chore(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 (#6321)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/CODEOWNERS

@@ -1,15 +1,22 @@
 # Global
 *   @knqyf263
 
+# SBOM/Vulnerability scanning
+pkg/dependency/  @knqyf263 @DmitriyLewen
+pkg/fanal/       @knqyf263 @DmitriyLewen
+pkg/sbom/        @knqyf263 @DmitriyLewen
+pkg/scanner/     @knqyf263 @DmitriyLewen
+
 # Misconfiguration scanning
-docs/docs/scanner/misconfiguration  @knqyf263 @simar7
-docs/docs/target/aws.md             @knqyf263 @simar7
-pkg/fanal/analyzer/config           @knqyf263 @simar7
-pkg/cloud                           @knqyf263 @simar7
+docs/docs/scanner/misconfiguration/  @simar7 @nikpivkin
+docs/docs/target/aws.md              @simar7 @nikpivkin
+pkg/fanal/analyzer/config/           @simar7 @nikpivkin
+pkg/cloud/                           @simar7 @nikpivkin
+pkg/iac/                             @simar7 @nikpivkin
 
 # Helm chart
 helm/trivy/ @chen-keinan
 
 # Kubernetes scanning
-pkg/k8s/                @josedonizetti @chen-keinan @knqyf263
-docs/docs/kubernetes/   @josedonizetti @chen-keinan @knqyf263
+pkg/k8s/                         @chen-keinan
+docs/docs/target/kubernetes.md   @chen-keinan

.github/workflows/canary.yaml

@@ -25,35 +25,35 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Restore Trivy binaries from cache
-        uses: actions/cache@v3.3.2
+        uses: actions/cache@v4.0.0
         with:
           path: dist/
           key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
 
         # Upload artifacts
       - name: Upload artifacts (trivy_Linux-64bit)
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: trivy_Linux-64bit
           path: dist/trivy_*_Linux-64bit.tar.gz
           if-no-files-found: error
 
       - name: Upload artifacts (trivy_Linux-ARM64)
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: trivy_Linux-ARM64
           path: dist/trivy_*_Linux-ARM64.tar.gz
           if-no-files-found: error
 
       - name: Upload artifacts (trivy_macOS-64bit)
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: trivy_macOS-64bit
           path: dist/trivy_*_macOS-64bit.tar.gz
           if-no-files-found: error
 
       - name: Upload artifacts (trivy_macOS-ARM64)
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: trivy_macOS-ARM64
           path: dist/trivy_*_macOS-ARM64.tar.gz

.github/workflows/publish-chart.yaml

@@ -37,7 +37,7 @@ jobs:
         id: lint
         uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992
       - name: Setup Kubernetes cluster (KIND)
-        uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140
+        uses: helm/kind-action@99576bfa6ddf9a8e612d83b513da5a75875caced
         with:
           version: ${{ env.KIND_VERSION }}
           image: ${{ env.KIND_IMAGE }}

.github/workflows/release.yaml

@@ -24,7 +24,7 @@ jobs:
           fetch-depth: 0
 
       - name: Restore Trivy binaries from cache
-        uses: actions/cache@v3.3.2
+        uses: actions/cache@v4.0.0
         with:
           path: dist/
           key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}

.github/workflows/reusable-release.yaml

@@ -27,16 +27,16 @@ jobs:
       contents: read  # Not required for public repositories, but for clarity
     steps:
       - name: Maximize build space
-        uses: easimon/maximize-build-space@v9
+        uses: easimon/maximize-build-space@v10
         with:
-          root-reserve-mb: 35840 # The Go cache (`~/.cache/go-build` and `~/go/pkg`) requires a lot of storage space.
+          root-reserve-mb: 32768 # The Go cache (`~/.cache/go-build` and `~/go/pkg`) requires a lot of storage space.
           remove-android: 'true'
           remove-docker-images: 'true'
           remove-dotnet: 'true'
           remove-haskell: 'true'
 
       - name: Cosign install
-        uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149
+        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
@@ -121,7 +121,7 @@ jobs:
             public.ecr.aws/aquasecurity/trivy:canary
 
       - name: Cache Trivy binaries
-        uses: actions/cache@v3.3.2
+        uses: actions/cache@v4.0.0
         with:
           path: dist/
           # use 'github.sha' to create a unique cache folder for each run.

.github/workflows/semantic-pr.yaml

@@ -100,4 +100,5 @@ jobs:
             helm
             report
             db
+            parser
             deps

.github/workflows/test.yaml

@@ -15,6 +15,16 @@ jobs:
       matrix:
         operating-system: [ubuntu-latest, windows-latest, macos-latest]
     steps:
+      - name: Maximize build space
+        uses: easimon/maximize-build-space@v10
+        with:
+          root-reserve-mb: 32768 # The golangci-lint uses a lot of space.
+          remove-android: "true"
+          remove-docker-images: "true"
+          remove-dotnet: "true"
+          remove-haskell: "true"
+        if: matrix.operating-system == 'ubuntu-latest'
+
       - uses: actions/checkout@v4.1.1
 
       - name: Set up Go
@@ -33,7 +43,7 @@ jobs:
 
       - name: Lint
         id: lint
-        uses: golangci/golangci-lint-action@v3.7.0
+        uses: golangci/golangci-lint-action@v4.0.0
         with:
           version: v1.54
           args: --deadline=30m --out-format=line-number
@@ -89,9 +99,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Maximize build space
-        uses: easimon/maximize-build-space@v9
+        uses: easimon/maximize-build-space@v10
         with:
-          root-reserve-mb: 35840 # The Go cache (`~/.cache/go-build` and `~/go/pkg`) requires a lot of storage space.
+          root-reserve-mb: 32768 # The Go cache (`~/.cache/go-build` and `~/go/pkg`) requires a lot of storage space.
           remove-android: "true"
           remove-docker-images: "true"
           remove-dotnet: "true"
@@ -140,9 +150,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Maximize build space
-        uses: easimon/maximize-build-space@v9
+        uses: easimon/maximize-build-space@v10
         with:
-          root-reserve-mb: 35840 # The Go cache (`~/.cache/go-build` and `~/go/pkg`) requires a lot of storage space.
+          root-reserve-mb: 32768 # The Go cache (`~/.cache/go-build` and `~/go/pkg`) requires a lot of storage space.
           remove-android: 'true'
           remove-docker-images: 'true'
           remove-dotnet: 'true'
@@ -173,9 +183,9 @@ jobs:
       DOCKER_CLI_EXPERIMENTAL: "enabled"
     steps:
     - name: Maximize build space
-      uses: easimon/maximize-build-space@v9
+      uses: easimon/maximize-build-space@v10
       with:
-        root-reserve-mb: 35840 # The Go cache (`~/.cache/go-build` and `~/go/pkg`) requires a lot of storage space.
+        root-reserve-mb: 32768 # The Go cache (`~/.cache/go-build` and `~/go/pkg`) requires a lot of storage space.
         remove-android: 'true'
         remove-docker-images: 'true'
         remove-dotnet: 'true'

.golangci.yaml

@@ -19,6 +19,7 @@ linters-settings:
     locale: US
     ignore-words:
       - licence
+      - optimise
   gosec:
     excludes:
       - G101

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.19.0
+FROM alpine:3.19.1
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/

Dockerfile.canary

@@ -1,4 +1,4 @@
-FROM alpine:3.19.0
+FROM alpine:3.19.1
 RUN apk --no-cache add ca-certificates git
 
 # binaries were created with GoReleaser

contrib/example_policy/basic.rego

@@ -56,3 +56,21 @@ ignore {
 	# https://cwe.mitre.org/data/definitions/352.html
 	input.CweIDs[_] == "CWE-352"
 }
+
+# Ignore a license
+ignore {
+    input.PkgName == "alpine-baselayout"
+    input.Name == "GPL-2.0"
+}
+
+# Ignore loose file license
+ignore {
+	input.Name == "AGPL-3.0"
+	input.FilePath == "/usr/share/grafana/LICENSE"
+}
+
+# Ignore secret
+ignore {
+	input.RuleID == "aws-access-key-id"
+	input.Match == "AWS_ACCESS_KEY_ID=\"********************\""
+}

docs/community/contribute/pr.md

@@ -178,6 +178,7 @@ others:
 - helm
 - report
 - db
+- parser
 - deps
 
 The `<scope>` can be empty (e.g. if the change is a global or difficult to assign to a single component), in which case the parentheses are omitted.

docs/community/principles.md

@@ -0,0 +1,53 @@
+# Trivy Project Principles
+This document outlines the guiding principles and governance framework for the Trivy project.
+
+## Core Principles
+Trivy is a security scanner focused on static analysis and designed with simplicity and security at its core.
+All new proposals to the project must adhere to the following principles.
+
+### Static Analysis (No Runtime Required)
+Trivy operates without requiring container or VM image startups, eliminating the need for Docker or similar runtimes, except for scanning images stored within a container runtime.
+This approach enhances security and efficiency by minimizing dependencies.
+
+### External Dependency Free (Single Binary)
+Operating as a single binary, Trivy is independent of external environments and avoids executing external OS commands or processes.
+If specific functionality, like Maven's, is needed, Trivy opts for internal reimplementations or processing outputs of the tool without direct execution of external tools.
+
+This approach obviously requires more effort but significantly reduces security risks associated with executing OS commands and dependency errors due to external environment versions.
+Simplifying the scanner's use by making it operational immediately upon binary download facilitates easier initiation of scans.
+
+### No Setup Required
+Trivy must be ready to use immediately after installation.
+It's unacceptable for Trivy not to function without setting up a database or writing configuration files by default.
+Such setups should only be necessary for users requiring specific customizations.
+
+Security often isn't a top priority for many organizations and can be easily deferred.
+Trivy aims to lower the barrier to entry by simplifying the setup process, making it easier for users to start securing their projects.
+
+### Security Focus
+Trivy prioritizes the identification of security issues, excluding features unrelated to security, such as performance metrics or content listings of container images.
+It can, however, produce and output intermediate representations like SBOMs for comprehensive security assessments.
+
+Trivy serves as a tool with opinions on security, used to warn users about potential issues.
+
+### Detecting Unintended States
+Trivy is designed to detect unintended vulnerable states in projects, such as the use of vulnerable versions of dependencies or misconfigurations in Infrastructure as Code (IaC) that may unintentionally expose servers to the internet.
+The focus is on identifying developer mistakes or undesirable states, not on detecting intentional attacks, such as malicious images and malware.
+
+## Out of Scope Features
+Aqua Security offers a premium version with several features not available in the open-source Trivy project. 
+While detailed information can be found [here][trivy-aqua], it's beneficial to highlight specific functionalities frequently inquired about:
+
+### Runtime Security
+As mentioned in [the Core Principles](#static-analysis-no-runtime-required), Trivy is a static analysis security scanner, making runtime security outside its scope.
+Runtime security needs are addressed by [Tracee][tracee] or [the commercial version of Aqua Security]().
+
+### Intentional Attacks
+As mentioned in [the Core Principles](#detecting-unintended-states), detection of intentional attacks, such as malware or malicious container images, is not covered by Trivy and is supported in [the commercial version][aqua].
+
+### User Interface
+Trivy primarily operates via CLI for displaying results, with a richer UI available in [the commercial version][aqua].
+
+[trivy-aqua]: https://github.com/aquasecurity/resources/blob/main/trivy-aqua.md
+[tracee]: https://github.com/aquasecurity/tracee
+[aqua]: https://www.aquasec.com/

docs/docs/configuration/db.md

@@ -54,18 +54,28 @@ $ trivy image --download-db-only
 $ trivy image --db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db
 ```
 
+!!!note
+    Trivy automatically adds the `trivy-db` schema version as a tag if the tag is not used:
+
+    `trivy-db-registry:latest` => `trivy-db-registry:latest`, but `trivy-db-registry` => `trivy-db-registry:2`.
+
 ## Java Index Database
 The same options are also available for the Java index DB, which is used for scanning Java applications.
 Skipping an update can be done by using the `--skip-java-db-update` option, while `--download-java-db-only` can be used to only download the Java index DB.
 
+!!! Note
+    In [Client/Server](../references/modes/client-server.md) mode, `Java index DB` is currently only used on the `client` side.
+
 Downloading the Java index DB from an external OCI registry can be done by using the `--java-db-repository` option.
 
