAGE_LIST=$(skopeo list-tags docker://ghcr.io/aquasecurity/trivy-test-images)
+          DIGEST=$(echo "$IMAGE_LIST" | sha256sum | cut -d' ' -f1)
+          echo "digest=$DIGEST" >> $GITHUB_OUTPUT
+
+      ## We need to work with test image cache only for main branch
+      - name: Restore and save test images cache
+        if: github.ref_name == 'main'
+        uses: actions/cache@v4
+        with:
+          path: integration/testdata/fixtures/images
+          key: cache-test-images-${{ steps.image-digest.outputs.digest }}
+          restore-keys:
+            cache-test-images-
+
+      - name: Download test images
+        if: github.ref_name == 'main'
+        run: mage test:fixtureContainerImages
+
+  test-vm-images:
+    name: Cache test VM images
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v4.1.6
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: false
+
+      - name: Install tools
+        uses: aquaproj/aqua-installer@v3.0.1
+        with:
+          aqua_version: v1.25.0
+
+      - name: Generate image list digest
+        if: github.ref_name == 'main'
+        id: image-digest
+        run: |
+          IMAGE_LIST=$(skopeo list-tags docker://ghcr.io/aquasecurity/trivy-test-vm-images)
+          DIGEST=$(echo "$IMAGE_LIST" | sha256sum | cut -d' ' -f1)
+          echo "digest=$DIGEST" >> $GITHUB_OUTPUT
+
+      ## We need to work with test VM image cache only for main branch
+      - name: Restore and save test VM images cache
+        if: github.ref_name == 'main'
+        uses: actions/cache@v4
+        with:
+          path: integration/testdata/fixtures/vm-images
+          key: cache-test-vm-images-${{ steps.image-digest.outputs.digest }}
+          restore-keys:
+            cache-test-vm-images-
+
+      - name: Download test VM images
+        if: github.ref_name == 'main'
+        run: mage test:fixtureVMImages
--- a/.github/workflows/reusable-release.yaml
+++ b/.github/workflows/reusable-release.yaml
@@ -91,7 +91,7 @@ jobs:
      - name: GoReleaser
        uses: goreleaser/goreleaser-action@v6
        with:
-          version: v2.0.0
+          version: v2.1.0
          args: release -f=${{ inputs.goreleaser_config}} ${{ inputs.goreleaser_options}}
        env:
          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
@@ -108,7 +108,7 @@ jobs:
      # because GoReleaser Free doesn't support pushing images with the `--snapshot` flag.
      - name: Build and push
        if: ${{ inputs.goreleaser_config == 'goreleaser-canary.yml' }}
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
        with:
          platforms: linux/amd64, linux/arm64
          file: ./Dockerfile.canary # path to Dockerfile
--- a/.github/workflows/roadmap.yaml
+++ b/.github/workflows/roadmap.yaml
@@ -11,7 +11,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      # 'kind/feature' AND 'priority/backlog' labels -> 'Backlog' column
-      - uses: actions/add-to-project@v1.0.1 # add new issue to project
+      - uses: actions/add-to-project@v1.0.2 # add new issue to project
        with:
          project-url: https://github.com/orgs/aquasecurity/projects/25
          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
@@ -28,7 +28,7 @@ jobs:
          field-values: Backlog

      # 'kind/feature' AND 'priority/important-longterm' labels -> 'Important (long-term)' column
-      - uses: actions/add-to-project@v1.0.1 # add new issue to project
+      - uses: actions/add-to-project@v1.0.2 # add new issue to project
        with:
          project-url: https://github.com/orgs/aquasecurity/projects/25
          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
@@ -45,7 +45,7 @@ jobs:
          field-values: Important (long-term)

      # 'kind/feature' AND 'priority/important-soon' labels -> 'Important (soon)' column
-      - uses: actions/add-to-project@v1.0.1 # add new issue to project
+      - uses: actions/add-to-project@v1.0.2 # add new issue to project
        with:
          project-url: https://github.com/orgs/aquasecurity/projects/25
          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
@@ -62,7 +62,7 @@ jobs:
          field-values: Important (soon)

      # 'kind/feature' AND 'priority/critical-urgent' labels -> 'Urgent' column
-      - uses: actions/add-to-project@v1.0.1 # add new issue to project
+      - uses: actions/add-to-project@v1.0.2 # add new issue to project
        with:
          project-url: https://github.com/orgs/aquasecurity/projects/25
          github-token: ${{ secrets.ORG_PROJECT_TOKEN }}
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -8,6 +8,8 @@ on:
      - 'LICENSE'
      - '.release-please-manifest.json' ## don't run tests for release-please PRs
  merge_group:
+  workflow_dispatch:
+
 env:
  GO_VERSION: '1.22'
 jobs:
@@ -16,7 +18,7 @@ jobs:
    runs-on: ${{ matrix.operating-system }}
    strategy:
      matrix:
-        operating-system: [ubuntu-latest-m, windows-latest, macos-latest]
+        operating-system: [ubuntu-latest, windows-latest, macos-latest]
    steps:
      - uses: actions/checkout@v4.1.6

@@ -24,6 +26,8 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
+          cache: false
+
      - name: go mod tidy
        run: |
          go mod tidy
@@ -31,15 +35,15 @@ jobs:
            echo "Run 'go mod tidy' and push it"
            exit 1
          fi
-        if: matrix.operating-system == 'ubuntu-latest-m'
+        if: matrix.operating-system == 'ubuntu-latest'

      - name: Lint
        id: lint
        uses: golangci/golangci-lint-action@v6.0.1
        with:
-          version: v1.58
+          version: v1.59
          args: --verbose --out-format=line-number
-        if: matrix.operating-system == 'ubuntu-latest-m'
+        if: matrix.operating-system == 'ubuntu-latest'

      - name: Check if linter failed
        run: |
@@ -60,14 +64,14 @@ jobs:
            echo "Run 'mage docs:generate' and push it"
            exit 1
          fi
-        if: matrix.operating-system == 'ubuntu-latest-m'
+        if: matrix.operating-system == 'ubuntu-latest'

      - name: Run unit tests
        run: mage test:unit

  integration:
    name: Integration Test
-    runs-on: ubuntu-latest-m
+    runs-on: ubuntu-latest
    steps:
      - name: Check out code into the Go module directory
        uses: actions/checkout@v4.1.6
@@ -76,18 +80,34 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
+          cache: false

      - name: Install tools
        uses: aquaproj/aqua-installer@v3.0.1
        with:
          aqua_version: v1.25.0

+      - name: Generate image list digest
+        id: image-digest
+        run: |
+          IMAGE_LIST=$(skopeo list-tags docker://ghcr.io/aquasecurity/trivy-test-images)
+          DIGEST=$(echo "$IMAGE_LIST" | sha256sum | cut -d' ' -f1)
+          echo "digest=$DIGEST" >> $GITHUB_OUTPUT
+
+      - name: Restore test images from cache
+        uses: actions/cache/restore@v4
+        with:
+          path: integration/testdata/fixtures/images
+          key: cache-test-images-${{ steps.image-digest.outputs.digest }}
+          restore-keys:
+            cache-test-images-
+
      - name: Run integration tests
        run: mage test:integration

  k8s-integration:
    name: K8s Integration Test
-    runs-on: ubuntu-latest-m
+    runs-on: ubuntu-latest
    steps:
      - name: Check out code into the Go module directory
        uses: actions/checkout@v4.1.6
@@ -96,6 +116,7 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
+          cache: false

      - name: Install tools
        uses: aquaproj/aqua-installer@v3.0.1
@@ -116,12 +137,28 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
+          cache: false

      - name: Install tools
        uses: aquaproj/aqua-installer@v3.0.1
        with:
          aqua_version: v1.25.0

+      - name: Generate image list digest
+        id: image-digest
+        run: |
+          IMAGE_LIST=$(skopeo list-tags docker://ghcr.io/aquasecurity/trivy-test-images)
+          DIGEST=$(echo "$IMAGE_LIST" | sha256sum | cut -d' ' -f1)
+          echo "digest=$DIGEST" >> $GITHUB_OUTPUT
+
+      - name: Restore test images from cache
+        uses: actions/cache/restore@v4
+        with:
+          path: integration/testdata/fixtures/images
+          key: cache-test-images-${{ steps.image-digest.outputs.digest }}
+          restore-keys:
+            cache-test-images-
+
      - name: Run module integration tests
        shell: bash
        run: |
@@ -129,7 +166,7 @@ jobs:

  vm-test:
    name: VM Integration Test
-    runs-on: ubuntu-latest-m
+    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4.1.6
@@ -138,10 +175,28 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
+          cache: false
+
      - name: Install tools
        uses: aquaproj/aqua-installer@v3.0.1
        with:
          aqua_version: v1.25.0
+
+      - name: Generate image list digest
+        id: image-digest
+        run: |
+          IMAGE_LIST=$(skopeo list-tags docker://ghcr.io/aquasecurity/trivy-test-vm-images)
+          DIGEST=$(echo "$IMAGE_LIST" | sha256sum | cut -d' ' -f1)
+          echo "digest=$DIGEST" >> $GITHUB_OUTPUT
+
+      - name: Restore test VM images from cache
+        uses: actions/cache/restore@v4
+        with:
+          path: integration/testdata/fixtures/vm-images
+          key: cache-test-vm-images-${{ steps.image-digest.outputs.digest }}
+          restore-keys:
+            cache-test-vm-images-
+
      - name: Run vm integration tests
        run: |
          mage test:vm
@@ -151,7 +206,7 @@ jobs:
    runs-on: ${{ matrix.operating-system }}
    strategy:
      matrix:
-        operating-system: [ubuntu-latest-m, windows-latest, macos-latest]
+        operating-system: [ubuntu-latest, windows-latest, macos-latest]
    env:
      DOCKER_CLI_EXPERIMENTAL: "enabled"
    steps:
@@ -162,6 +217,7 @@ jobs:
      uses: actions/setup-go@v5
      with:
        go-version: ${{ env.GO_VERSION }}
+        cache: false

    - name: Determine GoReleaser ID
      id: goreleaser_id
@@ -178,5 +234,5 @@ jobs:
    - name: Run GoReleaser
      uses: goreleaser/goreleaser-action@v6
      with:
-        version: v2.0.0
+        version: v2.1.0
        args: build --snapshot --clean --timeout 90m ${{ steps.goreleaser_id.outputs.id }}
--- a/.gitignore
+++ b/.gitignore
@@ -39,3 +39,6 @@ dist
 # Signing
 gpg.key
 cmd/trivy/trivy
+
+# RPM
+*.rpm
--- a/.release-please-manifest.json
+++ b/.release-please-manifest.json
@@ -1 +1 @@
-{".":"0.53.0"}
+{".":"0.56.0"}
--- a/.vex/oci.openvex.json
+++ b/.vex/oci.openvex.json
@@ -0,0 +1,244 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "https://openvex.dev/docs/public/vex-8e30ed756ae8e4196af93bf43edf68360f396a98c0268787453a3443b26e7d6c",
+  "author": "Aqua Security",
+  "timestamp": "2024-07-10T12:17:44.60495+04:00",
+  "version": 1,
+  "statements": [
+    {
+      "vulnerability": {
+        "name": "CVE-2023-42363"
+      },
+      "products": [
+        {
+          "@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_cannot_be_controlled_by_adversary",
+      "impact_statement": "awk is not used"
+    },
+    {
+      "vulnerability": {
+        "name": "CVE-2023-42364"
+      },
+      "products": [
+        {
+          "@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_cannot_be_controlled_by_adversary",
+      "impact_statement": "awk is not used"
+    },
+    {
+      "vulnerability": {
+        "name": "CVE-2023-42365"
+      },
+      "products": [
+        {
+          "@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_cannot_be_controlled_by_adversary",
+      "impact_statement": "awk is not used"
+    },
+    {
+      "vulnerability": {
+        "name": "CVE-2023-42366"
+      },
+      "products": [
+        {
+          "@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_cannot_be_controlled_by_adversary",
+      "impact_statement": "awk is not used"
+    },
+    {
+      "vulnerability": {
+        "name": "CVE-2024-4741"
+      },
+      "products": [
+        {
+          "@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/libcrypto3"},
+            {"@id": "pkg:apk/alpine/libssl3"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/libcrypto3"},
+            {"@id": "pkg:apk/alpine/libssl3"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/libcrypto3"},
+            {"@id": "pkg:apk/alpine/libssl3"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_cannot_be_controlled_by_adversary",
+      "impact_statement": "openssl is not used"
+    },
+    {
+      "vulnerability": {
+        "name": "CVE-2024-5535"
+      },
+      "products": [
+        {
+          "@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/libcrypto3"},
+            {"@id": "pkg:apk/alpine/libssl3"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/libcrypto3"},
+            {"@id": "pkg:apk/alpine/libssl3"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/libcrypto3"},
+            {"@id": "pkg:apk/alpine/libssl3"},
+            {"@id": "pkg:apk/alpine/ssl_client"}
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_cannot_be_controlled_by_adversary",
+      "impact_statement": "openssl is not used"
+    },
+    {
+      "vulnerability": {
+        "name": "CVE-2024-6119"
+      },
+      "products": [
+        {
+          "@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/libcrypto3"},
+            {"@id": "pkg:apk/alpine/libssl3"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/libcrypto3"},
+            {"@id": "pkg:apk/alpine/libssl3"}
+          ]
+        },
+        {
+          "@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/libcrypto3"},
+            {"@id": "pkg:apk/alpine/libssl3"}
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_cannot_be_controlled_by_adversary",
+      "impact_statement": "openssl is not used"
+    }
+  ]
+}
--- a/.vex/trivy.openvex.json
+++ b/.vex/trivy.openvex.json
@@ -0,0 +1,545 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "aquasecurity/trivy:613fd55abbc2857b5ca28b07a26f3cd4c8b0ddc4c8a97c57497a2d4c4880d7fc",
+  "author": "Aqua Security",
+  "timestamp": "2024-07-09T11:38:00.115697+04:00",
+  "version": 1,
+  "tooling": "https://github.com/aquasecurity/trivy/tree/main/magefiles/vex.go",
+  "statements": [
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-2575",
+        "name": "GO-2024-2575",
+        "description": "Helm's Missing YAML Content Leads To Panic in helm.sh/helm/v3",
+        "aliases": [
+          "CVE-2024-26147",
+          "GHSA-r53h-jv2g-vpx6"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/helm.sh/helm/v3",
+              "identifiers": {
+                "purl": "pkg:golang/helm.sh/helm/v3"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2023-1765",
+        "name": "GO-2023-1765",
+        "description": "Leaked shared secret and weak blinding in github.com/cloudflare/circl",
+        "aliases": [
+          "CVE-2023-1732",
+          "GHSA-2q89-485c-9j2x"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/cloudflare/circl",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/cloudflare/circl"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-2512",
+        "name": "GO-2024-2512",
+        "description": "Classic builder cache poisoning in github.com/docker/docker",
+        "aliases": [
+          "CVE-2024-24557",
+          "GHSA-xw73-rw38-6vjc"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/docker/docker",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/docker/docker"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-2453",
+        "name": "GO-2024-2453",
+        "description": "Timing side channel in github.com/cloudflare/circl",
+        "aliases": [
+          "GHSA-9763-4f94-gfch"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/cloudflare/circl",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/cloudflare/circl"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2023-2048",
+        "name": "GO-2023-2048",
+        "description": "Paths outside of the rootfs could be produced on Windows in github.com/cyphar/filepath-securejoin",
+        "aliases": [
+          "GHSA-6xv5-86q9-7xr8"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/cyphar/filepath-securejoin",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/cyphar/filepath-securejoin"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-2497",
+        "name": "GO-2024-2497",
+        "description": "Privilege escalation in github.com/moby/buildkit",
+        "aliases": [
+          "CVE-2024-23653",
+          "GHSA-wr6v-9f75-vh2g"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/moby/buildkit",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/moby/buildkit"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2023-2102",
+        "name": "GO-2023-2102",
+        "description": "HTTP/2 rapid reset can cause excessive work in net/http",
+        "aliases": [
+          "CVE-2023-39325",
+          "GHSA-4374-p667-p6c8"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/golang.org/x/net",
+              "identifiers": {
+                "purl": "pkg:golang/golang.org/x/net"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-2493",
+        "name": "GO-2024-2493",
+        "description": "Host system file access in github.com/moby/buildkit",
+        "aliases": [
+          "CVE-2024-23651",
+          "GHSA-m3r6-h7wv-7xxv"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/moby/buildkit",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/moby/buildkit"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-2491",
+        "name": "GO-2024-2491",
+        "description": "Container breakout through process.cwd trickery and leaked fds in github.com/opencontainers/runc",
+        "aliases": [
+          "CVE-2024-21626",
+          "GHSA-xr7r-f8xq-vfvv"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/opencontainers/runc",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/opencontainers/runc"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-2494",
+        "name": "GO-2024-2494",
+        "description": "Host system modification in github.com/moby/buildkit",
+        "aliases": [
+          "CVE-2024-23652",
+          "GHSA-4v98-7qmw-rqr8"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/moby/buildkit",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/moby/buildkit"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2023-2412",
+        "name": "GO-2023-2412",
+        "description": "RAPL accessibility in github.com/containerd/containerd",
+        "aliases": [
+          "GHSA-7ww5-4wqc-m92c"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/containerd/containerd",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/containerd/containerd"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2023-1988",
+        "name": "GO-2023-1988",
+        "description": "Improper rendering of text nodes in golang.org/x/net/html",
+        "aliases": [
+          "CVE-2023-3978",
+          "GHSA-2wrh-6pvc-2jm9"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/golang.org/x/net",
+              "identifiers": {
+                "purl": "pkg:golang/golang.org/x/net"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-2492",
+        "name": "GO-2024-2492",
+        "description": "Panic in github.com/moby/buildkit",
+        "aliases": [
+          "CVE-2024-23650",
+          "GHSA-9p26-698r-w4hx"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/moby/buildkit",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/moby/buildkit"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2022-0646",
+        "name": "GO-2022-0646",
+        "description": "Use of risky cryptographic algorithm in github.com/aws/aws-sdk-go",
+        "aliases": [
+          "CVE-2020-8911",
+          "CVE-2020-8912",
+          "GHSA-7f33-f4f5-xwgw",
+          "GHSA-f5pg-7wfw-84q9"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/github.com/aws/aws-sdk-go",
+              "identifiers": {
+                "purl": "pkg:golang/github.com/aws/aws-sdk-go"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_present",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2023-2153",
+        "name": "GO-2023-2153",
+        "description": "Denial of service from HTTP/2 Rapid Reset in google.golang.org/grpc",
+        "aliases": [
+          "GHSA-m425-mq94-257g"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/google.golang.org/grpc",
+              "identifiers": {
+                "purl": "pkg:golang/google.golang.org/grpc"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-3105",
+        "name": "GO-2024-3105",
+        "description": "Stack exhaustion in all Parse functions in go/parser",
+        "aliases": [
+          "CVE-2024-34155"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/stdlib",
+              "identifiers": {
+                "purl": "pkg:golang/stdlib"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-3106",
+        "name": "GO-2024-3106",
+        "description": "Stack exhaustion in Decoder.Decode in encoding/gob",
+        "aliases": [
+          "CVE-2024-34156"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/stdlib",
+              "identifiers": {
+                "purl": "pkg:golang/stdlib"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck incorrectly marks this vulnerability as affected. The vulnerable code isn't called. See https://github.com/aquasecurity/trivy/issues/7478"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-3107",
+        "name": "GO-2024-3107",
+        "description": "Stack exhaustion in Parse in go/build/constraint",
+        "aliases": [
+          "CVE-2024-34158"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/stdlib",
+              "identifiers": {
+                "purl": "pkg:golang/stdlib"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    }
+  ]
+}
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,158 @@
 # Changelog

+## [0.56.0](https://github.com/aquasecurity/trivy/compare/v0.55.0...v0.56.0) (2024-10-03)
+
+
+### Features
+
+* **java:** add empty versions if `pom.xml` dependency versions can't be detected ([#7520](https://github.com/aquasecurity/trivy/issues/7520)) ([b836232](https://github.com/aquasecurity/trivy/commit/b8362321adb2af220830c5de31c29978423d47da))
+* **license:** improve license normalization ([#7131](https://github.com/aquasecurity/trivy/issues/7131)) ([6472e3c](https://github.com/aquasecurity/trivy/commit/6472e3c9da2a8e7ba41598a45c80df8f18e57d4c))
+* **misconf:** add ability to disable checks by ID ([#7536](https://github.com/aquasecurity/trivy/issues/7536)) ([ef0a27d](https://github.com/aquasecurity/trivy/commit/ef0a27d515ff80762bf1959d44a8bde017ae06ec))
+* **misconf:** Register checks only when needed ([#7435](https://github.com/aquasecurity/trivy/issues/7435)) ([f768d3a](https://github.com/aquasecurity/trivy/commit/f768d3a767a99a86b0372f19d9f49a2de35dbe59))
+* **misconf:** Support `--skip-*` for all included modules  ([#7579](https://github.com/aquasecurity/trivy/issues/7579)) ([c0e8da3](https://github.com/aquasecurity/trivy/commit/c0e8da3828e9d3a0b30d1f6568037db8dc827765))
+* **secret:** enhance secret scanning for python binary files ([#7223](https://github.com/aquasecurity/trivy/issues/7223)) ([60725f8](https://github.com/aquasecurity/trivy/commit/60725f879ba014c5c57583db6afc290b78facae8))
+* support multiple DB repositories for vulnerability and Java DB ([#7605](https://github.com/aquasecurity/trivy/issues/7605)) ([3562529](https://github.com/aquasecurity/trivy/commit/3562529ddfb26d301311ed450c192e17011353df))
+* support RPM archives ([#7628](https://github.com/aquasecurity/trivy/issues/7628)) ([69bf7e0](https://github.com/aquasecurity/trivy/commit/69bf7e00ea5ab483692db830fdded26a31f03183))
+* **suse:** added SUSE Linux Enterprise Micro support ([#7294](https://github.com/aquasecurity/trivy/issues/7294)) ([efdb68d](https://github.com/aquasecurity/trivy/commit/efdb68d3b9ddf9dfaf45ea5855b31c43a4366bab))
+
+
+### Bug Fixes
+
+* allow access to '..' in mapfs ([#7575](https://github.com/aquasecurity/trivy/issues/7575)) ([a8fbe46](https://github.com/aquasecurity/trivy/commit/a8fbe46119adbd89f827a75c75b9e97d392f1842))
+* **db:** check `DownloadedAt` for `trivy-java-db` ([#7592](https://github.com/aquasecurity/trivy/issues/7592)) ([13ef3e7](https://github.com/aquasecurity/trivy/commit/13ef3e7d62ba2bcb3a04d7b44f79b1299674b480))
+* **java:** use `dependencyManagement` from root/child pom's for dependencies from parents ([#7497](https://github.com/aquasecurity/trivy/issues/7497)) ([5442949](https://github.com/aquasecurity/trivy/commit/54429497e7d6a87eac236771d4efb8a5a7faaac5))
+* **license:** stop spliting a long license text ([#7336](https://github.com/aquasecurity/trivy/issues/7336)) ([4926da7](https://github.com/aquasecurity/trivy/commit/4926da79de901fba73819d71845ec0355b68ae0f))
+* **misconf:** Disable deprecated checks by default ([#7632](https://github.com/aquasecurity/trivy/issues/7632)) ([82e2adc](https://github.com/aquasecurity/trivy/commit/82e2adc6f8e68d0cc0021031170c2adb60d213ba))
+* **misconf:** disable DS016 check for image history analyzer ([#7540](https://github.com/aquasecurity/trivy/issues/7540)) ([de40df9](https://github.com/aquasecurity/trivy/commit/de40df9408d6d856a3ad384ec9f086edce3aa382))
+* **misconf:** escape all special sequences ([#7558](https://github.com/aquasecurity/trivy/issues/7558)) ([ea0cf03](https://github.com/aquasecurity/trivy/commit/ea0cf0379aff0348fde87356dab37947800fc1b6))
+* **misconf:** Fix logging typo ([#7473](https://github.com/aquasecurity/trivy/issues/7473)) ([56db43c](https://github.com/aquasecurity/trivy/commit/56db43c24f4f6be92891be85faaf9492cad516ac))
+* **misconf:** Fixed scope for China Cloud ([#7560](https://github.com/aquasecurity/trivy/issues/7560)) ([37d549e](https://github.com/aquasecurity/trivy/commit/37d549e5b86a1c5dce6710fbfd2310aec9abe949))
+* **misconf:** not to warn about missing selectors of libraries ([#7638](https://github.com/aquasecurity/trivy/issues/7638)) ([fcaea74](https://github.com/aquasecurity/trivy/commit/fcaea740808d5784c120e5c5d65f5f94e1d931d4))
+* **oracle:** Update EOL date for Oracle 7 ([#7480](https://github.com/aquasecurity/trivy/issues/7480)) ([dd0a64a](https://github.com/aquasecurity/trivy/commit/dd0a64a1cf0cd76e6f81e3ff55fa6ccb95ce3c3d))
+* **report:** change a receiver of MarshalJSON ([#7483](https://github.com/aquasecurity/trivy/issues/7483)) ([927c6e0](https://github.com/aquasecurity/trivy/commit/927c6e0c9d4d4a3f1be00f0f661c1d18325d9440))
+* **report:** fix error with unmarshal of `ExperimentalModifiedFindings` ([#7463](https://github.com/aquasecurity/trivy/issues/7463)) ([7ff9aff](https://github.com/aquasecurity/trivy/commit/7ff9aff2739b2eee4a98175b98914795e4077060))
+* **sbom:** export bom-ref when converting a package to a component ([#7340](https://github.com/aquasecurity/trivy/issues/7340)) ([5dd94eb](https://github.com/aquasecurity/trivy/commit/5dd94ebc1ffe3f1df511dee6381f92a5daefadf2))
+* **sbom:** parse type `framework` as `library` when unmarshalling `CycloneDX` files ([#7527](https://github.com/aquasecurity/trivy/issues/7527)) ([aeb7039](https://github.com/aquasecurity/trivy/commit/aeb7039d7ce090e243d29f0bf16c9e4e24252a01))
+* **secret:** change grafana token regex to find them without unquoted ([#7627](https://github.com/aquasecurity/trivy/issues/7627)) ([3e1fa21](https://github.com/aquasecurity/trivy/commit/3e1fa2100074e840bacdd65947425b08750b7d9a))
+
+
+### Performance Improvements
+
+* **misconf:** use port ranges instead of enumeration ([#7549](https://github.com/aquasecurity/trivy/issues/7549)) ([1f9fc13](https://github.com/aquasecurity/trivy/commit/1f9fc13da4a1e7c76c978e4f8e119bfd61a0480e))
+
+
+### Reverts
+
+* **java:** stop supporting of `test` scope for `pom.xml` files ([#7488](https://github.com/aquasecurity/trivy/issues/7488)) ([b0222fe](https://github.com/aquasecurity/trivy/commit/b0222feeb586ec59904bb321fda8f3f22496d07b))
+
+## [0.55.0](https://github.com/aquasecurity/trivy/compare/v0.54.0...v0.55.0) (2024-09-03)
+
+
+### ⚠ BREAKING CHANGES
+
+* **cli:** delete deprecated SBOM flags ([#7266](https://github.com/aquasecurity/trivy/issues/7266))
+
+### Features
+
+* **cli:** delete deprecated SBOM flags ([#7266](https://github.com/aquasecurity/trivy/issues/7266)) ([7024572](https://github.com/aquasecurity/trivy/commit/70245721372720027b7089bd61c693df48add865))
+* **go:** use `toolchain` as `stdlib` version for `go.mod` files ([#7163](https://github.com/aquasecurity/trivy/issues/7163)) ([2d80769](https://github.com/aquasecurity/trivy/commit/2d80769c34b118851640411fff9dac0b3e353e82))
+* **java:** add `test` scope support for `pom.xml` files ([#7414](https://github.com/aquasecurity/trivy/issues/7414)) ([2d97700](https://github.com/aquasecurity/trivy/commit/2d97700d10665142d2f66d7910202bec82116209))
+* **misconf:** Add support for using spec from on-disk bundle ([#7179](https://github.com/aquasecurity/trivy/issues/7179)) ([be86126](https://github.com/aquasecurity/trivy/commit/be861265cafc89787fda09c59b2ef175e3d04204))
+* **misconf:** ignore duplicate checks ([#7317](https://github.com/aquasecurity/trivy/issues/7317)) ([9ef05fc](https://github.com/aquasecurity/trivy/commit/9ef05fc6b171a264516a025b0b0bcbbc8cff10bc))
+* **misconf:** iterator argument support for dynamic blocks ([#7236](https://github.com/aquasecurity/trivy/issues/7236)) ([fe92072](https://github.com/aquasecurity/trivy/commit/fe9207255a4f7f984ec1447f8a9219ae60e560c4))
+* **misconf:** port and protocol support for EC2 networks ([#7146](https://github.com/aquasecurity/trivy/issues/7146)) ([98e136e](https://github.com/aquasecurity/trivy/commit/98e136eb7baa2b66f4233d96875c1490144e1594))
+* **misconf:** scanning support for YAML and JSON ([#7311](https://github.com/aquasecurity/trivy/issues/7311)) ([efdbd8f](https://github.com/aquasecurity/trivy/commit/efdbd8f19ab0ab0c3b48293d43e51c81b7b03b89))
+* **misconf:** support for ignore by nested attributes ([#7205](https://github.com/aquasecurity/trivy/issues/7205)) ([44e4686](https://github.com/aquasecurity/trivy/commit/44e468603d44b077cc4606327fb3e7d7ca435e05))
+* **misconf:** support for policy and bucket grants ([#7284](https://github.com/aquasecurity/trivy/issues/7284)) ([a817fae](https://github.com/aquasecurity/trivy/commit/a817fae85b7272b391b737ec86673a7cab722bae))
+* **misconf:** variable support for Terraform Plan ([#7228](https://github.com/aquasecurity/trivy/issues/7228)) ([db2c955](https://github.com/aquasecurity/trivy/commit/db2c95598da098ca610825089eb4ab63b789b215))
+* **python:** use minimum version for pip packages ([#7348](https://github.com/aquasecurity/trivy/issues/7348)) ([e9b43f8](https://github.com/aquasecurity/trivy/commit/e9b43f81e67789b067352fcb6aa55bc9478bc518))
+* **report:** export modified findings in JSON ([#7383](https://github.com/aquasecurity/trivy/issues/7383)) ([7aea79d](https://github.com/aquasecurity/trivy/commit/7aea79dd93cfb61453766dbbb2e3fc0fbd317852))
+* **sbom:** set User-Agent header on requests to Rekor ([#7396](https://github.com/aquasecurity/trivy/issues/7396)) ([af1d257](https://github.com/aquasecurity/trivy/commit/af1d257730422d238871beb674767f8f83c5d06a))
+* **server:** add internal `--path-prefix` flag for client/server mode ([#7321](https://github.com/aquasecurity/trivy/issues/7321)) ([24a4563](https://github.com/aquasecurity/trivy/commit/24a45636867b893ff54c5ce07197f3b5c6db1d9b))
+* **server:** Make Trivy Server Multiplexer Exported ([#7389](https://github.com/aquasecurity/trivy/issues/7389)) ([4c6e8ca](https://github.com/aquasecurity/trivy/commit/4c6e8ca9cc9591799907cc73075f2d740e303b8f))
+* **vm:** Support direct filesystem ([#7058](https://github.com/aquasecurity/trivy/issues/7058)) ([45b3f34](https://github.com/aquasecurity/trivy/commit/45b3f344042bcd90ca63ab696b69bff0e9ab4e36))
+* **vm:** support the Ext2/Ext3 filesystems ([#6983](https://github.com/aquasecurity/trivy/issues/6983)) ([35c60f0](https://github.com/aquasecurity/trivy/commit/35c60f030fa48de8d8e57958e5ba379814126831))
+* **vuln:** Add `--detection-priority` flag for accuracy tuning ([#7288](https://github.com/aquasecurity/trivy/issues/7288)) ([fd8348d](https://github.com/aquasecurity/trivy/commit/fd8348d610f20c6c33da81cd7b0e7d5504ce26be))
+
+
+### Bug Fixes
+
+* **aws:** handle ECR repositories in different regions ([#6217](https://github.com/aquasecurity/trivy/issues/6217)) ([feaef96](https://github.com/aquasecurity/trivy/commit/feaef9699df5d8ca399770e701a59d7c0ff979a3))
+* **flag:** incorrect behavior for deprected flag `--clear-cache` ([#7281](https://github.com/aquasecurity/trivy/issues/7281)) ([2a0e529](https://github.com/aquasecurity/trivy/commit/2a0e529c36057b572119815af59c28e4790034ca))
+* **helm:** explicitly define `kind` and `apiVersion` of `volumeClaimTemplate` element ([#7362](https://github.com/aquasecurity/trivy/issues/7362)) ([da4ebfa](https://github.com/aquasecurity/trivy/commit/da4ebfa1a741f3f8b0b43289b4028afe763f7d43))
+* **java:** Return error when trying to find a remote pom to avoid segfault ([#7275](https://github.com/aquasecurity/trivy/issues/7275)) ([49d5270](https://github.com/aquasecurity/trivy/commit/49d5270163e305f88fedcf50412973736e69dc69))
+* **license:** add license handling to JUnit template ([#7409](https://github.com/aquasecurity/trivy/issues/7409)) ([f80183c](https://github.com/aquasecurity/trivy/commit/f80183c1139b21bb95bc64e216358f4a76001a65))
+* logger initialization before flags parsing ([#7372](https://github.com/aquasecurity/trivy/issues/7372)) ([c929290](https://github.com/aquasecurity/trivy/commit/c929290c3c0e4e91337264d69e75ccb60522bc65))
+* **misconf:** change default TLS values for the Azure storage account ([#7345](https://github.com/aquasecurity/trivy/issues/7345)) ([aadb090](https://github.com/aquasecurity/trivy/commit/aadb09078843250c66087f46db9a2aa48094a118))
+* **misconf:** do not filter Terraform plan JSON by name ([#7406](https://github.com/aquasecurity/trivy/issues/7406)) ([9d7264a](https://github.com/aquasecurity/trivy/commit/9d7264af8e85bcc0dba600b8366d0470d455251c))
+* **misconf:** do not recreate filesystem map ([#7416](https://github.com/aquasecurity/trivy/issues/7416)) ([3a5d091](https://github.com/aquasecurity/trivy/commit/3a5d091759564496992a83fb2015a21c84a22213))
+* **misconf:** do not register Rego libs in checks registry ([#7420](https://github.com/aquasecurity/trivy/issues/7420)) ([a5aa63e](https://github.com/aquasecurity/trivy/commit/a5aa63eff7e229744090f9ad300c1bec3259397e))
+* **misconf:** do not set default value for default_cache_behavior ([#7234](https://github.com/aquasecurity/trivy/issues/7234)) ([f0ed5e4](https://github.com/aquasecurity/trivy/commit/f0ed5e4ced7e60af35c88d5d084aa4b7237f4973))
+* **misconf:** fix infer type for null value ([#7424](https://github.com/aquasecurity/trivy/issues/7424)) ([0cac3ac](https://github.com/aquasecurity/trivy/commit/0cac3ac7075017628a21a7990941df04cbc16dbe))
+* **misconf:** init frameworks before updating them ([#7376](https://github.com/aquasecurity/trivy/issues/7376)) ([b65b32d](https://github.com/aquasecurity/trivy/commit/b65b32ddfa6fc62ac81ad9fa580e1f5a327864f5))
+* **misconf:** load only submodule if it is specified in source ([#7112](https://github.com/aquasecurity/trivy/issues/7112)) ([a4180bd](https://github.com/aquasecurity/trivy/commit/a4180bddd43d86e479edf0afe0c362021d071482))
+* **misconf:** support deprecating for Go checks ([#7377](https://github.com/aquasecurity/trivy/issues/7377)) ([2a6c7ab](https://github.com/aquasecurity/trivy/commit/2a6c7ab3b338ce4a8f99d6ac3508c2531dcbe812))
+* **misconf:** use module to log when metadata retrieval fails ([#7405](https://github.com/aquasecurity/trivy/issues/7405)) ([0799770](https://github.com/aquasecurity/trivy/commit/0799770b8827a8276ad0d6d9ac7e0381c286757c))
+* **misconf:** wrap Azure PortRange in iac types ([#7357](https://github.com/aquasecurity/trivy/issues/7357)) ([c5c62d5](https://github.com/aquasecurity/trivy/commit/c5c62d5ff05420321f9cdbfb93e2591e0866a342))
+* **nodejs:** check all `importers` to detect dev deps from pnpm-lock.yaml file ([#7387](https://github.com/aquasecurity/trivy/issues/7387)) ([fd9ed3a](https://github.com/aquasecurity/trivy/commit/fd9ed3a330bc66e229bcbdc262dc296a3bf01f54))
+* **plugin:** do not call GitHub content API for releases and tags ([#7274](https://github.com/aquasecurity/trivy/issues/7274)) ([b3ee6da](https://github.com/aquasecurity/trivy/commit/b3ee6dac269bd7847674f3ce985a5ff7f8f0ba38))
+* **report:** escape `Message` field in `asff.tpl` template ([#7401](https://github.com/aquasecurity/trivy/issues/7401)) ([dd9733e](https://github.com/aquasecurity/trivy/commit/dd9733e950d3127aa2ac90c45ec7e2b88a2b47ca))
+* safely check if the directory exists ([#7353](https://github.com/aquasecurity/trivy/issues/7353)) ([05a8297](https://github.com/aquasecurity/trivy/commit/05a829715f99cd90b122c64cd2f40157854e467b))
+* **sbom:** use `NOASSERTION` for licenses fields in SPDX formats ([#7403](https://github.com/aquasecurity/trivy/issues/7403)) ([c96dcdd](https://github.com/aquasecurity/trivy/commit/c96dcdd440a14cdd1b01ac473b2c15e4698e387b))
+* **secret:** use `.eyJ` keyword for JWT secret ([#7410](https://github.com/aquasecurity/trivy/issues/7410)) ([bf64003](https://github.com/aquasecurity/trivy/commit/bf64003ac8b209f34b88f228918a96d4f9dac5e0))
+* **secret:** use only line with secret for long secret lines ([#7412](https://github.com/aquasecurity/trivy/issues/7412)) ([391448a](https://github.com/aquasecurity/trivy/commit/391448aba9fcb0a4138225e5ab305e4e6707c603))
+* **terraform:** add aws_region name to presets ([#7184](https://github.com/aquasecurity/trivy/issues/7184)) ([bb2e26a](https://github.com/aquasecurity/trivy/commit/bb2e26a0ab707b718f6a890cbc87e2492298b6e5))
+
+
+### Performance Improvements
+
+* **misconf:** do not convert contents of a YAML file to string ([#7292](https://github.com/aquasecurity/trivy/issues/7292)) ([85dadf5](https://github.com/aquasecurity/trivy/commit/85dadf56265647c000191561db10b08a4948c140))
+* **misconf:** optimize work with context ([#6968](https://github.com/aquasecurity/trivy/issues/6968)) ([2b6d8d9](https://github.com/aquasecurity/trivy/commit/2b6d8d9227fb6ecc9386a14333964c23c0370a52))
+* **misconf:** use json.Valid to check validity of JSON ([#7308](https://github.com/aquasecurity/trivy/issues/7308)) ([c766831](https://github.com/aquasecurity/trivy/commit/c766831069e188226efafeec184e41498685ed85))
+
+## [0.54.0](https://github.com/aquasecurity/trivy/compare/v0.53.0...v0.54.0) (2024-07-30)
+
+
+### Features
+
+* add `log.FilePath()` function for logger ([#7080](https://github.com/aquasecurity/trivy/issues/7080)) ([1f5f348](https://github.com/aquasecurity/trivy/commit/1f5f34895823fae81bf521fc939bee743a50e304))
+* add openSUSE tumbleweed detection and scanning ([#6965](https://github.com/aquasecurity/trivy/issues/6965)) ([17b5dbf](https://github.com/aquasecurity/trivy/commit/17b5dbfa12180414b87859c6c46bfe6cc5ecf7ba))
+* **cli:** rename `--vuln-type` flag to `--pkg-types` flag ([#7104](https://github.com/aquasecurity/trivy/issues/7104)) ([7cbdb0a](https://github.com/aquasecurity/trivy/commit/7cbdb0a0b5dff33e506e1c1f3119951fa241b432))
+* **mariner:** Add support for Azure Linux ([#7186](https://github.com/aquasecurity/trivy/issues/7186)) ([5cbc452](https://github.com/aquasecurity/trivy/commit/5cbc452a09822d1bf300ead88f0d613d4cf0349a))
+* **misconf:** enabled China configuration for ACRs ([#7156](https://github.com/aquasecurity/trivy/issues/7156)) ([d1ec89d](https://github.com/aquasecurity/trivy/commit/d1ec89d1db4b039f0e31076ccd1ca969fb15628e))
+* **nodejs:** add license parser to pnpm analyser ([#7036](https://github.com/aquasecurity/trivy/issues/7036)) ([03ac93d](https://github.com/aquasecurity/trivy/commit/03ac93dc208f1b40896f3fa11fa1d45293176dca))
+* **sbom:** add image labels into `SPDX` and `CycloneDX` reports ([#7257](https://github.com/aquasecurity/trivy/issues/7257)) ([4a2f492](https://github.com/aquasecurity/trivy/commit/4a2f492c6e685ff577fb96a7006cd0c43755baf4))
+* **sbom:** add vulnerability support for SPDX formats ([#7213](https://github.com/aquasecurity/trivy/issues/7213)) ([efb1f69](https://github.com/aquasecurity/trivy/commit/efb1f6938321eec3529ef4fea6608261f6771ae0))
+* share build-in rules ([#7207](https://github.com/aquasecurity/trivy/issues/7207)) ([bff317c](https://github.com/aquasecurity/trivy/commit/bff317c77bf4a5f615a80d9875d129213bd52f6d))
+* **vex:** retrieve VEX attestations from OCI registries ([#7249](https://github.com/aquasecurity/trivy/issues/7249)) ([c2fd2e0](https://github.com/aquasecurity/trivy/commit/c2fd2e0d89567a0ccd996dda8790f3c3305ea6f7))
+* **vex:** VEX Repository support ([#7206](https://github.com/aquasecurity/trivy/issues/7206)) ([88ba460](https://github.com/aquasecurity/trivy/commit/88ba46047c93e6046292523ae701de774dfdc4dc))
+* **vuln:** add `--pkg-relationships` ([#7237](https://github.com/aquasecurity/trivy/issues/7237)) ([5c37361](https://github.com/aquasecurity/trivy/commit/5c37361600d922db27dd594b2a80c010a19b3a6e))
+
+
+### Bug Fixes
+
+* Add dependencyManagement exclusions to the child exclusions ([#6969](https://github.com/aquasecurity/trivy/issues/6969)) ([dc68a66](https://github.com/aquasecurity/trivy/commit/dc68a662a701980d6529f61a65006f1e4728a3e5))
+* add missing platform and type to spec ([#7149](https://github.com/aquasecurity/trivy/issues/7149)) ([c8a7abd](https://github.com/aquasecurity/trivy/commit/c8a7abd3b508975fcf10c254d13d1a2cd42da657))
+* **cli:** error on missing config file ([#7154](https://github.com/aquasecurity/trivy/issues/7154)) ([7fa5e7d](https://github.com/aquasecurity/trivy/commit/7fa5e7d0ab67f20d434b2922725988695e32e6af))
+* close file when failed to open gzip ([#7164](https://github.com/aquasecurity/trivy/issues/7164)) ([2a577a7](https://github.com/aquasecurity/trivy/commit/2a577a7bae37e5731dceaea8740683573b6b70a5))
+* **dotnet:** don't include non-runtime libraries into report for `*.deps.json` files ([#7039](https://github.com/aquasecurity/trivy/issues/7039)) ([5bc662b](https://github.com/aquasecurity/trivy/commit/5bc662be9a8f072599f90abfd3b400c8ab055ed6))
+* **dotnet:** show `nuget package dir not found` log only when checking `nuget` packages ([#7194](https://github.com/aquasecurity/trivy/issues/7194)) ([d76feba](https://github.com/aquasecurity/trivy/commit/d76febaee107c645e864da0f4d74a8f6ae4ad232))
+* ignore nodes when listing permission is not allowed ([#7107](https://github.com/aquasecurity/trivy/issues/7107)) ([25f8143](https://github.com/aquasecurity/trivy/commit/25f8143f120965c636c5ea8386398b211b082398))
+* **java:** avoid panic if deps from `pom` in `it` dir are not found ([#7245](https://github.com/aquasecurity/trivy/issues/7245)) ([4e54a7e](https://github.com/aquasecurity/trivy/commit/4e54a7e84c33c1be80c52c6db78c634bc3911715))
+* **java:** use `go-mvn-version` to remove `Package` duplicates ([#7088](https://github.com/aquasecurity/trivy/issues/7088)) ([a7a304d](https://github.com/aquasecurity/trivy/commit/a7a304d53e1ce230f881c28c4f35885774cf3b9a))
+* **misconf:** do not evaluate TF when a load error occurs ([#7109](https://github.com/aquasecurity/trivy/issues/7109)) ([f27c236](https://github.com/aquasecurity/trivy/commit/f27c236d6e155cb366aeef619b6ea96d20fb93da))
+* **nodejs:** detect direct dependencies when using `latest` version for files `yarn.lock` + `package.json` ([#7110](https://github.com/aquasecurity/trivy/issues/7110)) ([54bb8bd](https://github.com/aquasecurity/trivy/commit/54bb8bdfb934d114b5570005853bf4bc0d40c609))
+* **report:** hide empty table when all secrets/license/misconfigs are ignored ([#7171](https://github.com/aquasecurity/trivy/issues/7171)) ([c3036de](https://github.com/aquasecurity/trivy/commit/c3036de6d7719323d306a9666ccc8d928d936f9a))
+* **secret:** skip regular strings contain secret patterns ([#7182](https://github.com/aquasecurity/trivy/issues/7182)) ([174b1e3](https://github.com/aquasecurity/trivy/commit/174b1e3515a6394cf8d523216d6267c1aefb820a))
+* **secret:** trim excessively long lines ([#7192](https://github.com/aquasecurity/trivy/issues/7192)) ([92b13be](https://github.com/aquasecurity/trivy/commit/92b13be668bd20f8e9dac2f0cb8e5a2708b9b3b5))
+* **secret:** update length of `hugging-face-access-token` ([#7216](https://github.com/aquasecurity/trivy/issues/7216)) ([8c87194](https://github.com/aquasecurity/trivy/commit/8c87194f0a6b194bc5d340c8a65bd99a3132d973))
+* **server:** pass license categories to options ([#7203](https://github.com/aquasecurity/trivy/issues/7203)) ([9d52018](https://github.com/aquasecurity/trivy/commit/9d5201808da89607ae43570bdf1f335b482a6b79))
+
+
+### Performance Improvements
+
+* **debian:** use `bytes.Index` in `emptyLineSplit` to cut allocation ([#7065](https://github.com/aquasecurity/trivy/issues/7065)) ([acbec05](https://github.com/aquasecurity/trivy/commit/acbec053c985388a26d899e73b4b7f5a6d1fa210))
+
 ## [0.53.0](https://github.com/aquasecurity/trivy/compare/v0.52.0...v0.53.0) (2024-07-01)


