chore(mod): tidy (#1415)

* fix(rpc): fix nil layer transmit

Closes #1400

* added tests

.github/workflows/publish-chart.yaml

@@ -9,6 +9,8 @@ env:
   HELM_REP: helm-charts
   GH_OWNER: aquasecurity
   CHART_DIR: helm/trivy
+  KIND_VERSION: "v0.11.1"
+  KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"  
 jobs:
   release:
     runs-on: ubuntu-20.04
@@ -21,6 +23,26 @@ jobs:
         uses: azure/setup-helm@v1
         with:
           version: v3.5.0
+      - name: Set up python
+        uses: actions/setup-python@v2
+        with:
+          python-version: 3.7
+      - name: Setup Chart Linting
+        id: lint
+        uses: helm/chart-testing-action@v2.1.0
+      - name: Setup Kubernetes cluster (KIND)
+        uses: engineerd/setup-kind@v0.5.0
+        with:
+          version: ${{ env.KIND_VERSION }}
+          image: ${{ env.KIND_IMAGE }}
+      - name: Run chart-testing (w/Ingress)
+        run: ct lint-and-install --validate-maintainers=false --charts helm/trivy
+
+      - name: Run chart-testing (Ingress)
+        run: |
+          sed -i -e '97s,false,'true',g' ./helm/trivy/values.yaml
+          ct lint-and-install --validate-maintainers=false --charts helm/trivy
+
       - name: Install chart-releaser
         run: |
           wget https://github.com/helm/chart-releaser/releases/download/v1.1.1/chart-releaser_1.1.1_linux_amd64.tar.gz

.github/workflows/release.yaml

@@ -57,11 +57,10 @@ jobs:
           username: ${{ secrets.ECR_ACCESS_KEY_ID }}
           password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
       - name: Generate SBOM
-        uses: CycloneDX/gh-gomod-generate-sbom@v0.3.0
+        uses: CycloneDX/gh-gomod-generate-sbom@v1
         with:
-          json: true
-          output: bom.json
-          version: ^v0
+          args: mod -licenses -json -output bom.json
+          version: ^v1
       - name: Release
         uses: goreleaser/goreleaser-action@v2
         with:

contrib/install.sh

@@ -182,11 +182,11 @@ log_tag() {
 }
 log_debug() {
   log_priority 7 || return 0
-  echoerr "$(log_prefix)" "$(log_tag 7)" "$@"
+  echo "$(log_prefix)" "$(log_tag 7)" "$@"
 }
 log_info() {
   log_priority 6 || return 0
-  echoerr "$(log_prefix)" "$(log_tag 6)" "$@"
+  echo "$(log_prefix)" "$(log_tag 6)" "$@"
 }
 log_err() {
   log_priority 3 || return 0

contrib/sarif.tpl

@@ -1,6 +1,7 @@
 {
   "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
   "version": "2.1.0",
+  {{- $rules := makeRuleMap }}
   "runs": [
     {
       "tool": {
@@ -14,42 +15,39 @@
         {{- range $result := . }}
             {{- $vulnerabilityType := .Type }}
             {{- range .Vulnerabilities -}}
-              {{- if $t_first -}}
-                {{- $t_first = false -}}
-              {{ else -}}
-                ,
-              {{- end }}
-            {
-              "id": {{ printf "%s: %s-%s %s" $result.Target .PkgName .InstalledVersion .VulnerabilityID | toJson }},
-              "name": "{{ toSarifRuleName $vulnerabilityType }}",
-              "shortDescription": {
-                "text": {{ printf "%v Package: %v" .VulnerabilityID .PkgName | printf "%q" }}
-              },
-              "fullDescription": {
-                "text": {{ endWithPeriod (escapeString .Title) | printf "%q" }}
-              },
-              "defaultConfiguration": {
-                "level": "{{ toSarifErrorLevel .Vulnerability.Severity }}"
-              }
-              {{- with $help_uri := .PrimaryURL -}}
-              ,
-              {{ $help_uri | printf "\"helpUri\": %q," -}}
-              {{- else -}}
-              ,
-              {{- end }}
-              "help": {
-                "text": {{ printf "Vulnerability %v\nSeverity: %v\nPackage: %v\nInstalled Version: %v\nFixed Version: %v\nLink: [%v](%v)" .VulnerabilityID .Vulnerability.Severity .PkgName .InstalledVersion .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}},
-                "markdown": {{ printf "**Vulnerability %v**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|%v|%v|%v|%v|[%v](%v)|\n" .VulnerabilityID .Vulnerability.Severity .PkgName .InstalledVersion .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}}
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "{{ .Vulnerability.Severity }}",
-                  {{ .PkgName | printf "%q" }}
-                ],
-                "precision": "very-high"
-              }
-            }
+                {{- if indexRule $rules .VulnerabilityID -}}
+                  {{- if $t_first -}}
+                    {{- $t_first = false -}}
+                  {{ else -}}
+                    ,
+                  {{- end }}
+                {
+                  "id": {{ .VulnerabilityID | toJson }},
+                  "name": "{{ toSarifRuleName $vulnerabilityType }}",
+                  "shortDescription": {
+                    "text": {{ .VulnerabilityID | toJson }}
+                  },
+                  "fullDescription": {
+                    "text": {{ endWithPeriod (escapeString .Title) | printf "%q" }}
+                  },
+                  "defaultConfiguration": {
+                    "level": "{{ toSarifErrorLevel .Vulnerability.Severity }}"
+                  }
+                  {{- with $help_uri := .PrimaryURL -}}
+                  ,
+                  {{ $help_uri | printf "\"helpUri\": %q," -}}
+                  {{- else -}}
+                  ,
+                  {{- end }}
+                  "properties": {
+                    "tags": [
+                      "vulnerability",
+                      "{{ .Vulnerability.Severity }}"
+                    ],
+                    "precision": "very-high"
+                  }
+                }
+                {{- end -}}
             {{- end -}}
          {{- end -}}
           ]
@@ -66,8 +64,8 @@
             ,
           {{- end }}
         {
-          "ruleId": {{ printf "%s: %s-%s %s" $result.Target .PkgName .InstalledVersion .VulnerabilityID | toJson }},
-          "ruleIndex": {{ $index }},
+          "ruleId": {{ .VulnerabilityID | toJson }},
+          "ruleIndex": {{ index $rules .VulnerabilityID }},
           "level": "{{ toSarifErrorLevel $vulnerability.Vulnerability.Severity }}",
           "message": {
             "text": {{ endWithPeriod (escapeString $vulnerability.Description) | printf "%q" }}
@@ -77,6 +75,9 @@
               "artifactLocation": {
                 "uri": "{{ toPathUri $filePath }}",
                 "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
               }
             }
           }]
@@ -87,7 +88,7 @@
       "columnKind": "utf16CodeUnits",
       "originalUriBaseIds": {
         "ROOTPATH": {
-          "uri": "/"
+          "uri": "file:///"
         }
       }
     }

docs/advanced/community/references.md

@@ -0,0 +1,19 @@
+# External References
+There are external blogs and evaluations.
+
+## Blogs
+- [the vulnerability remediation lifecycle of Alpine containers][alpine]
+- [Continuous Container Vulnerability Testing with Trivy][semaphore]
+- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy][round-up]
+- [Docker Image Security: Static Analysis Tool Comparison – Anchore Engine vs Clair vs Trivy][tool-comparison]
+
+## Links
+- [Research Spike: evaluate Trivy for scanning running containers][gitlab]
+- [Istio evaluates scanners][istio]
+
+[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
+[semaphore]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy
+[round-up]: https://boxboat.com/2020/04/24/image-scanning-tech-compared/
+[tool-comparison]: https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/
+[gitlab]: https://gitlab.com/gitlab-org/gitlab/-/issues/270888
+[istio]: https://github.com/istio/release-builder/pull/687#issuecomment-874938417

docs/advanced/community/tools.md

@@ -0,0 +1,29 @@
+# Community Tools
+The open source community has been hard at work developing new tools for Trivy. You can check out some of them here.
+
+Have you created a tool that’s not listed? Add the name and description of your integration and open a pull request in the GitHub repository to get your change merged.
+
+## GitHub Actions
+
+| Actions                                    | Description                                                                      |
+| ------------------------------------------ | -------------------------------------------------------------------------------- |
+| [gitrivy][gitrivy]                         | GitHub Issue + Trivy                                                             |
+| [trivy-github-issues][trivy-github-issues] | GitHub Actions for creating GitHub Issues according to the Trivy scanning result |
+
+## CircleCI
+
+| Orb                                      | Description                               |
+| -----------------------------------------| ----------------------------------------- |
+| [fifteen5/trivy-orb][fifteen5/trivy-orb] | Orb for running Trivy, a security scanner |
+
+## Others
+
+| Name                                     | Description                               |
+| -----------------------------------------| ----------------------------------------- |
+| [Trivy Vulnerability Explorer][explorer] | Explore trivy vulnerability reports in your browser and create .trivyignore files interactively. Can be integrated in your CI/CD tooling with deep links.   |
+
+
+[trivy-github-issues]: https://github.com/marketplace/actions/trivy-github-issues
+[fifteen5/trivy-orb]: https://circleci.com/developer/orbs/orb/fifteen5/trivy-orb
+[gitrivy]: https://github.com/marketplace/actions/trivy-action
+[explorer]: https://dbsystel.github.io/trivy-vulnerability-explorer/

docs/advanced/integrations/bitbucket.md

@@ -0,0 +1,5 @@
+# Bitbucket Pipelines
+
+See [trivy-pipe][trivy-pipe] for the details.
+
+[trivy-pipe]: https://github.com/aquasecurity/trivy-pipe

docs/getting-started/further.md

@@ -18,13 +18,6 @@
 - [Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action][actions2]
 - [Using Trivy to Discover Vulnerabilities in VS Code Projects][vscode]
 