 ```
 $ trivy image --java-db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-java-db --download-java-db-only
 ```
 
-!!! Note
-    In [Client/Server](../references/modes/client-server.md) mode, `Java index DB` is currently only used on the `client` side.
+!!!note
+    Trivy automatically adds the `trivy-java-db` schema version as a tag if the tag is not used:
+
+    `java-db-registry:latest` => `java-db-registry:latest`, but `java-db-registry` => `java-db-registry:1`.
 
 ## Remove DBs
 The `--reset` flag removes all caches and databases.

docs/docs/configuration/filtering.md

@@ -1,81 +1,34 @@
 # Filtering
 Trivy provides various methods for filtering the results.
 
+```mermaid
+flowchart LR
+  Issues("Detected\nIssues") --> Severity
 
-## By Status
-
-|     Scanner      | Supported |
-|:----------------:|:---------:|
-|  Vulnerability   |     ✓     |
-| Misconfiguration |           |
-|      Secret      |           |
-|     License      |           |
-
-Trivy supports the following vulnerability statuses:
-
-- `unknown`
-- `not_affected`: this package is not affected by this vulnerability on this platform
-- `affected`: this package is affected by this vulnerability on this platform, but there is no patch released yet
-- `fixed`: this vulnerability is fixed on this platform
-- `under_investigation`: it is currently unknown whether or not this vulnerability affects this package on this platform, and it is under investigation
-- `will_not_fix`: this package is affected by this vulnerability on this platform, but there is currently no intention to fix it (this would primarily be for flaws that are of Low or Moderate impact that pose no significant risk to customers)
-- `fix_deferred`: this package is affected by this vulnerability on this platform, and may be fixed in the future
-- `end_of_life`: this package has been identified to contain the impacted component, but analysis to determine whether it is affected or not by this vulnerability was not performed
-
-Note that vulnerabilities with the `unknown`, `not_affected` or `under_investigation` status are not detected.
-These are only defined for comprehensiveness, and you will not have the opportunity to specify these statuses.
-
-Some statuses are supported in limited distributions.
-
-|     OS     | Fixed | Affected | Under Investigation | Will Not Fix | Fix Deferred | End of Life |
-|:----------:|:-----:|:--------:|:-------------------:|:------------:|:------------:|:-----------:|
-|   Debian   |   ✓   |    ✓     |                     |              |      ✓       |      ✓      |
-|    RHEL    |   ✓   |    ✓     |          ✓          |      ✓       |      ✓       |      ✓      |
-| Other OSes |   ✓   |    ✓     |                     |              |              |             |
-
-
-To ignore vulnerabilities with specific statuses, use the `--ignore-status <list_of_statuses>` option.
-
-
-```bash
-$ trivy image --ignore-status affected,fixed ruby:2.4.0
+  subgraph Filtering
+    subgraph Prioritization
+        direction TB
+        Severity("By Severity") --> Status("By Status")
+    end
+    subgraph Suppression
+        Status --> Ignore("By Finding IDs")
+        Ignore --> Rego("By Rego")
+        Rego --> VEX("By VEX")
+    end
+  end
+  VEX --> Results
 ```
 
-<details>
-<summary>Result</summary>
+Similar to the functionality of filtering results, you can also limit the sub-targets for each scanner.
+For information on these settings, please refer to the scanner-specific documentation ([vulnerability](../scanner/vulnerability.md) , [misconfiguration](../scanner/misconfiguration/index.md), etc.).
 
-```
-2019-05-16T12:50:14.786+0900    INFO    Detecting Debian vulnerabilities...
+## Prioritization
+You can filter the results by 
 
-ruby:2.4.0 (debian 8.7)
-=======================
-Total: 527 (UNKNOWN: 0, LOW: 276, MEDIUM: 83, HIGH: 158, CRITICAL: 10)
+- [Severity](#by-severity)
+- [Status](#by-status)
 
-┌─────────────────────────────┬──────────────────┬──────────┬──────────────┬────────────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
-│           Library           │  Vulnerability   │ Severity │    Status    │     Installed Version      │ Fixed Version │                            Title                             │
-├─────────────────────────────┼──────────────────┼──────────┼──────────────┼────────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
-│ binutils                    │ CVE-2014-9939    │ CRITICAL │ will_not_fix │ 2.25-5                     │               │ binutils: buffer overflow in ihex.c                          │
-│                             │                  │          │              │                            │               │ https://avd.aquasec.com/nvd/cve-2014-9939                    │
-│                             ├──────────────────┤          │              │                            ├───────────────┼──────────────────────────────────────────────────────────────┤
-│                             │ CVE-2017-6969    │          │              │                            │               │ binutils: Heap-based buffer over-read in readelf when        │
-│                             │                  │          │              │                            │               │ processing corrupt RL78 binaries                             │
-│                             │                  │          │              │                            │               │ https://avd.aquasec.com/nvd/cve-2017-6969                    │
-│                             ├──────────────────┤          │              │                            ├───────────────┼──────────────────────────────────────────────────────────────┤
-...
-```
-
-</details>
-
-!!! tip
-    To skip all unfixed vulnerabilities, you can use the `--ignore-unfixed` flag .
-    It is a shorthand of `--ignore-status affected,will_not_fix,fix_deferred,end_of_life`.
-    It displays "fixed" vulnerabilities only.
-
-```bash
-$ trivy image --ignore-unfixed ruby:2.4.0
-```
-
-## By Severity
+### By Severity
 
 |     Scanner      | Supported |
 |:----------------:|:---------:|
@@ -202,11 +155,122 @@ See https://avd.aquasec.com/misconfig/avd-aws-0081
 ```
 </details>
 
-## By Finding IDs
+### By Status
+
+|     Scanner      | Supported |
+|:----------------:|:---------:|
+|  Vulnerability   |     ✓     |
+| Misconfiguration |           |
+|      Secret      |           |
+|     License      |           |
+
+Trivy supports the following vulnerability statuses:
+
+- `unknown`
+- `not_affected`: this package is not affected by this vulnerability on this platform
+- `affected`: this package is affected by this vulnerability on this platform, but there is no patch released yet
+- `fixed`: this vulnerability is fixed on this platform
+- `under_investigation`: it is currently unknown whether or not this vulnerability affects this package on this platform, and it is under investigation
+- `will_not_fix`: this package is affected by this vulnerability on this platform, but there is currently no intention to fix it (this would primarily be for flaws that are of Low or Moderate impact that pose no significant risk to customers)
+- `fix_deferred`: this package is affected by this vulnerability on this platform, and may be fixed in the future
+- `end_of_life`: this package has been identified to contain the impacted component, but analysis to determine whether it is affected or not by this vulnerability was not performed
+
+Note that vulnerabilities with the `unknown`, `not_affected` or `under_investigation` status are not detected.
+These are only defined for comprehensiveness, and you will not have the opportunity to specify these statuses.
+
+Some statuses are supported in limited distributions.
+
+|     OS     | Fixed | Affected | Under Investigation | Will Not Fix | Fix Deferred | End of Life |
+|:----------:|:-----:|:--------:|:-------------------:|:------------:|:------------:|:-----------:|
+|   Debian   |   ✓   |    ✓     |                     |              |      ✓       |      ✓      |
+|    RHEL    |   ✓   |    ✓     |          ✓          |      ✓       |      ✓       |      ✓      |
+| Other OSes |   ✓   |    ✓     |                     |              |              |             |
+
+
+To ignore vulnerabilities with specific statuses, use the `--ignore-status <list_of_statuses>` option.
+
+
+```bash
+$ trivy image --ignore-status affected,fixed ruby:2.4.0
+```
+
+<details>
+<summary>Result</summary>
+
+```
+2019-05-16T12:50:14.786+0900    INFO    Detecting Debian vulnerabilities...
+
+ruby:2.4.0 (debian 8.7)
+=======================
+Total: 527 (UNKNOWN: 0, LOW: 276, MEDIUM: 83, HIGH: 158, CRITICAL: 10)
+
+┌─────────────────────────────┬──────────────────┬──────────┬──────────────┬────────────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
+│           Library           │  Vulnerability   │ Severity │    Status    │     Installed Version      │ Fixed Version │                            Title                             │
+├─────────────────────────────┼──────────────────┼──────────┼──────────────┼────────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
+│ binutils                    │ CVE-2014-9939    │ CRITICAL │ will_not_fix │ 2.25-5                     │               │ binutils: buffer overflow in ihex.c                          │
+│                             │                  │          │              │                            │               │ https://avd.aquasec.com/nvd/cve-2014-9939                    │
+│                             ├──────────────────┤          │              │                            ├───────────────┼──────────────────────────────────────────────────────────────┤
+│                             │ CVE-2017-6969    │          │              │                            │               │ binutils: Heap-based buffer over-read in readelf when        │
+│                             │                  │          │              │                            │               │ processing corrupt RL78 binaries                             │
+│                             │                  │          │              │                            │               │ https://avd.aquasec.com/nvd/cve-2017-6969                    │
+│                             ├──────────────────┤          │              │                            ├───────────────┼──────────────────────────────────────────────────────────────┤
+...
+```
+
+</details>
+
+!!! tip
+    To skip all unfixed vulnerabilities, you can use the `--ignore-unfixed` flag .
+    It is a shorthand of `--ignore-status affected,will_not_fix,fix_deferred,end_of_life`.
+    It displays "fixed" vulnerabilities only.
+
+```bash
+$ trivy image --ignore-unfixed ruby:2.4.0
+```
+
+## Suppression
+You can filter the results by
+
+- [Finding IDs](#by-finding-ids)
+- [Rego](#by-rego)
+- [Vulnerability Exploitability Exchange (VEX)](#by-vulnerability-exploitability-exchange-vex)
+
+To show the suppressed results, use the `--show-suppressed` flag.
+
+```bash
+$ trivy image --vex debian11.csaf.vex --ignorefile .trivyignore.yaml --show-suppressed debian:11
+...
+
+Suppressed Vulnerabilities (Total: 9)
+
+┌───────────────┬───────────────┬──────────┬──────────────┬─────────────────────────────────────────────┬───────────────────┐
+│    Library    │ Vulnerability │ Severity │    Status    │                  Statement                  │      Source       │
+├───────────────┼───────────────┼──────────┼──────────────┼─────────────────────────────────────────────┼───────────────────┤
+│ libdb5.3      │ CVE-2019-8457 │ CRITICAL │ not_affected │ vulnerable_code_not_in_execute_path         │ CSAF VEX          │
+├───────────────┼───────────────┼──────────┼──────────────┼─────────────────────────────────────────────┼───────────────────┤
+│ bsdutils      │ CVE-2022-0563 │ LOW      │ ignored      │ Accept the risk                             │ .trivyignore.yaml │
+├───────────────┤               │          │              │                                             │                   │
+│ libblkid1     │               │          │              │                                             │                   │
+├───────────────┤               │          │              │                                             │                   │
+│ libmount1     │               │          │              │                                             │                   │
+├───────────────┤               │          │              │                                             │                   │
+│ libsmartcols1 │               │          │              │                                             │                   │
+├───────────────┤               │          │              │                                             │                   │
+│ libuuid1      │               │          │              │                                             │                   │
+├───────────────┤               │          │              │                                             │                   │
+│ mount         │               │          │              │                                             │                   │
+├───────────────┼───────────────┤          │              ├─────────────────────────────────────────────┤                   │
+│ tar           │ CVE-2005-2541 │          │              │ The vulnerable configuration is not enabled │                   │
+├───────────────┼───────────────┤          │              ├─────────────────────────────────────────────┤                   │
+│ util-linux    │ CVE-2022-0563 │          │              │ Accept the risk                             │                   │
+└───────────────┴───────────────┴──────────┴──────────────┴─────────────────────────────────────────────┴───────────────────┘
+```
+
+### By Finding IDs
 
 Trivy supports the [.trivyignore](#trivyignore) and [.trivyignore.yaml](#trivyignoreyaml) ignore files.
 
-### .trivyignore
+#### .trivyignore
 
 |     Scanner      | Supported |
 |:----------------:|:---------:|
@@ -254,7 +318,7 @@ Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
 
 </details>
 
-### .trivyignore.yaml
+#### .trivyignore.yaml
 
 |     Scanner      | Supported |
 |:----------------:|:---------:|
@@ -271,12 +335,13 @@ For the `.trivyignore.yaml` file, you can set ignored IDs separately for `vulner
 
 Available fields:
 
-| Field      | Required | Type                | Description                                                                                                |
-|------------|:--------:|---------------------|------------------------------------------------------------------------------------------------------------|
-| id         |    ✓     | string              | The identifier of the vulnerability, misconfiguration, secret, or license[^1].                             |
-| paths      |          | string array        | The list of file paths to be ignored. If `paths` is not set, the ignore finding is applied to all files.   |
-| expired_at |          | date (`yyyy-mm-dd`) | The expiration date of the ignore finding. If `expired_at` is not set, the ignore finding is always valid. |
-| statement  |          | string              | The reason for ignoring the finding. (This field is not used for filtering.)                               |
+| Field      | Required | Type                | Description                                                                                                                                                             |
+|------------|:--------:|---------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| id         |    ✓     | string              | The identifier of the vulnerability, misconfiguration, secret, or license[^1].                                                                                          |
+| paths[^2]  |          | string array        | The list of file paths to ignore. If `paths` is not set, the ignore finding is applied to all files.                                                                    |
+| purls      |          | string array        | The list of PURLs to ignore packages. If `purls` is not set, the ignore finding is applied to all packages. This field is currently available only for vulnerabilities. |
+| expired_at |          | date (`yyyy-mm-dd`) | The expiration date of the ignore finding. If `expired_at` is not set, the ignore finding is always valid.                                                              |
+| statement  |          | string              | The reason for ignoring the finding. (This field is not used for filtering.)                                                                                            |
 