--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-FROM alpine:3.20.0
+FROM alpine:3.20.3
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/
--- a/contrib/asff.tpl
+++ b/contrib/asff.tpl
@@ -108,7 +108,7 @@
                    "Region": "{{ env "AWS_REGION" }}",
                    "Details": {
                        "Other": {
-                            "Message": "{{ .Message }}",
+                            "Message": "{{ escapeString .Message }}",
                            "Filename": "{{ $target }}",
                            "StartLine": "{{ .CauseMetadata.StartLine }}",
                            "EndLine": "{{ .CauseMetadata.EndLine }}"
--- a/contrib/junit.tpl
+++ b/contrib/junit.tpl
@@ -33,5 +33,16 @@
        </testcase>
    {{- end }}
    </testsuite>
+
+{{- if .Licenses }}
+    {{- $licenses := len .Licenses }}
+    <testsuite tests="{{ $licenses }}" failures="{{ $licenses }}" name="{{ .Target }}" time="0">{{ range .Licenses }}
+        <testcase classname="{{ .PkgName }}" name="[{{ .Severity }}] {{ .Name }}">
+            <failure/>
+        </testcase>
+    {{- end }}
+    </testsuite>
+{{- end }}
+
 {{- end }}
 </testsuites>
--- a/docs/community/contribute/pr.md
+++ b/docs/community/contribute/pr.md
@@ -1,7 +1,6 @@
 Thank you for taking interest in contributing to Trivy!

-1. Every Pull Request should have an associated bug or feature issue unless you are fixing a trivial documentation issue.
-1. Please add the associated Issue link in the PR description.
+1. Every Pull Request should have an associated GitHub issue link in the PR description. Note that issues are created by Trivy maintainers based on feedback provided in a GitHub discussion. Please refer to the [issue](./issue.md) and [discussion](./discussion.md) pages for explanation about this process. If you think your change is trivial enough, you can skip the issue and instead add justification and explanation in the PR description.
 1. Your PR is more likely to be accepted if it focuses on just one change.
 1. There's no need to add or tag reviewers.
 1. If a reviewer commented on your code or asked for changes, please remember to respond with comment. Do not mark discussion as resolved. It's up to reviewer to mark it resolved (in case if suggested fix addresses problem properly). PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
@@ -122,7 +121,7 @@ os:
 - redhat
 - alma
 - rocky
- mariner
+- azure
 - oracle
 - debian
 - ubuntu
--- a/docs/community/maintainer/release-flow.md
+++ b/docs/community/maintainer/release-flow.md
@@ -16,9 +16,10 @@ For detailed behavior, please refer to [the GitHub Actions configuration][workfl
 The release flow consists of the following main steps:

 1. Creating the release PR (automatically or manually)
-1. Drafting the release notes
+1. Drafting the release notes in GitHub Discussions
 1. Merging the release PR
-1. Updating the release notes
+1. Updating the release notes in GitHub Discussions
+1. Navigating to the release notes in GitHub Releases page

 ### Automatic Release PR Creation
 When a releasable commit (a commit with `feat` or `fix` prefix) is merged, a release PR is automatically created.
@@ -57,6 +58,23 @@ When the PR is merged, a tag is automatically created, and [GoReleaser][goreleas
 If the release completes without errors, a page for the release notes is created in GitHub Discussions (e.g., https://github.com/aquasecurity/trivy/discussions/6622).
 Copy the draft release notes, adjust the formatting, and finalize the release notes.

+### Navigating to the Release Notes
+To navigate to the release highlights and summary in GitHub Discussions, place a link in the GitHub Releases page as below:
+
+```
+## ⚡Release highlights and summary⚡
+
+👉 https://github.com/aquasecurity/trivy/discussions/6838
+
+## Changelog
+https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0520-2024-06-03
+```
+
+Replace URLs with appropriate ones.
+
+Example: https://github.com/aquasecurity/trivy/releases/tag/v0.52.0
+
+
 The release is now complete.

 [conventional-commits]: https://www.conventionalcommits.org/en/v1.0.0/
--- a/docs/docs/advanced/air-gap.md
+++ b/docs/docs/advanced/air-gap.md
@@ -1,142 +1,162 @@
-# Air-Gapped Environment
+# Advanced Network Scenarios

-Trivy can be used in air-gapped environments. Note that an allowlist is [here][allowlist].
+Trivy needs to connect to the internet occasionally in order to download relevant content. This document explains the network connectivity requirements of Trivy and setting up Trivy in particular scenarios.

-## Air-Gapped Environment for vulnerabilities
+## Network requirements

-### Download the vulnerability database
-At first, you need to download the vulnerability database for use in air-gapped environments.
+Trivy's databases are distributed as OCI images via GitHub Container registry (GHCR):

-=== "Trivy"
+- <https://ghcr.io/aquasecurity/trivy-db>
+- <https://ghcr.io/aquasecurity/trivy-java-db>
+- <https://ghcr.io/aquasecurity/trivy-checks>

-    ```
-    TRIVY_TEMP_DIR=$(mktemp -d)
-    trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only
-    tar -cf ./db.tar.gz -C $TRIVY_TEMP_DIR/db metadata.json trivy.db
-    rm -rf $TRIVY_TEMP_DIR
-    ```
+The following hosts are required in order to fetch them:

-=== "oras >= v0.13.0"
-    Please follow [oras installation instruction][oras].
+- `ghcr.io`
+- `pkg-containers.githubusercontent.com`

-    Download `db.tar.gz`:
+The databases are pulled by Trivy using the [OCI Distribution](https://github.com/opencontainers/distribution-spec) specification, which is a simple HTTPS-based protocol.

-    ```
-    $ oras pull ghcr.io/aquasecurity/trivy-db:2
-    ```
+[VEX Hub](https://github.com/aquasecurity/vexhub) is distributed from GitHub over HTTPS.
+The following hosts are required in order to fetch it:

-=== "oras < v0.13.0"
-    Please follow [oras installation instruction][oras].
+- `api.github.com`
+- `codeload.github.com`

-    Download `db.tar.gz`:
+## Running Trivy in air-gapped environment

-    ```
-    $ oras pull -a ghcr.io/aquasecurity/trivy-db:2
-    ```
+An air-gapped environment refers to situations where the network connectivity from the machine Trivy runs on is blocked or restricted.

-### Download the Java index database[^1]
-Java users also need to download the Java index database for use in air-gapped environments.
+In an air-gapped environment it is your responsibility to update the Trivy databases on a regular basis. 

-!!! note
-    You container image may contain JAR files even though you don't use Java directly.
-    In that case, you also need to download the Java index database.
+## Offline Mode

-=== "Trivy"
+By default, Trivy will attempt to download latest databases. If it fails, the scan might fail. To avoid this behavior, you can tell Trivy to not attempt to download database files:

-    ```
-    TRIVY_TEMP_DIR=$(mktemp -d)
-    trivy --cache-dir $TRIVY_TEMP_DIR image --download-java-db-only
-    tar -cf ./javadb.tar.gz -C $TRIVY_TEMP_DIR/java-db metadata.json trivy-java.db
-    rm -rf $TRIVY_TEMP_DIR
-    ```
-=== "oras >= v0.13.0"
-    Please follow [oras installation instruction][oras].
+- `--skip-db-update` to skip updating the main vulnerability database.
+- `--skip-java-db-update` to skip updating the Java vulnerability database.
+- `--skip-check-update` to skip updating the misconfiguration database.

-    Download `javadb.tar.gz`:
-
-    ```
-    $ oras pull ghcr.io/aquasecurity/trivy-java-db:1
-    ```
-
-=== "oras < v0.13.0"
-    Please follow [oras installation instruction][oras].
-
-    Download `javadb.tar.gz`:
-
-    ```
-    $ oras pull -a ghcr.io/aquasecurity/trivy-java-db:1
-    ```
-
-
-### Transfer the DB files into the air-gapped environment
-The way of transfer depends on the environment.
-
-=== "Vulnerability db"
-    ```
-    $ rsync -av -e ssh /path/to/db.tar.gz [user]@[host]:dst
-    ```
-
-=== "Java index db[^1]"
-    ```
-    $ rsync -av -e ssh /path/to/javadb.tar.gz [user]@[host]:dst
-    ```
-
-### Put the DB files in Trivy's cache directory
-You have to know where to put the DB files. The following command shows the default cache directory.
-
-```
-$ ssh user@host
-$ trivy -h | grep cache
-   --cache-dir value  cache directory (default: "/home/myuser/.cache/trivy") [$TRIVY_CACHE_DIR]
-```
-=== "Vulnerability db"
-    Put the DB file in the cache directory + `/db`.
-    
-    ```
-    $ mkdir -p /home/myuser/.cache/trivy/db
-    $ cd /home/myuser/.cache/trivy/db
-    $ tar xvf /path/to/db.tar.gz -C /home/myuser/.cache/trivy/db
-    x trivy.db
-    x metadata.json
-    $ rm /path/to/db.tar.gz
-    ```
-
-=== "Java index db[^1]"
-    Put the DB file in the cache directory + `/java-db`.
-
-    ```
-    $ mkdir -p /home/myuser/.cache/trivy/java-db
-    $ cd /home/myuser/.cache/trivy/java-db
-    $ tar xvf /path/to/javadb.tar.gz -C /home/myuser/.cache/trivy/java-db
-    x trivy-java.db
-    x metadata.json
-    $ rm /path/to/javadb.tar.gz
-    ```
-
-
-
-In an air-gapped environment it is your responsibility to update the Trivy databases on a regular basis, so that the scanner can detect recently-identified vulnerabilities. 
-
-### Run Trivy with the specific flags.
-In an air-gapped environment, you have to specify `--skip-db-update` and `--skip-java-db-update`[^1] so that Trivy doesn't attempt to download the latest database files.
-In addition, if you want to scan `pom.xml` dependencies, you need to specify `--offline-scan` since Trivy tries to issue API requests for scanning Java applications by default.
-
-```
-$ trivy image --skip-db-update --skip-java-db-update --offline-scan alpine:3.12
+```shell
+trivy image --skip-db-update --skip-java-db-update --offline-scan --skip-check-update myimage
 ```

-## Air-Gapped Environment for misconfigurations
+## Self-Hosting

-No special measures are required to detect misconfigurations in an air-gapped environment.
+### OCI Databases

-### Run Trivy with `--skip-check-update` option
-In an air-gapped environment, specify `--skip-check-update` so that Trivy doesn't attempt to download the latest misconfiguration checks.
+You can host the databases on your own local OCI registry. 

-```
-$ trivy conf --skip-policy-update /path/to/conf
+First, make a copy of the databases in a container registry that is accessible to Trivy. The databases are in:
+
+- `ghcr.io/aquasecurity/trivy-db:2`
+- `ghcr.io/aquasecurity/trivy-java-db:1`
+- `ghcr.io/aquasecurity/trivy-checks:0`
+
+Then, tell Trivy to use the local registry:
+
+```shell
+trivy image \
+    --db-repository myregistry.local/trivy-db \
+    --java-db-repository myregistry.local/trivy-java-db \
+    --checks-bundle-repository myregistry.local/trivy-checks \
+    myimage
 ```

-[allowlist]: ../references/troubleshooting.md
-[oras]: https://oras.land/docs/installation
+#### Authentication

-[^1]: This is only required to scan `jar` files. More information about `Java index db` [here](../coverage/language/java.md)
+If the registry requires authentication, you can configure it as described in the [private registry authentication document](../advanced/private-registries/index.md).
+
+### VEX Hub
+
+You can host a copy of VEX Hub on your own internal server.
+
+First, make a copy of VEX Hub in a location that is accessible to Trivy.
+
+1. Download the [VEX Hub](https://github.com/aquasecurity/vexhub) archive from: <https://github.com/aquasecurity/vexhub/archive/refs/heads/main.zip>.
+1. Download the [VEX Hub Repository Manifest](https://github.com/aquasecurity/vex-repo-spec#2-repository-manifest) file from: <https://github.com/aquasecurity/vexhub/blob/main/vex-repository.json>.
+1. Create or identify an internal HTTP server that can serve the VEX Hub repository in your environment (e.g `https://server.local`).
+1. Make the downloaded archive file available for serving from your server (e.g `https://server.local/main.zip`).
+1. Modify the downloaded manifest file's [Location URL](https://github.com/aquasecurity/vex-repo-spec?tab=readme-ov-file#locations-subfields) field to the URL of the archive file on your server (e.g `url: https://server.local/main.zip`).
+1. Make the manifest file available for serving from your server under the `/.well-known` path  (e.g `https://server.local/.well-known/vex-repository.json`).
+
+Then, tell Trivy to use the local VEX Repository:
+
+1. Locate your [Trivy VEX configuration file](../supply-chain/vex/repo/#configuration-file) by running `trivy vex repo init`. Make the following changes to the file.
+1. Disable the default VEX Hub repo (`enabled: false`)
+1. Add your internal VEX Hub repository as a [custom repository](../supply-chain/vex/repo/#custom-repositories) with the URL pointing to your local server (e.g `url: https://server.local`).
+
+#### Authentication
+
+If your server requires authentication, you can configure it as described in the [VEX Repository Authentication document](../supply-chain/vex/repo/#authentication).
+
+## Manual cache population
+
+You can also download the databases files manually and surgically populate the Trivy cache directory with them.
+
+### Downloading the DB files
+
+On a machine with internet access, pull the database container archive from the public registry into your local workspace:
+
+Note that these examples operate in the current working directory.
+
+=== "Using ORAS"
+This example uses [ORAS](https://oras.land), but you can use any other container registry manipulation tool.
+
+```shell
+oras pull ghcr.io/aquasecurity/trivy-db:2
+```
+
+You should now have a file called `db.tar.gz`. Next, extract it to reveal the db files:
+
+```shell
+tar -xzf db.tar.gz
+```
+
+You should now have 2 new files, `metadata.json` and `trivy.db`. These are the Trivy DB files.
+
+=== "Using Trivy"
+This example uses Trivy to pull the database container archive. The `--cache-dir` flag makes Trivy download the database files into our current working directory. The `--download-db-only` flag tells Trivy to only download the database files, not to scan any images.
+
+```shell
+trivy image --cache-dir . --download-db-only
+```
+
+You should now have 2 new files, `metadata.json` and `trivy.db`. These are the Trivy DB files, copy them over to the air-gapped environment.
+
+### Populating the Trivy Cache
+
+In order to populate the cache, you need to identify the location of the cache directory. If it is under the default location, you can run the following command to find it:
+
+```shell
+trivy -h | grep cache
+```
+
+For the example, we will assume the `TRIVY_CACHE_DIR` variable holds the cache location:
+
+```shell
+TRIVY_CACHE_DIR=/home/user/.cache/trivy
+```
+
+Put the Trivy DB files in the Trivy cache directory under a `db` subdirectory:
+
+```shell
+# ensure cache db directory exists
+mkdir -p ${TRIVY_CACHE_DIR}/db
+# copy the db files
+cp /path/to/trivy.db /path/to/metadata.json ${TRIVY_CACHE_DIR}/db/
+```
+
+### Java DB
+
+For Java DB the process is the same, except for the following:
+
+1. Image location is `ghcr.io/aquasecurity/trivy-java-db:1`
+2. Archive file name is `javadb.tar.gz`
+3. DB file name is `trivy-java.db`
+
+## Misconfigurations scanning
+
+Note that the misconfigurations checks bundle is also embedded in the Trivy binary (at build time), and will be used as a fallback if the external database is not available. This means that you can still scan for misconfigurations in an air-gapped environment using the Checks from the time of the Trivy release you are using.
+
+The misconfiguration scanner can be configured to load checks from a local directory, using the `--config-check` flag. In an air-gapped scenario you can copy the checks library from [Trivy checks repository](https://github.com/aquasecurity/trivy-checks) into a local directory, and load it with this flag. See more in the [Misconfiguration scanner documentation](../scanner/misconfiguration/index.md).
--- a/docs/docs/compliance/contrib-compliance.md
+++ b/docs/docs/compliance/contrib-compliance.md
@@ -35,7 +35,7 @@ Additional information is provided below.

 #### 1. Referencing a check that is already part of Trivy

-Trivy has a comprehensive list of checks as part of its misconfiguration scanning. These can be found in the `trivy-policies/checks` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/checks)). If the check is present, the `AVD_ID` and other information from the check has to be used.
+Trivy has a comprehensive list of checks as part of its misconfiguration scanning. These can be found in the `trivy-checks/checks` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/checks)). If the check is present, the `AVD_ID` and other information from the check has to be used.

 Note: Take a look at the more generic compliance specs that are already available in Trivy. If you are adding new compliance spec to Kubernetes e.g. AWS EKS CIS Benchmarks, chances are high that the check you would like to add to the new spec has already been defined in the general `k8s-ci-v.000.yaml` compliance spec. The same applies for creating specific Cloud Provider Compliance Specs and the [generic compliance specs](https://github.com/aquasecurity/trivy-checks/tree/main/specs/compliance) available. 

--- a/docs/docs/configuration/cache.md
+++ b/docs/docs/configuration/cache.md
@@ -1,10 +1,11 @@
 # Cache
 The cache directory includes 

+- Cache of previous scans (Scan cache).
 - [Vulnerability Database][trivy-db][^1]
 - [Java Index Database][trivy-java-db][^2]
 - [Misconfiguration Checks][misconf-checks][^3]
- Cache of previous scans.
+- [VEX Repositories](../supply-chain/vex/repo.md)
 
 The cache option is common to all scanners.

--- a/docs/docs/configuration/db.md
+++ b/docs/docs/configuration/db.md
@@ -54,11 +54,44 @@ $ trivy image --download-db-only
 $ trivy image --db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db
 ```

+The media type of the OCI layer must be `application/vnd.aquasec.trivy.db.layer.v1.tar+gzip`.
+You can reference the OCI manifest of [trivy-db].
+
+<details>
+<summary>Manifest</summary>
+
+```shell
+{
+  "schemaVersion": 2,
+  "mediaType": "application/vnd.oci.image.manifest.v1+json",
+  "config": {
+    "mediaType": "application/vnd.aquasec.trivy.config.v1+json",
+    "digest": "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
+    "size": 2
+  },
+  "layers": [
+    {
+      "mediaType": "application/vnd.aquasec.trivy.db.layer.v1.tar+gzip",
+      "digest": "sha256:29ad6505b8957c7cd4c367e7c705c641a9020d2be256812c5f4cc2fc099f4f02",
+      "size": 55474933,
+      "annotations": {
+        "org.opencontainers.image.title": "db.tar.gz"
+      }
+    }
+  ],
+  "annotations": {
+    "org.opencontainers.image.created": "2024-09-11T06:14:51Z"
+  }
+}
+```
+</details>
+
 !!!note
    Trivy automatically adds the `trivy-db` schema version as a tag if the tag is not used:

    `trivy-db-registry:latest` => `trivy-db-registry:latest`, but `trivy-db-registry` => `trivy-db-registry:2`.

+
 ## Java Index Database
 The same options are also available for the Java index DB, which is used for scanning Java applications.
 Skipping an update can be done by using the `--skip-java-db-update` option, while `--download-java-db-only` can be used to only download the Java index DB.
@@ -72,6 +105,9 @@ Downloading the Java index DB from an external OCI registry can be done by using
 $ trivy image --java-db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-java-db --download-java-db-only
 ```

+The media type of the OCI layer must be `application/vnd.aquasec.trivy.javadb.layer.v1.tar+gzip`.
+You can reference the OCI manifest of [trivy-java-db].
+
 !!!note
    Trivy automatically adds the `trivy-java-db` schema version as a tag if the tag is not used:

@@ -84,4 +120,7 @@ $ trivy image --java-db-repository registry.gitlab.com/gitlab-org/security-produ
 $ trivy clean --vuln-db --java-db
 2024-06-24T11:42:31+06:00       INFO    Removing vulnerability database...
 2024-06-24T11:42:31+06:00       INFO    Removing Java database...
-```
+```
+
+[trivy-db]: https://github.com/aquasecurity/trivy-db/pkgs/container/trivy-db
+[trivy-java-db]: https://github.com/aquasecurity/trivy-java-db/pkgs/container/trivy-java-db
--- a/docs/docs/configuration/filtering.md
+++ b/docs/docs/configuration/filtering.md
@@ -101,7 +101,7 @@ Total: 1785 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1680, CRITICAL: 105)
 </details>

 ```bash
-trivy conf --severity HIGH,CRITICAL examples/misconf/mixed
+trivy config --severity HIGH,CRITICAL examples/misconf/mixed
 ```

 <details>
@@ -238,7 +238,7 @@ You can filter the results by
 To show the suppressed results, use the `--show-suppressed` flag.