-## External Blogs/Links
-- [the vulnerability remediation lifecycle of Alpine containers][alpine]
-- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy][round-up]
-- [Docker Image Security: Static Analysis Tool Comparison – Anchore Engine vs Clair vs Trivy][tool-comparison]
-- [Research Spike: evaluate Trivy for scanning running containers][gitlab]
-- [Istio evaluates scanners][istio]
-
 [intro]: https://www.youtube.com/watch?v=AzOBGm7XxOA
 [cncf]: https://www.youtube.com/watch?v=XnYxX9uueoQ
 [server]: https://www.youtube.com/watch?v=tNQ-VlahtYM
@@ -37,9 +30,3 @@
 [actions]: https://blog.aquasec.com/devsecops-with-trivy-github-actions
 [actions2]: https://blog.aquasec.com/github-vulnerability-scanner-trivy
 [vscode]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-vs-code
-
-[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
-[round-up]: https://boxboat.com/2020/04/24/image-scanning-tech-compared/
-[tool-comparison]: https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/
-[gitlab]: https://gitlab.com/gitlab-org/gitlab/-/issues/270888
-[istio]: https://github.com/istio/release-builder/pull/687#issuecomment-874938417

docs/misconfiguration/comparison/cfsec.md

@@ -0,0 +1,25 @@
+# vs cfsec
+[cfsec][cfsec] uses static analysis of your CloudFormation templates to spot potential security issues.
+Trivy uses cfsec internally to scan both JSON and YAML configuration files, but Trivy doesn't support some features provided by cfsec.
+This section describes the differences between Trivy and cfsec.
+
+| Feature                     | Trivy                                   | cfsec                |
+| --------------------------- | --------------------------------------- | -------------------- |
+| Built-in Policies           | :material-check:                        | :material-check:     |
+| Custom Policies             | Rego[^1]                                | :material-close:     |
+| Policy Metadata[^2]         | :material-check:                        | :material-check:     |
+| Show Successes              | :material-check:                        | :material-check:     |
+| Disable Policies            | :material-check:                        | :material-check:     |
+| Show Issue Lines            | :material-close:                        | :material-check:     |
+| View Statistics             | :material-close:                        | :material-check:     |
+| Filtering by Severity       | :material-check:                        | :material-close:     |
+| Supported Formats           | Dockerfile, JSON, YAML, Terraform, etc. | CloudFormation JSON and YAML       |
+
+[^1]: CloudFormation files are not supported
+[^2]: To enrich the results such as ID, Title, Description, Severity, etc.
+
+cfsec is designed for CloudFormation.
+People who use only want to scan their CloudFormation templates should use cfsec.
+People who want to scan a wide range of configuration files should use Trivy.
+
+[cfsec]: https://github.com/aquasecurity/cfsec

docs/misconfiguration/comparison/tfsec.md

@@ -23,4 +23,4 @@ tfsec is designed for Terraform.
 People who use only Terraform should use tfsec.
 People who want to scan a wide range of configuration files should use Trivy.
 
-[tfsec]: https://github.com/tfsec/tfsec
+[tfsec]: https://github.com/aquasecurity/tfsec

docs/misconfiguration/iac.md

@@ -2,7 +2,7 @@
 
 ## Quick start
 
-Simply specify a directory containing IaC files such as Terraform and Dockerfile.
+Simply specify a directory containing IaC files such as Terraform, CloudFormation and Dockerfile.
 
 ``` bash
 $ trivy config [YOUR_IaC_DIRECTORY]
@@ -37,7 +37,7 @@ Trivy will automatically fetch the managed policies and will keep them up-to-dat
 The specified directory can contain mixed types of IaC files.
 Trivy automatically detects config types and applies relevant policies.
 
-For example, the following example holds IaC files for Terraform, Kubernetes, and Dockerfile in the same directory.
+For example, the following example holds IaC files for Terraform, CloudFormation, Kubernetes, and Dockerfile in the same directory.
 