 ```bash
 $ cat .trivyignore.yaml
@@ -288,6 +353,8 @@ vulnerabilities:
   - id: CVE-2023-2650
   - id: CVE-2023-3446
   - id: CVE-2023-3817
+    purls:
+      - "pkg:deb/debian/libssl1.1"
   - id: CVE-2023-29491
     expired_at: 2023-09-01
 
@@ -339,83 +406,14 @@ Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
 
 </details>
 
-
-## By Vulnerability Target
-|     Scanner      | Supported |
-|:----------------:|:---------:|
-|  Vulnerability   |     ✓     |
-| Misconfiguration |           |
-|      Secret      |           |
-|     License      |           |
-
-Use `--vuln-type` option.
-
-```bash
-$ trivy image --vuln-type os ruby:2.4.0
-```
-
-Available values:
-
-- library
-- os
-
-<details>
-<summary>Result</summary>
-
-```bash
-2019-05-22T19:36:50.530+0200    INFO    Updating vulnerability database...
-2019-05-22T19:36:51.681+0200    INFO    Detecting Alpine vulnerabilities...
-2019-05-22T19:36:51.685+0200    INFO    Updating npm Security DB...
-2019-05-22T19:36:52.389+0200    INFO    Detecting npm vulnerabilities...
-2019-05-22T19:36:52.390+0200    INFO    Updating pipenv Security DB...
-2019-05-22T19:36:53.406+0200    INFO    Detecting pipenv vulnerabilities...
-
-ruby:2.4.0 (debian 8.7)
-=======================
-Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2)
-
-+---------+------------------+----------+-------------------+---------------+----------------------------------+
-| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |              TITLE               |
-+---------+------------------+----------+-------------------+---------------+----------------------------------+
-| curl    | CVE-2018-14618   | CRITICAL | 7.61.0-r0         | 7.61.1-r0     | curl: NTLM password overflow     |
-|         |                  |          |                   |               | via integer overflow             |
-+         +------------------+----------+                   +---------------+----------------------------------+
-|         | CVE-2018-16839   | HIGH     |                   | 7.61.1-r1     | curl: Integer overflow leading   |
-|         |                  |          |                   |               | to heap-based buffer overflow in |
-|         |                  |          |                   |               | Curl_sasl_create_plain_message() |
-+---------+------------------+----------+-------------------+---------------+----------------------------------+
-| git     | CVE-2018-17456   | HIGH     | 2.15.2-r0         | 2.15.3-r0     | git: arbitrary code execution    |
-|         |                  |          |                   |               | via .gitmodules                  |
-+         +------------------+          +                   +               +----------------------------------+
-|         | CVE-2018-19486   |          |                   |               | git: Improper handling of        |
-|         |                  |          |                   |               | PATH allows for commands to be   |
-|         |                  |          |                   |               | executed from...                 |
-+---------+------------------+----------+-------------------+---------------+----------------------------------+
-| libssh2 | CVE-2019-3855    | CRITICAL | 1.8.0-r2          | 1.8.1-r0      | libssh2: Integer overflow in     |
-|         |                  |          |                   |               | transport read resulting in      |
-|         |                  |          |                   |               | out of bounds write...           |
-+---------+------------------+----------+-------------------+---------------+----------------------------------+
-| sqlite  | CVE-2018-20346   | MEDIUM   | 3.21.0-r1         | 3.25.3-r0     | CVE-2018-20505 CVE-2018-20506    |
-|         |                  |          |                   |               | sqlite: Multiple flaws in        |
-|         |                  |          |                   |               | sqlite which can be triggered    |
-|         |                  |          |                   |               | via...                           |
-+---------+------------------+----------+-------------------+---------------+----------------------------------+
-| tar     | CVE-2018-20482   | LOW      | 1.29-r1           | 1.31-r0       | tar: Infinite read loop in       |
-|         |                  |          |                   |               | sparse_dump_region function in   |
-|         |                  |          |                   |               | sparse.c                         |
-+---------+------------------+----------+-------------------+---------------+----------------------------------+
-```
-
-</details>
-
-## By Rego
+### By Rego
 
 |     Scanner      | Supported |
 |:----------------:|:---------:|
 |  Vulnerability   |     ✓     |
 | Misconfiguration |     ✓     |
-|      Secret      |           |
-|     License      |           |
+|      Secret      |     ✓     |
+|     License      |     ✓     |
 