 !!! note
-    This flag is currently available only in the table format.
+    It's exported as `ExperimentalModifiedFindings` in the JSON output.

 ```bash
 $ trivy image --vex debian11.csaf.vex --ignorefile .trivyignore.yaml --show-suppressed debian:11
@@ -493,7 +493,7 @@ You can find more example checks [here](https://github.com/aquasecurity/trivy/tr
 |      Secret      |           |
 |     License      |           |

-Please refer to the [VEX documentation](../supply-chain/vex.md) for the details.
+Please refer to the [VEX documentation](../supply-chain/vex/index.md) for the details.


 [^1]: license name is used as id for `.trivyignore.yaml` files.
--- a/docs/docs/coverage/iac/cloudformation.md
+++ b/docs/docs/coverage/iac/cloudformation.md
@@ -21,7 +21,7 @@ It evaluates properties, functions, and other elements within CloudFormation fil
 You can provide `cf-params` with path to [CloudFormation Parameters] file to Trivy to scan your CloudFormation code with parameters.

 ```bash
-trivy conf --cf-params params.json ./infrastructure/cf
+trivy config --cf-params params.json ./infrastructure/cf
 ```

 You can check a [CloudFormation Parameters Example]
--- a/docs/docs/coverage/iac/helm.md
+++ b/docs/docs/coverage/iac/helm.md
@@ -21,7 +21,7 @@ When override values are passed to the Helm scanner, the values will be used dur
 Overrides can be set inline on the command line

 ```bash
-trivy conf --helm-set securityContext.runAsUser=0 ./charts/mySql
+trivy config --helm-set securityContext.runAsUser=0 ./charts/mySql
 ```

 #### Setting value file overrides
@@ -35,7 +35,7 @@ securityContext:
 ```

 ```bash
-trivy conf --helm-values overrides.yaml ./charts/mySql
+trivy config --helm-values overrides.yaml ./charts/mySql
 ``` 

 #### Setting value as explicit string
@@ -49,7 +49,7 @@ trivy config --helm-set-string name=false ./infrastructure/tf
 Specific override values can come from specific files

 ```bash
-trivy conf --helm-set-file environment=dev.values.yaml ./charts/mySql
+trivy config --helm-set-file environment=dev.values.yaml ./charts/mySql
 ```

 ## Secret
--- a/docs/docs/coverage/iac/index.md
+++ b/docs/docs/coverage/iac/index.md
@@ -8,15 +8,18 @@ Trivy scans Infrastructure as Code (IaC) files for

 ## Supported configurations

-| Config type                         | File patterns                                 |
-|-------------------------------------|-----------------------------------------------|
-| [Kubernetes](kubernetes.md)         | \*.yml, \*.yaml, \*.json                      |
-| [Docker](docker.md)                 | Dockerfile, Containerfile                     |
-| [Terraform](terraform.md)           | \*.tf, \*.tf.json, \*.tfvars                  |
-| [Terraform Plan](terraform.md)      | tfplan, \*.tfplan, \*.tfplan.json, \*.tf.json |
-| [CloudFormation](cloudformation.md) | \*.yml, \*.yaml, \*.json                      |
-| [Azure ARM Template](azure-arm.md)  | \*.json                                       |
-| [Helm](helm.md)                     | \*.yaml, \*.tpl, \*.tar.gz, etc.              |
+| Config type                         | File patterns                    |
+|-------------------------------------|----------------------------------|
+| [Kubernetes](kubernetes.md)         | \*.yml, \*.yaml, \*.json         |
+| [Docker](docker.md)                 | Dockerfile, Containerfile        |
+| [Terraform](terraform.md)           | \*.tf, \*.tf.json, \*.tfvars     |
+| [Terraform Plan](terraform.md)      | tfplan, \*.tfplan, \*.json       |
+| [CloudFormation](cloudformation.md) | \*.yml, \*.yaml, \*.json         |
+| [Azure ARM Template](azure-arm.md)  | \*.json                          |
+| [Helm](helm.md)                     | \*.yaml, \*.tpl, \*.tar.gz, etc. |
+| [YAML][json-and-yaml]               | \*.yaml, \*.yml                  |
+| [JSON][json-and-yaml]               | \*.json                          |

 [misconf]: ../../scanner/misconfiguration/index.md
 [secret]: ../../scanner/secret.md
+[json-and-yaml]: ../../scanner/misconfiguration/index.md#scan-arbitrary-json-and-yaml-configurations
--- a/docs/docs/coverage/iac/terraform.md
+++ b/docs/docs/coverage/iac/terraform.md
@@ -18,13 +18,13 @@ It supports the following formats:
 Trivy can scan Terraform Plan files (snapshots) or their JSON representations. To create a Terraform Plan and scan it, run the following command:
 ```bash
 terraform plan --out tfplan
-trivy conf tfplan
+trivy config tfplan
 ```

 To scan a Terraform Plan representation in JSON format, run the following command:
 ```bash
 terraform show -json tfplan > tfplan.json
-trivy conf tfplan.json
+trivy config tfplan.json
 ```

 ## Misconfiguration
@@ -35,7 +35,7 @@ It also evaluates variables, imports, and other elements within Terraform files
 You can provide `tf-vars` files to Trivy to override default values specified in the Terraform HCL code.

 ```bash
-trivy conf --tf-vars dev.terraform.tfvars ./infrastructure/tf
+trivy config --tf-vars dev.terraform.tfvars ./infrastructure/tf
 ```

 ### Exclude Downloaded Terraform Modules
@@ -43,8 +43,37 @@ By default, downloaded modules are also scanned.
 If you don't want to scan them, you can use the `--tf-exclude-downloaded-modules` flag.

 ```bash
-trivy conf --tf-exclude-downloaded-modules ./configs
+trivy config --tf-exclude-downloaded-modules ./configs
 ```

 ## Secret
-The secret scan is performed on plain text files, with no special treatment for Terraform.
+The secret scan is performed on plain text files, with no special treatment for Terraform.
+
+## Limitations
+
+### Terraform Plan JSON
+
+#### For each and count objects in expression
+
+The plan created by Terraform does not provide complete information about references in expressions that use `each` or `count` objects. For this reason, in some situations it is not possible to establish references between resources that are needed for checks when detecting misconfigurations. An example of such a configuration is:
+
+```hcl
+locals {
+  buckets = toset(["test"])
+}
+
+resource "aws_s3_bucket" "this" {
+  for_each = local.buckets
+  bucket = each.key
+}
+
+resource "aws_s3_bucket_acl" "this" {
+  for_each = local.buckets
+  bucket = aws_s3_bucket.this[each.key].id
+  acl    = "private"
+}
+```
+
+With this configuration, the plan will not contain information about which attribute of the `aws_s3_bucket` resource is referenced by the `aws_s3_bucket_acl` resource.
+
+See more [here](https://github.com/hashicorp/terraform/issues/30826).
--- a/docs/docs/coverage/language/dart.md
+++ b/docs/docs/coverage/language/dart.md
@@ -11,9 +11,9 @@ The following scanners are supported.
 The following table provides an outline of the features Trivy offers.


-| Package manager         | File         | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
-|-------------------------|--------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|
-| [Dart][dart-repository] | pubspec.lock |            ✓            |     Included     |                  ✓                   |    -     |
+| Package manager         | File         | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position | [Detection Priority][detection-priority] |
+|-------------------------|--------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|:----------------------------------------:|
+| [Dart][dart-repository] | pubspec.lock |            ✓            |     Included     |                  ✓                   |    -     |                    ✓                     |

 ## Dart
 In order to detect dependencies, Trivy searches for `pubspec.lock`.
@@ -22,11 +22,13 @@ Trivy marks indirect dependencies, but `pubspec.lock` file doesn't have options
 So Trivy includes all dependencies in report.

 ### SDK dependencies
-Dart uses version `0.0.0` for SDK dependencies (e.g. Flutter). It is not possible to accurately determine the versions of these dependencies.
+Dart uses version `0.0.0` for SDK dependencies (e.g. Flutter).
+It is not possible to accurately determine the versions of these dependencies.
+Trivy just treats them as `0.0.0`.

-Therefore, we use the first version of the constraint for the SDK.
+If [--detection-priority comprehensive][detection-priority] is passed, Trivy uses the minimum version of the constraint for the SDK.
+For example, in the following case, the version of `flutter` would be `3.3.0`:

-For example in this case the version of `flutter` should be `3.3.0`:
 ```yaml
 flutter:
  dependency: "direct main"
@@ -40,6 +42,7 @@ sdks:

 ### Dependency tree
 To build `dependency tree` Trivy parses [cache directory][cache-directory]. Currently supported default directories and `PUB_CACHE` environment (absolute path only).
+
 !!! note
    Make sure the cache directory contains all the dependencies installed in your application. To download missing dependencies, use `dart pub get` command.     

@@ -47,3 +50,4 @@ To build `dependency tree` Trivy parses [cache directory][cache-directory]. Curr
 [dart-repository]: https://pub.dev/
 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
 [cache-directory]: https://dart.dev/tools/pub/glossary#system-cache
+[detection-priority]: ../../scanner/vulnerability.md#detection-priority
--- a/docs/docs/coverage/language/dotnet.md
+++ b/docs/docs/coverage/language/dotnet.md
@@ -21,6 +21,9 @@ The following table provides an outline of the features Trivy offers.
 ## *.deps.json
 Trivy parses `*.deps.json` files. Trivy currently excludes dev dependencies from the report.

+!!! note
+    Trivy only includes runtime dependencies in the report.
+
 ## packages.config
 Trivy only finds dependency names and versions from `packages.config` files. To build dependency graph, it is better to use `packages.lock.json` files.

--- a/docs/docs/coverage/language/golang.md
+++ b/docs/docs/coverage/language/golang.md
@@ -1,32 +1,31 @@
 # Go

-## Data Sources
-The data sources are listed [here](../../scanner/vulnerability.md#data-sources-1).
-Trivy uses Go Vulnerability Database for standard packages, such as `net/http`, and uses GitHub Advisory Database for third-party packages.
-
-## Features
+## Overview
 Trivy supports two types of Go scanning, Go Modules and binaries built by Go.

 The following scanners are supported.

-| Artifact | SBOM  | Vulnerability | License |
-| -------- | :---: | :-----------: | :-----: |
-| Modules  |   ✓   |       ✓       |  ✓[^2]  |
-| Binaries |   ✓   |       ✓       |    -    |
+| Artifact | SBOM | Vulnerability |    License    |
+|----------|:----:|:-------------:|:-------------:|
+| Modules  |  ✓   |       ✓       | [✓](#license) |
+| Binaries |  ✓   |       ✓       |       -       |

 The table below provides an outline of the features Trivy offers.

-| Artifact | Offline[^1] | Dev dependencies | [Dependency graph][dependency-graph] | Stdlib |
-|----------|:-----------:|:-----------------|:------------------------------------:|:------:|
-| Modules  |      ✅      | Include          |                ✅[^2]                 |   -    |
-| Binaries |      ✅      | Exclude          |                  -                   | ✅[^4]  |
+| Artifact | Offline[^1] | Dev dependencies | [Dependency graph][dependency-graph] |          Stdlib          | [Detection Priority][detection-priority] |
+|----------|:-----------:|:-----------------|:------------------------------------:|:------------------------:|:----------------------------------------:|
+| Modules  |      ✅      | Include          |        [✅](#dependency-graph)        |  [✅](#standard-library)  |          [✅](#standard-library)          |
+| Binaries |      ✅      | Exclude          |                  -                   | [✅](#standard-library-1) |                Not needed                |

 !!! note
-    Trivy scans only dependencies of the Go project.
-    Let's say you scan the Docker binary, Trivy doesn't detect vulnerabilities of Docker itself.
-    Also, when you scan go.mod in Kubernetes, the Kubernetes vulnerabilities will not be found.
+    When scanning Go projects (go.mod or binaries built with Go), Trivy scans only dependencies of the project, and does not detect vulnerabilities of application itself. 
+    For example, when scanning the Docker project (Docker's source code with go.mod or the Docker binary), Trivy might find vulnerabilities in Go modules that Docker depends on, but won't find vulnerabilities of Docker itself. Moreover, when scanning the Trivy project, which happens to use Docker, Docker's vulnerabilities might be detected as dependencies of Trivy.

-### Go Modules
+## Data Sources
+The data sources are listed [here](../../scanner/vulnerability.md#data-sources-1).
+Trivy uses Go Vulnerability Database for [standard library](https://pkg.go.dev/std) and uses GitHub Advisory Database for other Go modules.
+
+## Go Module
 Depending on Go versions, the required files are different.

 | Version | Required files | Offline |
@@ -42,7 +41,7 @@ Go 1.17+ holds actually needed indirect dependencies in `go.mod`, and it reduces
 If you want to have better detection, please consider updating the Go version in your project.

 !!! note
-    The Go version doesn't mean your CLI version, but the Go version in your go.mod.
+    The Go version doesn't mean your Go tool version, but the Go version in your go.mod.

    ```
    module github.com/aquasecurity/trivy
@@ -61,15 +60,37 @@ If you want to have better detection, please consider updating the Go version in
    $ go mod tidy -go=1.18
    ```

-To identify licenses and dependency relationships, you need to download modules to local cache beforehand,
-such as `go mod download`, `go mod tidy`, etc.
+### Main Module
+Trivy scans only dependencies of the project, and does not detect vulnerabilities of the main module. 
+For example, when scanning the Docker project (Docker's source code with go.mod), Trivy might find vulnerabilities in Go modules that Docker depends on, but won't find vulnerabilities of Docker itself.
+Moreover, when scanning the Trivy project, which happens to use Docker, Docker's vulnerabilities might be detected as dependencies of Trivy.
+
+### Standard Library
+Detecting the version of Go used in the project can be tricky.
+The go.mod file include hints that allows Trivy to guess the Go version but it eventually depends on the Go tool version in the build environment.
+Since this strategy is not fully deterministic and accurate, it is enabled only in [--detection-priority comprehensive][detection-priority] mode.
+When enabled, Trivy detects stdlib version as the minimum between the `go` and the `toolchain` directives in the `go.mod` file.
+To obtain reproducible scan results Trivy doesn't check the locally installed version of `Go`.
+
+!!! note
+    Trivy detects `stdlib` only for `Go` 1.21 or higher.
+
+    The version from the `go` line (for `Go` 1.20 or early) is not a minimum required version.
+    For details, see [this](https://go.googlesource.com/proposal/+/master/design/57001-gotoolchain.md).
+
+It possibly produces false positives.
+See [the caveat](#stdlib-vulnerabilities) for details.
+
+### License
+To identify licenses, you need to download modules to local cache beforehand, such as `go mod download`, `go mod tidy`, etc.
 Trivy traverses `$GOPATH/pkg/mod` and collects those extra information.

-### Go binaries
-Trivy scans binaries built by Go, which include [module information](https://tip.golang.org/doc/go1.18#go-version).
-If there is a Go binary in your container image, Trivy automatically finds and scans it.
+### Dependency Graph
+Same as licenses, you need to download modules to local cache beforehand.

-Also, you can scan your local binaries.
+## Go Binary
+Trivy scans Go binaries when it encounters them during scans such as container images or file systems. 
+When scanning binaries built by Go, Trivy finds dependencies and Go version information as [embedded in the binary by Go tool at build time](https://tip.golang.org/doc/go1.18#go-version).

 ```
 $ trivy rootfs ./your_binary
@@ -78,20 +99,34 @@ $ trivy rootfs ./your_binary
 !!! note
    It doesn't work with UPX-compressed binaries.

-#### Empty versions
-There are times when Go uses the `(devel)` version for modules/dependencies.
+### Main Module
+Go binaries installed using the `go install` command contains correct (semver) version for the main module and therefor are detected by Trivy.
+In other cases, Go uses the `(devel)` version[^2].
+In this case, Trivy will attempt to parse any `-ldflags` as it's a common practice to pass versions this way.
+If unsuccessful, the version will be empty[^3].

- Only Go binaries installed using the `go install` command contain correct (semver) version for the main module. 
-  In other cases, Go uses the `(devel)` version[^3].
- Dependencies replaced with local ones use the `(devel)` versions.
+### Standard Library
+Trivy detects the Go version used to compile the binary and detects its vulnerabilities in the standard libraries.
+It possibly produces false positives.
+See [the caveat](#stdlib-vulnerabilities) for details.

-In the first case, Trivy will attempt to parse any `-ldflags` as a secondary source, and will leave the version
-empty if it cannot do so[^5]. For the second case, the version of such packages is empty.
+## Caveats
+
+### Stdlib Vulnerabilities
+Trivy does not know if or how you use stdlib functions, therefore it is possible that stdlib vulnerabilities are not applicable to your use case.
+There are a few ways to mitigate this:
+
+1. Analyze vulnerability reachability using a tool such as [govulncheck](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck). This will ensure that reported vulnerabilities are applicable to your project.
+2. Suppress non-applicable vulnerabilities using either [ignore file](../../configuration/filtering.md) for self-use or [VEX Hub](../../supply-chain/vex/repo.md) for public use.
+
+### Empty Version
+As described in the [Main Module](#main-module-1) section, the main module of Go binaries might have an empty version.
+Also, dependencies replaced with local ones will have an empty version.

 [^1]: It doesn't require the Internet access.
-[^2]: Need to download modules to local cache beforehand
-[^3]: See https://github.com/aquasecurity/trivy/issues/1837#issuecomment-1832523477
-[^4]: Identify the Go version used to compile the binary and detect its vulnerabilities
-[^5]: See https://github.com/golang/go/issues/63432#issuecomment-1751610604
+[^2]: See https://github.com/aquasecurity/trivy/issues/1837#issuecomment-1832523477
+[^3]: See https://github.com/golang/go/issues/63432#issuecomment-1751610604

 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
+[toolchain]: https://go.dev/doc/toolchain
+[detection-priority]: ../../scanner/vulnerability.md#detection-priority
--- a/docs/docs/coverage/language/java.md
+++ b/docs/docs/coverage/language/java.md
@@ -12,12 +12,12 @@ Each artifact supports the following scanners:

 The following table provides an outline of the features Trivy offers.

-| Artifact         |    Internet access    | Dev dependencies | [Dependency graph][dependency-graph] | Position |
-|------------------|:---------------------:|:----------------:|:------------------------------------:|:--------:|
-| JAR/WAR/PAR/EAR  |     Trivy Java DB     |     Include      |                  -                   |    -     |
-| pom.xml          | Maven repository [^1] |     Exclude      |                  ✓                   |  ✓[^7]   |
-| *gradle.lockfile |           -           |     Exclude      |                  ✓                   |    ✓     |
-| *.sbt.lock       |          -            |     Exclude      |                  -                   |    ✓     |
+| Artifact         |    Internet access    | Dev dependencies | [Dependency graph][dependency-graph] | Position | [Detection Priority][detection-priority] |
+|------------------|:---------------------:|:----------------:|:------------------------------------:|:--------:|:----------------------------------------:|
+| JAR/WAR/PAR/EAR  |     Trivy Java DB     |     Include      |                  -                   |    -     |                Not needed                |
+| pom.xml          | Maven repository [^1] |     Exclude      |                  ✓                   |  ✓[^7]   |                    -                     |
+| *gradle.lockfile |           -           |     Exclude      |                  ✓                   |    ✓     |                Not needed                |
+| *.sbt.lock       |           -           |     Exclude      |                  -                   |    ✓     |                Not needed                |

 These may be enabled or disabled depending on the target.
 See [here](./index.md) for the detail.
@@ -69,6 +69,16 @@ The vulnerability database will be downloaded anyway.
 !!! Warning
    Trivy may skip some dependencies (that were not found on your local machine) when the `--offline-scan` flag is passed.

+### empty dependency version
+There are cases when Trivy cannot determine the version of dependencies:
+
+- Unable to determine the version from the parent because the parent is not reachable;
+- The dependency uses a [hard requirement][version-requirement] with more than one version.
+
+In these cases, Trivy uses an empty version for the dependency.
+
+!!! Warning
+    Trivy doesn't detect child dependencies for dependencies without a version.

 ### maven-invoker-plugin
 Typically, the integration tests directory (`**/[src|target]/it/*/pom.xml`) of [maven-invoker-plugin][maven-invoker-plugin] doesn't contain actual `pom.xml` files and should be skipped to avoid noise.
@@ -119,3 +129,5 @@ Make sure that you have cache[^8] directory to find licenses from `*.pom` depend
 [maven-central]: https://repo.maven.apache.org/maven2/
 [maven-pom-repos]: https://maven.apache.org/settings.html#repositories
 [sbt-dependency-lock]: https://stringbean.github.io/sbt-dependency-lock
+[detection-priority]: ../../scanner/vulnerability.md#detection-priority
+[version-requirement]: https://maven.apache.org/pom.html#dependency-version-requirement-specification
--- a/docs/docs/coverage/language/nodejs.md
+++ b/docs/docs/coverage/language/nodejs.md
@@ -8,7 +8,7 @@ The following scanners are supported.
 |----------|:----:|:-------------:|:-------:|
 | npm      |  ✓   |       ✓       |    ✓    |
 | Yarn     |  ✓   |       ✓       |    ✓    |
-| pnpm     |  ✓   |       ✓       |    -    |
+| pnpm     |  ✓   |       ✓       |    ✓    |
 | Bun      |  ✓   |       ✓       |    ✓    |

 The following table provides an outline of the features Trivy offers.
@@ -54,6 +54,7 @@ By default, Trivy doesn't report development dependencies. Use the `--include-de

 ### pnpm
 Trivy parses `pnpm-lock.yaml`, then finds production dependencies and builds a [tree][dependency-graph] of dependencies with vulnerabilities.
+To identify licenses, you need to download dependencies to `node_modules` beforehand. Trivy analyzes `node_modules` for licenses.

 #### lock file v9 version
 Trivy supports `Dev` field for `pnpm-lock.yaml` v9 or later. Use the `--include-dev-deps` flag to include the developer's dependencies in the result.
--- a/docs/docs/coverage/language/python.md
+++ b/docs/docs/coverage/language/python.md
@@ -21,11 +21,11 @@ The following scanners are supported for Python packages.

 The following table provides an outline of the features Trivy offers.

-| Package manager | File             | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
-|-----------------|------------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|
-| pip             | requirements.txt |            -            |     Include      |                  -                   |    ✓     |
-| Pipenv          | Pipfile.lock     |            ✓            |     Include      |                  -                   |    ✓     |
-| Poetry          | poetry.lock      |            ✓            |     Exclude      |                  ✓                   |    -     |
+| Package manager | File             | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position | [Detection Priority][detection-priority] |
+|-----------------|------------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|:----------------------------------------:|
+| pip             | requirements.txt |            -            |     Include      |                  -                   |    ✓     |                    ✓                     |
+| Pipenv          | Pipfile.lock     |            ✓            |     Include      |                  -                   |    ✓     |                Not needed                |
+| Poetry          | poetry.lock      |            ✓            |     Exclude      |                  ✓                   |    -     |                Not needed                |


 | Packaging | Dependency graph |
@@ -42,8 +42,17 @@ Trivy parses your files generated by package managers in filesystem/repository s
 ### pip

 #### Dependency detection
-Trivy only parses [version specifiers](https://packaging.python.org/en/latest/specifications/version-specifiers/#id4) with `==` comparison operator and without `.*`.
-To convert unsupported version specifiers - use the `pip  freeze` command.
+By default, Trivy only parses [version specifiers](https://packaging.python.org/en/latest/specifications/version-specifiers/#id5) with `==` comparison operator and without `.*`.
+
+Using the [--detection-priority comprehensive](#detection-priority) option ensures that the tool establishes a minimum version, which is particularly useful in scenarios where identifying the exact version is challenging. 
+In such case Trivy parses specifiers `>=`,`~=` and a trailing `.*`.
+
+```
+keyring >= 4.1.1            # Minimum version 4.1.1
+Mopidy-Dirble ~= 1.1        # Minimum version 1.1
+python-gitlab==2.0.*        # Minimum version 2.0.0
+```
+Also, there is a way to convert unsupported version specifiers - use the `pip  freeze` command.

 ```bash
 $ cat requirements.txt 
@@ -119,7 +128,7 @@ License detection is not supported for `Poetry`.

 ## Packaging
 Trivy parses the manifest files of installed packages in container image scanning and so on.
-See [here](https://packaging.python.org/en/latest/discussions/wheel-vs-egg/) for the detail.
+See [here](https://packaging.python.org/en/latest/discussions/package-formats/) for the detail.

 ### Egg
 Trivy looks for `*.egg-info`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO` to identify Python packages.
@@ -130,3 +139,4 @@ Trivy looks for `.dist-info/META-DATA` to identify Python packages.
 [^1]: Trivy checks `python`, `python3`, `python2` and `python.exe` file names.

 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
+[detection-priority]: ../../scanner/vulnerability.md#detection-priority
--- a/docs/docs/coverage/os/cbl-mariner.md
+++ b/docs/docs/coverage/os/cbl-mariner.md
@@ -1,4 +1,7 @@
-# CBL-Mariner
+# Azure Linux (CBL-Mariner)
+
+*CBL-Mariner was rebranded to Azure Linux for version 3.0 onwards.*
+
 Trivy supports the following scanners for OS packages.

 | Version          | SBOM  | Vulnerability | License |
@@ -7,6 +10,8 @@ Trivy supports the following scanners for OS packages.
 | 1.0 (Distroless) |   ✔   |       ✔       |         |
 | 2.0              |   ✔   |       ✔       |    ✔    |
 | 2.0 (Distroless) |   ✔   |       ✔       |         |
+| 3.0              |   ✔   |       ✔       |    ✔    |
+| 3.0 (Distroless) |   ✔   |       ✔       |         |


 The following table provides an outline of the targets Trivy supports.
@@ -15,6 +20,7 @@ The following table provides an outline of the targets Trivy supports.
 | ------- | :-------------: | :-------------: | :----------: |
 | 1.0     |        ✔        |        ✔        | amd64, arm64 |
 | 2.0     |        ✔        |        ✔        | amd64, arm64 |
+| 3.0     |        ✔        |        ✔        | amd64, arm64 |

 The table below outlines the features offered by Trivy.

@@ -24,22 +30,22 @@ The table below outlines the features offered by Trivy.
 | [Dependency graph][dependency-graph] |     ✓     |

 ## SBOM
-Trivy detects packages that have been installed through package managers such as `dnf` and `yum`.
+Trivy detects packages that have been installed through package managers such as `tdnf`, `dnf` and `yum`.

 ## Vulnerability
-CBL-Mariner offers its own security advisories, and these are utilized when scanning CBL-Mariner for vulnerabilities.
+Azure Linux offers its own security advisories, and these are utilized when scanning Azure Linux for vulnerabilities.

 ### Data Source
 See [here](../../scanner/vulnerability.md#data-sources).

 ### Fixed Version
-Trivy takes fixed versions from [CBL-Mariner OVAL][oval].
+Trivy takes fixed versions from [Azure Linux OVAL][oval].

 ### Severity
-Trivy calculates the severity of an issue based on the severity provided in [CBL-Mariner OVAL][oval].
+Trivy calculates the severity of an issue based on the severity provided in [Azure Linux OVAL][oval].

 ### Status
-Trivy supports the following [vulnerability statuses] for CBL-Mariner.
+Trivy supports the following [vulnerability statuses] for Azure Linux.

 |       Status        | Supported |
 | :-----------------: | :-------: |
@@ -55,12 +61,11 @@ Trivy supports the following [vulnerability statuses] for CBL-Mariner.
 Trivy identifies licenses by examining the metadata of RPM packages.

 !!! note
-    License detection is not supported for CBL-Mariner Distroless.
+    License detection is not supported for Azure Linux Distroless images.


 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
-[cbl-mariner]: https://github.com/microsoft/CBL-Mariner

-[oval]: https://github.com/microsoft/CBL-MarinerVulnerabilityData/
+[oval]: https://github.com/microsoft/AzureLinuxVulnerabilityData/

 [vulnerability statuses]: ../../configuration/filtering.md#by-status
--- a/docs/docs/coverage/os/index.md
+++ b/docs/docs/coverage/os/index.md
@@ -9,31 +9,33 @@ Trivy supports operating systems for

 ## Supported OS

-| OS                                   | Supported Versions                  | Package Managers |
-|--------------------------------------|-------------------------------------|------------------|
-| [Alpine Linux](alpine.md)            | 2.2 - 2.7, 3.0 - 3.20, edge         | apk              |
-| [Wolfi Linux](wolfi.md)              | (n/a)                               | apk              |
-| [Chainguard](chainguard.md)          | (n/a)                               | apk              |
-| [Red Hat Enterprise Linux](rhel.md)  | 6, 7, 8                             | dnf/yum/rpm      |
-| [CentOS](centos.md)[^1]              | 6, 7, 8                             | dnf/yum/rpm      |
-| [AlmaLinux](alma.md)                 | 8, 9                                | dnf/yum/rpm      |
-| [Rocky Linux](rocky.md)              | 8, 9                                | dnf/yum/rpm      |
-| [Oracle Linux](oracle.md)            | 5, 6, 7, 8                          | dnf/yum/rpm      |
-| [CBL-Mariner](cbl-mariner.md)        | 1.0, 2.0                            | dnf/yum/rpm      |
-| [Amazon Linux](amazon.md)            | 1, 2, 2023                          | dnf/yum/rpm      |
-| [openSUSE Leap](suse.md)             | 42, 15                              | zypper/rpm       |
-| [SUSE Enterprise Linux](suse.md)     | 11, 12, 15                          | zypper/rpm       |
-| [Photon OS](photon.md)               | 1.0, 2.0, 3.0, 4.0                  | tndf/yum/rpm     |
-| [Debian GNU/Linux](debian.md)        | 7, 8, 9, 10, 11, 12                 | apt/dpkg         |
-| [Ubuntu](ubuntu.md)                  | All versions supported by Canonical | apt/dpkg         |
-| [OSs with installed Conda](conda.md) | -                                   | conda            |
+| OS                                    | Supported Versions                  | Package Managers |
+|---------------------------------------|-------------------------------------|------------------|
+| [Alpine Linux](alpine.md)             | 2.2 - 2.7, 3.0 - 3.20, edge         | apk              |
+| [Wolfi Linux](wolfi.md)               | (n/a)                               | apk              |
+| [Chainguard](chainguard.md)           | (n/a)                               | apk              |
+| [Red Hat Enterprise Linux](rhel.md)   | 6, 7, 8                             | dnf/yum/rpm      |
+| [CentOS](centos.md)[^1]               | 6, 7, 8                             | dnf/yum/rpm      |
+| [AlmaLinux](alma.md)                  | 8, 9                                | dnf/yum/rpm      |
+| [Rocky Linux](rocky.md)               | 8, 9                                | dnf/yum/rpm      |
+| [Oracle Linux](oracle.md)             | 5, 6, 7, 8                          | dnf/yum/rpm      |
+| [Azure Linux (CBL-Mariner)](azure.md) | 1.0, 2.0, 3.0                       | tdnf/dnf/yum/rpm |
+| [Amazon Linux](amazon.md)             | 1, 2, 2023                          | dnf/yum/rpm      |
+| [openSUSE Leap](suse.md)              | 42, 15                              | zypper/rpm       |
+| [openSUSE Tumbleweed](suse.md)        | (n/a)                               | zypper/rpm       |
+| [SUSE Linux Enterprise](suse.md)      | 11, 12, 15                          | zypper/rpm       |
+| [SUSE Linux Enterprise Micro](suse.md)| 5, 6                                | zypper/rpm       |
+| [Photon OS](photon.md)                | 1.0, 2.0, 3.0, 4.0                  | tndf/yum/rpm     |
+| [Debian GNU/Linux](debian.md)         | 7, 8, 9, 10, 11, 12                 | apt/dpkg         |
+| [Ubuntu](ubuntu.md)                   | All versions supported by Canonical | apt/dpkg         |
+| [OSs with installed Conda](../others/conda.md)  | -                                   | conda            |

 ## Supported container images

 | Container image                               | Supported Versions                  | Package Managers |
 |-----------------------------------------------|-------------------------------------|------------------|
 | [Google Distroless](google-distroless.md)[^2] | Any                                 | apt/dpkg         |
-| [Bitnami](bitnami.md)                         | Any                                 | -                |
+| [Bitnami](../others/bitnami.md)                         | Any                                 | -                |

 Each page gives more details.

--- a/docs/docs/coverage/os/suse.md
+++ b/docs/docs/coverage/os/suse.md
@@ -2,7 +2,9 @@
 Trivy supports the following distributions:

 - openSUSE Leap
- SUSE Enterprise Linux (SLE)
+- openSUSE Tumbleweed
+- SUSE Linux Enterprise (SLE)
+- SUSE Linux Enterprise Micro

 Please see [here](index.md#supported-os) for supported versions.

@@ -35,6 +37,6 @@ Trivy identifies licenses by examining the metadata of RPM packages.


 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
-[cvrf]: http://ftp.suse.com/pub/projects/security/cvrf/
+[cvrf]: https://ftp.suse.com/pub/projects/security/cvrf/

-[vulnerability statuses]: ../../configuration/filtering.md#by-status
+[vulnerability statuses]: ../../configuration/filtering.md#by-status
--- a/docs/docs/coverage/others/bitnami.md
+++ b/docs/docs/coverage/others/bitnami.md
@@ -4,8 +4,8 @@
    Scanning results may be inaccurate.

 While it is not an OS, this page describes the details of the [container images provided by Bitnami](https://github.com/bitnami/containers).
-Bitnami images are based on [Debian](debian.md).
-Please see [the Debian page](debian.md) for OS packages.
+Bitnami images are based on [Debian](../os/debian.md).
+Please see [the Debian page](../os/debian.md) for OS packages.

 Trivy supports the following scanners for Bitnami packages.

--- a/docs/docs/coverage/others/conda.md
+++ b/docs/docs/coverage/others/conda.md
@@ -8,6 +8,9 @@ Trivy supports the following scanners for Conda packages.
 | Vulnerability |     -     |
 |    License    |     ✓     |

+| Package manager | File            | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position | [Detection Priority][detection-priority] |
+|-----------------|-----------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|:----------------------------------------:|
+| Conda           | environment.yml |            -            |     Include      |                  -                   |    ✓     |                    -                     |


 ## `<package>.json`
@@ -41,3 +44,5 @@ To correctly define licenses, make sure your `environment.yml`[^1] contains `pre
 [environment.yml]: https://conda.io/projects/conda/en/latest/user-guide/tasks/manage-environments.html#sharing-an-environment
 [env-version-range]: https://docs.conda.io/projects/conda-build/en/latest/resources/package-spec.html#examples-of-package-specs
 [prefix]: https://conda.io/projects/conda/en/latest/user-guide/tasks/manage-environments.html#specifying-a-location-for-an-environment
+[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
+[detection-priority]: ../../scanner/vulnerability.md#detection-priority
--- a/docs/docs/coverage/others/rpm.md
+++ b/docs/docs/coverage/others/rpm.md
@@ -0,0 +1,42 @@
+# RPM Archives
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+Trivy supports the following scanners for RPM archives.
+
+|    Scanner    | Supported |
+|:-------------:|:---------:|
+|     SBOM      |     ✓     |
+| Vulnerability |   ✓[^1]   |
+|    License    |     ✓     |
+
+The table below outlines the features offered by Trivy.
+
+## SBOM
+Trivy analyzes RPM archives matching `*.rpm`.
+This feature is currently disabled by default but can be enabled with an environment variable, `TRIVY_EXPERIMENTAL_RPM_ARCHIVE`.
+
+```shell
+TRIVY_EXPERIMENTAL_RPM_ARCHIVE=true trivy fs ./rpms --format cyclonedx --output rpms.cdx.json
+```
+
+!!! note
+    Currently, it works with `--format cyclonedx`, `--format spdx` or `--format spdx-json`.
+
+
+## Vulnerability
+Since RPM files don't have OS information, you need to generate SBOM, fill in the OS information manually and then scan the SBOM for vulnerabilities.
+
+For example:
+
+```shell
+$ TRIVY_EXPERIMENTAL_RPM_ARCHIVE=true trivy fs ./rpms -f cyclonedx -o rpms.cdx.json
+$ jq '(.components[] | select(.type == "operating-system")) |= (.name = "redhat" | .version = "7.9")' rpms.cdx.json > rpms-res.cdx.json
+$ trivy sbom ./rpms-res.cdx.json
+```
+
+## License
+If licenses are included in the RPM archive, Trivy extracts it.
+
+[^1]: Need to generate SBOM first and add OS information to that SBOM
--- a/docs/docs/references/configuration/cli/trivy.md
+++ b/docs/docs/references/configuration/cli/trivy.md
@@ -56,5 +56,6 @@ trivy [global flags] command [flags] target
 * [trivy sbom](trivy_sbom.md)	 - Scan SBOM for vulnerabilities and licenses
 * [trivy server](trivy_server.md)	 - Server mode
 * [trivy version](trivy_version.md)	 - Print the version
+* [trivy vex](trivy_vex.md)	 - [EXPERIMENTAL] VEX utilities
 * [trivy vm](trivy_vm.md)	 - [EXPERIMENTAL] Scan a virtual machine image

--- a/docs/docs/references/configuration/cli/trivy_clean.md
+++ b/docs/docs/references/configuration/cli/trivy_clean.md
@@ -28,6 +28,7 @@ trivy clean [flags]
  -h, --help            help for clean
      --java-db         remove Java database
      --scan-cache      remove scan cache (container and VM image analysis results)
+      --vex-repo        remove VEX repositories
      --vuln-db         remove vulnerability database
 ```