 ``` bash
 $ ls iac/
@@ -149,8 +149,14 @@ You can see the config type next to each file name.
     ===================
     Tests: 23 (SUCCESSES: 14, FAILURES: 9, EXCEPTIONS: 0)
     Failures: 9 (HIGH: 6, CRITICAL: 1)
-    
+
     ...
+
+    bucket.yaml (cloudformation)
+    ============================
+    Tests: 9 (SUCCESSES: 3, FAILURES: 6, EXCEPTIONS: 0)
+    Failures: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 4, CRITICAL: 0)
+
     ```
 
 ## Example

docs/misconfiguration/policy/builtin.md

@@ -4,17 +4,18 @@
 
 Built-in policies are mainly written in [Rego][rego].
 Those policies are managed under [AppShield repository][appshield].
-Only Terraform's policies are currently powered by [tfsec][tfsec].
+Terraform policies are currently powered by [tfsec][tfsec] and CloudFormation policies are powered by [cfsec][cfsec].
 
 | Config type    | Source                        |
 | ---------------| ----------------------------- |
 | Kubernetes     | [AppShield][kubernetes]       |
 | Dockerfile     | [AppShield][docker]           |
 | Terraform      | [tfsec][tfsec-checks]         |
+| CloudFormation | [cfsec][cfsec-checks]         |
 
-For suggestions or issues regarding policy content, please open an issue under [AppShield][appshield] or [tfsec][tfsec] repository.
+For suggestions or issues regarding policy content, please open an issue under [AppShield][appshield], [tfsec][tfsec] or [cfsec][cfsec] repository.
 
-CloudFormation and Ansible are coming soon.
+Ansible are coming soon.
 
 ## Policy Distribution
 AppShield policies are distributed as an OPA bundle on [GitHub Container Registry][ghcr] (GHCR).
@@ -29,7 +30,9 @@ Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if th
 [kubernetes]: https://github.com/aquasecurity/appshield/tree/master/kubernetes
 [docker]: https://github.com/aquasecurity/appshield/tree/master/docker
 [tfsec-checks]: https://tfsec.dev/docs/aws/home/
-[tfsec]: https://github.com/tfsec/tfsec
+[tfsec]: https://github.com/aquasecurity/tfsec
+[cfsec-checks]: https://cfsec.dev/
+[cfsec]: https://github.com/aquasecurity/cfsec
 [ghcr]: https://github.com/aquasecurity/appshield/pkgs/container/appshield
 
 [dockerfile-bestpractice]: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/

examples/misconf/mixed/configs/bucket.yaml

@@ -0,0 +1,24 @@
+---
+AWSTemplateFormatVersion: "2010-09-09"
+Description: An example Stack for a bucket
+Parameters:
+  BucketName: 
+    Type: String
+    Default: naughty-bucket
+  EncryptBucket:
+    Type: Boolean
+    Default: false
+Resources:
+  S3Bucket:
+    Type: 'AWS::S3::Bucket'
+    Properties:
+      BucketName:
+        Ref: BucketName
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: false
+        BlockPublicPolicy: false
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: false
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+        - BucketKeyEnabled: !Ref EncryptBucket

go.mod

@@ -7,8 +7,8 @@ require (
 	github.com/Masterminds/sprig v2.22.0+incompatible
 	github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/fanal v0.0.0-20211014152324-29fbacfbfca4
-	github.com/aquasecurity/go-dep-parser v0.0.0-20211013074621-eb58e8565220
+	github.com/aquasecurity/fanal v0.0.0-20211111090223-628ff1de3ee1
+	github.com/aquasecurity/go-dep-parser v0.0.0-20211110174639-8257534ffed3
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
@@ -17,8 +17,9 @@ require (
 	github.com/caarlos0/env/v6 v6.0.0
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cheggaaa/pb/v3 v3.0.3
-	github.com/containerd/containerd v1.5.4 // indirect
-	github.com/docker/docker v20.10.8+incompatible
+	github.com/containerd/containerd v1.5.7 // indirect
+	github.com/docker/cli v20.10.9+incompatible // indirect
+	github.com/docker/docker v20.10.10+incompatible
 	github.com/docker/go-connections v0.4.0
 	github.com/fatih/color v1.10.0
 	github.com/go-redis/redis/v8 v8.11.4
@@ -32,11 +33,10 @@ require (
 	github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
 	github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
 	github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936
-	github.com/kylelemons/godebug v1.1.0
 	github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08
 	github.com/mitchellh/copystructure v1.1.1 // indirect
 	github.com/olekukonko/tablewriter v0.0.5
-	github.com/open-policy-agent/opa v0.32.0
+	github.com/open-policy-agent/opa v0.34.0
 	github.com/spf13/afero v1.6.0
 	github.com/stretchr/objx v0.3.0 // indirect
 	github.com/stretchr/testify v1.7.0

go.sum

@@ -144,8 +144,8 @@ github.com/Microsoft/hcsshim v0.8.10/go.mod h1:g5uw8EV2mAlzqe94tfNBNdr89fnbD/n3H
 github.com/Microsoft/hcsshim v0.8.14/go.mod h1:NtVKoYxQuTLx6gEq0L96c9Ju4JbRJ4nY2ow3VK6a9Lg=
 github.com/Microsoft/hcsshim v0.8.15/go.mod h1:x38A4YbHbdxJtc0sF6oIz+RG0npwSCAvn69iY6URG00=
 github.com/Microsoft/hcsshim v0.8.16/go.mod h1:o5/SZqmR7x9JNKsW3pu+nqHm0MF8vbA+VxGOoXdC600=
-github.com/Microsoft/hcsshim v0.8.18 h1:cYnKADiM1869gvBpos3YCteeT6sZLB48lB5dmMMs8Tg=
-github.com/Microsoft/hcsshim v0.8.18/go.mod h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwTOcER2fw4I4=
+github.com/Microsoft/hcsshim v0.8.21 h1:btRfUDThBE5IKcvI8O8jOiIkujUsAMBSRsYDYmEi6oM=
+github.com/Microsoft/hcsshim v0.8.21/go.mod h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwTOcER2fw4I4=
 github.com/Microsoft/hcsshim/test v0.0.0-20200826032352-301c83a30e7c/go.mod h1:30A5igQ91GEmhYJF8TaRP79pMBOYynRsyOByfVV0dU4=
 github.com/Microsoft/hcsshim/test v0.0.0-20201218223536-d3e5debf77da/go.mod h1:5hlzMzRKMLyo42nCZ9oml8AdTlq/0cvIaBv6tK1RehU=
 github.com/Microsoft/hcsshim/test v0.0.0-20210227013316-43a75bb4edd3/go.mod h1:mw7qgWloBUl75W/gVH3cQszUg1+gUITj7D6NY7ywVnY=
@@ -181,8 +181,8 @@ github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk5
 github.com/alexflint/go-filemutex v0.0.0-20171022225611-72bdc8eae2ae/go.mod h1:CgnQgUtFrFz9mxFNtED3jI5tLDjKlOM+oUF/sTk6ps0=
 github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a h1:HbKu58rmZpUGpz5+4FfNmIU+FmZg2P3Xaj2v2bfNWmk=
 github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a/go.mod h1:SGnFV6hVsYE877CKEZ6tDNTjaSXYUk6QqoIK6PrAtcc=
-github.com/alicebob/miniredis/v2 v2.15.1 h1:Fw+ixAJPmKhCLBqDwHlTDqxUxp0xjEwXczEpt1B6r7k=
-github.com/alicebob/miniredis/v2 v2.15.1/go.mod h1:gquAfGbzn92jvtrSC69+6zZnwSODVXVpYDRaGhWaL6I=
+github.com/alicebob/miniredis/v2 v2.16.0 h1:ALkyFg7bSTEd1Mkrb4ppq4fnwjklA59dVtIehXCUZkU=
+github.com/alicebob/miniredis/v2 v2.16.0/go.mod h1:gquAfGbzn92jvtrSC69+6zZnwSODVXVpYDRaGhWaL6I=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo4JG6LR5AXSUEsOjtdm0kw0FtQtMJA=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
@@ -202,10 +202,14 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
-github.com/aquasecurity/fanal v0.0.0-20211014152324-29fbacfbfca4 h1:RrAmWx9s6pfVPGCsCJ2Chn5D2b7XLp1Y3b4V3+tAPBw=
-github.com/aquasecurity/fanal v0.0.0-20211014152324-29fbacfbfca4/go.mod h1:NCL58z+VfrTEM1JSGSbPNm069n3JSdb5cHRntnS069c=
-github.com/aquasecurity/go-dep-parser v0.0.0-20211013074621-eb58e8565220 h1:4ck6/2PNmzcNPUgFT3gCq6oVFB/Do/qiasRuBL9xGDI=
-github.com/aquasecurity/go-dep-parser v0.0.0-20211013074621-eb58e8565220/go.mod h1:Zc7Eo6tFl9l4XcqsWeabD7jHnXRBK/LdgZuu9GTSVLU=
+github.com/aquasecurity/cfsec v0.0.12 h1:6zvaJ34qKbElT5CyeMDre5WxtphPCt+XXKqz0Atj14s=
+github.com/aquasecurity/cfsec v0.0.12/go.mod h1:26CqZRuXnPWAEqN2duORHQAPfz8Fh5FjVE+AT0wu78k=
+github.com/aquasecurity/defsec v0.0.30 h1:7GSGUUH0xeWRlyLeksdYz+PLZqQu6taICzapGvdlu4c=
+github.com/aquasecurity/defsec v0.0.30/go.mod h1:E53TX/xJkcgpJyF5GPSat3Z+cZiLyvSNBdJAyfdl3fc=
+github.com/aquasecurity/fanal v0.0.0-20211111090223-628ff1de3ee1 h1:DcI5huCvagGpr76rSSlCdVswddg2EhJwFvd4mz1th6M=
+github.com/aquasecurity/fanal v0.0.0-20211111090223-628ff1de3ee1/go.mod h1:7ccP6Dl7W77nc1rX+T+beH5IHPTDwoFqE2bW9nnEFTY=
+github.com/aquasecurity/go-dep-parser v0.0.0-20211110174639-8257534ffed3 h1:zYNhYU4HUqJq+Lqhwf68gvd+v0cKqM2XOmggtHYLkoU=
+github.com/aquasecurity/go-dep-parser v0.0.0-20211110174639-8257534ffed3/go.mod h1:Zc7Eo6tFl9l4XcqsWeabD7jHnXRBK/LdgZuu9GTSVLU=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
 github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798 h1:eveqE9ivrt30CJ7dOajOfBavhZ4zPqHcZe/4tKp0alc=
@@ -217,8 +221,9 @@ github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492 h1:rcEG5HI
 github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492/go.mod h1:9Beu8XsUNNfzml7WBf3QmyPToP1wm1Gj/Vc5UJKqTzU=
 github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516 h1:moQmzbpLo5dxHQCyEhqzizsDSNrNhn/7uRTCZzo4A1o=
 github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516/go.mod h1:gTd97VdQ0rg8Mkiic3rPgNOQdprZ7feTAhiD5mGQjgM=
-github.com/aquasecurity/tfsec v0.58.11 h1:JDcjZz73PXOdNznaohonB1uluZD/gJI/TW8Iukjbn9E=
-github.com/aquasecurity/tfsec v0.58.11/go.mod h1:RcgH8QFJSE+p7Sf/WAF7chGTL/xULi7muiNdqIsUkOE=
+github.com/aquasecurity/tfsec v0.58.14/go.mod h1:RcgH8QFJSE+p7Sf/WAF7chGTL/xULi7muiNdqIsUkOE=
+github.com/aquasecurity/tfsec v0.59.0 h1:HATgpKbiUEWnJ8PU3CJpHMJCEhVgJG9E32m7uEp44oo=
+github.com/aquasecurity/tfsec v0.59.0/go.mod h1:MR3uDlWu+fBTisFndR+NwjSGt06RBhkE++JzKRJ0Ggs=
 github.com/aquasecurity/trivy-db v0.0.0-20210916043317-726b7b72a47b h1:RaS93vlHzgreZk3CYqcNgoqukwbsBEYhAiE6qmhLwB0=
 github.com/aquasecurity/trivy-db v0.0.0-20210916043317-726b7b72a47b/go.mod h1:5h8GV7Qxp/SMJ4awWHs0KRxwVkKzcwOnRkORWOnCXRU=
 github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2/go.mod h1:6NhOP0CjZJL27bZZcaHECtzWdwDDm2g6yCY0QgXEGQQ=
@@ -241,8 +246,8 @@ github.com/aws/aws-sdk-go v1.20.6/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN
 github.com/aws/aws-sdk-go v1.25.11/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go v1.27.1/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go v1.31.6/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