 !!! warning "EXPERIMENTAL"
     This feature might change without preserving backwards compatibility.
@@ -460,7 +458,8 @@ trivy image -f json centos:7
 ...
 ```
 
-Each individual vulnerability (under `Results.Vulnerabilities`) or Misconfiguration (under `Results.Misconfigurations`) is evaluated for exclusion or inclusion by the `ignore` rule.
+Each individual Vulnerability, Misconfiguration, License and Secret (under `Results.Vulnerabilities`, `Results.Misconfigurations`, 
+`Results.Licenses`, `Results.Secrets`) is evaluated for exclusion or inclusion by the `ignore` rule.
 
 The following is a Rego ignore policy that filters out every vulnerability with a specific CWE ID (as seen in the JSON example above):
 
@@ -483,39 +482,16 @@ More info about the helper functions are in the library [here](https://github.co
 
 You can find more example policies [here](https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/pkg/result/module.go)
 
-## By Inline Comments
-
+### By Vulnerability Exploitability Exchange (VEX)
 |     Scanner      | Supported |
 |:----------------:|:---------:|
-|  Vulnerability   |           |
-| Misconfiguration |     ✓     |
+|  Vulnerability   |     ✓     |
+| Misconfiguration |           |
 |      Secret      |           |
 |     License      |           |
 
-Some configuration file formats (e.g. Terraform) support inline comments.
+Please refer to the [VEX documentation](../supply-chain/vex.md) for the details.
 
-In cases where trivy can detect comments of a specific format immediately adjacent to resource definitions, it is possible to filter/ignore findings from a single point of resource definition (in contrast to `.trivyignore`, which has a directory-wide scope on all of the files scanned).
 
-The format for these comments is `trivy:ignore:<Vulnerability ID>` immediately following the format-specific line-comment token. You can add multiple ignores on the same comment line.
-
-For example, to filter a Vulnerability ID "AVD-GCP-0051" in a Terraform HCL file:
-
-```terraform
-#trivy:ignore:AVD-GCP-0051
-resource "google_container_cluster" "one_off_test" {
-  name     = var.cluster_name
-  location = var.region
-}
-```
-
-For example, to filter vulnerabilities "AVD-GCP-0051" and "AVD-GCP-0053" in a Terraform HCL file:
-
-```terraform
-#trivy:ignore:AVD-GCP-0051 trivy:ignore:AVD-GCP-0053
-resource "google_container_cluster" "one_off_test" {
-  name     = var.cluster_name
-  location = var.region
-}
-```
-
-[^1]: license name is used as id for `.trivyignore.yaml` files
+[^1]: license name is used as id for `.trivyignore.yaml` files.
+[^2]: This doesn't work for os package licenses (e.g. apk, dpkg, rpm). For projects which manage dependencies through a dependency file (e.g. go.mod, yarn.lock) `path` should point to that particular file.

docs/docs/configuration/reporting.md

@@ -63,6 +63,7 @@ The following languages are currently supported:
 | Go       | [go.mod][go-mod]                           |
 | PHP      | [composer.lock][composer-lock]             |
 | Java     | [pom.xml][pom-xml]                         |
+|          | [*gradle.lockfile][gradle-lockfile]        |
 | Dart     | [pubspec.lock][pubspec-lock]               |
 
 This tree is the reverse of the dependency graph.
@@ -445,5 +446,6 @@ $ trivy convert --format table --severity CRITICAL result.json
 [go-mod]: ../coverage/language/golang.md#go-modules
 [composer-lock]: ../coverage/language/php.md#composer
 [pom-xml]: ../coverage/language/java.md#pomxml
+[gradle-lockfile]: ../coverage/language/java.md#gradlelock
 [pubspec-lock]: ../coverage/language/dart.md#dart
 [cargo-binaries]: ../coverage/language/rust.md#binaries

docs/docs/coverage/iac/terraform.md

@@ -8,18 +8,23 @@ Trivy supports the scanners listed in the table below.
 
 It supports the following formats:
 
-|  Format   | Supported |
-|:---------:|:---------:|
-|   JSON    |     ✓     |
-|    HCL    |     ✓     |
-| Plan JSON |     ✓     |
-
-Trivy can scan the results of `terraform plan`.
-You can scan by passing the file generated as shown below to Trivy:
+|     Format    | Supported |
+|:-------------:|:---------:|
+|     JSON      |     ✓     |
+|      HCL      |     ✓     |
+| Plan Snapshot |     ✓     |
+|   Plan JSON   |     ✓     |
 
+Trivy can scan Terraform Plan files (snapshots) or their JSON representations. To create a Terraform Plan and scan it, run the following command:
+```bash
+terraform plan --out tfplan
+trivy conf tfplan
 ```
-$ terraform plan --out tfplan.binary
-$ terraform show -json tfplan.binary > tfplan.json
+
+To scan a Terraform Plan representation in JSON format, run the following command:
+```bash
+terraform show -json tfplan > tfplan.json
+trivy conf tfplan.json
 ```
 
 ## Misconfiguration

docs/docs/coverage/language/java.md

@@ -3,11 +3,11 @@ Trivy supports three types of Java scanning: `JAR/WAR/PAR/EAR`, `pom.xml` and `*
 
 Each artifact supports the following scanners:
 
-| Artifact         | SBOM  | Vulnerability | License |
-| ---------------- | :---: | :-----------: | :-----: |
-| JAR/WAR/PAR/EAR  |   ✓   |       ✓       |    -    |
-| pom.xml          |   ✓   |       ✓       |    ✓    |
-| *gradle.lockfile |   ✓   |       ✓       |    -    |
+| Artifact         | SBOM | Vulnerability | License |
+|------------------|:----:|:-------------:|:-------:|
+| JAR/WAR/PAR/EAR  |  ✓   |       ✓       |    -    |
+| pom.xml          |  ✓   |       ✓       |    ✓    |
+| *gradle.lockfile |  ✓   |       ✓       |    ✓    |
 
 The following table provides an outline of the features Trivy offers.
 
@@ -15,7 +15,7 @@ The following table provides an outline of the features Trivy offers.
 |------------------|:---------------------:|:----------------:|:------------------------------------:|:--------:|
 | JAR/WAR/PAR/EAR  |     Trivy Java DB     |     Include      |                  -                   |    -     |
 | pom.xml          | Maven repository [^1] |     Exclude      |                  ✓                   |  ✓[^7]   |
-| *gradle.lockfile |           -           |     Exclude      |                  -                   |    -     |
+| *gradle.lockfile |           -           |     Exclude      |                  ✓                   |    ✓     |
 
 These may be enabled or disabled depending on the target.
 See [here](./index.md) for the detail.
@@ -55,12 +55,33 @@ The vulnerability database will be downloaded anyway.
 !!! Warning
     Trivy may skip some dependencies (that were not found on your local machine) when the `--offline-scan` flag is passed.
 
-## Gradle.lock
-`gradle.lock` files contain all necessary information about used dependencies.
-Trivy simply parses the file, extract dependencies, and finds vulnerabilities for them.
-It doesn't require the internet access.
 
-[^1]: https://github.com/aquasecurity/trivy-java-db
+### maven-invoker-plugin
+Typically, the integration tests directory (`**/[src|target]/it/*/pom.xml`) of [maven-invoker-plugin][maven-invoker-plugin] doesn't contain actual `pom.xml` files and should be skipped to avoid noise.
+
+Trivy marks dependencies from these files as the development dependencies and skip them by default.
+If you need to show them, use the `--include-dev-deps` flag.
+
+
+## Gradle.lock
+`gradle.lock` files only contain information about used dependencies.
+
+!!!note
+    All necessary files are checked locally. Gradle file scanning doesn't require internet access.
+
+### Dependency-tree
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+Trivy finds child dependencies from `*.pom` files in the cache[^8] directory.
+
+But there is no reliable way to determine direct dependencies (even using other files).
+Therefore, we mark all dependencies as indirect to use logic to guess direct dependencies and build a dependency tree.
+
+### Licenses
+Trity also can detect licenses for dependencies.
+
+Make sure that you have cache[^8] directory to find licenses from `*.pom` dependency files.
+
 [^1]: Uses maven repository to get information about dependencies. Internet access required.
 [^2]: It means `*.jar`, `*.war`, `*.par` and `*.ear` file
 [^3]: `ArtifactID`, `GroupID` and `Version`
@@ -68,5 +89,7 @@ It doesn't require the internet access.
 [^5]: When you use dependency path in `relativePath` field in pom.xml file
 [^6]: `/Users/<username>/.m2/repository` (for Linux and Mac) and `C:/Users/<username>/.m2/repository` (for Windows) by default
 [^7]: To avoid confusion, Trivy only finds locations for direct dependencies from the base pom.xml file.
+[^8]: The supported directories are `$GRADLE_USER_HOME/caches` and `$HOME/.gradle/caches` (`%HOMEPATH%\.gradle\caches` for Windows).
 
-[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
+[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
+[maven-invoker-plugin]: https://maven.apache.org/plugins/maven-invoker-plugin/usage.html

docs/docs/references/configuration/cli/trivy.md

@@ -53,7 +53,7 @@ trivy [global flags] command [flags] target
 * [trivy plugin](trivy_plugin.md)	 - Manage plugins
 * [trivy repository](trivy_repository.md)	 - Scan a repository
 * [trivy rootfs](trivy_rootfs.md)	 - Scan rootfs
-* [trivy sbom](trivy_sbom.md)	 - Scan SBOM for vulnerabilities
+* [trivy sbom](trivy_sbom.md)	 - Scan SBOM for vulnerabilities and licenses
 * [trivy server](trivy_server.md)	 - Server mode
 * [trivy version](trivy_version.md)	 - Print the version
 * [trivy vm](trivy_vm.md)	 - [EXPERIMENTAL] Scan a virtual machine image

docs/docs/references/configuration/cli/trivy_aws.md

@@ -86,7 +86,7 @@ trivy aws [flags]
       --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
       --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
       --max-cache-age duration            The maximum age of the cloud cache. Cached data will be requeried from the cloud provider if it is older than this. (default 24h0m0s)
-      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan])
+      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
   -o, --output string                     output file name
       --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments
       --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")

docs/docs/references/configuration/cli/trivy_config.md

@@ -29,7 +29,7 @@ trivy config [flags] DIR
       --ignorefile string                 specify .trivyignore file (default ".trivyignore")
       --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
       --k8s-version string                specify k8s version to validate outdated api by it (example: 1.21.0)
-      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan])
+      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
   -o, --output string                     output file name
       --output-plugin-arg string          [EXPERIMENTAL] output plugin arguments

docs/docs/references/configuration/cli/trivy_convert.md

@@ -31,6 +31,7 @@ trivy convert [flags] RESULT_JSON
       --output-plugin-arg string   [EXPERIMENTAL] output plugin arguments
       --report string              specify a report format for the output (all,summary) (default "all")
   -s, --severity strings           severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --show-suppressed            [EXPERIMENTAL] show suppressed vulnerabilities
   -t, --template string            output template
 ```
 

docs/docs/references/configuration/cli/trivy_filesystem.md

@@ -27,7 +27,7 @@ trivy filesystem [flags] PATH
       --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
       --config-policy strings             specify the paths to the Rego policy files or to the directories containing them, applying config files
       --custom-headers strings            custom headers in client mode
-      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
       --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
       --download-db-only                  download/update vulnerability database but don't run a scan
       --download-java-db-only             download/update Java index database but don't run a scan
@@ -47,11 +47,11 @@ trivy filesystem [flags] PATH
       --ignorefile string                 specify .trivyignore file (default ".trivyignore")
       --include-dev-deps                  include development dependencies in the report (supported: npm, yarn)
       --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
-      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
+      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
       --license-confidence-level float    specify license classifier's confidence level (default 0.9)
       --license-full                      eagerly look for licenses in source code headers and license files
       --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
-      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan])
+      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
       --no-progress                       suppress progress bar
       --offline-scan                      do not issue API requests to identify dependencies
@@ -75,6 +75,7 @@ trivy filesystem [flags] PATH
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
       --server string                     server address in client mode
   -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
       --skip-db-update                    skip updating vulnerability database
       --skip-dirs strings                 specify the directories or glob patterns to skip
       --skip-files strings                specify the files or glob patterns to skip

docs/docs/references/configuration/cli/trivy_image.md

@@ -41,7 +41,7 @@ trivy image [flags] IMAGE_NAME
       --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
       --config-policy strings             specify the paths to the Rego policy files or to the directories containing them, applying config files
       --custom-headers strings            custom headers in client mode
-      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
       --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
       --docker-host string                unix domain socket path to use for docker scanning
       --download-db-only                  download/update vulnerability database but don't run a scan
@@ -65,11 +65,11 @@ trivy image [flags] IMAGE_NAME
       --image-src strings                 image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote])
       --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
       --input string                      input file path instead of image name
-      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
+      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
       --license-confidence-level float    specify license classifier's confidence level (default 0.9)
       --license-full                      eagerly look for licenses in source code headers and license files
       --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
-      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan])
+      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
       --no-progress                       suppress progress bar
       --offline-scan                      do not issue API requests to identify dependencies
@@ -78,6 +78,7 @@ trivy image [flags] IMAGE_NAME
       --parallel int                      number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
       --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
       --platform string                   set platform in the form os/arch if image is multi-platform capable
+      --podman-host string                unix podman socket path to use for podman scanning
       --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
       --policy-namespaces strings         Rego namespaces
       --redis-ca string                   redis ca file location, if using redis as cache backend
@@ -95,6 +96,7 @@ trivy image [flags] IMAGE_NAME
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
       --server string                     server address in client mode
   -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
       --skip-db-update                    skip updating vulnerability database
       --skip-dirs strings                 specify the directories or glob patterns to skip
       --skip-files strings                specify the files or glob patterns to skip

docs/docs/references/configuration/cli/trivy_kubernetes.md

@@ -37,7 +37,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
       --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
       --config-policy strings             specify the paths to the Rego policy files or to the directories containing them, applying config files
       --context string                    specify a context to scan
-      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
       --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
       --download-db-only                  download/update vulnerability database but don't run a scan
       --download-java-db-only             download/update Java index database but don't run a scan
@@ -57,11 +57,11 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
       --ignorefile string                 specify .trivyignore file (default ".trivyignore")
       --image-src strings                 image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote])
       --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
-      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
+      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
       --k8s-version string                specify k8s version to validate outdated api by it (example: 1.21.0)
       --kubeconfig string                 specify the kubeconfig file path to use
       --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
-      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan])
+      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
   -n, --namespace string                  specify a namespace to scan
       --no-progress                       suppress progress bar
       --node-collector-imageref string    indicate the image reference for the node-collector scan job (default "ghcr.io/aquasecurity/node-collector:0.0.9")
@@ -87,6 +87,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
       --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,rbac) (default [vuln,misconfig,secret,rbac])
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
   -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
       --skip-db-update                    skip updating vulnerability database
       --skip-dirs strings                 specify the directories or glob patterns to skip
       --skip-files strings                specify the files or glob patterns to skip