--- a/docs/docs/references/configuration/cli/trivy_config.md
+++ b/docs/docs/references/configuration/cli/trivy_config.md
@@ -13,10 +13,11 @@ trivy config [flags] DIR
      --cache-ttl duration                cache TTL when using redis as cache backend
      --cf-params strings                 specify paths to override the CloudFormation parameters files
      --check-namespaces strings          Rego namespaces
-      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
+      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:1")
      --compliance string                 compliance report to generate
      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
+      --config-file-schemas strings       specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
      --enable-modules strings            [EXPERIMENTAL] module names to enable
      --exit-code int                     specify exit code when any security issues are found
      --file-patterns strings             specify config file patterns
--- a/docs/docs/references/configuration/cli/trivy_filesystem.md
+++ b/docs/docs/references/configuration/cli/trivy_filesystem.md
@@ -23,13 +23,18 @@ trivy filesystem [flags] PATH
      --cache-ttl duration                cache TTL when using redis as cache backend
      --cf-params strings                 specify paths to override the CloudFormation parameters files
      --check-namespaces strings          Rego namespaces
-      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
+      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:1")
      --compliance string                 compliance report to generate
      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
+      --config-file-schemas strings       specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
      --custom-headers strings            custom headers in client mode
-      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
+      --db-repository strings             OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
      --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
+      --detection-priority string         specify the detection priority:
+                                            - "precise": Prioritizes precise by minimizing false positives.
+                                            - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
+                                           (precise,comprehensive) (default "precise")
      --download-db-only                  download/update vulnerability database but don't run a scan
      --download-java-db-only             download/update Java index database but don't run a scan
      --enable-modules strings            [EXPERIMENTAL] module names to enable
@@ -51,7 +56,7 @@ trivy filesystem [flags] PATH
      --include-deprecated-checks         include deprecated checks
      --include-dev-deps                  include development dependencies in the report (supported: npm, yarn)
      --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
-      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
+      --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
      --license-confidence-level float    specify license classifier's confidence level (default 0.9)
      --license-full                      eagerly look for licenses in source code headers and license files
      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
@@ -63,6 +68,8 @@ trivy filesystem [flags] PATH
      --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
      --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
+      --pkg-relationships strings         list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
+      --pkg-types strings                 list of package types (os,library) (default [os,library])
      --redis-ca string                   redis ca file location, if using redis as cache backend
      --redis-cert string                 redis certificate file location, if using redis as cache backend
      --redis-key string                  redis key file location, if using redis as cache backend
@@ -81,6 +88,7 @@ trivy filesystem [flags] PATH
      --skip-dirs strings                 specify the directories or glob patterns to skip
      --skip-files strings                specify the files or glob patterns to skip
      --skip-java-db-update               skip updating Java index database
+      --skip-vex-repo-update              [EXPERIMENTAL] Skip VEX Repository update
  -t, --template string                   output template
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
      --tf-vars strings                   specify paths to override the Terraform tfvars files
@@ -88,8 +96,7 @@ trivy filesystem [flags] PATH
      --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
      --trace                             enable more verbose trace output for custom queries
      --username strings                  username. Comma-separated usernames allowed.
-      --vex string                        [EXPERIMENTAL] file path to VEX
-      --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
+      --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
 ```

 ### Options inherited from parent commands
--- a/docs/docs/references/configuration/cli/trivy_image.md
+++ b/docs/docs/references/configuration/cli/trivy_image.md
@@ -37,13 +37,18 @@ trivy image [flags] IMAGE_NAME
      --cache-backend string              [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration                cache TTL when using redis as cache backend
      --check-namespaces strings          Rego namespaces
-      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
+      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:1")
      --compliance string                 compliance report to generate (docker-cis-1.6.0)
      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
+      --config-file-schemas strings       specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
      --custom-headers strings            custom headers in client mode
-      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
+      --db-repository strings             OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
      --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
+      --detection-priority string         specify the detection priority:
+                                            - "precise": Prioritizes precise by minimizing false positives.
+                                            - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
+                                           (precise,comprehensive) (default "precise")
      --docker-host string                unix domain socket path to use for docker scanning
      --download-db-only                  download/update vulnerability database but don't run a scan
      --download-java-db-only             download/update Java index database but don't run a scan
@@ -69,7 +74,7 @@ trivy image [flags] IMAGE_NAME
      --include-deprecated-checks         include deprecated checks
      --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
      --input string                      input file path instead of image name
-      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
+      --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
      --license-confidence-level float    specify license classifier's confidence level (default 0.9)
      --license-full                      eagerly look for licenses in source code headers and license files
      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
@@ -81,6 +86,8 @@ trivy image [flags] IMAGE_NAME
      --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
      --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
+      --pkg-relationships strings         list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
+      --pkg-types strings                 list of package types (os,library) (default [os,library])
      --platform string                   set platform in the form os/arch if image is multi-platform capable
      --podman-host string                unix podman socket path to use for podman scanning
      --redis-ca string                   redis ca file location, if using redis as cache backend
@@ -102,14 +109,14 @@ trivy image [flags] IMAGE_NAME
      --skip-dirs strings                 specify the directories or glob patterns to skip
      --skip-files strings                specify the files or glob patterns to skip
      --skip-java-db-update               skip updating Java index database
+      --skip-vex-repo-update              [EXPERIMENTAL] Skip VEX Repository update
  -t, --template string                   output template
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
      --token string                      for authentication in client/server mode
      --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
      --trace                             enable more verbose trace output for custom queries
      --username strings                  username. Comma-separated usernames allowed.
-      --vex string                        [EXPERIMENTAL] file path to VEX
-      --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
+      --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
 ```

 ### Options inherited from parent commands
--- a/docs/docs/references/configuration/cli/trivy_kubernetes.md
+++ b/docs/docs/references/configuration/cli/trivy_kubernetes.md
@@ -33,12 +33,17 @@ trivy kubernetes [flags] [CONTEXT]
      --cache-backend string              [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration                cache TTL when using redis as cache backend
      --check-namespaces strings          Rego namespaces
-      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
+      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:1")
      --compliance string                 compliance report to generate (k8s-nsa-1.0,k8s-cis-1.23,eks-cis-1.4,rke2-cis-1.24,k8s-pss-baseline-0.1,k8s-pss-restricted-0.1)
      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
-      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
+      --config-file-schemas strings       specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
+      --db-repository strings             OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
      --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
+      --detection-priority string         specify the detection priority:
+                                            - "precise": Prioritizes precise by minimizing false positives.
+                                            - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
+                                           (precise,comprehensive) (default "precise")
      --disable-node-collector            When the flag is activated, the node-collector job will not be executed, thus skipping misconfiguration findings on the node.
      --download-db-only                  download/update vulnerability database but don't run a scan
      --download-java-db-only             download/update Java index database but don't run a scan
@@ -65,7 +70,7 @@ trivy kubernetes [flags] [CONTEXT]
      --include-kinds strings             indicate the kinds included in scanning (example: node)
      --include-namespaces strings        indicate the namespaces included in scanning (example: kube-system)
      --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
-      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
+      --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
      --k8s-version string                specify k8s version to validate outdated api by it (example: 1.21.0)
      --kubeconfig string                 specify the kubeconfig file path to use
      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
@@ -78,6 +83,8 @@ trivy kubernetes [flags] [CONTEXT]
      --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
      --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
+      --pkg-relationships strings         list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
+      --pkg-types strings                 list of package types (os,library) (default [os,library])
      --qps float                         specify the maximum QPS to the master from this client (default 5)
      --redis-ca string                   redis ca file location, if using redis as cache backend
      --redis-cert string                 redis certificate file location, if using redis as cache backend
@@ -97,13 +104,13 @@ trivy kubernetes [flags] [CONTEXT]
      --skip-files strings                specify the files or glob patterns to skip
      --skip-images                       skip the downloading and scanning of images (vulnerabilities and secrets) in the cluster resources
      --skip-java-db-update               skip updating Java index database
+      --skip-vex-repo-update              [EXPERIMENTAL] Skip VEX Repository update
  -t, --template string                   output template
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
      --tolerations strings               specify node-collector job tolerations (example: key1=value1:NoExecute,key2=value2:NoSchedule)
      --trace                             enable more verbose trace output for custom queries
      --username strings                  username. Comma-separated usernames allowed.
-      --vex string                        [EXPERIMENTAL] file path to VEX
-      --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
+      --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
 ```

 ### Options inherited from parent commands
--- a/docs/docs/references/configuration/cli/trivy_repository.md
+++ b/docs/docs/references/configuration/cli/trivy_repository.md
@@ -23,13 +23,18 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
      --cache-ttl duration                cache TTL when using redis as cache backend
      --cf-params strings                 specify paths to override the CloudFormation parameters files
      --check-namespaces strings          Rego namespaces
-      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
+      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:1")
      --commit string                     pass the commit hash to be scanned
      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
+      --config-file-schemas strings       specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
      --custom-headers strings            custom headers in client mode
-      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
+      --db-repository strings             OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
      --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
+      --detection-priority string         specify the detection priority:
+                                            - "precise": Prioritizes precise by minimizing false positives.
+                                            - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
+                                           (precise,comprehensive) (default "precise")
      --download-db-only                  download/update vulnerability database but don't run a scan
      --download-java-db-only             download/update Java index database but don't run a scan
      --enable-modules strings            [EXPERIMENTAL] module names to enable
@@ -51,7 +56,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
      --include-deprecated-checks         include deprecated checks
      --include-dev-deps                  include development dependencies in the report (supported: npm, yarn)
      --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
-      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
+      --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
      --license-confidence-level float    specify license classifier's confidence level (default 0.9)
      --license-full                      eagerly look for licenses in source code headers and license files
      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
@@ -63,6 +68,8 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
      --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
      --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
+      --pkg-relationships strings         list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
+      --pkg-types strings                 list of package types (os,library) (default [os,library])
      --redis-ca string                   redis ca file location, if using redis as cache backend
      --redis-cert string                 redis certificate file location, if using redis as cache backend
      --redis-key string                  redis key file location, if using redis as cache backend
@@ -80,6 +87,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
      --skip-dirs strings                 specify the directories or glob patterns to skip
      --skip-files strings                specify the files or glob patterns to skip
      --skip-java-db-update               skip updating Java index database
+      --skip-vex-repo-update              [EXPERIMENTAL] Skip VEX Repository update
      --tag string                        pass the tag name to be scanned
  -t, --template string                   output template
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
@@ -88,8 +96,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
      --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
      --trace                             enable more verbose trace output for custom queries
      --username strings                  username. Comma-separated usernames allowed.
-      --vex string                        [EXPERIMENTAL] file path to VEX
-      --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
+      --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
 ```

 ### Options inherited from parent commands
--- a/docs/docs/references/configuration/cli/trivy_rootfs.md
+++ b/docs/docs/references/configuration/cli/trivy_rootfs.md
@@ -26,12 +26,17 @@ trivy rootfs [flags] ROOTDIR
      --cache-ttl duration                cache TTL when using redis as cache backend
      --cf-params strings                 specify paths to override the CloudFormation parameters files
      --check-namespaces strings          Rego namespaces
-      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
+      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:1")
      --config-check strings              specify the paths to the Rego check files or to the directories containing them, applying config files
      --config-data strings               specify paths from which data for the Rego checks will be recursively loaded
+      --config-file-schemas strings       specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
      --custom-headers strings            custom headers in client mode
-      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
+      --db-repository strings             OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
      --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
+      --detection-priority string         specify the detection priority:
+                                            - "precise": Prioritizes precise by minimizing false positives.
+                                            - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
+                                           (precise,comprehensive) (default "precise")
      --download-db-only                  download/update vulnerability database but don't run a scan
      --download-java-db-only             download/update Java index database but don't run a scan
      --enable-modules strings            [EXPERIMENTAL] module names to enable
@@ -53,7 +58,7 @@ trivy rootfs [flags] ROOTDIR
      --ignorefile string                 specify .trivyignore file (default ".trivyignore")
      --include-deprecated-checks         include deprecated checks
      --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
-      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
+      --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
      --license-confidence-level float    specify license classifier's confidence level (default 0.9)
      --license-full                      eagerly look for licenses in source code headers and license files
      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
@@ -65,6 +70,8 @@ trivy rootfs [flags] ROOTDIR
      --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
      --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
+      --pkg-relationships strings         list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
+      --pkg-types strings                 list of package types (os,library) (default [os,library])
      --redis-ca string                   redis ca file location, if using redis as cache backend
      --redis-cert string                 redis certificate file location, if using redis as cache backend
      --redis-key string                  redis key file location, if using redis as cache backend
@@ -82,6 +89,7 @@ trivy rootfs [flags] ROOTDIR
      --skip-dirs strings                 specify the directories or glob patterns to skip
      --skip-files strings                specify the files or glob patterns to skip
      --skip-java-db-update               skip updating Java index database
+      --skip-vex-repo-update              [EXPERIMENTAL] Skip VEX Repository update
  -t, --template string                   output template
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
      --tf-vars strings                   specify paths to override the Terraform tfvars files
@@ -89,8 +97,7 @@ trivy rootfs [flags] ROOTDIR
      --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
      --trace                             enable more verbose trace output for custom queries
      --username strings                  username. Comma-separated usernames allowed.
-      --vex string                        [EXPERIMENTAL] file path to VEX
-      --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
+      --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
 ```

 ### Options inherited from parent commands
--- a/docs/docs/references/configuration/cli/trivy_sbom.md
+++ b/docs/docs/references/configuration/cli/trivy_sbom.md
@@ -20,48 +20,54 @@ trivy sbom [flags] SBOM_PATH
 ### Options

 ```
-      --cache-backend string        [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory")
-      --cache-ttl duration          cache TTL when using redis as cache backend
-      --compliance string           compliance report to generate
-      --custom-headers strings      custom headers in client mode
-      --db-repository string        OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
-      --download-db-only            download/update vulnerability database but don't run a scan
-      --download-java-db-only       download/update Java index database but don't run a scan
-      --exit-code int               specify exit code when any security issues are found
-      --exit-on-eol int             exit with the specified code when the OS reaches end of service/life
-      --file-patterns strings       specify config file patterns
-  -f, --format string               format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
-  -h, --help                        help for sbom
-      --ignore-policy string        specify the Rego file path to evaluate each vulnerability
-      --ignore-status strings       comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
-      --ignore-unfixed              display only fixed vulnerabilities
-      --ignored-licenses strings    specify a list of license to ignore
-      --ignorefile string           specify .trivyignore file (default ".trivyignore")
-      --java-db-repository string   OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
-      --list-all-pkgs               output all packages in the JSON report regardless of vulnerability
-      --no-progress                 suppress progress bar
-      --offline-scan                do not issue API requests to identify dependencies
-  -o, --output string               output file name
-      --output-plugin-arg string    [EXPERIMENTAL] output plugin arguments
-      --redis-ca string             redis ca file location, if using redis as cache backend
-      --redis-cert string           redis certificate file location, if using redis as cache backend
-      --redis-key string            redis key file location, if using redis as cache backend
-      --redis-tls                   enable redis TLS with public certificates, if using redis as cache backend
-      --rekor-url string            [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
-      --sbom-sources strings        [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
-      --scanners strings            comma-separated list of what security issues to detect (vuln,license) (default [vuln])
-      --server string               server address in client mode
-  -s, --severity strings            severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
-      --show-suppressed             [EXPERIMENTAL] show suppressed vulnerabilities
-      --skip-db-update              skip updating vulnerability database
-      --skip-dirs strings           specify the directories or glob patterns to skip
-      --skip-files strings          specify the files or glob patterns to skip
-      --skip-java-db-update         skip updating Java index database
-  -t, --template string             output template
-      --token string                for authentication in client/server mode
-      --token-header string         specify a header name for token in client/server mode (default "Trivy-Token")
-      --vex string                  [EXPERIMENTAL] file path to VEX
-      --vuln-type strings           comma-separated list of vulnerability types (os,library) (default [os,library])
+      --cache-backend string         [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory")
+      --cache-ttl duration           cache TTL when using redis as cache backend
+      --compliance string            compliance report to generate
+      --custom-headers strings       custom headers in client mode
+      --db-repository strings        OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
+      --detection-priority string    specify the detection priority:
+                                       - "precise": Prioritizes precise by minimizing false positives.
+                                       - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
+                                      (precise,comprehensive) (default "precise")
+      --download-db-only             download/update vulnerability database but don't run a scan
+      --download-java-db-only        download/update Java index database but don't run a scan
+      --exit-code int                specify exit code when any security issues are found
+      --exit-on-eol int              exit with the specified code when the OS reaches end of service/life
+      --file-patterns strings        specify config file patterns
+  -f, --format string                format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+  -h, --help                         help for sbom
+      --ignore-policy string         specify the Rego file path to evaluate each vulnerability
+      --ignore-status strings        comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
+      --ignore-unfixed               display only fixed vulnerabilities
+      --ignored-licenses strings     specify a list of license to ignore
+      --ignorefile string            specify .trivyignore file (default ".trivyignore")
+      --java-db-repository strings   OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
+      --list-all-pkgs                output all packages in the JSON report regardless of vulnerability
+      --no-progress                  suppress progress bar
+      --offline-scan                 do not issue API requests to identify dependencies
+  -o, --output string                output file name
+      --output-plugin-arg string     [EXPERIMENTAL] output plugin arguments
+      --pkg-relationships strings    list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
+      --pkg-types strings            list of package types (os,library) (default [os,library])
+      --redis-ca string              redis ca file location, if using redis as cache backend
+      --redis-cert string            redis certificate file location, if using redis as cache backend
+      --redis-key string             redis key file location, if using redis as cache backend
+      --redis-tls                    enable redis TLS with public certificates, if using redis as cache backend
+      --rekor-url string             [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --sbom-sources strings         [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
+      --scanners strings             comma-separated list of what security issues to detect (vuln,license) (default [vuln])
+      --server string                server address in client mode
+  -s, --severity strings             severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --show-suppressed              [EXPERIMENTAL] show suppressed vulnerabilities
+      --skip-db-update               skip updating vulnerability database
+      --skip-dirs strings            specify the directories or glob patterns to skip
+      --skip-files strings           specify the files or glob patterns to skip
+      --skip-java-db-update          skip updating Java index database
+      --skip-vex-repo-update         [EXPERIMENTAL] Skip VEX Repository update
+  -t, --template string              output template
+      --token string                 for authentication in client/server mode
+      --token-header string          specify a header name for token in client/server mode (default "Trivy-Token")
+      --vex strings                  [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
 ```

 ### Options inherited from parent commands
--- a/docs/docs/references/configuration/cli/trivy_server.md
+++ b/docs/docs/references/configuration/cli/trivy_server.md
@@ -22,7 +22,7 @@ trivy server [flags]
 ```
      --cache-backend string     [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration       cache TTL when using redis as cache backend
-      --db-repository string     OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
+      --db-repository strings    OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
      --download-db-only         download/update vulnerability database but don't run a scan
      --enable-modules strings   [EXPERIMENTAL] module names to enable
  -h, --help                     help for server
--- a/docs/docs/references/configuration/cli/trivy_vex.md
+++ b/docs/docs/references/configuration/cli/trivy_vex.md
@@ -0,0 +1,28 @@
+## trivy vex
+
+[EXPERIMENTAL] VEX utilities
+
+### Options
+
+```
+  -h, --help   help for vex
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy](trivy.md)	 - Unified security scanner
+* [trivy vex repo](trivy_vex_repo.md)	 - Manage VEX repositories
+
--- a/docs/docs/references/configuration/cli/trivy_vex_repo.md
+++ b/docs/docs/references/configuration/cli/trivy_vex_repo.md
@@ -0,0 +1,44 @@
+## trivy vex repo
+
+Manage VEX repositories
+
+### Examples
+
+```
+  # Initialize the configuration file
+  $ trivy vex repo init
+
+  # List VEX repositories
+  $ trivy vex repo list
+
+  # Download the VEX repositories
+  $ trivy vex repo download
+
+```
+
+### Options
+
+```
+  -h, --help   help for repo
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy vex](trivy_vex.md)	 - [EXPERIMENTAL] VEX utilities
+* [trivy vex repo download](trivy_vex_repo_download.md)	 - Download the VEX repositories
+* [trivy vex repo init](trivy_vex_repo_init.md)	 - Initialize a configuration file
+* [trivy vex repo list](trivy_vex_repo_list.md)	 - List VEX repositories
+
--- a/docs/docs/references/configuration/cli/trivy_vex_repo_download.md
+++ b/docs/docs/references/configuration/cli/trivy_vex_repo_download.md
@@ -0,0 +1,35 @@
+## trivy vex repo download
+
+Download the VEX repositories
+
+### Synopsis
+
+Downloads enabled VEX repositories. If specific repository names are provided as arguments, only those repositories will be downloaded. Otherwise, all enabled repositories are downloaded.
+
+```
+trivy vex repo download [REPO_NAMES] [flags]
+```
+
+### Options
+
+```
+  -h, --help   help for download
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy vex repo](trivy_vex_repo.md)	 - Manage VEX repositories
+
--- a/docs/docs/references/configuration/cli/trivy_vex_repo_init.md
+++ b/docs/docs/references/configuration/cli/trivy_vex_repo_init.md
@@ -0,0 +1,31 @@
+## trivy vex repo init
+
+Initialize a configuration file
+
+```
+trivy vex repo init [flags]
+```
+
+### Options
+
+```
+  -h, --help   help for init
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy vex repo](trivy_vex_repo.md)	 - Manage VEX repositories
+
--- a/docs/docs/references/configuration/cli/trivy_vex_repo_list.md
+++ b/docs/docs/references/configuration/cli/trivy_vex_repo_list.md
@@ -0,0 +1,31 @@
+## trivy vex repo list
+
+List VEX repositories
+
+```
+trivy vex repo list [flags]
+```
+
+### Options
+
+```
+  -h, --help   help for list
+```
+
+### Options inherited from parent commands
+
+```
+      --cache-dir string          cache directory (default "/path/to/cache")
+  -c, --config string             config path (default "trivy.yaml")
+  -d, --debug                     debug mode
+      --generate-default-config   write the default config to trivy-default.yaml
+      --insecure                  allow insecure server connections
+  -q, --quiet                     suppress progress bar and log output
+      --timeout duration          timeout (default 5m0s)
+  -v, --version                   show version
+```
+
+### SEE ALSO
+
+* [trivy vex repo](trivy_vex_repo.md)	 - Manage VEX repositories
+
--- a/docs/docs/references/configuration/cli/trivy_vm.md
+++ b/docs/docs/references/configuration/cli/trivy_vm.md
@@ -23,11 +23,16 @@ trivy vm [flags] VM_IMAGE
      --aws-region string                 AWS region to scan
      --cache-backend string              [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs")
      --cache-ttl duration                cache TTL when using redis as cache backend
-      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:0")
+      --checks-bundle-repository string   OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:1")
      --compliance string                 compliance report to generate
+      --config-file-schemas strings       specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
      --custom-headers strings            custom headers in client mode
-      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
+      --db-repository strings             OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
      --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
+      --detection-priority string         specify the detection priority:
+                                            - "precise": Prioritizes precise by minimizing false positives.
+                                            - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
+                                           (precise,comprehensive) (default "precise")
      --download-db-only                  download/update vulnerability database but don't run a scan
      --download-java-db-only             download/update Java index database but don't run a scan
      --enable-modules strings            [EXPERIMENTAL] module names to enable
@@ -47,7 +52,7 @@ trivy vm [flags] VM_IMAGE
      --ignore-unfixed                    display only fixed vulnerabilities
      --ignorefile string                 specify .trivyignore file (default ".trivyignore")
      --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
-      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
+      --java-db-repository strings        OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
      --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
@@ -56,6 +61,8 @@ trivy vm [flags] VM_IMAGE
  -o, --output string                     output file name
      --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
      --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
+      --pkg-relationships strings         list of package relationships (unknown,root,direct,indirect) (default [unknown,root,direct,indirect])
+      --pkg-types strings                 list of package types (os,library) (default [os,library])
      --redis-ca string                   redis ca file location, if using redis as cache backend
      --redis-cert string                 redis certificate file location, if using redis as cache backend
      --redis-key string                  redis key file location, if using redis as cache backend
@@ -71,12 +78,12 @@ trivy vm [flags] VM_IMAGE
      --skip-dirs strings                 specify the directories or glob patterns to skip
      --skip-files strings                specify the files or glob patterns to skip
      --skip-java-db-update               skip updating Java index database
+      --skip-vex-repo-update              [EXPERIMENTAL] Skip VEX Repository update
  -t, --template string                   output template
      --tf-exclude-downloaded-modules     exclude misconfigurations for downloaded terraform modules
      --token string                      for authentication in client/server mode
      --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
-      --vex string                        [EXPERIMENTAL] file path to VEX
-      --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
+      --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
 ```

 ### Options inherited from parent commands
--- a/docs/docs/references/configuration/config-file.md
+++ b/docs/docs/references/configuration/config-file.md
--- a/docs/docs/references/modes/client-server.md
+++ b/docs/docs/references/modes/client-server.md
@@ -2,9 +2,22 @@

 Trivy has client/server mode. Trivy server has vulnerability database and Trivy client doesn't have to download vulnerability database. It is useful if you want to scan images or files at multiple locations and do not want to download the database at every location.

-|   Client/Server Mode  | Image | Rootfs | Filesystem | Repository | Config | AWS | K8s |
-|:---------------------:|:-----:|:------:|:----------:|:----------:|:------:|:---:|:---:|
-|       Supported       |   ✅  |   ✅     |     ✅     |     ✅     |  ✅    | X   |  X  |
+| Client/Server Mode | Image | Rootfs | Filesystem | Repository | Config | K8s |
+|:------------------:|:-----:|:------:|:----------:|:----------:|:------:|:---:|
+|     Supported      |   ✅   |   ✅    |     ✅      |     ✅      |   -    |  -  |
+
+Some scanners run on the client side, even in client/server mode.
+
+|     Scanner      | Run on Client or Server |
+|:----------------:|:-----------------------:|
+|  Vulnerability   |         Server          |
+| Misconfiguration |       Client[^1]        |
+|      Secret      |       Client[^2]        |
+|     License      |         Server          |
+
+!!! note
+    Scanning of misconfigurations and licenses is performed on the client side (as in standalone mode).
+    Otherwise, the client would need to send files to the server that may contain sensitive information.

 ## Server
 At first, you need to launch Trivy server. It downloads vulnerability database automatically and continue to fetch the latest DB in the background.
@@ -338,3 +351,5 @@ Returns the `200 OK` status if the request was successful.

 ![architecture](../../../imgs/client-server.png)

+[^1]: The checks bundle is also downloaded on the client side.
+[^2]: The scan result with masked secrets is sent to the server
--- a/docs/docs/references/troubleshooting.md
+++ b/docs/docs/references/troubleshooting.md
@@ -203,10 +203,7 @@ Trivy v0.23.0 or later requires Trivy DB v2. Please update your local database o
 !!! error
    FATAL failed to download vulnerability DB

-If trivy is running behind corporate firewall, you have to add the following urls to your allowlist.
-
- ghcr.io
- pkg-containers.githubusercontent.com
+If Trivy is running behind corporate firewall, refer to the necessary connectivity requirements as described [here][network].

 ### Denied

@@ -271,4 +268,5 @@ $ trivy clean --all
 ```

 [air-gapped]: ../advanced/air-gap.md
+[network]: ../advanced/air-gap.md#network-requirements
 [redis-cache]: ../../vulnerability/examples/cache/#cache-backend
--- a/docs/docs/scanner/misconfiguration/check/builtin.md
+++ b/docs/docs/scanner/misconfiguration/check/builtin.md
@@ -1,21 +1,20 @@
 # Built-in Checks 

-## Check Sources
-Built-in checks are mainly written in [Rego][rego] and Go.
-Those checks are managed under [trivy-checks repository][trivy-checks].
+## Checks Sources
+Trivy has an extensive library of misconfiguration checks that is maintained at <https://github.com/aquasecurity/trivy-checks>.  
+Trivy checks are mainly written in [Rego][rego], while some checks are written in Go.  
 See [here](../../../coverage/iac/index.md) for the list of supported config types.

-For suggestions or issues regarding policy content, please open an issue under the [trivy-checks][trivy-checks] repository.
+## Checks Bundle
+When performing a misconfiguration scan, Trivy will automatically download the relevant Checks bundle. The bundle is cached locally and Trivy will reuse it for subsequent scans on the same machine. Trivy takes care of updating the cache automatically, so normally users can be oblivious to it.

-## Check Distribution
-Trivy checks are distributed as an OPA bundle on [GitHub Container Registry][ghcr] (GHCR).
-When misconfiguration detection is enabled, Trivy pulls the OPA bundle from GHCR as an OCI artifact and stores it in the cache.
-Those checks are then loaded into Trivy OPA engine and used for detecting misconfigurations.
-If Trivy is unable to pull down newer checks, it will use the embedded set of checks as a fallback. This is also the case in air-gap environments where `--skip-policy-update` might be passed.
-
-## Update Interval
+## Checks Distribution
+Trivy checks are distributed as an [OPA bundle](opa-bundle) hosted in the following GitHub Container Registry: <https://ghcr.io/aquasecurity/trivy-checks>.  
 Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if there are any updates.