-github.com/aws/aws-sdk-go v1.41.0 h1:XUzHLFWQVhmFtmKTodnAo5QdooPQfpVfilCxIV3aLoE=
-github.com/aws/aws-sdk-go v1.41.0/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q=
+github.com/aws/aws-sdk-go v1.42.0 h1:BMZws0t8NAhHFsfnT3B40IwD13jVDG5KerlRksctVIw=
+github.com/aws/aws-sdk-go v1.42.0/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q=
 github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59/go.mod h1:q/89r3U2H7sSsE2t6Kca0lfwTK8JdoNGS/yzM/4iH5I=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
@@ -254,6 +259,7 @@ github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d h1:xDfNPAt8lFiC1U
 github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d/go.mod h1:6QX/PXZ00z/TKoufEY6K/a0k6AhaJrQKdFe6OfVXsa4=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/bitly/go-simplejson v0.5.0/go.mod h1:cXHtHw4XUPsvGaxgjIAn8PhEWG9NfngEKAMDJEczWVA=
+github.com/bits-and-blooms/bitset v1.2.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA=
 github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84=
 github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM=
 github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb/go.mod h1:PkYb9DJNAwrSvRx5DYA+gUcOIgTGVMNkfSCbZM8cWpI=
@@ -275,8 +281,8 @@ github.com/buger/jsonparser v0.0.0-20180808090653-f4dd9f5a6b44/go.mod h1:bbYlZJ7
 github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd/go.mod h1:2oa8nejYd4cQ/b0hMIopN0lCRxU0bueqREvZLWFrtK8=
 github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b/go.mod h1:obH5gd0BsqsP2LwDJ9aOkm/6J86V6lyAXCoQWGw3K50=
 github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0/go.mod h1:D/8v3kj0zr8ZAKg1AQ6crr+5VwKN5eIywRkfhyM/+dE=
-github.com/bytecodealliance/wasmtime-go v0.29.0 h1:NEME96y0YKAUjOkTw5/2w1OZ9TLy9FJ+Q7SWW4L/X0o=
-github.com/bytecodealliance/wasmtime-go v0.29.0/go.mod h1:q320gUxqyI8yB+ZqRuaJOEnGkAnHh6WtJjMaT2CW4wI=
+github.com/bytecodealliance/wasmtime-go v0.30.0 h1:WfYpr4WdqInt8m5/HvYinf+HrSEAIhItKIcth+qb1h4=
+github.com/bytecodealliance/wasmtime-go v0.30.0/go.mod h1:q320gUxqyI8yB+ZqRuaJOEnGkAnHh6WtJjMaT2CW4wI=
 github.com/caarlos0/ctrlc v1.0.0/go.mod h1:CdXpj4rmq0q/1Eb44M9zi2nKB0QraNKuRGYGrrHhcQw=
 github.com/caarlos0/env/v6 v6.0.0 h1:NZt6FAoB8ieKO5lEwRdwCzYxWFx7ZYF2R7UcoyaWtyc=
 github.com/caarlos0/env/v6 v6.0.0/go.mod h1:+wdyOmtjoZIW2GJOc2OYa5NoOFuWD/bIpWqm30NgtRk=
@@ -292,6 +298,7 @@ github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XL
 github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE=
 github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/checkpoint-restore/go-criu/v4 v4.1.0/go.mod h1:xUQBLp4RLc5zJtWY++yjOoMoB5lihDt7fai+75m+rGw=
+github.com/checkpoint-restore/go-criu/v5 v5.0.0/go.mod h1:cfwC0EG7HMUenopBsUf9d89JlCLQIfgVcNsNN0t6T2M=
 github.com/cheggaaa/pb v1.0.27 h1:wIkZHkNfC7R6GI5w7l/PdAdzXzlrbcI3p8OAlnkTsnc=
 github.com/cheggaaa/pb v1.0.27/go.mod h1:pQciLPpbU0oxA0h+VJYYLxO+XeDQb5pZijXscXHm81s=
 github.com/cheggaaa/pb/v3 v3.0.3 h1:8WApbyUmgMOz7WIxJVNK0IRDcRfAmTxcEdi0TuxjdP4=
@@ -303,6 +310,7 @@ github.com/cilium/ebpf v0.0.0-20200110133405-4032b1d8aae3/go.mod h1:MA5e5Lr8slmE
 github.com/cilium/ebpf v0.0.0-20200702112145-1c8d4c9ef775/go.mod h1:7cR51M8ViRLIdUjrmSXlK9pkrsDlLHbO8jiB8X8JnOc=
 github.com/cilium/ebpf v0.2.0/go.mod h1:To2CFviqOWL/M0gIMsvSMlqe7em/l1ALkX1PyjrX2Qs=
 github.com/cilium/ebpf v0.4.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
+github.com/cilium/ebpf v0.6.2/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
@@ -346,8 +354,8 @@ github.com/containerd/containerd v1.5.0-beta.4/go.mod h1:GmdgZd2zA2GYIBZ0w09Zvgq
 github.com/containerd/containerd v1.5.0-rc.0/go.mod h1:V/IXoMqNGgBlabz3tHD2TWDoTJseu1FGOKuoA4nNb2s=
 github.com/containerd/containerd v1.5.1/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g=
 github.com/containerd/containerd v1.5.2/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g=
-github.com/containerd/containerd v1.5.4 h1:uPF0og3ByFzDnaStfiQj3fVGTEtaSNyU+bW7GR/nqGA=
-github.com/containerd/containerd v1.5.4/go.mod h1:sx18RgvW6ABJ4iYUw7Q5x7bgFOAB9B6G7+yO0XBc4zw=
+github.com/containerd/containerd v1.5.7 h1:rQyoYtj4KddB3bxG6SAqd4+08gePNyJjRqvOIfV3rkM=
+github.com/containerd/containerd v1.5.7/go.mod h1:gyvv6+ugqY25TiXxcZC3L5yOeYgEw0QMhscqVp1AR9c=
 github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
 github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
 github.com/containerd/continuity v0.0.0-20191127005431-f65d91d395eb/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
@@ -442,8 +450,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/denverdino/aliyungo v0.0.0-20190125010748-a747050bb1ba/go.mod h1:dV8lFg6daOBZbT6/BDGIz6Y3WFGn8juu6G+CQ6LHtl0=
 github.com/devigned/tab v0.1.1/go.mod h1:XG9mPq0dFghrYvoBF3xdRrJzSTX1b7IQrvaL9mzjeJY=
-github.com/dgraph-io/badger/v3 v3.2103.1 h1:zaX53IRg7ycxVlkd5pYdCeFp1FynD6qBGQoQql3R3Hk=
-github.com/dgraph-io/badger/v3 v3.2103.1/go.mod h1:dULbq6ehJ5K0cGW/1TQ9iSfUk0gbSiToDWmWmTsJ53E=
+github.com/dgraph-io/badger/v3 v3.2103.2 h1:dpyM5eCJAtQCBcMCZcT4UBZchuTJgCywerHHgmxfxM8=
+github.com/dgraph-io/badger/v3 v3.2103.2/go.mod h1:RHo4/GmYcKKh5Lxu63wLEMHJ70Pac2JqZRYGhlyAo2M=
 github.com/dgraph-io/ristretto v0.1.0 h1:Jv3CGQHp9OjuMBSne1485aDpUkTKEcUqF+jm/LuerPI=
 github.com/dgraph-io/ristretto v0.1.0/go.mod h1:fux0lOrBhrVCJd3lcTHsIJhq1T2rokOu6v9Vcb3Q9ug=
 github.com/dgrijalva/jwt-go v0.0.0-20170104182250-a601269ab70c/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
@@ -458,8 +466,9 @@ github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyG
 github.com/docker/cli v0.0.0-20190925022749-754388324470/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/cli v0.0.0-20191017083524-a8ff7f821017/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/cli v20.10.0-beta1.0.20201029214301-1d20b15adc38+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/cli v20.10.7+incompatible h1:pv/3NqibQKphWZiAskMzdz8w0PRbtTaEB+f6NwdU7Is=
 github.com/docker/cli v20.10.7+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v20.10.9+incompatible h1:OJ7YkwQA+k2Oi51lmCojpjiygKpi76P7bg91b2eJxYU=
+github.com/docker/cli v20.10.9+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v0.0.0-20190905152932-14b96e55d84c/go.mod h1:0+TTO4EOBfRPhZXAeF1Vu+W3hHZ8eLp8PgKVZlcvtFY=
 github.com/docker/distribution v2.6.0-rc.1.0.20180327202408-83389a148052+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/distribution v2.7.1-0.20190205005809-0d3efadf0154+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
@@ -472,8 +481,8 @@ github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r
 github.com/docker/docker v17.12.0-ce-rc1.0.20200730172259-9f28837c1d93+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker v20.10.0-beta1.0.20201110211921-af34b94a78a1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker v20.10.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/docker v20.10.8+incompatible h1:RVqD337BgQicVCzYrrlhLDWhq6OAD2PJDUg2LsEUvKM=
-github.com/docker/docker v20.10.8+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v20.10.10+incompatible h1:GKkP0T7U4ks6X3lmmHKC2QDprnpRJor2Z5a8m62R9ZM=
+github.com/docker/docker v20.10.10+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.6.3 h1:zI2p9+1NQYdnG6sMU26EX4aVGlqbInSQxQXLvzJ4RPQ=
 github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y=
 github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
@@ -523,8 +532,9 @@ github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8
 github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
 github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
+github.com/fsnotify/fsnotify v1.5.1 h1:mZcQUHVQUQWoPXXtuf9yuEXKudkV2sx1E06UadKWpgI=
+github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5Ai1i3InKU=
 github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA=
 github.com/garyburd/redigo v0.0.0-20150301180006-535138d7bcd7/go.mod h1:NR3MbYisc3/PwhQ00EMzDiPmrwpPxAn5GI05/YaO1SY=
 github.com/gdamore/encoding v1.0.0/go.mod h1:alR0ol34c49FCSBLjhosxzcPHQbf2trDkoo5dl+VrEg=
@@ -700,7 +710,6 @@ github.com/google/btree v0.0.0-20180124185431-e89373fe6b4a/go.mod h1:lNA+9X1NB3Z
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/crfs v0.0.0-20191108021818-71d77da419c9/go.mod h1:etGhoOqfwPkooV6aqoX3eBGQOJblqdoc9XvWOeuxpPw=
-github.com/google/flatbuffers v1.12.0/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
 github.com/google/flatbuffers v1.12.1 h1:MVlul7pQNoDzWRLTw5imwYsl+usrS1TXG2H4jg6ImGw=
 github.com/google/flatbuffers v1.12.1/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
@@ -964,6 +973,8 @@ github.com/leodido/go-urn v1.2.0 h1:hpXL4XnriNwQ/ABnpepYM/1vCLWNDfUNts8dX3xTG6Y=
 github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII=
 github.com/liamg/clinch v1.5.6/go.mod h1:IXM+nLBuZ5sOQAYYf9+G51nkaA0WY9cszxE5nPXexhE=
 github.com/liamg/gifwrap v0.0.6/go.mod h1:oW1r2vIWLYyxW+U0io7YbpPSDIJ79FTlZ+hPnXFLW6E=
+github.com/liamg/jfather v0.0.2 h1:OXKKl9ZAAu9VqIs0D9kgiBTr6lXqlmvc72o/e/VPnHk=
+github.com/liamg/jfather v0.0.2/go.mod h1:xXBGiBoiZ6tmHhfy5Jzw8sugzajwYdi6VosIpB3/cPM=
 github.com/liamg/tml v0.3.0/go.mod h1:0h4EAV/zBOsqI91EWONedjRpO8O0itjGJVd+wG5eC+E=
 github.com/liamg/tml v0.4.0/go.mod h1:0h4EAV/zBOsqI91EWONedjRpO8O0itjGJVd+wG5eC+E=
 github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
@@ -1118,8 +1129,8 @@ github.com/onsi/gomega v1.10.3/go.mod h1:V9xEwhxec5O8UDM77eCW8vLymOMltsqPVYWrpDs
 github.com/onsi/gomega v1.16.0 h1:6gjqkI8iiRHMvdccRJM8rVKjCWk6ZIm6FTm3ddIe4/c=
 github.com/onsi/gomega v1.16.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
-github.com/open-policy-agent/opa v0.32.0 h1:AwGxE6FqZ3jJ8udsiU+7YszncmiCnJhPwi/uJUVqVSs=
-github.com/open-policy-agent/opa v0.32.0/go.mod h1:5sJdtc+1/U8zy/j30njpQl6u9rM4MzTOhG9EW1uOmsY=
+github.com/open-policy-agent/opa v0.34.0 h1:obGIZ8DSgFQ2SDt3jJwFCzcgJxthoEKQALQ1QJdUxt0=