docs/docs/references/configuration/cli/trivy_repository.md

@@ -27,7 +27,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
       --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
       --config-policy strings             specify the paths to the Rego policy files or to the directories containing them, applying config files
       --custom-headers strings            custom headers in client mode
-      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
       --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
       --download-db-only                  download/update vulnerability database but don't run a scan
       --download-java-db-only             download/update Java index database but don't run a scan
@@ -47,11 +47,11 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
       --ignorefile string                 specify .trivyignore file (default ".trivyignore")
       --include-dev-deps                  include development dependencies in the report (supported: npm, yarn)
       --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
-      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
+      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
       --license-confidence-level float    specify license classifier's confidence level (default 0.9)
       --license-full                      eagerly look for licenses in source code headers and license files
       --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
-      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan])
+      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
       --no-progress                       suppress progress bar
       --offline-scan                      do not issue API requests to identify dependencies
@@ -74,6 +74,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
       --server string                     server address in client mode
   -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
       --skip-db-update                    skip updating vulnerability database
       --skip-dirs strings                 specify the directories or glob patterns to skip
       --skip-files strings                specify the files or glob patterns to skip

docs/docs/references/configuration/cli/trivy_rootfs.md

@@ -29,7 +29,7 @@ trivy rootfs [flags] ROOTDIR
       --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
       --config-policy strings             specify the paths to the Rego policy files or to the directories containing them, applying config files
       --custom-headers strings            custom headers in client mode
-      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
       --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
       --download-db-only                  download/update vulnerability database but don't run a scan
       --download-java-db-only             download/update Java index database but don't run a scan
@@ -49,11 +49,11 @@ trivy rootfs [flags] ROOTDIR
       --ignored-licenses strings          specify a list of license to ignore
       --ignorefile string                 specify .trivyignore file (default ".trivyignore")
       --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
-      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
+      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
       --license-confidence-level float    specify license classifier's confidence level (default 0.9)
       --license-full                      eagerly look for licenses in source code headers and license files
       --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
-      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan])
+      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
       --no-progress                       suppress progress bar
       --offline-scan                      do not issue API requests to identify dependencies
@@ -76,6 +76,7 @@ trivy rootfs [flags] ROOTDIR
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
       --server string                     server address in client mode
   -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
       --skip-db-update                    skip updating vulnerability database
       --skip-dirs strings                 specify the directories or glob patterns to skip
       --skip-files strings                specify the files or glob patterns to skip

docs/docs/references/configuration/cli/trivy_sbom.md

@@ -1,6 +1,6 @@
 ## trivy sbom
 
-Scan SBOM for vulnerabilities
+Scan SBOM for vulnerabilities and licenses
 
 ```
 trivy sbom [flags] SBOM_PATH
@@ -25,7 +25,7 @@ trivy sbom [flags] SBOM_PATH
       --clear-cache                 clear image caches without scanning
       --compliance string           compliance report to generate
       --custom-headers strings      custom headers in client mode
-      --db-repository string        OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string        OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
       --download-db-only            download/update vulnerability database but don't run a scan
       --download-java-db-only       download/update Java index database but don't run a scan
       --exit-code int               specify exit code when any security issues are found
@@ -36,8 +36,9 @@ trivy sbom [flags] SBOM_PATH
       --ignore-policy string        specify the Rego file path to evaluate each vulnerability
       --ignore-status strings       comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
       --ignore-unfixed              display only fixed vulnerabilities
+      --ignored-licenses strings    specify a list of license to ignore
       --ignorefile string           specify .trivyignore file (default ".trivyignore")
-      --java-db-repository string   OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
+      --java-db-repository string   OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
       --list-all-pkgs               enabling the option will output all packages regardless of vulnerability
       --no-progress                 suppress progress bar
       --offline-scan                do not issue API requests to identify dependencies
@@ -50,8 +51,10 @@ trivy sbom [flags] SBOM_PATH
       --rekor-url string            [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
       --reset                       remove all caches and database
       --sbom-sources strings        [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
+      --scanners strings            comma-separated list of what security issues to detect (vuln,license) (default [vuln])
       --server string               server address in client mode
   -s, --severity strings            severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --show-suppressed             [EXPERIMENTAL] show suppressed vulnerabilities
       --skip-db-update              skip updating vulnerability database
       --skip-dirs strings           specify the directories or glob patterns to skip
       --skip-files strings          specify the files or glob patterns to skip

docs/docs/references/configuration/cli/trivy_server.md

@@ -23,7 +23,7 @@ trivy server [flags]
       --cache-backend string     cache backend (e.g. redis://localhost:6379) (default "fs")
       --cache-ttl duration       cache TTL when using redis as cache backend
       --clear-cache              clear image caches without scanning
-      --db-repository string     OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string     OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
       --download-db-only         download/update vulnerability database but don't run a scan
       --enable-modules strings   [EXPERIMENTAL] module names to enable
   -h, --help                     help for server

docs/docs/references/configuration/cli/trivy_vm.md

@@ -26,7 +26,7 @@ trivy vm [flags] VM_IMAGE
       --clear-cache                       clear image caches without scanning
       --compliance string                 compliance report to generate
       --custom-headers strings            custom headers in client mode
-      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
       --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
       --download-db-only                  download/update vulnerability database but don't run a scan
       --download-java-db-only             download/update Java index database but don't run a scan
@@ -45,9 +45,9 @@ trivy vm [flags] VM_IMAGE
       --ignore-unfixed                    display only fixed vulnerabilities
       --ignorefile string                 specify .trivyignore file (default ".trivyignore")
       --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
-      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
+      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
       --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
-      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan])
+      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
       --no-progress                       suppress progress bar
       --offline-scan                      do not issue API requests to identify dependencies
@@ -67,6 +67,7 @@ trivy vm [flags] VM_IMAGE
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
       --server string                     server address in client mode
   -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
       --skip-db-update                    skip updating vulnerability database
       --skip-dirs strings                 specify the directories or glob patterns to skip
       --skip-files strings                specify the files or glob patterns to skip

docs/docs/references/configuration/config-file.md

@@ -203,6 +203,11 @@ image:
     # Same as '--docker-host'
     # Default is empty
     host: 
+  
+  podman:
+    # Same as '--podman-host'
+    # Default is empty
+    host: 
 ```
 
 ## Vulnerability Options

docs/docs/scanner/license.md

@@ -30,10 +30,10 @@ To configure the confidence level, you can use `--license-confidence-level`. Thi
 
 Currently, the standard license scanning doesn't support filesystem and repository scanning.
 
-|   License scanning    | Image | Rootfs | Filesystem | Repository |
-| :-------------------: | :---: | :----: | :--------: | :--------: |
-|       Standard        |   ✅   |   ✅    |     -      |     -      |
-| Full (--license-full) |   ✅   |   ✅    |     ✅      |     ✅      |
+|   License scanning    | Image | Rootfs | Filesystem | Repository | SBOM |
+|:---------------------:|:-----:|:------:|:----------:|:----------:|:----:|
+|       Standard        |   ✅   |   ✅    |     -      |     -      |  ✅   |
+| Full (--license-full) |   ✅   |   ✅    |     ✅      |     ✅      |  -   |
 
 License checking classifies the identified licenses and map the classification to severity.
 

docs/docs/scanner/misconfiguration/custom/index.md

@@ -27,7 +27,7 @@ In the above general file formats, Trivy automatically identifies the following
 - CloudFormation (JSON/YAML)
 - Kubernetes (JSON/YAML)
 - Helm (YAML)
-- Terraform Plan (JSON)
+- Terraform Plan (JSON/Snapshot)
 
 This is useful for filtering inputs, as described below.
 

docs/docs/scanner/misconfiguration/index.md

@@ -6,7 +6,7 @@ In addition to built-in policies, you can write your own custom policies, as you
 
 Simply specify a directory containing IaC files such as Terraform, CloudFormation, Azure ARM templates, Helm Charts and Dockerfile.
 
-``` bash
+```bash
 $ trivy config [YOUR_IaC_DIRECTORY]
 ```
 
@@ -316,15 +316,17 @@ This section describes misconfiguration-specific configuration.
 Other common options are documented [here](../../configuration/index.md).
 
 ### Enabling a subset of misconfiguration scanners
-It's possible to only enable certain misconfiguration scanners if you prefer. You can do so by passing the `--misconfig-scanners` option.
+It's possible to only enable certain misconfiguration scanners if you prefer.
+You can do so by passing the `--misconfig-scanners` option.
 This flag takes a comma-separated list of configuration scanner types.
+
 ```bash
 trivy config --misconfig-scanners=terraform,dockerfile .
 ```
 
 Will only scan for misconfigurations that pertain to Terraform and Dockerfiles.
 
-### Pass custom policies
+### Passing custom policies
 You can pass policy files or directories including your custom policies through `--policy` option.
 This can be repeated for specifying multiple files or directories.
 
@@ -338,7 +340,7 @@ For more details, see [Custom Policies](./custom/index.md).
 !!! tip
 You also need to specify `--namespaces` option.
 
-### Pass custom data
+### Passing custom data
 You can pass directories including your custom data through `--data` option.
 This can be repeated for specifying multiple directories.
 
@@ -349,7 +351,7 @@ trivy conf --policy ./policy --data ./data --namespaces user ./configs
 
 For more details, see [Custom Data](./custom/data.md).
 
-### Pass namespaces
+### Passing namespaces
 By default, Trivy evaluates policies defined in `builtin.*`.
 If you want to evaluate custom policies in other packages, you have to specify package prefixes through `--namespaces` option.
 This can be repeated for specifying multiple packages.
@@ -358,4 +360,167 @@ This can be repeated for specifying multiple packages.
 trivy conf --policy ./policy --namespaces main --namespaces user ./configs
 ```
 