+### External connectivity
+Trivy needs to connect to the internet to download the bundle. If you are running Trivy in an air-gapped environment, or an tightly controlled network, please refer to the [Advanced Network Scenarios document](../../../advanced/air-gap.md).  
+The Checks bundle is also embedded in the Trivy binary (at build time), and will be used as a fallback if Trivy is unable to download the bundle. This means that you can still scan for misconfigurations in an air-gapped environment using the Checks from the time of the Trivy release you are using.
+
 [rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
-[trivy-checks]: https://github.com/aquasecurity/trivy-checks
-[ghcr]: https://github.com/aquasecurity/trivy-checks/pkgs/container/trivy-checks
+[opa-bundle]: https://www.openpolicyagent.org/docs/latest/management-bundles/
--- a/docs/docs/scanner/misconfiguration/custom/data.md
+++ b/docs/docs/scanner/misconfiguration/custom/data.md
@@ -1,15 +1,14 @@
 # Custom Data

-Custom checks may require additional data in order to determine an answer.
+Custom checks may require additional data in order to make a resolution. You can pass arbitrary data files to Trivy to be used when evaluating rego checks using the `--data` flag. 
+Trivy recursively searches the specified data paths for JSON (`*.json`) and YAML (`*.yaml`) files.

-For example, an allowed list of resources that can be created. 
-Instead of hardcoding this information inside your policy, Trivy allows passing paths to data files with the `--data` flag.
+For example, consider an allowed list of resources that can be created. 
+Instead of hardcoding this information inside your policy, you can maintain the list in a separate file.

-Given the following yaml file:
+Example data file:

-```bash
-$ cd examples/misconf/custom-data
-$ cat data/ports.yaml                                                                                                                                                                      [~/src/github.com/aquasecurity/trivy/examples/misconf/custom-data]
+```yaml
 services:
  ports:
    - "20"
@@ -19,7 +18,7 @@ services:
    - "23/tcp"
 ```

-This can be imported into your policy:
+Example usage in a Rego check:

 ```rego
 import data.services
@@ -27,9 +26,8 @@ import data.services
 ports := services.ports
 ```

-Then, you need to pass data paths through `--data` option.
-Trivy recursively searches the specified paths for JSON (`*.json`) and YAML (`*.yaml`) files.
+Example loading the data file:

 ```bash
-$ trivy conf --policy ./policy --data data --namespaces user ./configs
-```
+trivy config --config-check ./checks --data ./data --namespaces user ./configs
+```
--- a/docs/docs/scanner/misconfiguration/custom/debug.md
+++ b/docs/docs/scanner/misconfiguration/custom/debug.md
@@ -7,7 +7,7 @@ This will output a large trace from Open Policy Agent like the following:
    Only failed checks show traces. If you want to debug a passed check, you need to make it fail on purpose.

 ```shell
-$ trivy conf --trace configs/
+$ trivy config --trace configs/
 2022-05-16T13:47:58.853+0100	INFO	Detected config files: 1

 Dockerfile (dockerfile)
--- a/docs/docs/scanner/misconfiguration/custom/index.md
+++ b/docs/docs/scanner/misconfiguration/custom/index.md
@@ -2,10 +2,10 @@

 ## Overview
 You can write custom checks in [Rego][rego].
-Once you finish writing custom checks, you can pass the policy files or the directory where those policies are stored with `--policy` option.
+Once you finish writing custom checks, you can pass the check files or the directory where those checks are stored with --config-check` option.

 ``` bash
-trivy conf --policy /path/to/policy.rego --policy /path/to/custom_policies --namespaces user /path/to/config_dir
+trivy config --config-check /path/to/policy.rego --config-check /path/to/custom_checks --namespaces user /path/to/config_dir
 ```

 As for `--namespaces` option, the detail is described as below.
@@ -93,7 +93,7 @@ By default, only `builtin.*` packages will be evaluated.
 If you define custom packages, you have to specify the package prefix via `--namespaces` option. By default, Trivy only runs in its own namespace, unless specified by the user. Note that the custom namespace does not have to be `user` as in this example. It could be anything user-defined.

 ``` bash
-trivy conf --policy /path/to/custom_policies --namespaces user /path/to/config_dir
+trivy config --config-check /path/to/custom_checks --namespaces user /path/to/config_dir
 ```

 In this case, `user.*` will be evaluated.
@@ -135,7 +135,7 @@ correct and do not reference incorrect properties/values.

 #### custom.avd_id and custom.id

-The AVD_ID can be used to link the check to the Aqua Vulnerability Database (AVD) entry. For example, the `avd_id` `AVD-AWS-0176` is the ID of the check in the [AWS Vulnerability Database](https://avd.aquasec.com/). If you are [contributing your check to trivy-policies](../../../../community/contribute/checks/overview.md), you need to generate an ID using `make id` in the [trivy-checks](https://github.com/aquasecurity/trivy-checks) repository. The output of the command will provide you the next free IDs for the different providers in Trivy.
+The AVD_ID can be used to link the check to the Aqua Vulnerability Database (AVD) entry. For example, the `avd_id` `AVD-AWS-0176` is the ID of the check in the [AWS Vulnerability Database](https://avd.aquasec.com/). If you are [contributing your check to trivy-checks](../../../../community/contribute/checks/overview.md), you need to generate an ID using `make id` in the [trivy-checks](https://github.com/aquasecurity/trivy-checks) repository. The output of the command will provide you the next free IDs for the different providers in Trivy.

 The ID is based on the AVD_ID. For instance if the `avd_id` is `AVD-AWS-0176`, the ID is `ID0176`.

--- a/docs/docs/scanner/misconfiguration/custom/schema.md
+++ b/docs/docs/scanner/misconfiguration/custom/schema.md
@@ -1,7 +1,7 @@
 # Input Schema

 ## Overview
-Policies can be defined with custom schemas that allow inputs to be verified against them. Adding a policy schema
+Checks can be defined with custom schemas that allow inputs to be verified against them. Adding a policy schema
 enables Trivy to show more detailed error messages when an invalid input is encountered.

 In Trivy we have been able to define a schema for a [Dockerfile](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/rego/schemas)
--- a/docs/docs/scanner/misconfiguration/index.md
+++ b/docs/docs/scanner/misconfiguration/index.md
@@ -101,13 +101,13 @@ For example, the following example holds IaC files for Terraform, CloudFormation
 ``` bash
 $ ls iac/
 Dockerfile  deployment.yaml  main.tf mysql-8.8.26.tar
-$ trivy conf --severity HIGH,CRITICAL ./iac
+$ trivy config --severity HIGH,CRITICAL ./iac
 ```

 <details>
 <summary>Result</summary>

-```
+```bash
 2022-06-06T11:01:21.142+0100	INFO	Detected config files: 8

 Dockerfile (dockerfile)
@@ -315,6 +315,9 @@ Failures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)
 This section describes misconfiguration-specific configuration.
 Other common options are documented [here](../../configuration/index.md).

+### External connectivity
+Trivy needs to connect to the internet to download the checks bundle. If you are running Trivy in an air-gapped environment, or an tightly controlled network, please refer to the [Advanced Network Scenarios document](../../advanced/air-gap.md).
+
 ### Enabling a subset of misconfiguration scanners
 It's possible to only enable certain misconfiguration scanners if you prefer.
 You can do so by passing the `--misconfig-scanners` option.
@@ -326,19 +329,86 @@ trivy config --misconfig-scanners=terraform,dockerfile .

 Will only scan for misconfigurations that pertain to Terraform and Dockerfiles.

-### Passing custom checks
-You can pass policy files or directories including your custom checks through `--policy` option.
+### Loading custom checks
+You can load check files or directories including your custom checks using the `--config-check` flag.
 This can be repeated for specifying multiple files or directories.

 ```bash
-cd examplex/misconf/
-trivy conf --policy custom-policy/policy --policy combine/policy --policy policy.rego --namespaces user misconf/mixed
+trivy config --config-check custom-policy/policy --config-check combine/policy --config-check policy.rego --namespaces user myapp
 ```

-For more details, see [Custom Checks](./custom/index.md).
+You can load checks bundle as OCI Image from a Container Registry using the `--checks-bundle-repository` flag.
+
+```bash
+trivy config --checks-bundle-repository myregistry.local/mychecks --namespaces user myapp
+```
+
+
+### Scan arbitrary JSON and YAML configurations
+By default, scanning JSON and YAML configurations is disabled, since Trivy does not contain built-in checks for these configurations. To enable it, pass the `json` or `yaml` to `--misconfig-scanners`. See [Enabling a subset of misconfiguration scanners](#enabling-a-subset-of-misconfiguration-scanners) for more information. Trivy will pass each file as is to the checks input.
+
+
+!!! example
+```bash
+$ cat iac/serverless.yaml
+service: serverless-rest-api-with-pynamodb
+
+frameworkVersion: ">=2.24.0"
+
+plugins:
+  - serverless-python-requirements
+...
+
+$ cat serverless.rego
+# METADATA
+# title: Serverless Framework service name not starting with "aws-"
+# description: Ensure that Serverless Framework service names start with "aws-"
+# schemas:
+#   - input: schema["serverless-schema"]
+# custom:
+#   id: SF001
+#   severity: LOW
+package user.serverless001
+
+deny[res] {
+    not startswith(input.service, "aws-")
+    res := result.new(
+        sprintf("Service name %q is not allowed", [input.service]),
+        input.service
+    )
+}
+
+$ trivy config --misconfig-scanners=json,yaml --config-check ./serverless.rego --check-namespaces user ./iac
+serverless.yaml (yaml)
+
+Tests: 4 (SUCCESSES: 3, FAILURES: 1, EXCEPTIONS: 0)
+Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
+
+LOW: Service name "serverless-rest-api-with-pynamodb" is not allowed
+═════════════════════════════════════════════════════════════════════════════════════════════════════════
+Ensure that Serverless Framework service names start with "aws-"
+```
+
+!!! note
+    In the case above, the custom check specified has a metadata annotation for the input schema `input: schema["serverless-schema"]`. This allows Trivy to type check the input IaC files provided.
+
+Optionally, you can also pass schemas using the `config-file-schemas` flag. Trivy will use these schemas for file filtering and type checking in Rego checks.
+
+!!! example
+```bash
+$ trivy config --misconfig-scanners=json,yaml --config-check ./serverless.rego --check-namespaces user --config-file-schemas ./serverless-schema.json ./iac
+```
+
+If the `--config-file-schemas` flag is specified Trivy ensures that each input IaC config file being scanned is type-checked against the schema. If the input file does not match any of the passed schemas, it will be ignored. 
+
+If the schema is specified in the check metadata and is in the directory specified in the `--config-check` argument, it will be automatically loaded as specified [here](./custom/schema.md#custom-checks-with-custom-schemas), and will only be used for type checking in Rego.
+
+!!! note
+    If a user specifies the `--config-file-schemas` flag, all input IaC config files are ensured that they pass type-checking. It is not required to pass an input schema in case type checking is not required. This is helpful for scenarios where you simply want to write a Rego check and pass in IaC input for it. Such a use case could include scanning for a new service which Trivy might not support just yet.

 !!! tip
-You also need to specify `--namespaces` option.
+    It is also possible to specify multiple input schemas with `--config-file-schema` flag as it can accept a comma seperated list of file paths or a directory as input. In the case of multiple schemas being specified, all of them will be evaluated against all the input files.
+

 ### Passing custom data
 You can pass directories including your custom data through `--data` option.
@@ -346,7 +416,7 @@ This can be repeated for specifying multiple directories.

 ```bash
 cd examples/misconf/custom-data
-trivy conf --policy ./policy --data ./data --namespaces user ./configs
+trivy config --config-check ./my-check --data ./data --namespaces user ./configs
 ```

 For more details, see [Custom Data](./custom/data.md).
@@ -357,15 +427,15 @@ If you want to evaluate custom checks in other packages, you have to specify pac
 This can be repeated for specifying multiple packages.

 ``` bash
-trivy conf --policy ./policy --namespaces main --namespaces user ./configs
+trivy config --config-check ./my-check --namespaces main --namespaces user ./configs
 ```

-### Private terraform registries
-Trivy can download terraform code from private registries.
+### Private Terraform registries
+Trivy can download Terraform code from private registries.
 To pass credentials you must use the `TF_TOKEN_` environment variables.
 You cannot use a `.terraformrc` or `terraform.rc` file, these are not supported by trivy yet.

-From the terraform [docs](https://developer.hashicorp.com/terraform/cli/config/config-file#environment-variable-credentials):
+From the Terraform [docs](https://developer.hashicorp.com/terraform/cli/config/config-file#environment-variable-credentials):

 > Environment variable names should have the prefix TF_TOKEN_ added to the domain name, with periods encoded as underscores.
 > For example, the value of a variable named `TF_TOKEN_app_terraform_io` will be used as a bearer authorization token when the CLI makes service requests to the hostname `app.terraform.io`.
@@ -476,7 +546,7 @@ If you want to ignore multiple resources on different attributes, you can specif
 #trivy:ignore:aws-ec2-no-public-ingress-sgr[from_port=5432]
 ```

-You can also ignore a resource on multiple attributes:
+You can also ignore a resource on multiple attributes in the same rule:
 ```tf
 locals {
  rules = {
@@ -505,10 +575,7 @@ resource "aws_security_group_rule" "example" {
 }
 ```

-Checks can also be ignored by nested attributes, but certain restrictions apply:
-
- You cannot access an individual block using indexes, for example when working with dynamic blocks.
- Special variables like [each](https://developer.hashicorp.com/terraform/language/meta-arguments/for_each#the-each-object) and [count](https://developer.hashicorp.com/terraform/language/meta-arguments/count#the-count-object) cannot be accessed.
+Checks can also be ignored by nested attributes:

 ```tf
 #trivy:ignore:*[logging_config.prefix=myprefix]
--- a/docs/docs/scanner/secret.md
+++ b/docs/docs/scanner/secret.md
@@ -3,7 +3,9 @@
 Trivy scans any container image, filesystem and git repository to detect exposed secrets like passwords, api keys, and tokens.
 Secret scanning is enabled by default.

-Trivy will scan every plaintext file, according to builtin rules or configuration. There are plenty of builtin rules:
+Trivy will scan every plaintext file, according to builtin rules or configuration. Also, Trivy can detect secrets in compiled Python files (`.pyc`).
+
+There are plenty of builtin rules:

 - AWS access key
 - GCP service account
--- a/docs/docs/scanner/vulnerability.md
+++ b/docs/docs/scanner/vulnerability.md
@@ -19,22 +19,22 @@ See [here](../coverage/os/index.md#supported-os) for the supported OSes.

 ### Data Sources

-| OS            | Source                                                       |
-| ------------- | ------------------------------------------------------------ |
-| Arch Linux    | [Vulnerable Issues][arch]                                    |
-| Alpine Linux  | [secdb][alpine]                                              |
-| Wolfi Linux   | [secdb][wolfi]                                               |
-| Chainguard    | [secdb][chainguard]                                          |
-| Amazon Linux  | [Amazon Linux Security Center][amazon]                       |
-| Debian        | [Security Bug Tracker][debian-tracker] / [OVAL][debian-oval] |
-| Ubuntu        | [Ubuntu CVE Tracker][ubuntu]                                 |
-| RHEL/CentOS   | [OVAL][rhel-oval] / [Security Data][rhel-api]                |
-| AlmaLinux     | [AlmaLinux Product Errata][alma]                             |
-| Rocky Linux   | [Rocky Linux UpdateInfo][rocky]                              |
-| Oracle Linux  | [OVAL][oracle]                                               |
-| CBL-Mariner   | [OVAL][mariner]                                              |
-| OpenSUSE/SLES | [CVRF][suse]                                                 |
-| Photon OS     | [Photon Security Advisory][photon]                           |
+| OS                        | Source                                                       |
+|---------------------------|--------------------------------------------------------------|
+| Arch Linux                | [Vulnerable Issues][arch]                                    |
+| Alpine Linux              | [secdb][alpine]                                              |
+| Wolfi Linux               | [secdb][wolfi]                                               |
+| Chainguard                | [secdb][chainguard]                                          |
+| Amazon Linux              | [Amazon Linux Security Center][amazon]                       |
+| Debian                    | [Security Bug Tracker][debian-tracker] / [OVAL][debian-oval] |
+| Ubuntu                    | [Ubuntu CVE Tracker][ubuntu]                                 |
+| RHEL/CentOS               | [OVAL][rhel-oval] / [Security Data][rhel-api]                |
+| AlmaLinux                 | [AlmaLinux Product Errata][alma]                             |
+| Rocky Linux               | [Rocky Linux UpdateInfo][rocky]                              |
+| Oracle Linux              | [OVAL][oracle]                                               |
+| Azure Linux (CBL-Mariner) | [OVAL][azure]                                                |
+| OpenSUSE/SLES             | [CVRF][suse]                                                 |
+| Photon OS                 | [Photon Security Advisory][photon]                           |

 #### Data Source Selection
 Trivy **only** consumes security advisories from the sources listed in the above table.
@@ -158,53 +158,79 @@ Trivy can detect vulnerabilities in Kubernetes clusters and components by scanni

 [^1]: Some manual triage and correction has been made.

-## Database
-Trivy downloads [the vulnerability database](https://github.com/aquasecurity/trivy-db) every 6 hours.
-Trivy uses two types of databases for vulnerability detection:
-
- Vulnerability Database
- Java Index Database
-
-This page provides detailed information about these databases.
-
-### Vulnerability Database
-Trivy utilizes a database containing vulnerability information.
-This database is built every six hours on [GitHub](https://github.com/aquasecurity/trivy-db) and is distributed via [GitHub Container registry (GHCR)](https://ghcr.io/aquasecurity/trivy-db).
-The database is cached and updated as needed.
-As Trivy updates the database automatically during execution, users don't need to be concerned about it.
+## Databases
+Trivy utilizes several databases containing information relevant for vulnerability scanning.  
+When performing a vulnerability scan, Trivy will automatically downloads the relevant databases. The databases are cached locally and Trivy will reuse them for subsequent scans on the same machine. Trivy takes care of updating the databases cache automatically, so normally users can be oblivious to it.

 For CLI flags related to the database, please refer to [this page](../configuration/db.md).

-#### Private Hosting
-If you host the database on your own OCI registry, you can specify a different repository with the `--db-repository` flag.
-The default is `ghcr.io/aquasecurity/trivy-db`.
-
-```shell
-$ trivy image --db-repository YOUR_REPO YOUR_IMAGE
-```
-
-If authentication is required, it can be configured in the same way as for private images.
-Please refer to [the documentation](../advanced/private-registries/index.md) for more details.
+### Vulnerability Database
+This is Trivy's main database which contains vulnerability information, as collected from the datasources mentioned above.  
+It is built every six hours on [GitHub](https://github.com/aquasecurity/trivy-db).  

 ### Java Index Database
-This database is only downloaded when scanning JAR files so that Trivy can identify the groupId, artifactId, and version of JAR files.
-It is built once a day on [GitHub](https://github.com/aquasecurity/trivy-java-db) and distributed via [GitHub Container registry (GHCR)](https://ghcr.io/aquasecurity/trivy-java-db).
-Like the vulnerability database, it is automatically downloaded and updated when needed, so users don't need to worry about it.
+When scanning JAR files, Trivy relies on a dedicated database for identifying the groupId, artifactId, and version of the scanned JAR files. This database is only used when scanning JAR files, however your scanned artifacts might contain JAR files that you're not aware of.  
+This database is built once a day on [GitHub](https://github.com/aquasecurity/trivy-java-db).  

-#### Private Hosting
-If you host the database on your own OCI registry, you can specify a different repository with the `--java-db-repository` flag.
-The default is `ghcr.io/aquasecurity/trivy-java-db`.
+### External connectivity
+Trivy needs to connect to the internet to download the databases. If you are running Trivy in an air-gapped environment, or an tightly controlled network, please refer to the [Advanced Network Scenarios document](../advanced/air-gap.md).

-If authentication is required, you need to run `docker login YOUR_REGISTRY`.
-Currently, specifying a username and password is not supported.
+## Detection Behavior
+Trivy prioritizes precision in vulnerability detection, aiming to minimize false positives while potentially accepting some false negatives.
+This approach is particularly relevant in two key areas:
+
+- Handling Software Installed via OS Packages
+- Handling Packages with Unspecified Versions
+
+### Handling Software Installed via OS Packages
+For files installed by OS package managers, such as `apt`, Trivy exclusively uses advisories from the OS vendor.
+This means that even if a JAR file is present in a container image, if it was installed via an OS package manager (e.g., `apt`), Trivy will not analyze the JAR file itself and use upstream security advisories.
+
+For example, consider the Python `requests` package in Red Hat Universal Base Image 8:
+
+```bash
+[root@987ee49dc93d /]# head -n 3 /usr/lib/python3.6/site-packages/requests-2.20.0-py3.6.egg-info/PKG-INFO
+Metadata-Version: 2.1
+Name: requests
+Version: 2.20.0
+```
+
+Version 2.20.0 is installed, and this package is installed by `dnf`.
+
+```bash
+[root@987ee49dc93d /]# rpm -ql python3-requests | grep PKG-INFO
+/usr/lib/python3.6/site-packages/requests-2.20.0-py3.6.egg-info/PKG-INFO
+```
+
+At first glance, this might seem vulnerable to [CVE-2023-32681], which affects versions of requests prior to v2.31.0.
+However, Red Hat backported the fix to v2.20.0-3 in [RHSA-2023:4520], and the package is not vulnerable.
+
+- Upstream (PyPI [requests]): Fixed in v2.31.0
+- Red Hat (`python-requests`): Backported fix applied in v2.20.0-3 (RHSA-2023:4520)
+
+If Trivy were to detect CVE-2023-32681 in this case, it would be a false positive.
+This illustrates why using the correct security advisory is crucial to avoid false detections.
+To minimize false positives, Trivy trusts the OS vendor's advisory for software installed via OS package managers and does not use upstream advisories for these packages.
+
+However, this approach may lead to false negatives if the OS vendor's advisories are delayed or missing.
+In such cases, using [--detection-priority comprehensive](#detection-priority) allows Trivy to consider upstream advisories (e.g., [GitHub Advisory Database][ghsa]), potentially increasing false positives but reducing false negatives.
+
+### Handling Packages with Unspecified Versions
+When a package version cannot be uniquely determined (e.g., `package-a: ">=3.0"`), Trivy typically skips vulnerability detection for that package to avoid false positives.
+If a lock file is present with fixed versions, Trivy will use those for detection.
+
+To detect potential vulnerabilities even with unspecified versions, use [--detection-priority comprehensive](#detection-priority).
+This option makes Trivy use the minimum version in the specified range for vulnerability detection.
+While this may increase false positives if the actual version used is not the minimum, it helps reduce false negatives.

 ## Configuration
 This section describes vulnerability-specific configuration.
 Other common options are documented [here](../configuration/index.md).

-### Enabling a subset of package types
+### Enabling a Subset of Package Types
+
 It's possible to only enable certain package types if you prefer.
-You can do so by passing the `--vuln-type` option.
+You can do so by passing the `--pkg-types` option.
 This flag takes a comma-separated list of package types.

 Available values:
@@ -215,7 +241,7 @@ Available values:
    - Scan language-specific packages (e.g. packages installed by `pip`, `npm`, or `gem`).

 ```bash
-$ trivy image --vuln-type os ruby:2.4.0
+$ trivy image --pkg-types os ruby:2.4.0
 ```


@@ -268,6 +294,64 @@ Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2)

 </details>

+!!! info
+    This flag filters the packages themselves, so it also affects the `--list-all-pkgs` option and SBOM generation.
+
+### Filtering by Package Relationships
+
+
+Trivy supports filtering vulnerabilities based on the relationship of packages within a project.
+This is achieved through the `--pkg-relationships` flag.
+This feature allows you to focus on vulnerabilities in specific types of dependencies, such as only those in direct dependencies.
+
+In Trivy, there are four types of package relationships:
+
+1. `root`: The root package being scanned
+2. `direct`: Direct dependencies of the root package
+3. `indirect`: Transitive dependencies
+4. `unknown`: Packages whose relationship cannot be determined
+
+The available relationships may vary depending on the ecosystem.
+To see which relationships are supported for a particular project, you can use the JSON output format and check the `Relationship` field:
+
+```
+$ trivy repo -f json --list-all-pkgs /path/to/project
+```
+
+To scan only the root package and its direct dependencies, you can use the flag as follows:
+
+```
+$ trivy repo --pkg-relationships root,direct /path/to/project
+```
+
+By default, all relationships are included in the scan.
+
+!!! info
+    This flag filters the packages themselves, so it also affects the `--list-all-pkgs` option and SBOM generation.
+
+!!! warning
+    As it may not provide a complete package list, `--pkg-relationships` cannot be used with `--dependency-tree`, `--vex` or SBOM generation.
+
+### Detection Priority
+
+Trivy provides a `--detection-priority` flag to control the balance between false positives and false negatives in vulnerability detection.
+This concept is similar to the relationship between [precision and recall][precision-recall] in machine learning evaluation.
+
+```bash
+$ trivy image --detection-priority {precise|comprehensive} alpine:3.15
+```
+
+- `precise`: This mode prioritizes reducing false positives. It results in less noisy vulnerability reports but may miss some potential vulnerabilities.
+- `comprehensive`: This mode aims to detect more vulnerabilities, potentially including some that might be false positives.
+  It provides broader coverage but may increase the noise in the results.
+
+The default value is `precise`. Also refer to the [detection behavior](#detection-behavior) section for more information.
+
+Regardless of the chosen mode, user review of detected vulnerabilities is crucial:
+
+- `precise`: Review thoroughly, considering potential missed vulnerabilities.
+- `comprehensive`: Carefully investigate each reported vulnerability due to increased false positive possibility.
+
 [^1]: https://github.com/GoogleContainerTools/distroless

 [nvd-CVE-2023-0464]: https://nvd.nist.gov/vuln/detail/CVE-2023-0464
@@ -288,7 +372,7 @@ Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2)
 [oracle]: https://linux.oracle.com/security/oval/
 [suse]: http://ftp.suse.com/pub/projects/security/cvrf/
 [photon]: https://packages.vmware.com/photon/photon_cve_metadata/
-[mariner]: https://github.com/microsoft/CBL-MarinerVulnerabilityData/
+[azure]: https://github.com/microsoft/AzureLinuxVulnerabilityData/

 [php-ghsa]: https://github.com/advisories?query=ecosystem%3Acomposer
 [python-ghsa]: https://github.com/advisories?query=ecosystem%3Apip
@@ -313,3 +397,9 @@ Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2)
 [nvd]: https://nvd.nist.gov/vuln

 [k8s-cve]: https://kubernetes.io/docs/reference/issues-security/official-cve-feed/
+
+[CVE-2023-32681]: https://nvd.nist.gov/vuln/detail/CVE-2023-32681
+[RHSA-2023:4520]: https://access.redhat.com/errata/RHSA-2023:4520 
+[ghsa]: https://github.com/advisories
+[requests]: https://pypi.org/project/requests/
+[precision-recall]: https://developers.google.com/machine-learning/crash-course/classification/precision-and-recall
--- a/docs/docs/supply-chain/sbom.md
+++ b/docs/docs/supply-chain/sbom.md
@@ -743,7 +743,7 @@ Trivy searches for SBOM files in container images with the following extensions:
 - `.cdx`
 - `.cdx.json`

-In addition, Trivy automatically detects SBOM files in [Bitnami images](https://github.com/bitnami/containers), [see here](../coverage/os/bitnami.md) for more details.
+In addition, Trivy automatically detects SBOM files in [Bitnami images](https://github.com/bitnami/containers), [see here](../coverage/others/bitnami.md) for more details.

 It is enabled in the following targets.

--- a/docs/docs/supply-chain/vex/file.md
+++ b/docs/docs/supply-chain/vex/file.md
@@ -1,11 +1,11 @@
-# Vulnerability Exploitability Exchange (VEX)
+# Local VEX Files

 !!! warning "EXPERIMENTAL"
    This feature might change without preserving backwards compatibility.

-Trivy supports filtering detected vulnerabilities using [the Vulnerability Exploitability Exchange (VEX)](https://www.ntia.gov/files/ntia/publications/vex_one-page_summary.pdf), a standardized format for sharing and exchanging information about vulnerabilities.
-By providing VEX during scanning, it is possible to filter vulnerabilities based on their status.
-Currently, Trivy supports the following three formats:
+In addition to [VEX repositories](./repo.md), Trivy also supports the use of local VEX files for vulnerability filtering.
+This method is useful when you have specific VEX documents that you want to apply to your scans.
+Currently, Trivy supports the following formats:

 - [CycloneDX](https://cyclonedx.org/capabilities/vex/)
 - [OpenVEX](https://github.com/openvex/spec)
--- a/docs/docs/supply-chain/vex/index.md
+++ b/docs/docs/supply-chain/vex/index.md
@@ -0,0 +1,35 @@
+# Vulnerability Exploitability Exchange (VEX)
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+Trivy supports filtering detected vulnerabilities using the [Vulnerability Exploitability eXchange (VEX)](https://www.ntia.gov/files/ntia/publications/vex_one-page_summary.pdf), a standardized format for sharing and exchanging information about vulnerabilities.
+By providing VEX during scanning, it is possible to filter vulnerabilities based on their status.
+
+## VEX Usage Methods
+
+Trivy currently supports two methods for utilizing VEX:
+
+1. [VEX Repository](./repo.md)
+2. [Local VEX Files](./file.md)
+3. [VEX Attestation](./oci.md)
+
+### Enabling VEX
+To enable VEX, use the `--vex` option.
+You can specify the method to use:
+
+- To enable the VEX Repository: `--vex repo`
+- To use a local VEX file: `--vex /path/to/vex-document.json`
+- To enable VEX attestation discovery in OCI registry: `--vex oci`
+
+```bash
+$ trivy image ghcr.io/aquasecurity/trivy:0.52.0 --vex repo
+```
+
+You can enable these methods simultaneously.
+The order of specification determines the priority:
+
+- `--vex repo --vex /path/to/vex-document.json`: VEX Repository has priority
+- `--vex /path/to/vex-document.json --vex repo`: Local file has priority
+
+For detailed information on each method, please refer to each page.
--- a/docs/docs/supply-chain/vex/oci.md
+++ b/docs/docs/supply-chain/vex/oci.md
@@ -0,0 +1,121 @@
+# Discover VEX Attestation in OCI Registry
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+Trivy can discover VEX attestations for container images.
+This feature allows you to automatically use VEX during container image scanning.
+
+## How It Works
+
+Trivy can automatically discover and utilize VEX attestations for container images during scanning by using the `--vex oci` flag.
+This process enhances vulnerability detection results by incorporating the information from the VEX attestation.
+
+To use this feature, follow these three steps:
+
+1. Create a VEX document
+2. Generate and upload a VEX attestation to an OCI registry
+3. Use the VEX attestation with Trivy
+
+Steps 1 and 2 are not necessary if you are trying to scan a third-party container image and already have VEX attestation attached.
+
+Let's go through each step in detail.
+
+!!! note
+    In the following examples, the `cosign` command will write an attestation to a target OCI registry, so you must have permission to write.
+    If you want to avoid writing an OCI registry and only want to see an attestation, add the `--no-upload` option to the cosign command.
+
+### Step 1: Create a VEX Document
+
+Currently, Trivy does not have a built-in feature to create VEX documents, so you need to create them manually.
+You can refer to the [OpenVEX section](./file.md#openvex) for guidance on creating VEX files.
+
+For container image vulnerabilities, the product ID should be the OCI type in the [PURL][purl] format.
+For example:
+
+```
+pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy
+```
+
+This product ID applies the VEX statement to all tags of the `ghcr.io/aquasecurity/trivy` container image.
+If you want to declare a statement for a specific digest only, you can use:
+
+```
+pkg:oci/trivy@sha256:5bd5ab35814f86783561603ebb35d5d5d99006dcdcd5c3f828ea1afb4c12d159?repository_url=ghcr.io/aquasecurity/trivy
+```
+
+!!! note
+    Using an image tag, like `pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy&tag=0.50.0`, is not supported in the product ID at the moment.
+
+Next, specify vulnerable packages as subcomponents, such as `pkg:apk/alpine/busybox`.
+You can also include the package version and other [qualifiers][qualifiers] (e.g., `arch`) to limit statements, like `pkg:apk/alpine/busybox@1.36.1-r29?arch=x86`.
+
+Lastly, include the vulnerability IDs.
+
+Here's an example VEX document:
+
+```json
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "https://openvex.dev/docs/public/vex-2e67563e128250cbcb3e98930df948dd053e43271d70dc50cfa22d57e03fe96f",
+  "author": "Aqua Security",
+  "timestamp": "2024-07-30T19:07:16.853479631-06:00",
+  "version": 1,
+  "statements": [
+    {
+      "vulnerability": {
+        "name": "CVE-2023-42363"
+      },
+      "products": [
+        {
+          "@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
+          "subcomponents": [
+            {"@id": "pkg:apk/alpine/busybox"},
+            {"@id": "pkg:apk/alpine/busybox-binsh"}
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_cannot_be_controlled_by_adversary",
+      "impact_statement": "awk is not used"
+    }
+  ]
+}
+```
+
+You can also refer to [Trivy's example](https://github.com/aquasecurity/trivy/blob/4e54a7e84c33c1be80c52c6db78c634bc3911715/.vex/oci.openvex.json) for more inspiration.
+
+### Step 2: Generate and Upload a VEX Attestation to an OCI Registry
+
+You can use the [Cosign command](https://docs.sigstore.dev/verifying/attestation/) to generate and upload the VEX attestation.
+Cosign offers methods both with and without keys.
+For detailed instructions, please refer to the Cosign documentation.
+
+To generate and attach a VEX attestation to your image, use the following command:
+
+```
+$ cosign attest --predicate oci.openvex.json --type openvex <IMAGE>
+```
+
+Note that this command attaches the attestation only to the specified image tag.
+If needed, repeat the process for other tags and digests.
+
+### Step 3: Use VEX Attestation with Trivy
+
+Once you've attached the VEX attestation to the container image, Trivy can automatically discover and use it during scanning.
+Simply add the `--vex oci` flag when scanning a container image:
+
+```
+$ trivy image --vex oci <IMAGE>
+```
+
+To see which vulnerabilities were filtered by the VEX attestation, use the `--show-suppressed` flag:
+
+```
+$ trivy image --vex oci --show-suppressed <IMAGE>
+```
+
+The `<IMAGE>` specified in these commands must be the same as the one to which you attached the VEX attestation.
+
+[purl]: https://github.com/package-url/purl-spec
+[qualifiers]: https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst
--- a/docs/docs/supply-chain/vex/repo.md
+++ b/docs/docs/supply-chain/vex/repo.md
@@ -0,0 +1,210 @@
+# VEX Repository
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+## Using VEX Repository
+
+Trivy can download and utilize VEX documents from repositories that comply with [the VEX Repository Specification][vex-repo].
+While it's planned to be enabled by default in the future, currently it can be activated by explicitly specifying `--vex repo`.
+
+```
+$ trivy image ghcr.io/aquasecurity/trivy:0.52.0 --vex repo
+2024-07-20T11:22:58+04:00       INFO    [vex] The default repository config has been created    
+file_path="/Users/teppei/.trivy/vex/repository.yaml"
+2024-07-20T11:23:23+04:00       INFO    [vex] Updating repository...    repo="default" url="https://github.com/aquasecurity/vexhub"
+```
+
+During scanning, Trivy generates PURLs for discovered packages and searches for matching PURLs in the VEX Repository.
+If a match is found, the corresponding VEX is utilized.
+
+### Configuration File
+
+#### Default Configuration
+
+When `--vex repo` is specified for the first time, a default configuration file is created at `$HOME/.trivy/vex/repository.yaml`.
+The home directory can be configured through environment variable `$XDG_DATA_HOME`.
+
+You can also create the configuration file in advance using the `trivy vex repo init` command and edit it.
+
+The default configuration file looks like this:
+
+```yaml
+repositories:
+  - name: default
+    url: https://github.com/aquasecurity/vexhub
+    enabled: true
+    username: ""
+    password: ""
+    token: ""
+```
+
+By default, [VEX Hub][vexhub] managed by Aqua Security is used.
+VEX Hub primarily trusts VEX documents published by the package maintainers.
+
+#### Show Configuration
+You can see the config file path and the configured repositories with `trivy vex repo list`:
+
+```bash
+$ trivy vex repo list
+VEX Repositories (config: /home/username/.trivy/vex/repository.yaml)
+
+- Name: default
+  URL: https://github.com/aquasecurity/vexhub
+  Status: Enabled
+```
+
+#### Custom Repositories
+
+If you want to trust VEX documents published by other organizations or use your own VEX repository, you can specify a custom repository that complies with [the VEX Repository Specification][vex-repo].
+You can add a custom repository as below:
+
+```yaml
+- name: custom
+  url: https://example.com/custom-repo
+  enabled: true
+```
+
+
+#### Authentication
+
+For private repositories:
+
+- `username`/`password` can be used for Basic authentication
+- `token` can be used for Bearer authentication
+
+```yaml
+- name: custom
+  url: https://example.com/custom-repo
+  enabled: true
+  token: "my-token"
+```
+
+#### Repository Priority
+
+The priority of VEX repositories is determined by their order in the configuration file.
+You can add repositories with higher priority than the default or even remove the default VEX Hub.
+
+```yaml
+- name: repo1
+  url: https://example.com/repo1
+- name: repo2
+  url: https://example.com/repo2
+```
+
+In this configuration, when Trivy detects a vulnerability in a package, it generates a PURL for that package and searches for matching VEX documents in the configured repositories.
+The search process follows this order:
+
+1. Trivy first looks for a VEX document matching the package's PURL in `repo1`.
+2. If no matching VEX document is found in `repo1`, Trivy then searches in `repo2`.
+3. This process continues through all configured repositories until a match is found.
+ 
+If a matching VEX document is found in any repository (e.g., `repo1`), the search stops, and Trivy uses that VEX document.
+Subsequent repositories (e.g., `repo2`) are not checked for that specific vulnerability and package combination.
+
+It's important to note that the first matching VEX document found determines the final status of the vulnerability.
+For example, if `repo1` states that a package is "Affected" by a vulnerability, this status will be used even if `repo2` states that the same package is "Not Affected" for the same vulnerability.
+The "Affected" status from the higher-priority repository (`repo1`) takes precedence, and Trivy will consider the package as affected by the vulnerability.
+
+### Repository Updates
+
+VEX repositories are automatically updated during scanning.
+Updates are performed based on the update frequency specified by the repository.
+
+To disable auto-update, pass `--skip-vex-repo-update`.
+
+```shell
+$ trivy image ghcr.io/aquasecurity/trivy:0.50.0 --vex repo --skip-vex-repo-update
+```
+
+To download VEX repositories in advance without scanning, use `trivy vex repo download`.
+
+The cache can be cleared with `trivy clean --vex-repo`.
+
+### Displaying Filtered Vulnerabilities
+
+To see which vulnerabilities were filtered and why, use the `--show-suppressed` option:
+
+```shell
+$ trivy image ghcr.io/aquasecurity/trivy:0.50.0 --vex repo --show-suppressed
+...
+
+Suppressed Vulnerabilities (Total: 4)
+=====================================
+┌───────────────┬────────────────┬──────────┬──────────────┬───────────────────────────────────────────────────┬──────────────────────────────────────────┐
+│    Library    │ Vulnerability  │ Severity │    Status    │                     Statement                     │                  Source                  │
+├───────────────┼────────────────┼──────────┼──────────────┼───────────────────────────────────────────────────┼──────────────────────────────────────────┤
+│ busybox       │ CVE-2023-42364 │ MEDIUM   │ not_affected │ vulnerable_code_cannot_be_controlled_by_adversary │ VEX Repository: default                  │
+│               │                │          │              │                                                   │ (https://github.com/aquasecurity/vexhub) │
+│               ├────────────────┤          │              │                                                   │                                          │
+│               │ CVE-2023-42365 │          │              │                                                   │                                          │
+│               │                │          │              │                                                   │                                          │
+├───────────────┼────────────────┤          │              │                                                   │                                          │
+│ busybox-binsh │ CVE-2023-42364 │          │              │                                                   │                                          │
+│               │                │          │              │                                                   │                                          │
+│               ├────────────────┤          │              │                                                   │                                          │
+│               │ CVE-2023-42365 │          │              │                                                   │                                          │
+│               │                │          │              │                                                   │                                          │
+└───────────────┴────────────────┴──────────┴──────────────┴───────────────────────────────────────────────────┴──────────────────────────────────────────┘
+
+```
+
+## Publishing VEX Documents
+
+### For OSS Projects
+
+As an OSS developer or maintainer, you may encounter vulnerabilities in the packages your project depends on.
+These vulnerabilities might be discovered through your own scans or reported by third parties using your OSS project.
+
+While Trivy strives to minimize false positives, it doesn't perform code graph analysis, which means it can't evaluate exploitability at the code level.
+Consequently, Trivy may report vulnerabilities even in cases where:
+
+1. The vulnerable function in a dependency is never called in your project.
+2. The vulnerable code cannot be controlled by an attacker in the context of your project.
+
+If you're confident that a reported vulnerability in a dependency doesn't affect your OSS project or container image, you can publish a VEX document to reduce noise in Trivy scans.
+To assess exploitability, you have several options:
+
+1. Manual assessment: As a maintainer, you can read the source code and determine if the vulnerability is exploitable in your project's context.
+2. Automated assessment: You can use SAST (Static Application Security Testing) tools or similar tools to analyze the code and determine exploitability.
+
+By publishing VEX documents in the source repository, Trivy can automatically utilize them through VEX Hub.
+The main steps are:
+
+1. Generate a VEX document
+2. Commit the VEX document to the `.vex/` directory in the source repository (e.g., [Trivy's VEX][trivy-vex])
+3. Register your project's [PURL][purl] in VEX Hub
+
+Step 3 is only necessary once.
+After that, updating the VEX file in your repository will automatically be fetched by VEX Hub and utilized by Trivy.
+See the [VEX Hub repository][vexhub] for more information.
+
+If you want to issue a VEX for an OSS project that you don't maintain, consider first proposing the VEX publication to the original repository.
+Many OSS maintainers are open to contributions that improve the security posture of their projects.
+However, if your proposal is not accepted, or if you want to issue a VEX with statements that differ from the maintainer's judgment, you may want to consider creating a [custom repository](#hosting-custom-repositories).
+
+### For Private Projects
+
+If you're working on private software or personal projects, you have several options:
+
+1. [Local VEX files](./file.md): You can create local VEX files and have Trivy read them during scans. This is suitable for individual use or small teams.
+2. [.trivyignore](../../configuration/filtering.md#trivyignore): For simpler cases, using a .trivyignore file might be sufficient to suppress specific vulnerabilities.
+3. [Custom repositories](#hosting-custom-repositories): For large organizations wanting to share VEX information for internally used software across different departments, setting up a custom VEX repository might be the best approach.
+
+## Hosting Custom Repositories
+
+While the principle is to store VEX documents for OSS packages in the source repository, it's possible to create a custom repository if that's difficult.
+
+There are various use cases for providing custom repositories:
+
+- A Pull Request to add a VEX document upstream was not merged
+- Consolidating VEX documents output by SAST tools
+- Publishing vendor-specific VEX documents that differ from OSS maintainer statements
+- Creating a private VEX repository to publish common VEX for your company
+
+In these cases, you can create a repository that complies with [the VEX Repository Specification][vex-repo] to make it available for use with Trivy.
+
+[vex-repo]: https://github.com/aquasecurity/vex-repo-spec
+[vexhub]: https://github.com/aquasecurity/vexhub
+[trivy-vex]: https://github.com/aquasecurity/trivy/blob/b76a7250912cfc028cfef743f0f98cd81b39f8aa/.vex/trivy.openvex.json
+[purl]: https://github.com/package-url/purl-spec
--- a/docs/docs/target/vm.md
+++ b/docs/docs/target/vm.md
@@ -230,7 +230,7 @@ Reference: [VMware Virtual Disk Format 1.1.pdf][vmdk]
 |-------------------|:-------:|
 | XFS               |    ✔    |
 | EXT4              |    ✔    |
-| EXT2/3            |         |
+| EXT2/3            |    ✔    |
 | ZFS               |         |


--- a/docs/ecosystem/reporting.md
+++ b/docs/ecosystem/reporting.md
@@ -30,3 +30,9 @@ Trivy-Streamlit is a Streamlit application that allows you to quickly parse the
 This project is a web application that allows to load a Trivy report in json format and displays the vulnerabilities of a single target in an interactive data table.

 👉 Get it at: <https://github.com/dbsystel/trivy-vulnerability-explorer>
+
+## plopsec.com (Community)
+
+This project is a web application designed to help you visualize Trivy image scan reports. It enriches the data with additional exploitability metrics from EPSS, Metasploit, and Exploit-DB, updated daily.
+
+👉 Get it at: <https://plopsec.com> | <https://github.com/pl0psec/plopsec.com>
--- a/docs/tutorials/misconfiguration/custom-checks.md
+++ b/docs/tutorials/misconfiguration/custom-checks.md
@@ -93,7 +93,7 @@ Note that Rego
 Ensure that you have Trivy installed and run the following command:

 ```bash
-trivy fs --scanners misconf --policy ./docker-check.rego --namespaces custom ./Dockerfile
+trivy fs --scanners misconf --config-check ./docker-check.rego --namespaces custom ./Dockerfile
 ```

 Please replace:
--- a/docs/tutorials/misconfiguration/terraform.md
+++ b/docs/tutorials/misconfiguration/terraform.md
@@ -86,7 +86,7 @@ trivy config --severity CRITICAL, MEDIUM terraform-infra
 You can pass terraform values to Trivy to override default values found in the Terraform HCL code. More information are provided [in the documentation.](https://aquasecurity.github.io/trivy/latest/docs/coverage/iac/terraform/#value-overrides) 

 ``` 
-trivy conf --tf-vars terraform.tfvars ./
+trivy config --tf-vars terraform.tfvars ./
 ``` 
 ### Custom Checks 

--- a/go.mod
+++ b/go.mod
@@ -6,16 +6,16 @@ toolchain go1.22.4

 require (
 	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0
 	github.com/BurntSushi/toml v1.4.0
-	github.com/CycloneDX/cyclonedx-go v0.9.0
+	github.com/CycloneDX/cyclonedx-go v0.9.1
 	github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible
-	github.com/Masterminds/sprig/v3 v3.2.3
+	github.com/Masterminds/sprig/v3 v3.3.0
 	github.com/NYTimes/gziphandler v1.1.1
 	github.com/alecthomas/chroma v0.10.0
 	github.com/alicebob/miniredis/v2 v2.33.0
-	github.com/antchfx/htmlquery v1.3.1
+	github.com/antchfx/htmlquery v1.3.2
 	github.com/apparentlymart/go-cidr v1.1.0
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
@@ -23,46 +23,47 @@ require (
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
 	github.com/aquasecurity/go-version v0.0.0-20240603093900-cf8a8d29271d
 	github.com/aquasecurity/table v1.8.0
-	github.com/aquasecurity/testdocker v0.0.0-20240613070307-2c3868d658ac
+	github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8
 	github.com/aquasecurity/tml v0.6.1
-	github.com/aquasecurity/trivy-checks v0.13.0
-	github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d
+	github.com/aquasecurity/trivy-checks v1.1.0
+	github.com/aquasecurity/trivy-db v0.0.0-20240910133327-7e0f4d2ed4c1
 	github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
-	github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20240627095026-cf9d48837f6d
-	github.com/aws/aws-sdk-go-v2 v1.27.2
-	github.com/aws/aws-sdk-go-v2/config v1.27.18
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.18
-	github.com/aws/aws-sdk-go-v2/service/ec2 v1.163.1
-	github.com/aws/aws-sdk-go-v2/service/ecr v1.28.5
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.55.1
-	github.com/aws/aws-sdk-go-v2/service/sts v1.28.12 // indirect
-	github.com/aws/smithy-go v1.20.2
+	github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20240707095038-0300bc49b68b
+	github.com/aws/aws-sdk-go-v2 v1.31.0
+	github.com/aws/aws-sdk-go-v2/config v1.27.38
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.36
+	github.com/aws/aws-sdk-go-v2/service/ec2 v1.179.1
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.35.2
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.63.2
+	github.com/aws/aws-sdk-go-v2/service/sts v1.31.2 // indirect
+	github.com/aws/smithy-go v1.21.0
 	github.com/bitnami/go-version v0.0.0-20231130084017-bb00604d650c
 	github.com/bmatcuk/doublestar/v4 v4.6.1
 	github.com/cenkalti/backoff/v4 v4.3.0
 	github.com/cheggaaa/pb/v3 v3.1.5
-	github.com/containerd/containerd v1.7.17
+	github.com/containerd/containerd v1.7.22
 	github.com/csaf-poc/csaf_distribution/v3 v3.0.0
-	github.com/docker/docker v26.1.3+incompatible
+	github.com/docker/docker v27.3.1+incompatible
 	github.com/docker/go-connections v0.5.0
 	github.com/fatih/color v1.17.0
 	github.com/go-git/go-git/v5 v5.12.0
-	github.com/go-openapi/runtime v0.28.0
-	github.com/go-openapi/strfmt v0.23.0
+	github.com/go-openapi/runtime v0.28.0 // indirect
+	github.com/go-openapi/strfmt v0.23.0 // indirect
 	github.com/go-redis/redis/v8 v8.11.5
 	github.com/golang-jwt/jwt/v5 v5.2.1
-	github.com/google/go-containerregistry v0.19.2
+	github.com/google/go-containerregistry v0.20.2
+	github.com/google/go-github/v62 v62.0.0
 	github.com/google/licenseclassifier/v2 v2.0.0
 	github.com/google/uuid v1.6.0
 	github.com/google/wire v0.6.0
-	github.com/hashicorp/go-getter v1.7.5
+	github.com/hashicorp/go-getter v1.7.6
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/go-retryablehttp v0.7.7
 	github.com/hashicorp/go-uuid v1.0.3
 	github.com/hashicorp/go-version v1.7.0
 	github.com/hashicorp/golang-lru/v2 v2.0.7
-	github.com/hashicorp/hc-install v0.7.0
-	github.com/hashicorp/hcl/v2 v2.20.1
+	github.com/hashicorp/hc-install v0.9.0
+	github.com/hashicorp/hcl/v2 v2.22.0
 	github.com/hashicorp/terraform-exec v0.21.0
 	github.com/in-toto/in-toto-golang v0.9.0
 	github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
@@ -75,60 +76,63 @@ require (
 	github.com/liamg/jfather v0.0.7
 	github.com/liamg/memoryfs v1.6.0
 	github.com/magefile/mage v1.15.0
-	github.com/masahiro331/go-disk v0.0.0-20220919035250-c8da316f91ac
-	github.com/masahiro331/go-ebs-file v0.0.0-20240112135404-d5fbb1d46323
-	github.com/masahiro331/go-ext4-filesystem v0.0.0-20231208112839-4339555a0cd4
+	github.com/masahiro331/go-disk v0.0.0-20240625071113-56c933208fee
+	github.com/masahiro331/go-ebs-file v0.0.0-20240917043618-e6d2bea5c32e
+	github.com/masahiro331/go-ext4-filesystem v0.0.0-20240620024024-ca14e6327bbd
 	github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08
 	github.com/masahiro331/go-vmdk-parser v0.0.0-20221225061455-612096e4bbbd
-	github.com/masahiro331/go-xfs-filesystem v0.0.0-20230608043311-a335f4599b70
+	github.com/masahiro331/go-xfs-filesystem v0.0.0-20231205045356-1b22259a6c44
 	github.com/mattn/go-shellwords v1.0.12
 	github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/mitchellh/hashstructure/v2 v2.0.2
 	github.com/mitchellh/mapstructure v1.5.0
-	github.com/moby/buildkit v0.13.2
-	github.com/open-policy-agent/opa v0.65.0
+	github.com/moby/buildkit v0.16.0
+	github.com/open-policy-agent/opa v0.68.1-0.20240903211041-76f7038ea2d1
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.0
+	github.com/openvex/discovery v0.1.1-0.20240802171711-7c54efc57553
 	github.com/openvex/go-vex v0.2.5
-	github.com/owenrumney/go-sarif/v2 v2.3.1
-	github.com/owenrumney/squealer v1.2.2
+	github.com/owenrumney/go-sarif/v2 v2.3.3
+	github.com/owenrumney/squealer v1.2.4
 	github.com/package-url/packageurl-go v0.1.3
 	github.com/quasilyte/go-ruleguard/dsl v0.3.22
-	github.com/samber/lo v1.39.0
+	github.com/samber/lo v1.47.0
+	github.com/sassoftware/go-rpmutils v0.4.0
 	github.com/secure-systems-lab/go-securesystemslib v0.8.0
 	github.com/sigstore/rekor v1.3.6
 	github.com/sirupsen/logrus v1.9.3
 	github.com/sosedoff/gitkit v0.4.0
-	github.com/spdx/tools-golang v0.5.4 // v0.5.3 with necessary changes. Can be upgraded to version 0.5.4 after release.
-	github.com/spf13/cast v1.6.0
-	github.com/spf13/cobra v1.8.0
+	github.com/spdx/tools-golang v0.5.5 // v0.5.3 with necessary changes. Can be upgraded to version 0.5.4 after release.
+	github.com/spf13/cast v1.7.0
+	github.com/spf13/cobra v1.8.1
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.19.0
 	github.com/stretchr/testify v1.9.0
-	github.com/testcontainers/testcontainers-go v0.31.0
-	github.com/testcontainers/testcontainers-go/modules/localstack v0.31.0
-	github.com/tetratelabs/wazero v1.7.2
+	github.com/testcontainers/testcontainers-go v0.33.0
+	github.com/testcontainers/testcontainers-go/modules/localstack v0.33.0
+	github.com/tetratelabs/wazero v1.8.0
 	github.com/twitchtv/twirp v8.1.3+incompatible
 	github.com/xeipuuv/gojsonschema v1.2.0
 	github.com/xlab/treeprint v1.2.0
-	github.com/zclconf/go-cty v1.14.4
+	github.com/zclconf/go-cty v1.15.0
 	github.com/zclconf/go-cty-yaml v1.0.3
-	go.etcd.io/bbolt v1.3.10
-	golang.org/x/crypto v0.24.0
+	go.etcd.io/bbolt v1.3.11
+	golang.org/x/crypto v0.27.0
 	golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa // indirect
-	golang.org/x/mod v0.17.0
-	golang.org/x/net v0.26.0
-	golang.org/x/sync v0.7.0
-	golang.org/x/term v0.21.0
-	golang.org/x/text v0.16.0
+	golang.org/x/mod v0.21.0
+	golang.org/x/net v0.29.0
+	golang.org/x/sync v0.8.0
+	golang.org/x/term v0.24.0
+	golang.org/x/text v0.18.0
+	golang.org/x/vuln v1.1.3
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028
-	google.golang.org/protobuf v1.34.1
+	google.golang.org/protobuf v1.34.2
 	gopkg.in/yaml.v3 v3.0.1
-	helm.sh/helm/v3 v3.15.1
-	k8s.io/api v0.30.2
-	k8s.io/utils v0.0.0-20231127182322-b307cd553661
-	modernc.org/sqlite v1.30.0
+	helm.sh/helm/v3 v3.16.1
+	k8s.io/api v0.31.0
+	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8
+	modernc.org/sqlite v1.33.1
 	sigs.k8s.io/yaml v1.4.0
 )

@@ -137,10 +141,10 @@ require (
 	cloud.google.com/go/compute/metadata v0.3.0 // indirect
 	cloud.google.com/go/iam v1.1.6 // indirect
 	cloud.google.com/go/storage v1.39.1 // indirect
-	dario.cat/mergo v1.0.0 // indirect
+	dario.cat/mergo v1.0.1 // indirect
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
 	github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
 	github.com/Azure/go-autorest/autorest v0.11.29 // indirect
@@ -149,11 +153,12 @@ require (
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
+	github.com/DataDog/zstd v1.5.5 // indirect
 	github.com/Intevation/gval v1.3.0 // indirect
 	github.com/Intevation/jsonpath v0.2.1 // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
-	github.com/Masterminds/semver/v3 v3.2.1 // indirect
+	github.com/Masterminds/semver/v3 v3.3.0 // indirect
 	github.com/Masterminds/squirrel v1.5.4 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/Microsoft/hcsshim v0.12.0 // indirect
@@ -164,43 +169,50 @@ require (
 	github.com/agnivade/levenshtein v1.1.1 // indirect
 	github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect
 	github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
-	github.com/antchfx/xpath v1.3.0 // indirect
+	github.com/antchfx/xpath v1.3.1 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/aws/aws-sdk-go v1.54.6 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ebs v1.21.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.20.11 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.14 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.18 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.18 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ebs v1.22.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.20 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.23.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.27.2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
+	github.com/blang/semver v3.5.1+incompatible // indirect
+	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/briandowns/spinner v1.23.0 // indirect
-	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/chai2010/gettext-go v1.0.2 // indirect
-	github.com/cloudflare/circl v1.3.7 // indirect
+	github.com/cloudflare/circl v1.3.8 // indirect
 	github.com/containerd/cgroups/v3 v3.0.2 // indirect
+	github.com/containerd/containerd/api v1.7.19 // indirect
 	github.com/containerd/continuity v0.4.3 // indirect
 	github.com/containerd/errdefs v0.1.0 // indirect
 	github.com/containerd/fifo v1.1.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
+	github.com/containerd/platforms v0.2.1 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
-	github.com/containerd/ttrpc v1.2.4 // indirect
-	github.com/containerd/typeurl/v2 v2.1.1 // indirect
+	github.com/containerd/ttrpc v1.2.5 // indirect
+	github.com/containerd/typeurl/v2 v2.2.0 // indirect
 	github.com/cpuguy83/dockercfg v0.3.1 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.3 // indirect
-	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
+	github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 // indirect
+	github.com/cyphar/filepath-securejoin v0.3.1 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
+	github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
+	github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/dlclark/regexp2 v1.4.0 // indirect
-	github.com/docker/cli v25.0.3+incompatible // indirect
+	github.com/docker/cli v27.2.1+incompatible // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.8.0 // indirect
+	github.com/docker/docker-credential-helpers v0.8.2 // indirect
 	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
@@ -209,10 +221,12 @@ require (
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
-	github.com/evanphx/json-patch v5.7.0+incompatible // indirect
+	github.com/evanphx/json-patch v5.9.0+incompatible // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+	github.com/go-chi/chi v4.1.2+incompatible // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.5.0 // indirect
@@ -229,7 +243,6 @@ require (
 	github.com/go-openapi/spec v0.21.0 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-openapi/validate v0.24.0 // indirect
-	github.com/go-test/deep v1.1.0 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/goccy/go-yaml v1.9.5 // indirect
 	github.com/gofrs/uuid v4.3.1+incompatible // indirect
@@ -237,9 +250,12 @@ require (
 	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/btree v1.1.2 // indirect
-	github.com/google/gnostic-models v0.6.8 // indirect
+	github.com/google/certificate-transparency-go v1.1.8 // indirect
+	github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
@@ -249,25 +265,26 @@ require (
 	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/gosuri/uitable v0.0.4 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-safetemp v1.0.0 // indirect
 	github.com/hashicorp/golang-lru v0.6.0 // indirect
-	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
 	github.com/hashicorp/terraform-json v0.22.1 // indirect
-	github.com/huandu/xstrings v1.4.0 // indirect
-	github.com/imdario/mergo v0.3.15 // indirect
+	github.com/huandu/xstrings v1.5.0 // indirect
+	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
-	github.com/jmoiron/sqlx v1.3.5 // indirect
+	github.com/jmoiron/sqlx v1.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/klauspost/compress v1.17.7 // indirect
+	github.com/klauspost/compress v1.17.9 // indirect
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
+	github.com/letsencrypt/boulder v0.0.0-20231026200631-000cd05d5491 // indirect
 	github.com/lib/pq v1.10.9 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/lufia/plan9stats v0.0.0-20240226150601-1dcf7310316a // indirect
@@ -284,11 +301,12 @@ require (
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/locker v1.0.1 // indirect
 	github.com/moby/patternmatcher v0.6.0 // indirect
-	github.com/moby/spdystream v0.2.0 // indirect
-	github.com/moby/sys/mountinfo v0.7.1 // indirect
+	github.com/moby/spdystream v0.4.0 // indirect
+	github.com/moby/sys/mountinfo v0.7.2 // indirect
 	github.com/moby/sys/sequential v0.5.0 // indirect
-	github.com/moby/sys/signal v0.7.0 // indirect
-	github.com/moby/sys/user v0.1.0 // indirect
+	github.com/moby/sys/signal v0.7.1 // indirect
+	github.com/moby/sys/user v0.3.0 // indirect
+	github.com/moby/sys/userns v0.1.0 // indirect
 	github.com/moby/term v0.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
@@ -297,8 +315,9 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/ncruces/go-strftime v0.1.9 // indirect
+	github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
-	github.com/opencontainers/runtime-spec v1.1.0 // indirect
+	github.com/opencontainers/runtime-spec v1.2.0 // indirect
 	github.com/opencontainers/selinux v1.11.0 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
@@ -308,76 +327,91 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
-	github.com/prometheus/client_golang v1.19.1 // indirect
+	github.com/prometheus/client_golang v1.20.2 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.48.0 // indirect
-	github.com/prometheus/procfs v0.12.0 // indirect
+	github.com/prometheus/common v0.55.0 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
-	github.com/rivo/uniseg v0.2.0 // indirect
-	github.com/rubenv/sql-migrate v1.5.2 // indirect
+	github.com/rivo/uniseg v0.4.4 // indirect
+	github.com/rubenv/sql-migrate v1.7.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/sagikazarmark/locafero v0.4.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect
+	github.com/sassoftware/relic v7.2.1+incompatible // indirect
 	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
 	github.com/shirou/gopsutil/v3 v3.24.2 // indirect
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
-	github.com/shopspring/decimal v1.3.1 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
+	github.com/sigstore/cosign/v2 v2.2.4 // indirect
+	github.com/sigstore/sigstore v1.8.3 // indirect
+	github.com/sigstore/timestamp-authority v1.2.2 // indirect
 	github.com/skeema/knownhosts v1.2.2 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spf13/afero v1.11.0 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
+	github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
 	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
+	github.com/theupdateframework/go-tuf v0.7.0 // indirect
+	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/tklauser/go-sysconf v0.3.13 // indirect
 	github.com/tklauser/numcpus v0.7.0 // indirect
-	github.com/ulikunitz/xz v0.5.11 // indirect
+	github.com/tonistiigi/go-csvvalue v0.0.0-20240710180619-ddb21b71c0b4 // indirect
+	github.com/transparency-dev/merkle v0.0.2 // indirect
+	github.com/ulikunitz/xz v0.5.12 // indirect
 	github.com/vbatts/tar-split v0.11.5 // indirect
+	github.com/vmihailenco/msgpack/v5 v5.3.5 // indirect
+	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
 	github.com/yashtewari/glob-intersection v0.2.0 // indirect
 	github.com/yuin/gopher-lua v1.1.1 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	go.mongodb.org/mongo-driver v1.14.0 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0 // indirect
-	go.opentelemetry.io/otel v1.27.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.27.0 // indirect
-	go.opentelemetry.io/otel/metric v1.27.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.27.0 // indirect
-	go.opentelemetry.io/otel/trace v1.27.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect
+	go.opentelemetry.io/otel v1.28.0 // indirect
+	go.opentelemetry.io/otel/metric v1.28.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.28.0 // indirect
+	go.opentelemetry.io/otel/trace v1.28.0 // indirect
 	go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/oauth2 v0.20.0 // indirect
-	golang.org/x/sys v0.21.0 // indirect
-	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
+	golang.org/x/oauth2 v0.21.0 // indirect
+	golang.org/x/sys v0.25.0 // indirect
+	golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7 // indirect
+	golang.org/x/time v0.6.0 // indirect
+	golang.org/x/tools v0.24.0 // indirect
 	google.golang.org/api v0.172.0 // indirect
 	google.golang.org/genproto v0.0.0-20240311173647-c811ad7063a7 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240520151616-dc85e6b867a5 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240515191416-fc5f0ca64291 // indirect
-	google.golang.org/grpc v1.64.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect
+	google.golang.org/grpc v1.66.0 // indirect
 	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+	gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	k8s.io/apiextensions-apiserver v0.30.0 // indirect
-	k8s.io/apimachinery v0.30.2 // indirect
-	k8s.io/apiserver v0.30.0 // indirect
-	k8s.io/cli-runtime v0.30.2 // indirect
-	k8s.io/client-go v0.30.2 // indirect
-	k8s.io/component-base v0.30.1 // indirect
-	k8s.io/klog/v2 v2.120.1 // indirect
+	k8s.io/apiextensions-apiserver v0.31.0 // indirect
+	k8s.io/apimachinery v0.31.0 // indirect
+	k8s.io/apiserver v0.31.0 // indirect
+	k8s.io/cli-runtime v0.31.0 // indirect
+	k8s.io/client-go v0.31.0 // indirect
+	k8s.io/component-base v0.31.0 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
-	k8s.io/kubectl v0.30.1 // indirect
+	k8s.io/kubectl v0.31.0 // indirect
 	modernc.org/gc/v3 v3.0.0-20240107210532-573471604cb6 // indirect
-	modernc.org/libc v1.50.9 // indirect
+	modernc.org/libc v1.55.3 // indirect
 	modernc.org/mathutil v1.6.0 // indirect
 	modernc.org/memory v1.8.0 // indirect
 	modernc.org/strutil v1.2.0 // indirect
@@ -385,7 +419,7 @@ require (
 	mvdan.cc/sh/v3 v3.8.0 // indirect
 	oras.land/oras-go v1.2.5 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
-	sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect
-	sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect
+	sigs.k8s.io/kustomize/api v0.17.2 // indirect
+	sigs.k8s.io/kustomize/kyaml v0.17.1 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/helm/trivy/Chart.yaml
+++ b/helm/trivy/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: trivy
-version: 0.7.0
-appVersion: 0.37.2
+version: 0.8.0
+appVersion: 0.55.0
 description: Trivy helm chart
 keywords:
  - scanner
--- a/helm/trivy/templates/statefulset.yaml
+++ b/helm/trivy/templates/statefulset.yaml
@@ -17,7 +17,9 @@ spec:
      app.kubernetes.io/instance: {{ .Release.Name }}
  {{- if .Values.persistence.enabled }}
  volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1	
+      kind: PersistentVolumeClaim
+      metadata:
        name: data
      spec:
        resources:
--- a/integration/client_server_test.go
+++ b/integration/client_server_test.go
@@ -32,6 +32,7 @@ type csArgs struct {
 	Input             string
 	ClientToken       string
 	ClientTokenHeader string
+	PathPrefix        string
 	ListAllPackages   bool
 	Target            string
 	secretConfig      string
@@ -212,6 +213,20 @@ func TestClientServer(t *testing.T) {
 			},
 			golden: "testdata/opensuse-leap-151.json.golden",
 		},
+		{
+			name: "opensuse tumbleweed",
+			args: csArgs{
+				Input: "testdata/fixtures/images/opensuse-tumbleweed.tar.gz",
+			},
+			golden: "testdata/opensuse-tumbleweed.json.golden",
+		},
+		{
+			name: "sle micro rancher 5.4",
+			args: csArgs{
+				Input: "testdata/fixtures/images/sle-micro-rancher-5.4_ndb.tar.gz",
+			},
+			golden: "testdata/sl-micro-rancher5.4.json.golden",
+		},
 		{
 			name: "photon 3.0",
 			args: csArgs{
@@ -280,7 +295,7 @@ func TestClientServer(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			osArgs := setupClient(t, tt.args, addr, cacheDir, tt.golden)
+			osArgs := setupClient(t, tt.args, addr, cacheDir)

 			if tt.args.secretConfig != "" {
 				osArgs = append(osArgs, "--secret-config", tt.args.secretConfig)
@@ -400,7 +415,7 @@ func TestClientServerWithFormat(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Setenv("AWS_REGION", "test-region")
 			t.Setenv("AWS_ACCOUNT_ID", "123456789012")
-			osArgs := setupClient(t, tt.args, addr, cacheDir, tt.golden)
+			osArgs := setupClient(t, tt.args, addr, cacheDir)

 			runTest(t, osArgs, tt.golden, "", tt.args.Format, runOptions{
 				override: overrideUID,
@@ -428,7 +443,7 @@ func TestClientServerWithCycloneDX(t *testing.T) {
 	addr, cacheDir := setup(t, setupOptions{})
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			osArgs := setupClient(t, tt.args, addr, cacheDir, tt.golden)
+			osArgs := setupClient(t, tt.args, addr, cacheDir)
 			runTest(t, osArgs, tt.golden, "", types.FormatCycloneDX, runOptions{
 				fakeUUID: "3ff14136-e09f-4df9-80ea-%012d",
 			})
@@ -436,7 +451,11 @@ func TestClientServerWithCycloneDX(t *testing.T) {
 	}
 }

-func TestClientServerWithToken(t *testing.T) {
+func TestClientServerWithCustomOptions(t *testing.T) {
+	token := "token"
+	tokenHeader := "Trivy-Token"
+	pathPrefix := "prefix"
+
 	tests := []struct {
 		name    string
 		args    csArgs
@@ -444,11 +463,12 @@ func TestClientServerWithToken(t *testing.T) {
 		wantErr string
 	}{
 		{
-			name: "alpine 3.9 with token",
+			name: "alpine 3.9 with token and prefix",
 			args: csArgs{
 				Input:             "testdata/fixtures/images/alpine-39.tar.gz",
-				ClientToken:       "token",
-				ClientTokenHeader: "Trivy-Token",
+				ClientToken:       token,
+				ClientTokenHeader: tokenHeader,
+				PathPrefix:        pathPrefix,
 			},
 			golden: "testdata/alpine-39.json.golden",
 		},
@@ -457,7 +477,8 @@ func TestClientServerWithToken(t *testing.T) {
 			args: csArgs{
 				Input:             "testdata/fixtures/images/distroless-base.tar.gz",
 				ClientToken:       "invalidtoken",
-				ClientTokenHeader: "Trivy-Token",
+				ClientTokenHeader: tokenHeader,
+				PathPrefix:        pathPrefix,
 			},
 			wantErr: "twirp error unauthenticated: invalid token",
 		},
@@ -465,23 +486,33 @@ func TestClientServerWithToken(t *testing.T) {
 			name: "invalid token header",
 			args: csArgs{
 				Input:             "testdata/fixtures/images/distroless-base.tar.gz",
-				ClientToken:       "token",
+				ClientToken:       token,
 				ClientTokenHeader: "Unknown-Header",
+				PathPrefix:        pathPrefix,
 			},
 			wantErr: "twirp error unauthenticated: invalid token",
 		},
+		{
+			name: "wrong path prefix",
+			args: csArgs{
+				Input:             "testdata/fixtures/images/distroless-base.tar.gz",
+				ClientToken:       token,
+				ClientTokenHeader: tokenHeader,
+				PathPrefix:        "wrong",
+			},
+			wantErr: "HTTP status code 404",
+		},
 	}

-	serverToken := "token"
-	serverTokenHeader := "Trivy-Token"
 	addr, cacheDir := setup(t, setupOptions{
-		token:       serverToken,
-		tokenHeader: serverTokenHeader,
+		token:       token,
+		tokenHeader: tokenHeader,
+		pathPrefix:  pathPrefix,
 	})

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			osArgs := setupClient(t, tt.args, addr, cacheDir, tt.golden)
+			osArgs := setupClient(t, tt.args, addr, cacheDir)
 			runTest(t, osArgs, tt.golden, "", types.FormatJSON, runOptions{
 				override: overrideUID,
 				wantErr:  tt.wantErr,
@@ -508,7 +539,7 @@ func TestClientServerWithRedis(t *testing.T) {
 	golden := "testdata/alpine-39.json.golden"

 	t.Run("alpine 3.9", func(t *testing.T) {
-		osArgs := setupClient(t, testArgs, addr, cacheDir, golden)
+		osArgs := setupClient(t, testArgs, addr, cacheDir)

 		// Run Trivy client
 		runTest(t, osArgs, golden, "", types.FormatJSON, runOptions{
@@ -520,7 +551,7 @@ func TestClientServerWithRedis(t *testing.T) {
 	require.NoError(t, redisC.Terminate(ctx))

 	t.Run("sad path", func(t *testing.T) {
-		osArgs := setupClient(t, testArgs, addr, cacheDir, golden)
+		osArgs := setupClient(t, testArgs, addr, cacheDir)

 		// Run Trivy client
 		runTest(t, osArgs, "", "", types.FormatJSON, runOptions{
@@ -532,6 +563,7 @@ func TestClientServerWithRedis(t *testing.T) {
 type setupOptions struct {
 	token        string
 	tokenHeader  string
+	pathPrefix   string
 	cacheBackend string
 }

@@ -549,7 +581,7 @@ func setup(t *testing.T, options setupOptions) (string, string) {
 	addr := fmt.Sprintf("localhost:%d", port)

 	go func() {
-		osArgs := setupServer(addr, options.token, options.tokenHeader, cacheDir, options.cacheBackend)
+		osArgs := setupServer(addr, options.token, options.tokenHeader, options.pathPrefix, cacheDir, options.cacheBackend)

 		// Run Trivy server
 		require.NoError(t, execute(osArgs))
@@ -562,22 +594,20 @@ func setup(t *testing.T, options setupOptions) (string, string) {
 	return addr, cacheDir
 }

-func setupServer(addr, token, tokenHeader, cacheDir, cacheBackend string) []string {
+func setupServer(addr, token, tokenHeader, pathPrefix, cacheDir, cacheBackend string) []string {
 	osArgs := []string{
 		"--cache-dir",
 		cacheDir,
 		"server",
-		"--skip-update",
+		"--skip-db-update",
 		"--listen",
 		addr,
 	}
 	if token != "" {
-		osArgs = append(osArgs, []string{
-			"--token",
-			token,
-			"--token-header",
-			tokenHeader,
-		}...)
+		osArgs = append(osArgs, "--token", token, "--token-header", tokenHeader)
+	}
+	if pathPrefix != "" {
+		osArgs = append(osArgs, "--path-prefix", pathPrefix)
 	}
 	if cacheBackend != "" {
 		osArgs = append(osArgs, "--cache-backend", cacheBackend)
@@ -585,14 +615,14 @@ func setupServer(addr, token, tokenHeader, cacheDir, cacheBackend string) []stri
 	return osArgs
 }

-func setupClient(t *testing.T, c csArgs, addr string, cacheDir string, golden string) []string {
+func setupClient(t *testing.T, c csArgs, addr string, cacheDir string) []string {
+	t.Helper()
 	if c.Command == "" {
 		c.Command = "image"
 	}
 	if c.RemoteAddrOption == "" {
 		c.RemoteAddrOption = "--server"
 	}
-	t.Helper()