+github.com/open-policy-agent/opa v0.34.0/go.mod h1:buysXn+6zB/b+6JgLkP4WgKZ9+UgUtFAgtemYGrL9Ik=
 github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
 github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
 github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
@@ -1136,17 +1147,20 @@ github.com/opencontainers/runc v1.0.0-rc10/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2r
 github.com/opencontainers/runc v1.0.0-rc8.0.20190926000215-3e425f80a8c9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
 github.com/opencontainers/runc v1.0.0-rc9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
 github.com/opencontainers/runc v1.0.0-rc92/go.mod h1:X1zlU4p7wOlX4+WRCz+hvlRv8phdL7UqbYD+vQwNMmE=
-github.com/opencontainers/runc v1.0.0-rc93 h1:x2UMpOOVf3kQ8arv/EsDGwim8PTNqzL1/EYDr/+scOM=
 github.com/opencontainers/runc v1.0.0-rc93/go.mod h1:3NOsor4w32B2tC0Zbl8Knk4Wg84SM2ImC1fxBuqJ/H0=
+github.com/opencontainers/runc v1.0.2 h1:opHZMaswlyxz1OuGpBE53Dwe4/xF7EZTY0A2L/FpCOg=
+github.com/opencontainers/runc v1.0.2/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0=
 github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.2-0.20190207185410-29686dbc5559/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.3-0.20200728170252-4d89ac9fbff6/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs=
 github.com/opencontainers/selinux v1.6.0/go.mod h1:VVGKuOLlE7v4PJyT6h7mNWvq1rzqiriPsEqVhc+svHE=
 github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo=
+github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8=
 github.com/opentracing-contrib/go-stdlib v1.0.0/go.mod h1:qtI1ogk+2JhVPIXVc6q+NHziSmy2W5GbdQZFUHADCBU=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
@@ -1155,6 +1169,7 @@ github.com/openzipkin/zipkin-go v0.1.3/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTm
 github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw=
 github.com/owenrumney/go-sarif v1.0.10/go.mod h1:sgJM0ZaZ28jT8t8Iq3/mUCFBW9cX09EobIBXYOhiYBc=
 github.com/owenrumney/go-sarif v1.0.11/go.mod h1:hTBFbxU7GuVRUvwMx+eStp9M/Oun4xHCS3vqpPvket8=
+github.com/owenrumney/go-sarif v1.0.12/go.mod h1:Jk5smXU9QuCqTdh4N3PehnG+azzrf0XcQ267ZwAG8Ho=
 github.com/owenrumney/squealer v0.2.28 h1:LYsqUHal+5QlANjbZ+h44SN5kIZSfHCWKUzBAS1KwB0=
 github.com/owenrumney/squealer v0.2.28/go.mod h1:wwVPzhjiUBILIdDtnzGSEcapXczIj/tONP+ZJ49IhPY=
 github.com/parnurzeal/gorequest v0.2.16/go.mod h1:3Kh2QUMJoqw3icWAecsyzkpY7UzRfDhbRdTjtNwNiUE=
@@ -1424,8 +1439,9 @@ github.com/zclconf/go-cty v1.6.1/go.mod h1:VDR4+I79ubFBGm1uJac1226K5yANQFHeauxPB
 github.com/zclconf/go-cty v1.8.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
 github.com/zclconf/go-cty v1.8.3/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
 github.com/zclconf/go-cty v1.8.4/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
-github.com/zclconf/go-cty v1.9.1 h1:viqrgQwFl5UpSxc046qblj78wZXVDFnSOufaOTER+cc=
 github.com/zclconf/go-cty v1.9.1/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
+github.com/zclconf/go-cty v1.10.0 h1:mp9ZXQeIcN8kAwuqorjH+Q+njbJKjLrvB2yIh4q7U+0=
+github.com/zclconf/go-cty v1.10.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
 github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b/go.mod h1:ZRKQfBXbGkpdV6QMzT3rU1kSTAnfu1dO8dPKjYprgj8=
 github.com/zclconf/go-cty-yaml v1.0.2 h1:dNyg4QLTrv2IfJpm7Wtxi55ed5gLGOlPrZ6kMd51hY0=
 github.com/zclconf/go-cty-yaml v1.0.2/go.mod h1:IP3Ylp0wQpYm50IHK8OZWKMu6sPJIUgKa8XhiVHura0=
@@ -1741,12 +1757,14 @@ golang.org/x/sys v0.0.0-20210324051608-47abb6519492/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210502180810-71e4cd670f79/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf h1:2ucpDCmfkl8Bd/FsLtiD653Wf96cW37s+iGx93zsu4k=
 golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=

goreleaser.yml

@@ -20,6 +20,7 @@ builds:
       - arm
       - arm64
       - ppc64le
+      - s390x
     goarm:
       - 7
     ignore:

helm/trivy/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: trivy
-version: 0.4.5
-appVersion: "0.18.3"
+version: 0.4.7
+appVersion: "0.21.0"
 description: Trivy helm chart
 keywords:
   - scanner

helm/trivy/templates/ingress.yaml

@@ -1,9 +1,11 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "trivy.fullname" . -}}
-{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}}
+{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
 apiVersion: networking.k8s.io/v1
-{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" -}}
+{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }}
 apiVersion: networking.k8s.io/v1beta1
+{{- else }}
+apiVersion: extensions/v1beta1
 {{- end }}
 kind: Ingress
 metadata:
@@ -34,8 +36,8 @@ spec:
     - host: {{ .host | quote }}
       http:
         paths:
-          {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}}
           - path: {{ $.Values.ingress.path }}
+        {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
             pathType: {{ $.Values.ingress.pathType }}
             backend:
               service:
@@ -43,7 +45,6 @@ spec:
                 port:
                   number: {{ $.Values.service.port -}}
           {{- else }}
-          - path: {{ $.Values.ingress.path }}
             backend:
               serviceName: {{ $fullName }}
               servicePort: {{ $.Values.service.port -}}

helm/trivy/values.yaml

@@ -4,7 +4,7 @@ fullnameOverride: ""
 image:
   registry: docker.io
   repository: aquasec/trivy
-  tag: 0.18.3
+  tag: 0.21.0
   pullPolicy: IfNotPresent
   pullSecret: ""
 
@@ -85,7 +85,7 @@ trivy:
   cache:
     redis:
       enabled: false
-      url: "" # e.g. redis://redis.redis.svc:6379
+      url: ""  # e.g. redis://redis.redis.svc:6379
 
 service:
   # type Kubernetes service type

integration/testdata/alpine-310.sarif.golden

@@ -10,219 +10,95 @@
           "fullName": "Trivy Vulnerability Scanner",
           "version": "0.15.0",
           "rules": [
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1549",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1549 Package: libcrypto1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: information disclosure in fork()."
-              },
-              "defaultConfiguration": {
-                "level": "warning"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1549",
-              "help": {
-                "text": "Vulnerability CVE-2019-1549\nSeverity: MEDIUM\nPackage: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)",
-                "markdown": "**Vulnerability CVE-2019-1549**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "MEDIUM",
-                  "libcrypto1.1"
-                ],
-                "precision": "very-high"
-              }
-            },
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1551",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1551 Package: libcrypto1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64."
-              },
-              "defaultConfiguration": {
-                "level": "warning"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1551",
-              "help": {
-                "text": "Vulnerability CVE-2019-1551\nSeverity: MEDIUM\nPackage: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)",
-                "markdown": "**Vulnerability CVE-2019-1551**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1c-r0|1.1.1d-r2|[CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "MEDIUM",
-                  "libcrypto1.1"
-                ],
-                "precision": "very-high"
-              }
-            },
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1563",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1563 Package: libcrypto1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey."
-              },
-              "defaultConfiguration": {
-                "level": "warning"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1563",
-              "help": {
-                "text": "Vulnerability CVE-2019-1563\nSeverity: MEDIUM\nPackage: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)",
-                "markdown": "**Vulnerability CVE-2019-1563**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "MEDIUM",
-                  "libcrypto1.1"
-                ],
-                "precision": "very-high"
-              }
-            },
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1547",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1547 Package: libcrypto1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: side-channel weak encryption vulnerability."
-              },
-              "defaultConfiguration": {
-                "level": "note"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1547",
-              "help": {
-                "text": "Vulnerability CVE-2019-1547\nSeverity: LOW\nPackage: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)",
-                "markdown": "**Vulnerability CVE-2019-1547**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|LOW|libcrypto1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "LOW",
-                  "libcrypto1.1"
-                ],
-                "precision": "very-high"
-              }
-            },
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1549",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1549 Package: libssl1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: information disclosure in fork()."
-              },
-              "defaultConfiguration": {
-                "level": "warning"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1549",
-              "help": {
-                "text": "Vulnerability CVE-2019-1549\nSeverity: MEDIUM\nPackage: libssl1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)",