+### Private terraform registries
+Trivy can download terraform code from private registries.
+To pass credentials you must use the `TF_TOKEN_` environment variables.
+You cannot use a `.terraformrc` or `terraform.rc` file, these are not supported by trivy yet.
+
+From the terraform [docs](https://developer.hashicorp.com/terraform/cli/config/config-file#environment-variable-credentials):
+
+> Environment variable names should have the prefix TF_TOKEN_ added to the domain name, with periods encoded as underscores.
+> For example, the value of a variable named `TF_TOKEN_app_terraform_io` will be used as a bearer authorization token when the CLI makes service requests to the hostname `app.terraform.io`.
+>
+> You must convert domain names containing non-ASCII characters to their punycode equivalent with an ACE prefix.
+> For example, token credentials for `例えば.com` must be set in a variable called `TF_TOKEN_xn--r8j3dr99h_com`.
+>
+> Hyphens are also valid within host names but usually invalid as variable names and may be encoded as double underscores.
+> For example, you can set a token for the domain name café.fr as TF_TOKEN_xn--caf-dma_fr or TF_TOKEN_xn____caf__dma_fr.
+
+If multiple variables evaluate to the same hostname, Trivy will choose the environment variable name where the dashes have not been encoded as double underscores.
+
+
+### Skipping resources by inline comments
+
+Trivy supports ignoring misconfigured resources by inline comments for Terraform configuration files only.
+
+In cases where Trivy can detect comments of a specific format immediately adjacent to resource definitions, it is possible to ignore findings from a single source of resource definition (in contrast to `.trivyignore`, which has a directory-wide scope on all of the files scanned). The format for these comments is `trivy:ignore:<rule>` immediately following the format-specific line-comment [token](https://developer.hashicorp.com/terraform/language/syntax/configuration#comments).
+
+The ignore rule must contain one of the possible check IDs that can be found in its metadata: ID, short code or alias. The `id` from the metadata is not case-sensitive, so you can specify, for example, `AVD-AWS-0089` or `avd-aws-0089`.
+
+For example, to ignore a misconfiguration ID `AVD-GCP-0051` in a Terraform HCL file:
+
+```terraform
+#trivy:ignore:AVD-GCP-0051
+resource "google_container_cluster" "example" {
+  name     = var.cluster_name
+  location = var.region
+}
+```
+
+You can add multiple ignores on the same comment line:
+```terraform
+#trivy:ignore:AVD-GCP-0051 trivy:ignore:AVD-GCP-0053
+resource "google_container_cluster" "example" {
+  name     = var.cluster_name
+  location = var.region
+}
+```
+
+You can also specify a long ID, which is formed as follows: `<provider>-<service>-<short-code>`.
+
+As an example, consider the following check metadata:
+
+```yaml
+# custom:
+  # id: AVD-AWS-0089
+  # avd_id: AVD-AWS-0089
+  # provider: aws
+  # service: s3
+  # severity: LOW
+  # short_code: enable-logging
+```
+
+Long ID would look like the following: `aws-s3-enable-logging`.
+
+#### Expiration Date
+
+You can specify the expiration date of the ignore rule in `yyyy-mm-dd` format. This is a useful feature when you want to make sure that an ignored issue is not forgotten and worth revisiting in the future. For example:
+```tf
+#trivy:ignore:aws-s3-enable-logging:exp:2024-03-10
+resource "aws_s3_bucket" "example" {
+  bucket = "test"
+}
+```
+
+The `aws-s3-enable-logging` check will be ignored until `2024-03-10` until the ignore rule expires.
+
+#### Ignoring by attributes
+
+You can ignore a resource by its attribute value. This is useful when using the `for-each` meta-argument. For example:
+
+```tf
+locals {
+  ports = ["3306", "5432"]
+}
+
+#trivy:ignore:aws-ec2-no-public-ingress-sgr[from_port=3306]
+resource "aws_security_group_rule" "example" {
+  for_each                 = toset(local.ports)
+  type                     = "ingress"
+  from_port                = each.key
+  to_port                  = each.key
+  protocol                 = "TCP"
+  cidr_blocks              = ["0.0.0.0/0"]
+  security_group_id        = aws_security_group.example.id
+  source_security_group_id = aws_security_group.example.id
+}
+```
+
+The `aws-ec2-no-public-ingress-sgr` check will be ignored only for the `aws_security_group_rule` resource with port number `5432`. It is important to note that the ignore rule should not enclose the attribute value in quotes, despite the fact that the port is represented as a string.
+
+If you want to ignore multiple resources on different attributes, you can specify multiple ignore rules:
+
+```tf
+#trivy:ignore:aws-ec2-no-public-ingress-sgr[from_port=3306]
+#trivy:ignore:aws-ec2-no-public-ingress-sgr[from_port=5432]
+```
+
+You can also ignore a resource on multiple attributes:
+```tf
+locals {
+  rules = {
+    first = {
+      port = 1000
+      type = "ingress"
+    },
+    second = {
+      port = 1000
+      type = "egress"
+    }
+  }
+}
+
+#trivy:ignore:aws-ec2-no-public-ingress-sgr[from_port=1000,type=egress]
+resource "aws_security_group_rule" "example" {
+  for_each = { for k, v in local.rules : k => v }
+
+  type                     = each.value.type
+  from_port                = each.value.port
+  to_port                  = each.value.port
+  protocol                 = "TCP"
+  cidr_blocks              = ["0.0.0.0/0"]
+  security_group_id        = aws_security_group.example.id
+  source_security_group_id = aws_security_group.example.id
+}
+```
+
+!!! note
+    Currently nested attributes are not supported. For example you will not be able to reference the `each.key` attribute.
+
+#### Ignoring module issues
+
+Issues in third-party modules cannot be ignored using the method described above, because you may not have access to modify the module source code. In such a situation you can add ignore rules above the module block, for example:
+
+```tf
+#trivy:ignore:aws-s3-enable-logging
+module "s3_bucket" {
+  source = "terraform-aws-modules/s3-bucket/aws"
+
+  bucket = "my-s3-bucket"
+}
+```
+
+An example of ignoring checks for a specific bucket in a module:
+```tf
+locals {
+  bucket = ["test1", "test2"]
+}
+
+#trivy:ignore:*[bucket=test1]
+module "s3_bucket" {
+  for_each = toset(local.bucket)
+  source   = "terraform-aws-modules/s3-bucket/aws"
+  bucket   = each.value
+}
+```
 [custom]: custom/index.md

docs/docs/scanner/vulnerability.md

@@ -152,6 +152,76 @@ The default is `ghcr.io/aquasecurity/trivy-java-db`.
 If authentication is required, you need to run `docker login YOUR_REGISTRY`.
 Currently, specifying a username and password is not supported.
 
+## Configuration
+This section describes vulnerability-specific configuration.
+Other common options are documented [here](../configuration/index.md).
+
+### Enabling a subset of package types
+It's possible to only enable certain package types if you prefer.
+You can do so by passing the `--vuln-type` option.
+This flag takes a comma-separated list of package types.
+
+Available values:
+
+- os
+    - Scan OS packages managed by the OS package manager (e.g. `dpkg`, `yum`, `apk`).
+- library
+    - Scan language-specific packages (e.g. packages installed by `pip`, `npm`, or `gem`).
+
+```bash
+$ trivy image --vuln-type os ruby:2.4.0
+```
+
+
+<details>
+<summary>Result</summary>
+
+```bash
+2019-05-22T19:36:50.530+0200    INFO    Updating vulnerability database...
+2019-05-22T19:36:51.681+0200    INFO    Detecting Alpine vulnerabilities...
+2019-05-22T19:36:51.685+0200    INFO    Updating npm Security DB...
+2019-05-22T19:36:52.389+0200    INFO    Detecting npm vulnerabilities...
+2019-05-22T19:36:52.390+0200    INFO    Updating pipenv Security DB...
+2019-05-22T19:36:53.406+0200    INFO    Detecting pipenv vulnerabilities...
+
+ruby:2.4.0 (debian 8.7)
+=======================
+Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2)
+
++---------+------------------+----------+-------------------+---------------+----------------------------------+
+| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |              TITLE               |
++---------+------------------+----------+-------------------+---------------+----------------------------------+
+| curl    | CVE-2018-14618   | CRITICAL | 7.61.0-r0         | 7.61.1-r0     | curl: NTLM password overflow     |
+|         |                  |          |                   |               | via integer overflow             |
++         +------------------+----------+                   +---------------+----------------------------------+
+|         | CVE-2018-16839   | HIGH     |                   | 7.61.1-r1     | curl: Integer overflow leading   |
+|         |                  |          |                   |               | to heap-based buffer overflow in |
+|         |                  |          |                   |               | Curl_sasl_create_plain_message() |
++---------+------------------+----------+-------------------+---------------+----------------------------------+
+| git     | CVE-2018-17456   | HIGH     | 2.15.2-r0         | 2.15.3-r0     | git: arbitrary code execution    |
+|         |                  |          |                   |               | via .gitmodules                  |
++         +------------------+          +                   +               +----------------------------------+
+|         | CVE-2018-19486   |          |                   |               | git: Improper handling of        |
+|         |                  |          |                   |               | PATH allows for commands to be   |
+|         |                  |          |                   |               | executed from...                 |
++---------+------------------+----------+-------------------+---------------+----------------------------------+
+| libssh2 | CVE-2019-3855    | CRITICAL | 1.8.0-r2          | 1.8.1-r0      | libssh2: Integer overflow in     |
+|         |                  |          |                   |               | transport read resulting in      |
+|         |                  |          |                   |               | out of bounds write...           |
++---------+------------------+----------+-------------------+---------------+----------------------------------+
+| sqlite  | CVE-2018-20346   | MEDIUM   | 3.21.0-r1         | 3.25.3-r0     | CVE-2018-20505 CVE-2018-20506    |
+|         |                  |          |                   |               | sqlite: Multiple flaws in        |
+|         |                  |          |                   |               | sqlite which can be triggered    |
+|         |                  |          |                   |               | via...                           |
++---------+------------------+----------+-------------------+---------------+----------------------------------+
+| tar     | CVE-2018-20482   | LOW      | 1.29-r1           | 1.31-r0       | tar: Infinite read loop in       |
+|         |                  |          |                   |               | sparse_dump_region function in   |
+|         |                  |          |                   |               | sparse.c                         |
++---------+------------------+----------+-------------------+---------------+----------------------------------+
+```
+
+</details>
+
 [^1]: https://github.com/GoogleContainerTools/distroless
 
 [nvd-CVE-2023-0464]: https://nvd.nist.gov/vuln/detail/CVE-2023-0464

docs/docs/target/container_image.md

@@ -500,3 +500,10 @@ You can configure Docker daemon socket with `DOCKER_HOST` or `--docker-host`.
 ```shell
 $ trivy image --docker-host tcp://127.0.0.1:2375 YOUR_IMAGE
 ```
+
+### Configure Podman daemon socket to connect to.
+You can configure Podman daemon socket with `--podman-host`.
+
+```shell
+$ trivy image --podman-host /run/user/1000/podman/podman.sock YOUR_IMAGE
+```

docs/docs/target/sbom.md

@@ -1,6 +1,6 @@
 # SBOM scanning
 
-Trivy can take the following SBOM formats as an input and scan for vulnerabilities.
+Trivy can take the following SBOM formats as an input and scan for vulnerabilities and licenses.
 
 - CycloneDX
 - SPDX
@@ -17,6 +17,9 @@ $ trivy sbom /path/to/sbom_file
 
 ```
 
+By default, vulnerability scan in SBOM is executed. You can use `--scanners vuln,license` 
+command property to select also license scan, or `--scanners license` alone.
+
 !!! note
     Passing SBOMs generated by tool other than Trivy may result in inaccurate detection
     because Trivy relies on custom properties in SBOM for accurate scanning.
@@ -117,6 +120,11 @@ Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
 
 To read more about KBOM, see the [documentation for Kubernetes scanning](./kubernetes.md#KBOM).
 
+The supported Kubernetes distributions for core components vulnerability scanning are:
+
+- [Kubernetes upstream](https://github.com/kubernetes/kubernetes)
+- [Rancher rke2](https://github.com/rancher/rke2)
+
 ```sh
 
 $ trivy k8s --format cyclonedx cluster -o kbom.json

docs/ecosystem/cicd.md

@@ -79,3 +79,11 @@ You can use Trivy Resource in Concourse for scanning containers and introducing
 It has capabilities to fail the pipeline, create issues, alert communication channels (using respective resources) based on Trivy scan output.
 
 👉 Get it at: <https://github.com/Comcast/trivy-resource/>
+
+
+## SecObserve GitHub actions and GitLab templates (Community)
+[SecObserve GitHub actions and GitLab templates](https://github.com/MaibornWolff/secobserve_actions_templates) run various vulnerability scanners, providing uniform methods and parameters for launching the tools.
+
+The Trivy integration supports scanning Docker images and local filesystems for vulnerabilities as well as scanning IaC files for misconfigurations.
+
+👉 Get it at: <https://github.com/MaibornWolff/secobserve_actions_templates>

docs/ecosystem/reporting.md

@@ -1,21 +1,32 @@
 # Reporting
 
-## SonarQube (Community)
-A Trivy plugin that converts JSON report to SonarQube [generic issues format](https://docs.sonarqube.org/9.6/analyzing-source-code/importing-external-issues/generic-issue-import-format/).
-
-👉 Get it at: <https://github.com/umax/trivy-plugin-sonarqube>
-
 ## DefectDojo (Community)
 DefectDojo can parse Trivy JSON reports. The parser supports deduplication and auto-close features.
 