 	osArgs := []string{
 		"--cache-dir",
 		cacheDir,
@@ -632,6 +662,9 @@ func setupClient(t *testing.T, c csArgs, addr string, cacheDir string, golden st
 	if c.ClientToken != "" {
 		osArgs = append(osArgs, "--token", c.ClientToken, "--token-header", c.ClientTokenHeader)
 	}
+	if c.PathPrefix != "" {
+		osArgs = append(osArgs, "--path-prefix", c.PathPrefix)
+	}
 	if c.Input != "" {
 		osArgs = append(osArgs, "--input", c.Input)
 	}
--- a/integration/convert_test.go
+++ b/integration/convert_test.go
@@ -11,9 +11,11 @@ import (

 func TestConvert(t *testing.T) {
 	type args struct {
-		input    string
-		format   string
-		scanners string
+		input          string
+		format         string
+		scanners       string
+		showSuppressed bool
+		listAllPkgs    bool
 	}
 	tests := []struct {
 		name     string
@@ -37,6 +39,16 @@ func TestConvert(t *testing.T) {
 			},
 			golden: "testdata/npm-cyclonedx.json.golden",
 		},
+		{
+			name: "npm with suppressed vulnerability",
+			args: args{
+				input:          "testdata/fixtures/convert/npm-with-suppressed.json.golden",
+				format:         "json",
+				showSuppressed: true,
+				listAllPkgs:    true,
+			},
+			golden: "testdata/fixtures/convert/npm-with-suppressed.json.golden",
+		},
 	}

 	for _, tt := range tests {
@@ -50,6 +62,14 @@ func TestConvert(t *testing.T) {
 				tt.args.format,
 			}

+			if tt.args.showSuppressed {
+				osArgs = append(osArgs, "--show-suppressed")
+			}
+
+			if tt.args.listAllPkgs {
+				osArgs = append(osArgs, "--list-all-pkgs")
+			}
+
 			// Set up the output file
 			outputFile := filepath.Join(t.TempDir(), "output.json")
 			if *update {
--- a/integration/docker_engine_test.go
+++ b/integration/docker_engine_test.go
@@ -1,19 +1,16 @@
 //go:build integration
-// +build integration

 package integration

 import (
 	"context"
-	"io"
 	"os"
 	"strings"
 	"testing"

+	"github.com/aquasecurity/trivy/internal/testutil"
 	"github.com/aquasecurity/trivy/pkg/types"

-	api "github.com/docker/docker/api/types"
-	"github.com/docker/docker/client"
 	"github.com/stretchr/testify/require"
 )

@@ -23,7 +20,6 @@ func TestDockerEngine(t *testing.T) {
 	}
 	tests := []struct {
 		name          string
-		imageTag      string
 		invalidImage  bool
 		ignoreUnfixed bool
 		ignoreStatus  []string
@@ -34,10 +30,9 @@ func TestDockerEngine(t *testing.T) {
 		wantErr       string
 	}{
 		{
-			name:     "alpine:3.9",
-			imageTag: "ghcr.io/aquasecurity/trivy-test-images:alpine-39",
-			input:    "testdata/fixtures/images/alpine-39.tar.gz",
-			golden:   "testdata/alpine-39.json.golden",
+			name:   "alpine:3.9",
+			input:  "testdata/fixtures/images/alpine-39.tar.gz",
+			golden: "testdata/alpine-39.json.golden",
 		},
 		{
 			name: "alpine:3.9, with high and critical severity",
@@ -45,13 +40,11 @@ func TestDockerEngine(t *testing.T) {
 				"HIGH",
 				"CRITICAL",
 			},
-			imageTag: "ghcr.io/aquasecurity/trivy-test-images:alpine-39",
-			input:    "testdata/fixtures/images/alpine-39.tar.gz",
-			golden:   "testdata/alpine-39-high-critical.json.golden",
+			input:  "testdata/fixtures/images/alpine-39.tar.gz",
+			golden: "testdata/alpine-39-high-critical.json.golden",
 		},
 		{
-			name:     "alpine:3.9, with .trivyignore",
-			imageTag: "ghcr.io/aquasecurity/trivy-test-images:alpine-39",
+			name: "alpine:3.9, with .trivyignore",
 			ignoreIDs: []string{
 				"CVE-2019-1549",
 				"CVE-2019-14697",
@@ -60,155 +53,141 @@ func TestDockerEngine(t *testing.T) {
 			golden: "testdata/alpine-39-ignore-cveids.json.golden",
 		},
 		{
-			name:     "alpine:3.10",
-			imageTag: "ghcr.io/aquasecurity/trivy-test-images:alpine-310",
-			input:    "testdata/fixtures/images/alpine-310.tar.gz",
-			golden:   "testdata/alpine-310.json.golden",
+			name:   "alpine:3.10",
+			input:  "testdata/fixtures/images/alpine-310.tar.gz",
+			golden: "testdata/alpine-310.json.golden",
 		},
 		{
-			name:     "amazonlinux:1",
-			imageTag: "ghcr.io/aquasecurity/trivy-test-images:amazon-1",
-			input:    "testdata/fixtures/images/amazon-1.tar.gz",
-			golden:   "testdata/amazon-1.json.golden",
+			name:   "amazonlinux:1",
+			input:  "testdata/fixtures/images/amazon-1.tar.gz",
+			golden: "testdata/amazon-1.json.golden",
 		},
 		{
-			name:     "amazonlinux:2",
-			imageTag: "ghcr.io/aquasecurity/trivy-test-images:amazon-2",
-			input:    "testdata/fixtures/images/amazon-2.tar.gz",
-			golden:   "testdata/amazon-2.json.golden",
+			name:   "amazonlinux:2",
+			input:  "testdata/fixtures/images/amazon-2.tar.gz",
+			golden: "testdata/amazon-2.json.golden",
 		},
 		{
-			name:     "almalinux 8",
-			imageTag: "ghcr.io/aquasecurity/trivy-test-images:almalinux-8",
-			input:    "testdata/fixtures/images/almalinux-8.tar.gz",
-			golden:   "testdata/almalinux-8.json.golden",
+			name:   "almalinux 8",
+			input:  "testdata/fixtures/images/almalinux-8.tar.gz",
+			golden: "testdata/almalinux-8.json.golden",
 		},
 		{
-			name:     "rocky linux 8",
-			imageTag: "ghcr.io/aquasecurity/trivy-test-images:rockylinux-8",
-			input:    "testdata/fixtures/images/rockylinux-8.tar.gz",
-			golden:   "testdata/rockylinux-8.json.golden",
+			name:   "rocky linux 8",
+			input:  "testdata/fixtures/images/rockylinux-8.tar.gz",
+			golden: "testdata/rockylinux-8.json.golden",
 		},
 		{
-			name:     "centos 6",
-			imageTag: "ghcr.io/aquasecurity/trivy-test-images:centos-6",
-			input:    "testdata/fixtures/images/centos-6.tar.gz",
-			golden:   "testdata/centos-6.json.golden",
+			name:   "centos 6",
+			input:  "testdata/fixtures/images/centos-6.tar.gz",
+			golden: "testdata/centos-6.json.golden",
 		},
 		{
-			name:     "centos 7",
-			imageTag: "ghcr.io/aquasecurity/trivy-test-images:centos-7",
-			input:    "testdata/fixtures/images/centos-7.tar.gz",
-			golden:   "testdata/centos-7.json.golden",
+			name:   "centos 7",
+			input:  "testdata/fixtures/images/centos-7.tar.gz",
+			golden: "testdata/centos-7.json.golden",
 		},
 		{
 			name:          "centos 7, with --ignore-unfixed option",
-			imageTag:      "ghcr.io/aquasecurity/trivy-test-images:centos-7",
 			ignoreUnfixed: true,
 			input:         "testdata/fixtures/images/centos-7.tar.gz",
 			golden:        "testdata/centos-7-ignore-unfixed.json.golden",
 		},
 		{
 			name:         "centos 7, with --ignore-status option",
-			imageTag:     "ghcr.io/aquasecurity/trivy-test-images:centos-7",
 			ignoreStatus: []string{"will_not_fix"},
 			input:        "testdata/fixtures/images/centos-7.tar.gz",
 			golden:       "testdata/centos-7-ignore-unfixed.json.golden",
 		},
 		{
 			name:          "centos 7, with --ignore-unfixed option, with medium severity",
-			imageTag:      "ghcr.io/aquasecurity/trivy-test-images:centos-7",
 			ignoreUnfixed: true,
 			severity:      []string{"MEDIUM"},
 			input:         "testdata/fixtures/images/centos-7.tar.gz",
 			golden:        "testdata/centos-7-medium.json.golden",
 		},
 		{
-			name:     "registry.redhat.io/ubi7",
-			imageTag: "ghcr.io/aquasecurity/trivy-test-images:ubi-7",
-			input:    "testdata/fixtures/images/ubi-7.tar.gz",
-			golden:   "testdata/ubi-7.json.golden",
+			name:   "registry.redhat.io/ubi7",
+			input:  "testdata/fixtures/images/ubi-7.tar.gz",
+			golden: "testdata/ubi-7.json.golden",
 		},
 		{
-			name:     "debian buster/10",
-			imageTag: "ghcr.io/aquasecurity/trivy-test-images:debian-buster",
-			input:    "testdata/fixtures/images/debian-buster.tar.gz",
-			golden:   "testdata/debian-buster.json.golden",
+			name:   "debian buster/10",
+			input:  "testdata/fixtures/images/debian-buster.tar.gz",
+			golden: "testdata/debian-buster.json.golden",
 		},
 		{
 			name:          "debian buster/10, with --ignore-unfixed option",
 			ignoreUnfixed: true,
-			imageTag:      "ghcr.io/aquasecurity/trivy-test-images:debian-buster",
 			input:         "testdata/fixtures/images/debian-buster.tar.gz",
 			golden:        "testdata/debian-buster-ignore-unfixed.json.golden",
 		},
 		{
 			name:         "debian buster/10, with --ignore-status option",
 			ignoreStatus: []string{"affected"},
-			imageTag:     "ghcr.io/aquasecurity/trivy-test-images:debian-buster",
 			input:        "testdata/fixtures/images/debian-buster.tar.gz",
 			golden:       "testdata/debian-buster-ignore-unfixed.json.golden",
 		},
 		{
-			name:     "debian stretch/9",
-			imageTag: "ghcr.io/aquasecurity/trivy-test-images:debian-stretch",
-			input:    "testdata/fixtures/images/debian-stretch.tar.gz",
-			golden:   "testdata/debian-stretch.json.golden",
+			name:   "debian stretch/9",
+			input:  "testdata/fixtures/images/debian-stretch.tar.gz",
+			golden: "testdata/debian-stretch.json.golden",
 		},
 		{
-			name:     "distroless base",
-			imageTag: "ghcr.io/aquasecurity/trivy-test-images:distroless-base",
-			input:    "testdata/fixtures/images/distroless-base.tar.gz",
-			golden:   "testdata/distroless-base.json.golden",
+			name:   "distroless base",
+			input:  "testdata/fixtures/images/distroless-base.tar.gz",
+			golden: "testdata/distroless-base.json.golden",
 		},
 		{
-			name:     "distroless python2.7",
-			imageTag: "ghcr.io/aquasecurity/trivy-test-images:distroless-python27",
-			input:    "testdata/fixtures/images/distroless-python27.tar.gz",
-			golden:   "testdata/distroless-python27.json.golden",
+			name:   "distroless python2.7",
+			input:  "testdata/fixtures/images/distroless-python27.tar.gz",
+			golden: "testdata/distroless-python27.json.golden",
 		},
 		{
-			name:     "oracle linux 8",
-			imageTag: "ghcr.io/aquasecurity/trivy-test-images:oraclelinux-8",
-			input:    "testdata/fixtures/images/oraclelinux-8.tar.gz",
-			golden:   "testdata/oraclelinux-8.json.golden",
+			name:   "oracle linux 8",
+			input:  "testdata/fixtures/images/oraclelinux-8.tar.gz",
+			golden: "testdata/oraclelinux-8.json.golden",
 		},
 		{
-			name:     "ubuntu 18.04",
-			imageTag: "ghcr.io/aquasecurity/trivy-test-images:ubuntu-1804",
-			input:    "testdata/fixtures/images/ubuntu-1804.tar.gz",
-			golden:   "testdata/ubuntu-1804.json.golden",
+			name:   "ubuntu 18.04",
+			input:  "testdata/fixtures/images/ubuntu-1804.tar.gz",
+			golden: "testdata/ubuntu-1804.json.golden",
 		},
 		{
 			name:          "ubuntu 18.04, with --ignore-unfixed option",
-			imageTag:      "ghcr.io/aquasecurity/trivy-test-images:ubuntu-1804",
 			ignoreUnfixed: true,
 			input:         "testdata/fixtures/images/ubuntu-1804.tar.gz",
 			golden:        "testdata/ubuntu-1804-ignore-unfixed.json.golden",
 		},
 		{
-			name:     "opensuse leap 15.1",
-			imageTag: "ghcr.io/aquasecurity/trivy-test-images:opensuse-leap-151",
-			input:    "testdata/fixtures/images/opensuse-leap-151.tar.gz",
-			golden:   "testdata/opensuse-leap-151.json.golden",
+			name:   "opensuse leap 15.1",
+			input:  "testdata/fixtures/images/opensuse-leap-151.tar.gz",
+			golden: "testdata/opensuse-leap-151.json.golden",
 		},
 		{
-			name:     "photon 3.0",
-			imageTag: "ghcr.io/aquasecurity/trivy-test-images:photon-30",
-			input:    "testdata/fixtures/images/photon-30.tar.gz",
-			golden:   "testdata/photon-30.json.golden",
+			name:   "opensuse tumbleweed",
+			input:  "testdata/fixtures/images/opensuse-tumbleweed.tar.gz",
+			golden: "testdata/opensuse-tumbleweed.json.golden",
 		},
 		{
-			name:     "CBL-Mariner 1.0",
-			imageTag: "ghcr.io/aquasecurity/trivy-test-images:mariner-1.0",
-			input:    "testdata/fixtures/images/mariner-1.0.tar.gz",
-			golden:   "testdata/mariner-1.0.json.golden",
+			name:   "sle micro rancher 5.4",
+			input:  "testdata/fixtures/images/sle-micro-rancher-5.4_ndb.tar.gz",
+			golden: "testdata/sl-micro-rancher5.4.json.golden",
 		},
 		{
-			name:     "busybox with Cargo.lock",
-			imageTag: "ghcr.io/aquasecurity/trivy-test-images:busybox-with-lockfile",
-			input:    "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
-			golden:   "testdata/busybox-with-lockfile.json.golden",
+			name:   "photon 3.0",
+			input:  "testdata/fixtures/images/photon-30.tar.gz",
+			golden: "testdata/photon-30.json.golden",
+		},
+		{
+			name:   "CBL-Mariner 1.0",
+			input:  "testdata/fixtures/images/mariner-1.0.tar.gz",
+			golden: "testdata/mariner-1.0.json.golden",
+		},
+		{
+			name:   "busybox with Cargo.lock",
+			input:  "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
+			golden: "testdata/busybox-with-lockfile.json.golden",
 		},
 		{
 			name:         "sad path, invalid image",
@@ -227,44 +206,27 @@ func TestDockerEngine(t *testing.T) {
 	ctx := context.Background()
 	defer ctx.Done()

-	cli, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
-	require.NoError(t, err)
+	cli := testutil.NewDockerClient(t)

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			if !tt.invalidImage {
 				testfile, err := os.Open(tt.input)
 				require.NoError(t, err, tt.name)
+				defer testfile.Close()

-				// ensure image doesnt already exists
-				_, _ = cli.ImageRemove(ctx, tt.input, api.ImageRemoveOptions{
-					Force:         true,
-					PruneChildren: true,
-				})
+				// Ensure image doesn't already exist
+				cli.ImageRemove(t, ctx, tt.input)

-				// load image into docker engine
-				res, err := cli.ImageLoad(ctx, testfile, true)
-				require.NoError(t, err, tt.name)
-				if _, err := io.Copy(io.Discard, res.Body); err != nil {
-					require.NoError(t, err, tt.name)
-				}
-				defer res.Body.Close()
+				// Load image into docker engine
+				loadedImage := cli.ImageLoad(t, ctx, tt.input)

-				// tag our image to something unique
-				err = cli.ImageTag(ctx, tt.imageTag, tt.input)
+				// Tag our image to something unique
+				err = cli.ImageTag(ctx, loadedImage, tt.input)
 				require.NoError(t, err, tt.name)

-				// cleanup
-				t.Cleanup(func() {
-					_, _ = cli.ImageRemove(ctx, tt.input, api.ImageRemoveOptions{
-						Force:         true,
-						PruneChildren: true,
-					})
-					_, _ = cli.ImageRemove(ctx, tt.imageTag, api.ImageRemoveOptions{
-						Force:         true,
-						PruneChildren: true,
-					})
-				})
+				// Cleanup
+				t.Cleanup(func() { cli.ImageRemove(t, ctx, tt.input) })
 			}

 			osArgs := []string{
@@ -297,7 +259,7 @@ func TestDockerEngine(t *testing.T) {
 			}
 			if len(tt.ignoreIDs) != 0 {
 				trivyIgnore := ".trivyignore"
-				err = os.WriteFile(trivyIgnore, []byte(strings.Join(tt.ignoreIDs, "\n")), 0444)
+				err := os.WriteFile(trivyIgnore, []byte(strings.Join(tt.ignoreIDs, "\n")), 0444)
 				require.NoError(t, err, "failed to write .trivyignore")
 				defer os.Remove(trivyIgnore)
 			}
@@ -308,7 +270,8 @@ func TestDockerEngine(t *testing.T) {
 				wantErr: tt.wantErr,
 				// Container field was removed in Docker Engine v26.0
 				// cf. https://github.com/docker/cli/blob/v26.1.3/docs/deprecated.md#container-and-containerconfig-fields-in-image-inspect
-				override: overrideFuncs(overrideUID, func(t *testing.T, want, _ *types.Report) {
+				override: overrideFuncs(overrideUID, func(t *testing.T, want, got *types.Report) {
+					got.Metadata.ImageConfig.Container = ""
 					want.Metadata.ImageConfig.Container = ""
 				}),
 			})
--- a/integration/integration_test.go
+++ b/integration/integration_test.go
@@ -26,14 +26,15 @@ import (
 	"github.com/stretchr/testify/require"
 	"github.com/xeipuuv/gojsonschema"

-	"github.com/aquasecurity/trivy-db/pkg/db"
 	"github.com/aquasecurity/trivy-db/pkg/metadata"
-
 	"github.com/aquasecurity/trivy/internal/dbtest"
+	"github.com/aquasecurity/trivy/internal/testutil"
 	"github.com/aquasecurity/trivy/pkg/clock"
 	"github.com/aquasecurity/trivy/pkg/commands"
+	"github.com/aquasecurity/trivy/pkg/db"
 	"github.com/aquasecurity/trivy/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/uuid"
+	"github.com/aquasecurity/trivy/pkg/vex/repo"

 	_ "modernc.org/sqlite"
 )
@@ -56,15 +57,9 @@ func initDB(t *testing.T) string {
 	}

 	cacheDir := dbtest.InitDB(t, fixtures)
-	defer db.Close()
+	defer dbtest.Close()

-	dbDir := filepath.Dir(db.Path(cacheDir))
-
-	metadataFile := filepath.Join(dbDir, "metadata.json")
-	f, err := os.Create(metadataFile)
-	require.NoError(t, err)
-
-	err = json.NewEncoder(f).Encode(metadata.Metadata{
+	err = metadata.NewClient(db.Dir(cacheDir)).Update(metadata.Metadata{
 		Version:    db.SchemaVersion,
 		NextUpdate: time.Now().Add(24 * time.Hour),
 		UpdatedAt:  time.Now(),
@@ -75,6 +70,43 @@ func initDB(t *testing.T) string {
 	return cacheDir
 }

+func initVEXRepository(t *testing.T, homeDir, cacheDir string) {
+	t.Helper()
+
+	// Copy config directory
+	configSrc := "testdata/fixtures/vex/config/repository.yaml"
+	configDst := filepath.Join(homeDir, ".trivy", "vex", "repository.yaml")
+	testutil.CopyFile(t, configSrc, configDst)
+
+	// Copy repository directory
+	repoSrc := "testdata/fixtures/vex/repositories"
+	repoDst := filepath.Join(cacheDir, "vex", "repositories")
+	testutil.CopyDir(t, repoSrc, repoDst)
+
+	// Copy VEX file
+	vexSrc := "testdata/fixtures/vex/file/openvex.json"
+	repoDir := filepath.Join(repoDst, "default")
+	vexDst := filepath.Join(repoDir, "0.1", "openvex.json")
+	testutil.CopyFile(t, vexSrc, vexDst)
+
+	// Write a dummy cache metadata
+	testutil.MustWriteJSON(t, filepath.Join(repoDir, "cache.json"), repo.CacheMetadata{
+		UpdatedAt: time.Now(),
+	})
+
+	// Verify that necessary files exist
+	requiredFiles := []string{
+		configDst,
+		filepath.Join(repoDir, "vex-repository.json"),
+		filepath.Join(repoDir, "0.1", "index.json"),
+		filepath.Join(repoDir, "0.1", "openvex.json"),
+	}
+
+	for _, file := range requiredFiles {
+		require.FileExists(t, file)
+	}
+}
+
 func getFreePort() (int, error) {
 	addr, err := net.ResolveTCPAddr("tcp", "localhost:0")
 	if err != nil {
@@ -154,7 +186,6 @@ func readCycloneDX(t *testing.T, filePath string) *cdx.BOM {
 			return (*bom.Components)[i].Name < (*bom.Components)[j].Name
 		})
 		for i := range *bom.Components {
-			(*bom.Components)[i].BOMRef = ""
 			sort.Slice(*(*bom.Components)[i].Properties, func(ii, jj int) bool {
 				return (*(*bom.Components)[i].Properties)[ii].Name < (*(*bom.Components)[i].Properties)[jj].Name
 			})
--- a/integration/plugin_test.go
+++ b/integration/plugin_test.go
@@ -0,0 +1,111 @@
+//go:build integration
+
+package integration
+
+import (
+	"io"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/aquasecurity/trivy/pkg/utils/fsutils"
+)
+
+func TestPlugin(t *testing.T) {
+	tests := []struct {
+		name       string
+		plugin     string
+		pluginArgs string
+		golden     string
+	}{
+		{
+			name:   "count plugin installed from `index`",
+			plugin: "count@v0.2.0",
+			golden: "testdata/count-0.2.0-plugin.txt.golden",
+		},
+		{
+			name:       "count plugin installed from github archive",
+			plugin:     "https://github.com/aquasecurity/trivy-plugin-count/archive/refs/tags/v0.1.0.zip",
+			pluginArgs: "--published-before=2020-01-01",
+			golden:     "testdata/count-0.1.0-plugin-with-before-flag.txt.golden",
+		},
+	}
+
+	// Set up testing DB
+	cacheDir := initDB(t)
+	tempStdOut := setTempStdout(t)
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// We can overwrite stdout for `_default_Manager` only once.
+			// So we need to clear the temporary stdout file before each test case.
+			clearFile(t, tempStdOut)
+
+			t.Setenv("XDG_DATA_HOME", t.TempDir())
+
+			// Install plugin
+			err := execute([]string{
+				"plugin",
+				"install",
+				tt.plugin,
+			})
+			require.NoError(t, err)
+
+			// Get list of plugins
+			err = execute([]string{
+				"plugin",
+				"list",
+			})
+			require.NoError(t, err)
+
+			// Run Trivy with plugin as output
+			args := []string{
+				"--cache-dir",
+				cacheDir,
+				"fs",
+				"-f",
+				"json",
+				"-o",
+				"plugin=count",
+				"testdata/fixtures/repo/pip",
+			}
+
+			if tt.pluginArgs != "" {
+				args = append(args, "--output-plugin-arg", tt.pluginArgs)
+			}
+
+			err = execute(args)
+
+			if *update {
+				fsutils.CopyFile(tempStdOut.Name(), tt.golden)
+			}
+
+			compareRawFiles(t, tt.golden, tempStdOut.Name())
+		})
+	}
+}
+
+func setTempStdout(t *testing.T) *os.File {
+	tmpFile := filepath.Join(t.TempDir(), "output.txt")
+	f, err := os.Create(tmpFile)
+	require.NoError(t, err)
+
+	// Overwrite Stdout to get output of plugin
+	defaultStdout := os.Stdout
+	os.Stdout = f
+	t.Cleanup(func() {
+		os.Stdout = defaultStdout
+		f.Close()
+	})
+	return f
+}
+
+func clearFile(t *testing.T, file *os.File) {
+	_, err := file.Seek(0, io.SeekStart)
+	require.NoError(t, err)
+
+	_, err = file.Write([]byte{})
+	require.NoError(t, err)
+}
--- a/integration/registry_test.go
+++ b/integration/registry_test.go
@@ -10,7 +10,6 @@ import (
 	"crypto/x509"
 	"encoding/json"
 	"fmt"
-	"github.com/aquasecurity/trivy/pkg/types"
 	"io"
 	"net/http"
 	"net/url"
@@ -18,6 +17,8 @@ import (
 	"path/filepath"
 	"testing"

+	"github.com/aquasecurity/trivy/pkg/types"
+
 	dockercontainer "github.com/docker/docker/api/types/container"
 	"github.com/docker/go-connections/nat"
 	"github.com/google/go-containerregistry/pkg/authn"
@@ -152,32 +153,59 @@ func TestRegistry(t *testing.T) {
 		name      string
 		imageName string
 		imageFile string
+		os        string
 		option    registryOption
 		golden    string
 		wantErr   string
 	}{
 		{
-			name:      "happy path with username/password",
+			name:      "authenticate with username/password",
 			imageName: "alpine:3.10",
 			imageFile: "testdata/fixtures/images/alpine-310.tar.gz",
+			os:        "alpine 3.10.2",
 			option: registryOption{
 				AuthURL:  authURL,
 				Username: authUsername,
 				Password: authPassword,
 			},
-			golden: "testdata/alpine-310-registry.json.golden",
+			golden: "testdata/alpine-310.json.golden",
 		},
 		{
-			name:      "happy path with registry token",
+			name:      "authenticate with registry token",
 			imageName: "alpine:3.10",
 			imageFile: "testdata/fixtures/images/alpine-310.tar.gz",
+			os:        "alpine 3.10.2",
 			option: registryOption{
 				AuthURL:       authURL,
 				Username:      authUsername,
 				Password:      authPassword,
 				RegistryToken: true,
 			},
-			golden: "testdata/alpine-310-registry.json.golden",
+			golden: "testdata/alpine-310.json.golden",
+		},
+		{
+			name:      "amazonlinux 2",
+			imageName: "amazonlinux:2",
+			imageFile: "testdata/fixtures/images/amazon-2.tar.gz",
+			os:        "amazon 2 (Karoo)",
+			option: registryOption{
+				AuthURL:  authURL,
+				Username: authUsername,
+				Password: authPassword,
+			},
+			golden: "testdata/amazon-2.json.golden",
+		},
+		{
+			name:      "debian buster",
+			imageName: "debian:buster",
+			imageFile: "testdata/fixtures/images/debian-buster.tar.gz",
+			os:        "debian 10.1",
+			option: registryOption{
+				AuthURL:  authURL,
+				Username: authUsername,
+				Password: authPassword,
+			},
+			golden: "testdata/debian-buster.json.golden",
 		},
 		{
 			name:      "sad path",
@@ -187,25 +215,25 @@ func TestRegistry(t *testing.T) {
 		},
 	}

-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			s := fmt.Sprintf("%s/%s", registryURL.Host, tc.imageName)
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			s := fmt.Sprintf("%s/%s", registryURL.Host, tt.imageName)
 			imageRef, err := name.ParseReference(s)
 			require.NoError(t, err)

 			// Load a test image from the tar file, tag it and push to the test registry.
-			err = replicateImage(imageRef, tc.imageFile, auth)
+			err = replicateImage(imageRef, tt.imageFile, auth)
 			require.NoError(t, err)

-			osArgs, err := scan(t, imageRef, baseDir, tc.golden, tc.option)
+			osArgs, err := scan(t, imageRef, baseDir, tt.option)

 			// Run Trivy
-			runTest(t, osArgs, tc.golden, "", types.FormatJSON, runOptions{
-				wantErr: tc.wantErr,
-				override: overrideFuncs(overrideUID, func(t *testing.T, _, got *types.Report) {
-					got.ArtifactName = tc.imageName
-					for i := range got.Results {
-						got.Results[i].Target = fmt.Sprintf("%s (alpine 3.10.2)", tc.imageName)
+			runTest(t, osArgs, tt.golden, "", types.FormatJSON, runOptions{
+				wantErr: tt.wantErr,
+				override: overrideFuncs(overrideUID, func(t *testing.T, want, got *types.Report) {
+					want.ArtifactName = s
+					for i := range want.Results {
+						want.Results[i].Target = fmt.Sprintf("%s (%s)", s, tt.os)
 					}
 				}),
 			})
@@ -213,7 +241,7 @@ func TestRegistry(t *testing.T) {
 	}
 }

-func scan(t *testing.T, imageRef name.Reference, baseDir, goldenFile string, opt registryOption) ([]string, error) {
+func scan(t *testing.T, imageRef name.Reference, baseDir string, opt registryOption) ([]string, error) {
 	// Set up testing DB
 	cacheDir := initDB(t)

@@ -232,6 +260,8 @@ func scan(t *testing.T, imageRef name.Reference, baseDir, goldenFile string, opt
 		"image",
 		"--format",
 		"json",
+		"--image-src",
+		"remote",
 		"--skip-update",
 		imageRef.Name(),
 	}
--- a/integration/repo_test.go
+++ b/integration/repo_test.go
@@ -8,9 +8,10 @@ import (
 	"strings"
 	"testing"

+	"github.com/stretchr/testify/require"
+
 	"github.com/aquasecurity/trivy/pkg/fanal/artifact"
 	"github.com/aquasecurity/trivy/pkg/types"
-	"github.com/stretchr/testify/require"
 )

 // TestRepository tests `trivy repo` with the local code repositories
@@ -32,6 +33,7 @@ func TestRepository(t *testing.T) {
 		format         types.Format
 		includeDevDeps bool
 		parallel       int
+		vex            string
 	}
 	tests := []struct {
 		name     string
@@ -74,6 +76,24 @@ func TestRepository(t *testing.T) {
 			},
 			golden: "testdata/gomod.json.golden",
 		},
+		{
+			name: "gomod with local VEX file",
+			args: args{
+				scanner: types.VulnerabilityScanner,
+				input:   "testdata/fixtures/repo/gomod",
+				vex:     "testdata/fixtures/vex/file/openvex.json",
+			},
+			golden: "testdata/gomod-vex.json.golden",
+		},
+		{
+			name: "gomod with VEX repository",
+			args: args{
+				scanner: types.VulnerabilityScanner,
+				input:   "testdata/fixtures/repo/gomod",
+				vex:     "repo",
+			},
+			golden: "testdata/gomod-vex.json.golden",
+		},
 		{
 			name: "npm",
 			args: args{
@@ -105,8 +125,9 @@ func TestRepository(t *testing.T) {
 		{
 			name: "pnpm",
 			args: args{
-				scanner: types.VulnerabilityScanner,
-				input:   "testdata/fixtures/repo/pnpm",
+				scanner:     types.VulnerabilityScanner,
+				input:       "testdata/fixtures/repo/pnpm",
+				listAllPkgs: true,
 			},
 			golden: "testdata/pnpm.json.golden",
 		},
@@ -436,9 +457,15 @@ func TestRepository(t *testing.T) {
 	// Set up testing DB
 	cacheDir := initDB(t)

-	// Set a temp dir so that modules will not be loaded
+	// Set up VEX
+	initVEXRepository(t, cacheDir, cacheDir)
+
+	// Set a temp dir so that the VEX config will be loaded and modules will not be loaded
 	t.Setenv("XDG_DATA_HOME", cacheDir)

+	// Disable Go license detection
+	t.Setenv("GOPATH", cacheDir)
+
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			command := "repo"
@@ -531,6 +558,10 @@ func TestRepository(t *testing.T) {
 				osArgs = append(osArgs, "--secret-config", tt.args.secretConfig)
 			}

+			if tt.args.vex != "" {
+				osArgs = append(osArgs, "--vex", tt.args.vex)
+			}
+
 			runTest(t, osArgs, tt.golden, "", format, runOptions{
 				fakeUUID: "3ff14136-e09f-4df9-80ea-%012d",
 				override: tt.override,
--- a/integration/sbom_test.go
+++ b/integration/sbom_test.go
@@ -25,6 +25,7 @@ func TestSBOM(t *testing.T) {
 		name     string
 		args     args
 		golden   string
+		fakeUUID string
 		override OverrideFunc
 	}{
 		{
@@ -57,6 +58,16 @@ func TestSBOM(t *testing.T) {
 			},
 			golden: "testdata/fluentd-multiple-lockfiles.json.golden",
 		},
+		{
+			name: "scan SBOM into SBOM",
+			args: args{
+				input:        "testdata/fixtures/sbom/fluentd-multiple-lockfiles-cyclonedx.json",
+				format:       "cyclonedx",
+				artifactType: "cyclonedx",
+			},
+			fakeUUID: "3ff14136-e09f-4df9-80ea-%012d",
+			golden:   "testdata/fluentd-multiple-lockfiles-short.cdx.json.golden",
+		},
 		{
 			name: "minikube KBOM",
 			args: args{
@@ -165,6 +176,7 @@ func TestSBOM(t *testing.T) {
 			// Run "trivy sbom"
 			runTest(t, osArgs, tt.golden, outputFile, types.Format(tt.args.format), runOptions{
 				override: overrideFuncs(overrideSBOMReport, overrideUID, tt.override),
+				fakeUUID: tt.fakeUUID,
 			})
 		})
 	}
--- a/integration/standalone_tar_test.go
+++ b/integration/standalone_tar_test.go