-                "markdown": "**Vulnerability CVE-2019-1549**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libssl1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "MEDIUM",
-                  "libssl1.1"
-                ],
-                "precision": "very-high"
-              }
-            },
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1551",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1551 Package: libssl1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64."
-              },
-              "defaultConfiguration": {
-                "level": "warning"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1551",
-              "help": {
-                "text": "Vulnerability CVE-2019-1551\nSeverity: MEDIUM\nPackage: libssl1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)",
-                "markdown": "**Vulnerability CVE-2019-1551**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libssl1.1|1.1.1c-r0|1.1.1d-r2|[CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "MEDIUM",
-                  "libssl1.1"
-                ],
-                "precision": "very-high"
-              }
-            },
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1563",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1563 Package: libssl1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey."
-              },
-              "defaultConfiguration": {
-                "level": "warning"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1563",
-              "help": {
-                "text": "Vulnerability CVE-2019-1563\nSeverity: MEDIUM\nPackage: libssl1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)",
-                "markdown": "**Vulnerability CVE-2019-1563**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libssl1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "MEDIUM",
-                  "libssl1.1"
-                ],
-                "precision": "very-high"
-              }
-            },
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1547",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1547 Package: libssl1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: side-channel weak encryption vulnerability."
-              },
-              "defaultConfiguration": {
-                "level": "note"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1547",
-              "help": {
-                "text": "Vulnerability CVE-2019-1547\nSeverity: LOW\nPackage: libssl1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)",
-                "markdown": "**Vulnerability CVE-2019-1547**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|LOW|libssl1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "LOW",
-                  "libssl1.1"
-                ],
-                "precision": "very-high"
-              }
-            }]
+                {
+                  "id": "CVE-2019-1549",
+                  "name": "OsPackageVulnerability",
+                  "shortDescription": {
+                    "text": "CVE-2019-1549"
+                  },
+                  "fullDescription": {
+                    "text": "openssl: information disclosure in fork()."
+                  },
+                  "defaultConfiguration": {
+                    "level": "warning"
+                  },
+                  "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1549",
+                  "properties": {
+                    "tags": [
+                      "vulnerability",
+                      "MEDIUM"
+                    ],
+                    "precision": "very-high"
+                  }
+                },
+                {
+                  "id": "CVE-2019-1551",
+                  "name": "OsPackageVulnerability",
+                  "shortDescription": {
+                    "text": "CVE-2019-1551"
+                  },
+                  "fullDescription": {
+                    "text": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64."
+                  },
+                  "defaultConfiguration": {
+                    "level": "warning"
+                  },
+                  "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1551",
+                  "properties": {
+                    "tags": [
+                      "vulnerability",
+                      "MEDIUM"
+                    ],
+                    "precision": "very-high"
+                  }
+                },
+                {
+                  "id": "CVE-2019-1563",
+                  "name": "OsPackageVulnerability",
+                  "shortDescription": {
+                    "text": "CVE-2019-1563"
+                  },
+                  "fullDescription": {
+                    "text": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey."
+                  },
+                  "defaultConfiguration": {
+                    "level": "warning"
+                  },
+                  "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1563",
+                  "properties": {
+                    "tags": [
+                      "vulnerability",
+                      "MEDIUM"
+                    ],
+                    "precision": "very-high"
+                  }
+                },
+                {
+                  "id": "CVE-2019-1547",
+                  "name": "OsPackageVulnerability",
+                  "shortDescription": {
+                    "text": "CVE-2019-1547"
+                  },
+                  "fullDescription": {
+                    "text": "openssl: side-channel weak encryption vulnerability."
+                  },
+                  "defaultConfiguration": {
+                    "level": "note"
+                  },
+                  "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1547",
+                  "properties": {
+                    "tags": [
+                      "vulnerability",
+                      "LOW"
+                    ],
+                    "precision": "very-high"
+                  }
+                }]
         }
       },
       "results": [
         {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1549",
+          "ruleId": "CVE-2019-1549",
           "ruleIndex": 0,
           "level": "warning",
           "message": {
@@ -233,12 +109,15 @@
               "artifactLocation": {
                 "uri": "testdata/fixtures/images/alpine-310.tar.gz",
                 "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
               }
             }
           }]
         },
         {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1551",
+          "ruleId": "CVE-2019-1551",
           "ruleIndex": 1,
           "level": "warning",
           "message": {
@@ -249,12 +128,15 @@
               "artifactLocation": {
                 "uri": "testdata/fixtures/images/alpine-310.tar.gz",
                 "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
               }
             }
           }]
         },
         {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1563",
+          "ruleId": "CVE-2019-1563",
           "ruleIndex": 2,
           "level": "warning",
           "message": {
@@ -265,12 +147,15 @@
               "artifactLocation": {
                 "uri": "testdata/fixtures/images/alpine-310.tar.gz",
                 "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
               }
             }
           }]
         },
         {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1547",
+          "ruleId": "CVE-2019-1547",
           "ruleIndex": 3,
           "level": "note",
           "message": {
@@ -281,13 +166,16 @@
               "artifactLocation": {
                 "uri": "testdata/fixtures/images/alpine-310.tar.gz",
                 "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
               }
             }
           }]
         },
         {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1549",
-          "ruleIndex": 4,
+          "ruleId": "CVE-2019-1549",
+          "ruleIndex": 0,
           "level": "warning",
           "message": {
             "text": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)."
@@ -297,13 +185,16 @@
               "artifactLocation": {
                 "uri": "testdata/fixtures/images/alpine-310.tar.gz",
                 "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
               }
             }
           }]
         },
         {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1551",
-          "ruleIndex": 5,
+          "ruleId": "CVE-2019-1551",
+          "ruleIndex": 1,
           "level": "warning",
           "message": {
             "text": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t)."
@@ -313,13 +204,16 @@
               "artifactLocation": {
                 "uri": "testdata/fixtures/images/alpine-310.tar.gz",
                 "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
               }
             }
           }]
         },
         {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1563",
-          "ruleIndex": 6,
+          "ruleId": "CVE-2019-1563",
+          "ruleIndex": 2,
           "level": "warning",
           "message": {
             "text": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."
@@ -329,13 +223,16 @@
               "artifactLocation": {
                 "uri": "testdata/fixtures/images/alpine-310.tar.gz",
                 "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
               }
             }
           }]
         },
         {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1547",
-          "ruleIndex": 7,
+          "ruleId": "CVE-2019-1547",
+          "ruleIndex": 3,
           "level": "note",
           "message": {