 👉 Get it at: <https://github.com/DefectDojo/django-DefectDojo>
 
+## SecObserve (Community)
+SecObserve can parse Trivy results as CycloneDX reports and provides an unified overview of vulnerabilities from different sources. Vulnerabilities can be evaluated with manual and rule based assessments.
+
+👉 Get it at: <https://github.com/MaibornWolff/SecObserve>
+
 ## Scan2html (Community)
 A Trivy plugin that scans and outputs the results to an interactive html file.
 
 👉 Get it at: <https://github.com/fatihtokus/scan2html>
 
+## SonarQube (Community)
+A Trivy plugin that converts JSON report to SonarQube [generic issues format](https://docs.sonarqube.org/9.6/analyzing-source-code/importing-external-issues/generic-issue-import-format/).
+
+👉 Get it at: <https://github.com/umax/trivy-plugin-sonarqube>
+
 ## Trivy-Streamlit (Community)
 Trivy-Streamlit is a Streamlit application that allows you to quickly parse the results from a Trivy JSON report.
 
 👉 Get it at: <https://github.com/mfreeman451/trivy-streamlit>
+
+## Trivy-Vulnerability-Explorer (Community)
+
+This project is a web application that allows to load a Trivy report in json format and displays the vulnerabilities of a single target in an interactive data table.
+
+👉 Get it at: <https://github.com/dbsystel/trivy-vulnerability-explorer>

docs/getting-started/installation.md

@@ -112,6 +112,14 @@ Nix package manager for Linux and MacOS.
 References: 
 -  <https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/admin/trivy/default.nix>
 
+### FreeBSD (Official)
+
+[Pkg](https://freebsd.org) for FreeBSD.
+
+```bash
+pkg install trivy
+```
+
 ## Install from GitHub Release (Official)
 
 ### Download Binary

docs/index.md

@@ -126,7 +126,7 @@ Contact us about any matter by opening a GitHub Discussion [here][discussions]
 
 [Ecosystem]: ./ecosystem/index.md
 [Installation]: getting-started/installation.md
-[pronunciation]: #how-to-pronounce-the-name-trivy
+[pronunciation]: getting-started/faq.md#how-to-pronounce-the-name-trivy
 [Scanning Coverage]: ./docs/coverage/index.md
 
 [aquasec]: https://aquasec.com

docs/tutorials/integrations/gitlab-ci.md

@@ -41,7 +41,7 @@ trivy:
     # Build image
     - docker build -t $IMAGE .
     # Build report
-    - ./trivy image --exit-code 0 --format template --template "@contrib/gitlab.tpl" -o gl-container-scanning-report.json $IMAGE
+    - ./trivy image --exit-code 0 --format template --template "@/contrib/gitlab.tpl" -o gl-container-scanning-report.json $IMAGE
     # Print report
     - ./trivy image --exit-code 0 --severity HIGH $IMAGE
     # Fail on severe vulnerabilities
@@ -148,9 +148,9 @@ trivy:
     # Build image
     - docker build -t $IMAGE .
     # Image report
-    - ./trivy image --exit-code 0 --format template --template "@contrib/gitlab-codequality.tpl" -o gl-codeclimate-image.json $IMAGE
+    - ./trivy image --exit-code 0 --format template --template "@/contrib/gitlab-codequality.tpl" -o gl-codeclimate-image.json $IMAGE
     # Filesystem report
-    - ./trivy filesystem --scanners misconfig,vuln --exit-code 0 --format template --template "@contrib/gitlab-codequality.tpl" -o gl-codeclimate-fs.json .
+    - ./trivy filesystem --scanners misconfig,vuln --exit-code 0 --format template --template "@/contrib/gitlab-codequality.tpl" -o gl-codeclimate-fs.json .
     # Combine report
     - apk update && apk add jq
     - jq -s 'add' gl-codeclimate-image.json gl-codeclimate-fs.json > gl-codeclimate.json

docs/tutorials/misconfiguration/custom-checks.md

@@ -0,0 +1,111 @@
+# Custom Checks with Rego
+
+Trivy can scan configuration files for common security issues (a.k.a IaC misconfiguration scanning). In addition to a comprehensive built in database of checks, you can add your own custom checks. Checks are written in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/) language and the full documentation for checks and customizing them is available [here](https://aquasecurity.github.io/trivy/latest/docs/scanner/misconfiguration/custom/). 
+
+This tutorial will walk you through writing a custom check in Rego that checks for an issue in a Dockerfile.
+
+When you are writing a check, it's important to understand the input to the check. This will be the IaC file that you are scanning; for example, a Kubernetes YAML resource definition, or an AWS JSON CloudFormation, or in our case a Dockerfile.
+
+Since Rego is primarily tailored to query JSON objects, all incoming configuration files needs to be first converted to structured objects, which is available to the Rego code as the input variable. This is nothing that users have to do manually in Trivy. Instead, Rego makes it possible to pass in custom Schemas that detail how files are converted. Once Rego has access to a custom Schema, it will know in which format to access configuration files such as a Dockerfile. 
+
+[Here you can find the schemas](https://github.com/aquasecurity/defsec/tree/master/pkg/rego/schemas) that define how different configuration files are converted to JSON by Trivy.
+This tutorial will make use of the [dockerfile.json schema](https://github.com/aquasecurity/defsec/tree/master/pkg/rego/schemas). The schema will need to be parsed into your custom check. 
+
+Users can also use the [Schema Explorer](https://aquasecurity.github.io/trivy-schemas/) to view the structure of the data provided to Rego.
+
+## Create a Rego file and Specify Trivy metadata
+
+First, create a new `.rego` file e.g. a `docker-check.rego` file:
+```
+touch docker-check.rego
+```
+
+Next, we need to specify metadata about the check. This is information that helps Trivy load and process the check.
+
+```
+# METADATA
+# title: Verify Image
+# description: Verify Image is allowed to be used and in the right format
+# schemas:
+#   - input: schema["dockerfile"]
+# custom:
+#   id: ID001
+#   severity: MEDIUM
+#   input:
+#     selector: 
+#     - type: dockerfile
+```
+
+Important: The `METADATA` has to be defined on top of the file.
+
+More information on the different fields in the metadata can be found in the [Trivy documentation.](https://aquasecurity.github.io/trivy/latest/docs/scanner/misconfiguration/custom/)
+
+## Package and imports
+
+```
+package custom.dockerfile.ID001
+
+import future.keywords.in
+```
+
+Every rego check has a package name. In our case, we will call it `custom.dockerfile.ID001` to avoid confusion between custom checks and built-in checks. The group name `dockerfile` has no effect on the package name. Note that each package has to contain only one check. However, we can pass multiple checks into our Trivy scan. 
+The first keyword of the package, in this case `custom`, will be reused in the `trivy` command as the `--namespace`.
+
+## Allowed data
+
+The check that we are setting up compares the container images used in the Dockerfile with a list of white-listed container images. Thus, we need to add the images that are allowed to be used in the Dockerfile to our check. In our case, we will store them in an array of arrays:
+
+```
+allowed_images :=  {
+    ["node:21-alpine3.19", "as", "build-deps"],
+    ["nginx:1.2"]
+}
+```
+
+## Select the images that are used in the Dockerfile
+
+Next, we need to iterate over the different commands in our Dockerfile and identify the commands that provide the base container images:
+
+```
+deny[msg] {
+    input.Stages[m].Commands[l].Cmd == "from"
+    val := input.Stages[m].Commands[l].Value
+    not val in allowed_images
+    msg := sprintf("The container image '%s' used in the Dockerfile is not allowed", val)
+}
+```
+
+Let's look at the check line by line:
+
+1. The rule should always be `deny` in the Trivy Rego checks
+2. `input.Stages[m].Commands[l].Cmd` `input` allows us to access the different commands in the Dockerfile. We need to access the commands that use "FROM". Every command will be converted to lowercase.
+3. `val := input.Stages[m].Commands[l].Value` accesses the value of the `FROM` command and stores it in `val`
+4. `not val in allowed_images` checks whether val is not part of our allowed images list; this part of the check relies on the import statement
+5. In case our check fails, the `msg` will be printed with the image name used in `val` 
+
+Note that Rego
+
+* uses `AND` automatically to combine conditions in this check
+* automatically iterates through the array of commands in the Dockefile and allowed images 
+
+## Run the check in a Trivy misconfiguration scan
+
+Ensure that you have Trivy installed and run the following command:
+
+```bash
+trivy fs --scanners misconf --policy ./docker-check.rego --namespaces custom ./Dockerfile
+```
+
+Please replace:
+
+* `./docker-check.rego` with the file path to your check
+* `custom` should be replaced with your package name if different
+* `./Dockerfile` is the path to the Dockerfile that should be scanned
+
+**Note**:  If you define custom packages, you have to specify the package prefix via `--namespaces` option. In our case, we called the custom package `custom`.
+
+## Resources
+
+* [Rego provides a long list of courses](https://academy.styra.com/collections) that can be useful in writing more complex checks
+* [The Rego documentation provides detailed information on the different types, iterations etc.](https://www.openpolicyagent.org/docs/latest/)
+* Have a look at the [built-in checks](https://github.com/aquasecurity/trivy-policies/tree/main/checks) for Trivy for inspiration on how to write custom checks.

docs/tutorials/misconfiguration/terraform.md

@@ -104,22 +104,7 @@ The `trivy config` command is a sub-command of the `trivy fs` command. You can l
 
 ## Scanning Terraform Plan files
 
-Instead of scanning your different Terraform resources individually, you could also scan your terraform plan output before it is deployed for misconfiguration. This will give you insights into any misconfiguration of your resources as they would become deployed. [Here](https://aquasecurity.github.io/trivy/latest/docs/scanner/misconfiguration/custom/examples/#terraform-plan) is the link to the documentation.
-
-First, create a terraform plan and save it to a file:
-```
-terraform plan --out tfplan.binary
-```
-
-Next, convert the file into json format:
-```
-terraform show -json tfplan.binary > tfplan.json
-```
-
-Lastly, scan the file with the `trivy config` command:
-```
-trivy config ./tfplan.json
-```
+Instead of scanning your different Terraform resources individually, you could also scan your Terraform Plan file before it is deployed for misconfiguration. This will give you insights into any misconfiguration of your resources as they would become deployed. [Here](https://aquasecurity.github.io/trivy/latest/docs/coverage/iac/terraform/#terraform) is the link to the documentation.
 