@@ -8,6 +8,7 @@ import (
 	"strings"
 	"testing"

+	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/types"

 	"github.com/stretchr/testify/require"
@@ -15,13 +16,14 @@ import (

 func TestTar(t *testing.T) {
 	type args struct {
-		IgnoreUnfixed bool
-		Severity      []string
-		IgnoreIDs     []string
-		Format        types.Format
-		Input         string
-		SkipDirs      []string
-		SkipFiles     []string
+		IgnoreUnfixed     bool
+		Severity          []string
+		IgnoreIDs         []string
+		Format            types.Format
+		Input             string
+		SkipDirs          []string
+		SkipFiles         []string
+		DetectionPriority ftypes.DetectionPriority
 	}
 	tests := []struct {
 		name   string
@@ -240,7 +242,7 @@ func TestTar(t *testing.T) {
 			golden: "testdata/centos-7.json.golden",
 		},
 		{
-			name: "centos 7with --ignore-unfixed option",
+			name: "centos 7 with --ignore-unfixed option",
 			args: args{
 				IgnoreUnfixed: true,
 				Format:        types.FormatJSON,
@@ -274,6 +276,15 @@ func TestTar(t *testing.T) {
 			},
 			golden: "testdata/ubi-7.json.golden",
 		},
+		{
+			name: "ubi 7 with comprehensive priority",
+			args: args{
+				Format:            types.FormatJSON,
+				Input:             "testdata/fixtures/images/ubi-7.tar.gz",
+				DetectionPriority: ftypes.PriorityComprehensive,
+			},
+			golden: "testdata/ubi-7-comprehensive.json.golden",
+		},
 		{
 			name: "almalinux 8",
 			args: args{
@@ -322,6 +333,22 @@ func TestTar(t *testing.T) {
 			},
 			golden: "testdata/opensuse-leap-151.json.golden",
 		},
+		{
+			name: "opensuse tumbleweed",
+			args: args{
+				Format: types.FormatJSON,
+				Input:  "testdata/fixtures/images/opensuse-tumbleweed.tar.gz",
+			},
+			golden: "testdata/opensuse-tumbleweed.json.golden",
+		},
+		{
+			name: "sle micro rancher 5.4",
+			args: args{
+				Format: types.FormatJSON,
+				Input: "testdata/fixtures/images/sle-micro-rancher-5.4_ndb.tar.gz",
+			},
+			golden: "testdata/sl-micro-rancher5.4.json.golden",
+		},
 		{
 			name: "photon 3.0",
 			args: args{
@@ -372,7 +399,7 @@ func TestTar(t *testing.T) {
 				"-q",
 				"--format",
 				string(tt.args.Format),
-				"--skip-update",
+				"--skip-db-update",
 			}

 			if tt.args.IgnoreUnfixed {
@@ -403,6 +430,10 @@ func TestTar(t *testing.T) {
 				}
 			}

+			if tt.args.DetectionPriority != "" {
+				osArgs = append(osArgs, "--detection-priority", string(tt.args.DetectionPriority))
+			}
+
 			// Run Trivy
 			runTest(t, osArgs, tt.golden, "", tt.args.Format, runOptions{})
 		})
--- a/integration/testdata/alpine-310-registry.json.golden
+++ b/integration/testdata/alpine-310-registry.json.golden
@@ -1,374 +0,0 @@
-{
-  "SchemaVersion": 2,
-  "CreatedAt": "2021-08-25T12:20:30.000000005Z",
-  "ArtifactName": "alpine:3.10",
-  "ArtifactType": "container_image",
-  "Metadata": {
-    "OS": {
-      "Family": "alpine",
-      "Name": "3.10.2",
-      "EOSL": true
-    },
-    "ImageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4",
-    "DiffIDs": [
-      "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-    ],
-    "RepoTags": [
-      "alpine:3.10"
-    ],
-    "RepoDigests": [
-      "alpine@sha256:b1c5a500182b21d0bfa5a584a8526b56d8be316f89e87d951be04abed2446e60"
-    ],
-    "ImageConfig": {
-      "architecture": "amd64",
-      "container": "0a80155a31551fcc1a36fccbbda79fcd3f0b1c7d270653d00310e6e2217c57e6",
-      "created": "2019-08-20T20:19:55.211423266Z",
-      "docker_version": "18.06.1-ce",
-      "history": [
-        {
-          "created": "2019-08-20T20:19:55.062606894Z",
-          "created_by": "/bin/sh -c #(nop) ADD file:fe64057fbb83dccb960efabbf1cd8777920ef279a7fa8dbca0a8801c651bdf7c in / "
-        },
-        {
-          "created": "2019-08-20T20:19:55.211423266Z",
-          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
-          "empty_layer": true
-        }
-      ],
-      "os": "linux",
-      "rootfs": {
-        "type": "layers",
-        "diff_ids": [
-          "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        ]
-      },
-      "config": {
-        "Cmd": [
-          "/bin/sh"
-        ],
-        "Env": [
-          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-        ],
-        "Image": "sha256:06f4121dff4d0123ce11bd2e44f48da9ba9ddcd23ae376ea1f363f63ea0849b5",
-        "ArgsEscaped": true
-      }
-    }
-  },
-  "Results": [
-    {
-      "Target": "alpine:3.10 (alpine 3.10.2)",
-      "Class": "os-pkgs",
-      "Type": "alpine",
-      "Vulnerabilities": [
-        {
-          "VulnerabilityID": "CVE-2019-1549",
-          "PkgID": "libcrypto1.1@1.1.1c-r0",
-          "PkgName": "libcrypto1.1",
-          "PkgIdentifier": {
-            "PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2"
-          },
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Status": "fixed",
-          "Layer": {
-            "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
-          "DataSource": {
-            "ID": "alpine",
-            "Name": "Alpine Secdb",
-            "URL": "https://secdb.alpinelinux.org/"
-          },
-          "Title": "openssl: information disclosure in fork()",
-          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-330"
-          ],
-          "VendorSeverity": {
-            "amazon": 2,
-            "nvd": 2,
-            "oracle-oval": 2,
-            "photon": 2,
-            "redhat": 1,
-            "ubuntu": 1
-          },
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
-              "V2Score": 5,
-              "V3Score": 5.3
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-              "V3Score": 4.8
-            }
-          },
-          "References": [
-            "https://access.redhat.com/security/cve/CVE-2019-1549",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
-            "https://linux.oracle.com/cve/CVE-2019-1549.html",
-            "https://linux.oracle.com/errata/ELSA-2020-1840.html",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/",
-            "https://seclists.org/bugtraq/2019/Oct/1",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://support.f5.com/csp/article/K44070243",
-            "https://support.f5.com/csp/article/K44070243?utm_source=f5support\u0026amp;utm_medium=RSS",
-            "https://ubuntu.com/security/notices/USN-4376-1",
-            "https://usn.ubuntu.com/4376-1/",
-            "https://www.debian.org/security/2019/dsa-4539",
-            "https://www.openssl.org/news/secadv/20190910.txt",
-            "https://www.oracle.com/security-alerts/cpuapr2020.html",
-            "https://www.oracle.com/security-alerts/cpujan2020.html",
-            "https://www.oracle.com/security-alerts/cpujul2020.html",
-            "https://www.oracle.com/security-alerts/cpuoct2020.html",
-            "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2020-10-20T22:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1551",
-          "PkgID": "libcrypto1.1@1.1.1c-r0",
-          "PkgName": "libcrypto1.1",
-          "PkgIdentifier": {
-            "PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2"
-          },
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r2",
-          "Status": "fixed",
-          "Layer": {
-            "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-          "DataSource": {
-            "ID": "alpine",
-            "Name": "Alpine Secdb",
-            "URL": "https://secdb.alpinelinux.org/"
-          },
-          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-200"
-          ],
-          "VendorSeverity": {
-            "amazon": 1,
-            "nvd": 2,
-            "oracle-oval": 1,
-            "photon": 2,
-            "redhat": 1,
-            "ubuntu": 1
-          },
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
-              "V2Score": 5,
-              "V3Score": 5.3
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-              "V3Score": 4.8
-            }
-          },
-          "References": [
-            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
-            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://access.redhat.com/security/cve/CVE-2019-1551",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-            "https://github.com/openssl/openssl/pull/10575",
-            "https://linux.oracle.com/cve/CVE-2019-1551.html",
-            "https://linux.oracle.com/errata/ELSA-2020-4514.html",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/",
-            "https://seclists.org/bugtraq/2019/Dec/39",
-            "https://seclists.org/bugtraq/2019/Dec/46",
-            "https://security.gentoo.org/glsa/202004-10",
-            "https://security.netapp.com/advisory/ntap-20191210-0001/",
-            "https://ubuntu.com/security/notices/USN-4376-1",
-            "https://ubuntu.com/security/notices/USN-4504-1",
-            "https://usn.ubuntu.com/4376-1/",
-            "https://usn.ubuntu.com/4504-1/",
-            "https://www.debian.org/security/2019/dsa-4594",
-            "https://www.debian.org/security/2021/dsa-4855",
-            "https://www.openssl.org/news/secadv/20191206.txt",
-            "https://www.oracle.com/security-alerts/cpuApr2021.html",
-            "https://www.oracle.com/security-alerts/cpujan2021.html",
-            "https://www.oracle.com/security-alerts/cpujul2020.html",
-            "https://www.tenable.com/security/tns-2019-09",
-            "https://www.tenable.com/security/tns-2020-03",
-            "https://www.tenable.com/security/tns-2020-11",
-            "https://www.tenable.com/security/tns-2021-10"
-          ],
-          "PublishedDate": "2019-12-06T18:15:00Z",
-          "LastModifiedDate": "2021-07-21T11:39:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1549",
-          "PkgID": "libssl1.1@1.1.1c-r0",
-          "PkgName": "libssl1.1",
-          "PkgIdentifier": {
-            "PURL": "pkg:apk/alpine/libssl1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2"
-          },
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r0",
-          "Status": "fixed",
-          "Layer": {
-            "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
-          "DataSource": {
-            "ID": "alpine",
-            "Name": "Alpine Secdb",
-            "URL": "https://secdb.alpinelinux.org/"
-          },
-          "Title": "openssl: information disclosure in fork()",
-          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-330"
-          ],
-          "VendorSeverity": {
-            "amazon": 2,
-            "nvd": 2,
-            "oracle-oval": 2,
-            "photon": 2,
-            "redhat": 1,
-            "ubuntu": 1
-          },
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
-              "V2Score": 5,
-              "V3Score": 5.3
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-              "V3Score": 4.8
-            }
-          },
-          "References": [
-            "https://access.redhat.com/security/cve/CVE-2019-1549",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
-            "https://linux.oracle.com/cve/CVE-2019-1549.html",
-            "https://linux.oracle.com/errata/ELSA-2020-1840.html",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/",
-            "https://seclists.org/bugtraq/2019/Oct/1",
-            "https://security.netapp.com/advisory/ntap-20190919-0002/",
-            "https://support.f5.com/csp/article/K44070243",
-            "https://support.f5.com/csp/article/K44070243?utm_source=f5support\u0026amp;utm_medium=RSS",
-            "https://ubuntu.com/security/notices/USN-4376-1",
-            "https://usn.ubuntu.com/4376-1/",
-            "https://www.debian.org/security/2019/dsa-4539",
-            "https://www.openssl.org/news/secadv/20190910.txt",
-            "https://www.oracle.com/security-alerts/cpuapr2020.html",
-            "https://www.oracle.com/security-alerts/cpujan2020.html",
-            "https://www.oracle.com/security-alerts/cpujul2020.html",
-            "https://www.oracle.com/security-alerts/cpuoct2020.html",
-            "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
-          ],
-          "PublishedDate": "2019-09-10T17:15:00Z",
-          "LastModifiedDate": "2020-10-20T22:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2019-1551",
-          "PkgID": "libssl1.1@1.1.1c-r0",
-          "PkgName": "libssl1.1",
-          "PkgIdentifier": {
-            "PURL": "pkg:apk/alpine/libssl1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2"
-          },
-          "InstalledVersion": "1.1.1c-r0",
-          "FixedVersion": "1.1.1d-r2",
-          "Status": "fixed",
-          "Layer": {
-            "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
-            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-          },
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-          "DataSource": {
-            "ID": "alpine",
-            "Name": "Alpine Secdb",
-            "URL": "https://secdb.alpinelinux.org/"
-          },
-          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
-          "Severity": "MEDIUM",
-          "CweIDs": [
-            "CWE-200"
-          ],
-          "VendorSeverity": {
-            "amazon": 1,
-            "nvd": 2,
-            "oracle-oval": 1,
-            "photon": 2,
-            "redhat": 1,
-            "ubuntu": 1
-          },
-          "CVSS": {
-            "nvd": {
-              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
-              "V2Score": 5,
-              "V3Score": 5.3
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-              "V3Score": 4.8
-            }
-          },
-          "References": [
-            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
-            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-            "https://access.redhat.com/security/cve/CVE-2019-1551",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-            "https://github.com/openssl/openssl/pull/10575",
-            "https://linux.oracle.com/cve/CVE-2019-1551.html",
-            "https://linux.oracle.com/errata/ELSA-2020-4514.html",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/",
-            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/",
-            "https://seclists.org/bugtraq/2019/Dec/39",
-            "https://seclists.org/bugtraq/2019/Dec/46",
-            "https://security.gentoo.org/glsa/202004-10",
-            "https://security.netapp.com/advisory/ntap-20191210-0001/",
-            "https://ubuntu.com/security/notices/USN-4376-1",
-            "https://ubuntu.com/security/notices/USN-4504-1",
-            "https://usn.ubuntu.com/4376-1/",
-            "https://usn.ubuntu.com/4504-1/",
-            "https://www.debian.org/security/2019/dsa-4594",
-            "https://www.debian.org/security/2021/dsa-4855",
-            "https://www.openssl.org/news/secadv/20191206.txt",
-            "https://www.oracle.com/security-alerts/cpuApr2021.html",
-            "https://www.oracle.com/security-alerts/cpujan2021.html",
-            "https://www.oracle.com/security-alerts/cpujul2020.html",
-            "https://www.tenable.com/security/tns-2019-09",
-            "https://www.tenable.com/security/tns-2020-03",
-            "https://www.tenable.com/security/tns-2020-11",
-            "https://www.tenable.com/security/tns-2021-10"
-          ],
-          "PublishedDate": "2019-12-06T18:15:00Z",
-          "LastModifiedDate": "2021-07-21T11:39:00Z"
-        }
-      ]
-    }
-  ]
-}
--- a/integration/testdata/alpine-310.sarif.golden
+++ b/integration/testdata/alpine-310.sarif.golden
@@ -1,6 +1,6 @@
 {
  "version": "2.1.0",
-  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
  "runs": [
    {
      "tool": {
--- a/integration/testdata/alpine-39-high-critical.json.golden
+++ b/integration/testdata/alpine-39-high-critical.json.golden
@@ -106,7 +106,7 @@
          "PkgName": "musl-utils",
          "PkgIdentifier": {
            "PURL": "pkg:apk/alpine/musl-utils@1.1.20-r4?arch=x86_64\u0026distro=3.9.4",
-            "UID": "8c341199f4077fc8"
+            "UID": "a35dd6cab4aabdf1"
          },
          "InstalledVersion": "1.1.20-r4",
          "FixedVersion": "1.1.20-r5",
--- a/integration/testdata/alpine-39.json.golden
+++ b/integration/testdata/alpine-39.json.golden
@@ -418,7 +418,7 @@
          "PkgName": "musl-utils",
          "PkgIdentifier": {
            "PURL": "pkg:apk/alpine/musl-utils@1.1.20-r4?arch=x86_64\u0026distro=3.9.4",
-            "UID": "8c341199f4077fc8"
+            "UID": "a35dd6cab4aabdf1"
          },
          "InstalledVersion": "1.1.20-r4",
          "FixedVersion": "1.1.20-r5",
--- a/integration/testdata/alpine-distroless.json.golden
+++ b/integration/testdata/alpine-distroless.json.golden
@@ -55,7 +55,7 @@
          "PkgName": "git",
          "PkgIdentifier": {
            "PURL": "pkg:apk/alpine/git@2.35.1-r2?arch=x86_64\u0026distro=3.16",
-            "UID": "d44ac4666246b919"
+            "UID": "2999d822f6cae40c"
          },
          "InstalledVersion": "2.35.1-r2",
          "FixedVersion": "2.35.2-r0",
--- a/integration/testdata/conan.json.golden
+++ b/integration/testdata/conan.json.golden
@@ -171,7 +171,36 @@
          "FixedVersion": "8.45",
          "Status": "fixed",
          "Layer": {},
-          "Severity": "UNKNOWN"
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-14155",
+          "Title": "pcre: Integer overflow when parsing callout numeric arguments",
+          "Description": "libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring.",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-190"
+          ],
+          "VendorSeverity": {
+            "alma": 1,
+            "nvd": 2
+          },
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+              "V2Score": 5,
+              "V3Score": 5.3
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+              "V3Score": 5.3
+            }
+          },
+          "References": [
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14155",
+            "https://nvd.nist.gov/vuln/detail/CVE-2020-14155"
+          ],
+          "PublishedDate": "2020-06-15T17:15:00Z",
+          "LastModifiedDate": "2022-04-28T15:06:00Z"
        }
      ]
    }
--- a/integration/testdata/count-0.1.0-plugin-with-before-flag.txt.golden
+++ b/integration/testdata/count-0.1.0-plugin-with-before-flag.txt.golden
@@ -0,0 +1,5 @@
+Installed Plugins:
+  Name:    count
+  Version: 0.1.0
+
+Number of vulnerabilities: 1
--- a/integration/testdata/count-0.2.0-plugin.txt.golden
+++ b/integration/testdata/count-0.2.0-plugin.txt.golden
@@ -0,0 +1,5 @@
+Installed Plugins:
+  Name:    count
+  Version: 0.2.0
+
+Number of vulnerabilities: 2
--- a/integration/testdata/dotnet.json.golden
+++ b/integration/testdata/dotnet.json.golden
@@ -22,10 +22,11 @@
      "Type": "dotnet-core",
      "Packages": [
        {
+          "ID": "Newtonsoft.Json/9.0.1",
          "Name": "Newtonsoft.Json",
          "Identifier": {
            "PURL": "pkg:nuget/Newtonsoft.Json@9.0.1",
-            "UID": "19955f480b8a6340"
+            "UID": "e678401f5d07418a"
          },
          "Version": "9.0.1",
          "Layer": {},
@@ -40,10 +41,11 @@
      "Vulnerabilities": [
        {
          "VulnerabilityID": "GHSA-5crp-9r3c-p9vr",
+          "PkgID": "Newtonsoft.Json/9.0.1",
          "PkgName": "Newtonsoft.Json",
          "PkgIdentifier": {
            "PURL": "pkg:nuget/Newtonsoft.Json@9.0.1",
-            "UID": "19955f480b8a6340"
+            "UID": "e678401f5d07418a"
          },
          "InstalledVersion": "9.0.1",
          "FixedVersion": "13.0.1",
--- a/integration/testdata/fixtures/convert/npm-with-suppressed.json.golden
+++ b/integration/testdata/fixtures/convert/npm-with-suppressed.json.golden
@@ -0,0 +1,195 @@
+{
+  "SchemaVersion": 2,
+  "CreatedAt": "2024-09-09T13:21:09.230231+06:00",
+  "ArtifactName": "package-lock.json",
+  "ArtifactType": "filesystem",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  },
+  "Results": [
+    {
+      "Target": "package-lock.json",
+      "Class": "lang-pkgs",
+      "Type": "npm",
+      "Packages": [
+        {
+          "ID": "debug@3.0.1",
+          "Name": "debug",
+          "Identifier": {
+            "PURL": "pkg:npm/debug@3.0.1",
+            "UID": "45acc377fa09cc3"
+          },
+          "Version": "3.0.1",
+          "Relationship": "direct",
+          "DependsOn": [
+            "ms@2.0.0"
+          ],
+          "Layer": {},
+          "Locations": [
+            {
+              "StartLine": 11,
+              "EndLine": 19
+            }
+          ]
+        },
+        {
+          "ID": "ms@2.0.0",
+          "Name": "ms",
+          "Identifier": {
+            "PURL": "pkg:npm/ms@2.0.0",
+            "UID": "f51af0181daf2ced"
+          },
+          "Version": "2.0.0",
+          "Indirect": true,
+          "Relationship": "indirect",
+          "Layer": {},
+          "Locations": [
+            {
+              "StartLine": 20,
+              "EndLine": 25
+            }
+          ]
+        }
+      ],
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2017-20165",
+          "PkgID": "debug@3.0.1",
+          "PkgName": "debug",
+          "PkgIdentifier": {
+            "PURL": "pkg:npm/debug@3.0.1",
+            "UID": "45acc377fa09cc3"
+          },
+          "InstalledVersion": "3.0.1",
+          "FixedVersion": "3.1.0, 2.6.9",
+          "Status": "fixed",
+          "Layer": {},
+          "SeveritySource": "ghsa",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2017-20165",
+          "DataSource": {
+            "ID": "ghsa",
+            "Name": "GitHub Security Advisory npm",
+            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
+          },
+          "Title": "A vulnerability classified as problematic has been found in debug-js d ...",
+          "Description": "A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The identifier of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability.",
+          "Severity": "HIGH",
+          "CweIDs": [
+            "CWE-1333"
+          ],
+          "VendorSeverity": {
+            "ghsa": 3,
+            "nvd": 3
+          },
+          "CVSS": {
+            "ghsa": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+              "V3Score": 7.5
+            },
+            "nvd": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+              "V3Score": 7.5
+            }
+          },
+          "References": [
+            "https://github.com/debug-js/debug",
+            "https://github.com/debug-js/debug/commit/c38a0166c266a679c8de012d4eaccec3f944e685",
+            "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a",
+            "https://github.com/debug-js/debug/pull/504",
+            "https://github.com/debug-js/debug/releases/tag/2.6.9",
+            "https://github.com/debug-js/debug/releases/tag/3.1.0",
+            "https://nvd.nist.gov/vuln/detail/CVE-2017-20165",
+            "https://vuldb.com/?ctiid.217665",
+            "https://vuldb.com/?id.217665"
+          ],
+          "PublishedDate": "2023-01-09T10:15:10.447Z",
+          "LastModifiedDate": "2024-05-17T01:17:24.28Z"
+        }
+      ],
+      "ExperimentalModifiedFindings": [
+        {
+          "Type": "vulnerability",
+          "Status": "not_affected",
+          "Statement": "vulnerable_code_not_in_execute_path",
+          "Source": "./vex.json",
+          "Finding": {
+            "VulnerabilityID": "CVE-2017-16137",
+            "PkgID": "debug@3.0.1",
+            "PkgName": "debug",
+            "PkgIdentifier": {
+              "PURL": "pkg:npm/debug@3.0.1",
+              "UID": "45acc377fa09cc3"
+            },
+            "InstalledVersion": "3.0.1",
+            "FixedVersion": "2.6.9, 3.1.0, 3.2.7, 4.3.1",
+            "Status": "fixed",
+            "Layer": {},
+            "SeveritySource": "ghsa",
+            "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2017-16137",
+            "DataSource": {
+              "ID": "ghsa",
+              "Name": "GitHub Security Advisory npm",
+              "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
+            },
+            "Title": "nodejs-debug: Regular expression Denial of Service",
+            "Description": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.",
+            "Severity": "LOW",
+            "CweIDs": [
+              "CWE-400"
+            ],
+            "VendorSeverity": {
+              "ghsa": 1,
+              "nvd": 2,
+              "redhat": 2
+            },
+            "CVSS": {
+              "ghsa": {
+                "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
+                "V3Score": 3.7
+              },
+              "nvd": {
+                "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
+                "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+                "V2Score": 5,
+                "V3Score": 5.3
+              },
+              "redhat": {
+                "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+                "V3Score": 5.3
+              }
+            },
+            "References": [
+              "https://access.redhat.com/security/cve/CVE-2017-16137",
+              "https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020",
+              "https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290",
+              "https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac",
+              "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a",
+              "https://github.com/debug-js/debug/issues/797",
+              "https://github.com/visionmedia/debug",
+              "https://github.com/visionmedia/debug/issues/501",
+              "https://github.com/visionmedia/debug/pull/504",
+              "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3%40%3Ccommits.netbeans.apache.org%3E",
+              "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E",
+              "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63%40%3Cnotifications.netbeans.apache.org%3E",
+              "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E",
+              "https://nodesecurity.io/advisories/534",
+              "https://nvd.nist.gov/vuln/detail/CVE-2017-16137",
+              "https://www.cve.org/CVERecord?id=CVE-2017-16137"
+            ],
+            "PublishedDate": "2018-06-07T02:29:03.817Z",
+            "LastModifiedDate": "2023-11-07T02:40:28.13Z"
+          }
+        }
+      ]
+    }
+  ]
+}
--- a/integration/testdata/fixtures/db/opensuse.yaml
+++ b/integration/testdata/fixtures/db/opensuse.yaml
@@ -9,4 +9,11 @@
      pairs:
        - key: "openSUSE-SU-2020:0062-1"
          value:
-            FixedVersion: 1.1.0i-lp151.8.6.1
+            FixedVersion: 1.1.0i-lp151.8.6.1
+- bucket: "openSUSE Tumbleweed"
+  pairs:
+    - bucket: libopenssl3
+      pairs:
+        - key: "openSUSE-SU-2024:13065-1"
+          value:
+            FixedVersion: 3.1.5-9.1 # changed for test
--- a/integration/testdata/fixtures/db/python.yaml
+++ b/integration/testdata/fixtures/db/python.yaml
@@ -14,3 +14,11 @@
              - 0.11.6
            VulnerableVersions:
              - < 0.11.6
+    - bucket: setuptools
+      pairs:
+        - key: CVE-2022-40897
+          value:
+            PatchedVersions:
+              - 65.5.1
+            VulnerableVersions:
+              - < 65.5.1
--- a/integration/testdata/fixtures/db/suse.yaml
+++ b/integration/testdata/fixtures/db/suse.yaml
@@ -0,0 +1,19 @@
+- bucket: "SUSE Linux Enterprise 15-SP3"
+  pairs:
+    - bucket: libopenssl1_1
+      pairs:
+        - key: "SUSE-SU-2022:2251-1"
+          value:
+            FixedVersion: 1.1.1d-150200.11.48.1
+    - bucket: openssl-1_1
+      pairs:
+        - key: "SUSE-SU-2022:2251-1"
+          value:
+            FixedVersion: 1.1.1d-150200.11.48.1
+- bucket: "SUSE Linux Enterprise Micro 5.3"
+  pairs:
+    - bucket: libopenssl1_1
+      pairs:
+        - key: "SUSE-SU-2023:0311-1"
+          value:
+            FixedVersion: 1.1.1l-150400.7.22.1
--- a/Show More
+++ b/Show More