             "text": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."
@@ -345,6 +242,9 @@
               "artifactLocation": {
                 "uri": "testdata/fixtures/images/alpine-310.tar.gz",
                 "uriBaseId": "ROOTPATH"
+              },
+              "region" : {
+                "startLine": 1
               }
             }
           }]
@@ -352,7 +252,7 @@
       "columnKind": "utf16CodeUnits",
       "originalUriBaseIds": {
         "ROOTPATH": {
-          "uri": "/"
+          "uri": "file:///"
         }
       }
     }

integration/testdata/nodejs.json.golden

@@ -24,7 +24,7 @@
           "VulnerabilityID": "CVE-2019-11358",
           "PkgName": "jquery",
           "InstalledVersion": "3.3.9",
-          "FixedVersion": "3.4.0",
+          "FixedVersion": ">=3.4.0",
           "SeveritySource": "nodejs-security-wg",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-11358",
           "Title": "js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection",
@@ -128,7 +128,7 @@
           "VulnerabilityID": "CVE-2018-16487",
           "PkgName": "lodash",
           "InstalledVersion": "4.17.4",
-          "FixedVersion": "4.17.11",
+          "FixedVersion": ">=4.17.11",
           "SeveritySource": "nodejs-security-wg",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-16487",
           "Title": "lodash: Prototype pollution in utilities function",
@@ -195,7 +195,7 @@
           "VulnerabilityID": "CVE-2018-3721",
           "PkgName": "lodash",
           "InstalledVersion": "4.17.4",
-          "FixedVersion": "4.17.5",
+          "FixedVersion": ">=4.17.5",
           "SeveritySource": "nodejs-security-wg",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-3721",
           "Title": "lodash: Prototype pollution in utilities function",

mkdocs.yml

@@ -66,6 +66,7 @@ nav:
       - Comparison:
           - vs Conftest: misconfiguration/comparison/conftest.md
           - vs tfsec: misconfiguration/comparison/tfsec.md
+          - vs cfsec: misconfiguration/comparison/cfsec.md
   - Advanced:
       - Overview: advanced/index.md
       - Plugins: advanced/plugins.md
@@ -76,6 +77,7 @@ nav:
           - CircleCI: advanced/integrations/circleci.md
           - Travis CI: advanced/integrations/travis-ci.md
           - GitLab CI: advanced/integrations/gitlab-ci.md
+          - Bitbucket Pipelines: advanced/integrations/bitbucket.md
           - AWS CodePipeline: advanced/integrations/aws-codepipeline.md
           - AWS Security Hub: advanced/integrations/aws-security-hub.md
       - Container Image:
@@ -92,6 +94,9 @@ nav:
       - Modes:
           - Standalone: advanced/modes/standalone.md
           - Client/Server: advanced/modes/client-server.md
+      - Community:
+          - Tools: advanced/community/tools.md
+          - References: advanced/community/references.md
       - Maintainer:
           - Help Wanted: advanced/contrib/help-wanted.md
           - Triage: advanced/contrib/triage.md

pkg/detector/library/driver.go

@@ -89,41 +89,34 @@ func (d *Driver) Type() string {
 
 func newRubyGemsDriver() Driver {
 	c := bundler.RubyGemsComparer{}
-	return Aggregate(vulnerability.RubyGems, ghsa.NewAdvisory(ecosystem.Rubygems, c), bundler.NewAdvisory(),
-		NewAdvisory(vulnerability.RubyGems, c))
+	return Aggregate(vulnerability.RubyGems, NewAdvisory(vulnerability.RubyGems, c), bundler.NewAdvisory(), ghsa.NewAdvisory(ecosystem.Rubygems, c))
 }
 
 func newComposerDriver() Driver {
 	c := comparer.GenericComparer{}
-	return Aggregate(vulnerability.Composer, ghsa.NewAdvisory(ecosystem.Composer, c), composer.NewAdvisory(),
-		NewAdvisory(vulnerability.Composer, c))
+	return Aggregate(vulnerability.Composer, NewAdvisory(vulnerability.Composer, c), composer.NewAdvisory(), ghsa.NewAdvisory(ecosystem.Composer, c))
 }
 
 func newCargoDriver() Driver {
-	return Aggregate(vulnerability.Cargo, cargo.NewAdvisory(),
-		NewAdvisory(vulnerability.Cargo, comparer.GenericComparer{}))
+	return Aggregate(vulnerability.Cargo, NewAdvisory(vulnerability.Cargo, comparer.GenericComparer{}), cargo.NewAdvisory())
 }
 
 func newNpmDriver() Driver {
 	c := npm.Comparer{}
-	return Aggregate(vulnerability.Npm, ghsa.NewAdvisory(ecosystem.Npm, c),
-		npm.NewAdvisory(), NewAdvisory(vulnerability.Npm, c))
+	return Aggregate(vulnerability.Npm, NewAdvisory(vulnerability.Npm, c), npm.NewAdvisory(), ghsa.NewAdvisory(ecosystem.Npm, c))
 }
 
 func newPipDriver() Driver {
 	c := comparer.GenericComparer{}
-	return Aggregate(vulnerability.Pip, ghsa.NewAdvisory(ecosystem.Pip, c),
-		python.NewAdvisory(), NewAdvisory(vulnerability.Pip, c))
+	return Aggregate(vulnerability.Pip, NewAdvisory(vulnerability.Pip, c), python.NewAdvisory(), ghsa.NewAdvisory(ecosystem.Pip, c))
 }
 
 func newNugetDriver() Driver {
 	c := comparer.GenericComparer{}
-	return Aggregate(vulnerability.NuGet, ghsa.NewAdvisory(ecosystem.Nuget, c),
-		NewAdvisory(vulnerability.NuGet, c))
+	return Aggregate(vulnerability.NuGet, NewAdvisory(vulnerability.NuGet, c), ghsa.NewAdvisory(ecosystem.Nuget, c))
 }
 
 func newMavenDriver() Driver {
 	c := maven.Comparer{}
-	return Aggregate(vulnerability.Maven, ghsa.NewAdvisory(ecosystem.Maven, c),
-		NewAdvisory(vulnerability.Maven, c))
+	return Aggregate(vulnerability.Maven, NewAdvisory(vulnerability.Maven, c), ghsa.NewAdvisory(ecosystem.Maven, c))
 }

pkg/report/template.go

@@ -46,6 +46,16 @@ func NewTemplateWriter(output io.Writer, outputTemplate string) (*TemplateWriter
 		}
 		return escaped.String()
 	}
+	templateFuncMap["makeRuleMap"] = func() map[string]int {
+		return make(map[string]int)
+	}
+	templateFuncMap["indexRule"] = func(rules map[string]int, vulnerabilityID string) bool {
+		if _, ok := rules[vulnerabilityID]; !ok {
+			rules[vulnerabilityID] = len(rules)
+			return true
+		}
+		return false
+	}
 	templateFuncMap["toSarifErrorLevel"] = toSarifErrorLevel
 	templateFuncMap["toSarifRuleName"] = toSarifRuleName
 	templateFuncMap["endWithPeriod"] = func(input string) string {
@@ -91,19 +101,17 @@ func (tw TemplateWriter) Write(report Report) error {
 }
 
 func toSarifRuleName(vulnerabilityType string) string {
-	var ruleName string
 	switch vulnerabilityType {
 	case vulnerability.Ubuntu, vulnerability.Alpine, vulnerability.RedHat, vulnerability.RedHatOVAL,
 		vulnerability.Debian, vulnerability.DebianOVAL, vulnerability.Fedora, vulnerability.Amazon,
 		vulnerability.OracleOVAL, vulnerability.SuseCVRF, vulnerability.OpenSuseCVRF, vulnerability.Photon,
 		vulnerability.CentOS:
-		ruleName = "OS Package Vulnerability"
+		return "OsPackageVulnerability"
 	case "npm", "yarn", "nuget", "pipenv", "poetry", "bundler", "cargo", "composer":
-		ruleName = "Programming Language Vulnerability"
+		return "ProgrammingLanguageVulnerability"
 	default:
-		ruleName = "Other Vulnerability"
+		return "OtherVulnerability"
 	}
-	return fmt.Sprintf("%s (%s)", ruleName, strings.Title(vulnerabilityType))
 }
 
 func toSarifErrorLevel(severity string) string {

pkg/report/writer_internal_test.go

@@ -14,91 +14,91 @@ func TestReportWriter_toSarifRuleName(t *testing.T) {
 	}{
 		{
 			vulnerabilityType: vulnerability.Ubuntu,
-			sarifRuleName:     "OS Package Vulnerability (Ubuntu)",
+			sarifRuleName:     "OsPackageVulnerability",
 		},
 		{
 			vulnerabilityType: vulnerability.Alpine,
-			sarifRuleName:     "OS Package Vulnerability (Alpine)",
+			sarifRuleName:     "OsPackageVulnerability",
 		},
 		{
 			vulnerabilityType: vulnerability.RedHat,
-			sarifRuleName:     "OS Package Vulnerability (Redhat)",
+			sarifRuleName:     "OsPackageVulnerability",
 		},
 		{
 			vulnerabilityType: vulnerability.RedHatOVAL,
-			sarifRuleName:     "OS Package Vulnerability (Redhat-Oval)",
+			sarifRuleName:     "OsPackageVulnerability",
 		},
 		{
 			vulnerabilityType: vulnerability.Debian,
-			sarifRuleName:     "OS Package Vulnerability (Debian)",
+			sarifRuleName:     "OsPackageVulnerability",
 		},
 		{
 			vulnerabilityType: vulnerability.DebianOVAL,
-			sarifRuleName:     "OS Package Vulnerability (Debian-Oval)",
+			sarifRuleName:     "OsPackageVulnerability",
 		},
 		{
 			vulnerabilityType: vulnerability.Fedora,
-			sarifRuleName:     "OS Package Vulnerability (Fedora)",
+			sarifRuleName:     "OsPackageVulnerability",
 		},
 		{
 			vulnerabilityType: vulnerability.Amazon,
-			sarifRuleName:     "OS Package Vulnerability (Amazon)",
+			sarifRuleName:     "OsPackageVulnerability",
 		},
 		{
 			vulnerabilityType: vulnerability.OracleOVAL,
-			sarifRuleName:     "OS Package Vulnerability (Oracle-Oval)",
+			sarifRuleName:     "OsPackageVulnerability",
 		},
 		{
 			vulnerabilityType: vulnerability.SuseCVRF,
-			sarifRuleName:     "OS Package Vulnerability (Suse-Cvrf)",
+			sarifRuleName:     "OsPackageVulnerability",
 		},
 		{
 			vulnerabilityType: vulnerability.OpenSuseCVRF,
-			sarifRuleName:     "OS Package Vulnerability (Opensuse-Cvrf)",
+			sarifRuleName:     "OsPackageVulnerability",
 		},
 		{
 			vulnerabilityType: vulnerability.Photon,
-			sarifRuleName:     "OS Package Vulnerability (Photon)",
+			sarifRuleName:     "OsPackageVulnerability",
 		},
 		{
 			vulnerabilityType: vulnerability.CentOS,
-			sarifRuleName:     "OS Package Vulnerability (Centos)",
+			sarifRuleName:     "OsPackageVulnerability",
 		},
 		{
 			vulnerabilityType: "npm",
-			sarifRuleName:     "Programming Language Vulnerability (Npm)",
+			sarifRuleName:     "ProgrammingLanguageVulnerability",
 		},
 		{
 			vulnerabilityType: "yarn",
-			sarifRuleName:     "Programming Language Vulnerability (Yarn)",
+			sarifRuleName:     "ProgrammingLanguageVulnerability",
 		},
 		{
 			vulnerabilityType: "nuget",
-			sarifRuleName:     "Programming Language Vulnerability (Nuget)",
+			sarifRuleName:     "ProgrammingLanguageVulnerability",
 		},
 		{
 			vulnerabilityType: "pipenv",
-			sarifRuleName:     "Programming Language Vulnerability (Pipenv)",
+			sarifRuleName:     "ProgrammingLanguageVulnerability",
 		},
 		{
 			vulnerabilityType: "poetry",
-			sarifRuleName:     "Programming Language Vulnerability (Poetry)",
+			sarifRuleName:     "ProgrammingLanguageVulnerability",
 		},
 		{
 			vulnerabilityType: "bundler",
-			sarifRuleName:     "Programming Language Vulnerability (Bundler)",
+			sarifRuleName:     "ProgrammingLanguageVulnerability",
 		},
 		{
 			vulnerabilityType: "cargo",
-			sarifRuleName:     "Programming Language Vulnerability (Cargo)",
+			sarifRuleName:     "ProgrammingLanguageVulnerability",
 		},
 		{
 			vulnerabilityType: "composer",
-			sarifRuleName:     "Programming Language Vulnerability (Composer)",
+			sarifRuleName:     "ProgrammingLanguageVulnerability",
 		},
 		{
 			vulnerabilityType: "redis",
-			sarifRuleName:     "Other Vulnerability (Redis)",
+			sarifRuleName:     "OtherVulnerability",
 		},
 	}
 	for _, tc := range tests {

pkg/rpc/convert.go

@@ -269,6 +269,9 @@ func ConvertFromRPCMisconfs(rpcMisconfs []*common.DetectedMisconfiguration) []ty
 
 // ConvertFromRPCLayer converts *common.Layer to fanal.Layer
 func ConvertFromRPCLayer(rpcLayer *common.Layer) ftypes.Layer {
+	if rpcLayer == nil {
+		return ftypes.Layer{}
+	}
 	return ftypes.Layer{
 		Digest: rpcLayer.Digest,
 		DiffID: rpcLayer.DiffId,

pkg/rpc/server/server_test.go

@@ -329,6 +329,18 @@ func TestCacheServer_PutBlob(t *testing.T) {
 											DiffId: "sha256:b2a1a2d80bf0c747a4f6b0ca6af5eef23f043fcdb1ed4f3a3e750aef2dc68079",
 										},
 									},
+									{
+										Name:       "node-minimal",
+										Version:    "17.1.0",
+										Release:    "5.el7",
+										Epoch:      2,
+										Arch:       "x86_64",
+										SrcName:    "node",
+										SrcVersion: "17.1.0",
+										SrcRelease: "5.el7",
+										SrcEpoch:   2,
+										Layer:      nil,
+									},
 								},
 							},
 						},
@@ -398,6 +410,18 @@ func TestCacheServer_PutBlob(t *testing.T) {
 											DiffID: "sha256:b2a1a2d80bf0c747a4f6b0ca6af5eef23f043fcdb1ed4f3a3e750aef2dc68079",
 										},
 									},
+									{
+										Name:       "node-minimal",
+										Version:    "17.1.0",
+										Release:    "5.el7",
+										Epoch:      2,
+										Arch:       "x86_64",
+										SrcName:    "node",
+										SrcVersion: "17.1.0",
+										SrcRelease: "5.el7",
+										SrcEpoch:   2,
+										Layer:      ftypes.Layer{},
+									},
 								},
 							},
 						},

pkg/scanner/local/scan.go

@@ -306,6 +306,11 @@ func toDetectedMisconfiguration(res ftypes.MisconfResult, defaultSeverity dbType
 		Status:      status,
 		Layer:       layer,
 		Traces:      res.Traces,
+		IacMetadata: ftypes.IacMetadata{
+			Resource:  res.Resource,
+			StartLine: res.StartLine,
+			EndLine:   res.EndLine,
+		},
 	}
 }
 

pkg/types/misconfiguration.go

@@ -4,19 +4,20 @@ import ftypes "github.com/aquasecurity/fanal/types"
 
 // DetectedMisconfiguration holds detected misconfigurations
 type DetectedMisconfiguration struct {
-	Type        string        `json:",omitempty"`
-	ID          string        `json:",omitempty"`
-	Title       string        `json:",omitempty"`
-	Description string        `json:",omitempty"`
-	Message     string        `json:",omitempty"`
-	Namespace   string        `json:",omitempty"`
-	Query       string        `json:",omitempty"`
-	Resolution  string        `json:",omitempty"`
-	Severity    string        `json:",omitempty"`
-	PrimaryURL  string        `json:",omitempty"`
-	References  []string      `json:",omitempty"`
-	Status      MisconfStatus `json:",omitempty"`
-	Layer       ftypes.Layer  `json:",omitempty"`
+	Type        string             `json:",omitempty"`
+	ID          string             `json:",omitempty"`
+	Title       string             `json:",omitempty"`
+	Description string             `json:",omitempty"`
+	Message     string             `json:",omitempty"`
+	Namespace   string             `json:",omitempty"`
+	Query       string             `json:",omitempty"`
+	Resolution  string             `json:",omitempty"`
+	Severity    string             `json:",omitempty"`
+	PrimaryURL  string             `json:",omitempty"`
+	References  []string           `json:",omitempty"`
+	Status      MisconfStatus      `json:",omitempty"`
+	Layer       ftypes.Layer       `json:",omitempty"`
+	IacMetadata ftypes.IacMetadata `json:",omitempty"`
 
 	// For debugging
 	Traces []string `json:",omitempty"`

pkg/utils/utils.go

@@ -5,11 +5,6 @@ import (
 	"io"
 	"os"
 	"path/filepath"
-	"strings"
-
-	"golang.org/x/xerrors"
-
-	"github.com/aquasecurity/trivy/pkg/log"
 )
 
 var cacheDir string
@@ -33,47 +28,6 @@ func SetCacheDir(dir string) {
 	cacheDir = dir
 }
 
-// FileWalk walks the directory and performs operations on files defined by walkFn
-func FileWalk(root string, targetFiles map[string]struct{}, walkFn func(r io.Reader, path string) error) error {
-	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
-		if err != nil {
-			return err
-		}
-		if info.IsDir() {
-			return nil
-		}
-
-		rel, err := filepath.Rel(root, path)
-		if err != nil {
-			return xerrors.Errorf("error in filepath rel: %w", err)
-		}
-
-		if _, ok := targetFiles[rel]; !ok {
-			return nil
-		}
-
-		if info.Size() == 0 {
-			log.Logger.Debugf("invalid size: %s", path)
-			return nil
-		}
-
-		f, err := os.Open(path)
-		if err != nil {
-			return xerrors.Errorf("failed to open file: %w", err)
-		}
-		defer f.Close()
-
-		if err = walkFn(f, path); err != nil {
-			return err
-		}
-		return nil
-	})
-	if err != nil {
-		return xerrors.Errorf("error in file walk: %w", err)
-	}
-	return nil
-}
-
 // StringInSlice checks if strings exist in list of strings
 func StringInSlice(a string, list []string) bool {
 	for _, b := range list {
@@ -84,24 +38,6 @@ func StringInSlice(a string, list []string) bool {
 	return false
 }
 
-// FilterTargets filters the target based on prefixPath
-func FilterTargets(prefixPath string, targets map[string]struct{}) (map[string]struct{}, error) {
-	filtered := map[string]struct{}{}
-	for filename := range targets {
-		if strings.HasPrefix(filename, prefixPath) {
-			rel, err := filepath.Rel(prefixPath, filename)
-			if err != nil {
-				return nil, xerrors.Errorf("error in filepath rel: %w", err)
-			}
-			if strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
-				continue
-			}
-			filtered[rel] = struct{}{}
-		}
-	}
-	return filtered, nil
-}
-
 // CopyFile copies the file content from scr to dst
 func CopyFile(src, dst string) (int64, error) {
 	sourceFileStat, err := os.Stat(src)

pkg/utils/utils_test.go

@@ -1,14 +1,9 @@
 package utils
 
 import (
-	"io"
 	"os"
-	"path/filepath"
-	"reflect"
-	"strings"
 	"testing"
 
-	"github.com/kylelemons/godebug/pretty"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -30,116 +25,6 @@ func write(t *testing.T, name string, content string) {
 	}
 }
 
-func TestFileWalk(t *testing.T) {
-	td, err := os.MkdirTemp("", "walktest")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer os.RemoveAll(td)
-
-	if err := os.MkdirAll(filepath.Join(td, "dir"), 0755); err != nil {
-		t.Fatal(err)
-	}
-	touch(t, filepath.Join(td, "dir/foo1"))
-	touch(t, filepath.Join(td, "dir/foo2"))
-	write(t, filepath.Join(td, "dir/foo3"), "foo3")
-	write(t, filepath.Join(td, "dir/foo4"), "foo4")
-
-	sawDir := false
-	sawFoo1 := false
-	sawFoo2 := false
-	sawFoo4 := false
-	var contentFoo3 []byte
-	walker := func(r io.Reader, path string) error {
-		if strings.HasSuffix(path, "dir") {
-			sawDir = true
-		}
-		if strings.HasSuffix(path, "foo1") {
-			sawFoo1 = true
-		}
-		if strings.HasSuffix(path, "foo2") {
-			sawFoo2 = true
-		}
-		if strings.HasSuffix(path, "foo3") {
-			contentFoo3, err = io.ReadAll(r)
-			if err != nil {
-				t.Fatal(err)
-			}
-		}
-		if strings.HasSuffix(path, "foo4") {
-			sawFoo4 = true
-		}
-		return nil
-	}
-
-	targetFiles := map[string]struct{}{
-		filepath.Join("dir", "foo2"): {},
-		filepath.Join("dir", "foo3"): {},
-	}
-	err = FileWalk(td, targetFiles, walker)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if sawDir {
-		t.Error("directories must not be passed to walkFn")
-	}
-	if sawFoo1 || sawFoo4 {
-		t.Error("a file not included in targetFiles must not be passed to walkFn")
-	}
-	if sawFoo2 {
-		t.Error("an empty file must not be passed to walkFn")
-	}
-	if string(contentFoo3) != "foo3" {
-		t.Error("The file content is wrong")
-	}
-}
-func TestFilterTargets(t *testing.T) {
-	vectors := map[string]struct {
-		prefix   string
-		targets  map[string]struct{} // Target files
-		expected map[string]struct{}
-		err      error // Expected error to occur
-	}{
-		"normal": {
-			prefix: "dir",
-			targets: map[string]struct{}{
-				filepath.Join("dir", "file1"): {},
-				filepath.Join("dir", "file2"): {},
-				filepath.Join("foo", "bar"):   {},
-			},
-			expected: map[string]struct{}{
-				"file1": {},
-				"file2": {},
-			},
-			err: nil,
-		},
-		"other directory with the same prefix": {
-			prefix: "dir",
-			targets: map[string]struct{}{
-				filepath.Join("dir", "file1"):  {},
-				filepath.Join("dir2", "file2"): {},
-			},
-			expected: map[string]struct{}{
-				"file1": {},
-			},
-			err: nil,
-		},
-	}
-
-	for testName, v := range vectors {
-		t.Run(testName, func(t *testing.T) {
-			actual, err := FilterTargets(v.prefix, v.targets)
-			if err != nil {
-				t.Errorf("err: got %v, want %v", v.err, err)
-			}
-			if !reflect.DeepEqual(actual, v.expected) {
-				t.Errorf("[%s]\n%s", testName, pretty.Compare(v.expected, actual))
-
-			}
-		})
-	}
-}
-
 func TestCopyFile(t *testing.T) {
 	type args struct {
 		src string