 Note that you need to be able to create a terraform init and plan without any errors. 
 

go.mod

@@ -11,10 +11,8 @@ require (
 	github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible
 	github.com/Masterminds/sprig/v3 v3.2.3
 	github.com/NYTimes/gziphandler v1.1.1
-	github.com/alicebob/miniredis/v2 v2.31.0
+	github.com/alicebob/miniredis/v2 v2.31.1
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/defsec v0.94.1
-	github.com/aquasecurity/go-dep-parser v0.0.0-20240131191227-2779e24d07b5
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
@@ -23,40 +21,41 @@ require (
 	github.com/aquasecurity/table v1.8.0
 	github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da
 	github.com/aquasecurity/tml v0.6.1
-	github.com/aquasecurity/trivy-aws v0.7.1
+	github.com/aquasecurity/trivy-aws v0.8.0
 	github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d
-	github.com/aquasecurity/trivy-iac v0.8.0
 	github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
-	github.com/aquasecurity/trivy-kubernetes v0.6.3-0.20240118072219-c433b06f98e1
-	github.com/aquasecurity/trivy-policies v0.8.0
-	github.com/aws/aws-sdk-go-v2 v1.24.1
-	github.com/aws/aws-sdk-go-v2/config v1.26.3
-	github.com/aws/aws-sdk-go-v2/credentials v1.16.14
-	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.15.11
-	github.com/aws/aws-sdk-go-v2/service/ec2 v1.142.0
+	github.com/aquasecurity/trivy-kubernetes v0.6.3
+	github.com/aquasecurity/trivy-policies v0.10.0
+	github.com/aws/aws-sdk-go-v2 v1.25.2
+	github.com/aws/aws-sdk-go-v2/config v1.27.4
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.4
+	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.15.15
+	github.com/aws/aws-sdk-go-v2/service/ec2 v1.149.1
 	github.com/aws/aws-sdk-go-v2/service/ecr v1.24.6
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.48.0
-	github.com/aws/aws-sdk-go-v2/service/sts v1.26.7
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.51.1
+	github.com/aws/aws-sdk-go-v2/service/sts v1.28.1
+	github.com/bitnami/go-version v0.0.0-20231130084017-bb00604d650c
 	github.com/bmatcuk/doublestar/v4 v4.6.1
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cheggaaa/pb/v3 v3.1.4
-	github.com/containerd/containerd v1.7.11
+	github.com/containerd/containerd v1.7.13
 	github.com/csaf-poc/csaf_distribution/v3 v3.0.0
-	github.com/docker/docker v24.0.7+incompatible
-	github.com/docker/go-connections v0.4.0
-	github.com/fatih/color v1.15.0
+	github.com/docker/docker v25.0.3+incompatible
+	github.com/docker/go-connections v0.5.0
+	github.com/fatih/color v1.16.0
 	github.com/go-git/go-git/v5 v5.11.0
-	github.com/go-openapi/runtime v0.26.0
-	github.com/go-openapi/strfmt v0.21.7
+	github.com/go-openapi/runtime v0.27.1
+	github.com/go-openapi/strfmt v0.22.0
 	github.com/go-redis/redis/v8 v8.11.5
 	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/golang/protobuf v1.5.3
-	github.com/google/go-containerregistry v0.17.0
+	github.com/google/go-containerregistry v0.19.0
 	github.com/google/licenseclassifier/v2 v2.0.0
-	github.com/google/uuid v1.5.0
+	github.com/google/uuid v1.6.0
 	github.com/google/wire v0.5.0
 	github.com/hashicorp/go-getter v1.7.3
 	github.com/hashicorp/go-multierror v1.1.1
+	github.com/hashicorp/go-retryablehttp v0.7.5
 	github.com/hashicorp/golang-lru/v2 v2.0.6
 	github.com/in-toto/in-toto-golang v0.9.0
 	github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
@@ -65,8 +64,9 @@ require (
 	github.com/knqyf263/go-rpmdb v0.0.0-20231008124120-ac49267ab4e1
 	github.com/knqyf263/nested v0.0.1
 	github.com/kylelemons/godebug v1.1.0
+	github.com/liamg/jfather v0.0.7
 	github.com/magefile/mage v1.15.0
-	github.com/mailru/easyjson v0.7.7
+	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/masahiro331/go-disk v0.0.0-20220919035250-c8da316f91ac
 	github.com/masahiro331/go-ebs-file v0.0.0-20240112135404-d5fbb1d46323
 	github.com/masahiro331/go-ext4-filesystem v0.0.0-20231208112839-4339555a0cd4
@@ -74,12 +74,13 @@ require (
 	github.com/masahiro331/go-vmdk-parser v0.0.0-20221225061455-612096e4bbbd
 	github.com/masahiro331/go-xfs-filesystem v0.0.0-20230608043311-a335f4599b70
 	github.com/mattn/go-shellwords v1.0.12
+	github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032
 	github.com/mitchellh/hashstructure/v2 v2.0.2
 	github.com/mitchellh/mapstructure v1.5.0
-	github.com/moby/buildkit v0.11.6
-	github.com/open-policy-agent/opa v0.60.0
+	github.com/moby/buildkit v0.12.5
+	github.com/open-policy-agent/opa v0.62.0
 	github.com/opencontainers/go-digest v1.0.0
-	github.com/opencontainers/image-spec v1.1.0-rc5
+	github.com/opencontainers/image-spec v1.1.0-rc6
 	github.com/openvex/go-vex v0.2.5
 	github.com/owenrumney/go-sarif/v2 v2.3.0
 	github.com/package-url/packageurl-go v0.1.2
@@ -91,40 +92,60 @@ require (
 	github.com/sirupsen/logrus v1.9.3
 	github.com/sosedoff/gitkit v0.4.0
 	github.com/spdx/tools-golang v0.5.4-0.20231108154018-0c0f394b5e1a // v0.5.3 with necessary changes. Can be upgraded to version 0.5.4 after release.
-	github.com/spf13/cast v1.5.1
+	github.com/spf13/cast v1.6.0
 	github.com/spf13/cobra v1.8.0
 	github.com/spf13/pflag v1.0.5
-	github.com/spf13/viper v1.16.0
+	github.com/spf13/viper v1.18.2
 	github.com/stretchr/testify v1.8.4
-	github.com/testcontainers/testcontainers-go v0.27.0
+	github.com/testcontainers/testcontainers-go v0.28.0
 	github.com/testcontainers/testcontainers-go/modules/localstack v0.26.0
-	github.com/tetratelabs/wazero v1.2.1
+	github.com/tetratelabs/wazero v1.7.0
 	github.com/twitchtv/twirp v8.1.2+incompatible
 	github.com/xeipuuv/gojsonschema v1.2.0
 	github.com/xlab/treeprint v1.2.0
 	go.etcd.io/bbolt v1.3.8
-	go.uber.org/zap v1.26.0
+	go.uber.org/zap v1.27.0
 	golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa
-	golang.org/x/mod v0.14.0
+	golang.org/x/mod v0.15.0
+	golang.org/x/net v0.21.0
 	golang.org/x/sync v0.6.0
-	golang.org/x/term v0.16.0
+	golang.org/x/term v0.17.0
 	golang.org/x/text v0.14.0
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2
-	google.golang.org/protobuf v1.32.0
+	google.golang.org/protobuf v1.33.0
 	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/api v0.29.0
+	k8s.io/api v0.29.1
 	k8s.io/utils v0.0.0-20231127182322-b307cd553661
 	modernc.org/sqlite v1.28.0
 )
 
-require github.com/bitnami/go-version v0.0.0-20231130084017-bb00604d650c
+require (
+	github.com/alecthomas/chroma v0.10.0
+	github.com/antchfx/htmlquery v1.3.0
+	github.com/apparentlymart/go-cidr v1.1.0
+	github.com/aws/smithy-go v1.20.1
+	github.com/hashicorp/go-uuid v1.0.3
+	github.com/hashicorp/go-version v1.6.0
+	github.com/hashicorp/hc-install v0.6.3
+	github.com/hashicorp/hcl/v2 v2.19.1
+	github.com/hashicorp/terraform-exec v0.20.0
+	github.com/liamg/iamgo v0.0.9
+	github.com/liamg/memoryfs v1.6.0
+	github.com/mitchellh/go-homedir v1.1.0
+	github.com/olekukonko/tablewriter v0.0.5
+	github.com/owenrumney/squealer v1.2.2
+	github.com/zclconf/go-cty v1.14.1
+	github.com/zclconf/go-cty-yaml v1.0.3
+	golang.org/x/crypto v0.19.0
+	helm.sh/helm/v3 v3.14.2
+)
 
 require (
-	cloud.google.com/go v0.110.8 // indirect
-	cloud.google.com/go/compute v1.23.0 // indirect
+	cloud.google.com/go v0.112.0 // indirect
+	cloud.google.com/go/compute v1.23.3 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
-	cloud.google.com/go/iam v1.1.2 // indirect
-	cloud.google.com/go/storage v1.31.0 // indirect
+	cloud.google.com/go/iam v1.1.5 // indirect
+	cloud.google.com/go/storage v1.36.0 // indirect
 	dario.cat/mergo v1.0.0 // indirect
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
 	github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 // indirect
@@ -141,30 +162,27 @@ require (
 	github.com/Intevation/jsonpath v0.2.1 // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
-	github.com/Masterminds/semver v1.5.0 // indirect
 	github.com/Masterminds/semver/v3 v3.2.1 // indirect
 	github.com/Masterminds/squirrel v1.5.4 // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
 	github.com/Microsoft/hcsshim v0.11.4 // indirect
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
-	github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c // indirect
+	github.com/ProtonMail/go-crypto v1.1.0-alpha.0 // indirect
 	github.com/VividCortex/ewma v1.2.0 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/agnivade/levenshtein v1.1.1 // indirect
-	github.com/alecthomas/chroma v0.10.0 // indirect
 	github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect
 	github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
-	github.com/apparentlymart/go-cidr v1.1.0 // indirect
-	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
+	github.com/antchfx/xpath v1.2.3 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/aws/aws-sdk-go v1.49.21 // indirect
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.4 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.7.2 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.2.10 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.1 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.15.2 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.2 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.2 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/accessanalyzer v1.26.7 // indirect
 	github.com/aws/aws-sdk-go-v2/service/apigateway v1.21.6 // indirect
 	github.com/aws/aws-sdk-go-v2/service/apigatewayv2 v1.18.6 // indirect
@@ -174,22 +192,22 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.32.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.30.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/codebuild v1.26.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/docdb v1.29.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/docdb v1.33.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/dynamodb v1.26.8 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ebs v1.21.7 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ecs v1.35.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/efs v1.26.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/eks v1.37.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/efs v1.28.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/eks v1.41.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/elasticache v1.34.6 // indirect
 	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.26.6 // indirect
 	github.com/aws/aws-sdk-go-v2/service/elasticsearchservice v1.25.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/emr v1.36.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/iam v1.28.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.2.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.8.11 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.16.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/kafka v1.28.5 // indirect
 	github.com/aws/aws-sdk-go-v2/service/kinesis v1.24.6 // indirect
 	github.com/aws/aws-sdk-go-v2/service/kms v1.27.7 // indirect
@@ -201,10 +219,9 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.26.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sns v1.26.6 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sqs v1.29.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.18.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/workspaces v1.35.6 // indirect
-	github.com/aws/smithy-go v1.19.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.20.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/workspaces v1.38.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
 	github.com/briandowns/spinner v1.23.0 // indirect
@@ -218,16 +235,16 @@ require (
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
 	github.com/containerd/ttrpc v1.2.2 // indirect
-	github.com/containerd/typeurl v1.0.2 // indirect
 	github.com/containerd/typeurl/v2 v2.1.1 // indirect
 	github.com/cpuguy83/dockercfg v0.3.1 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.3 // indirect
 	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
+	github.com/distribution/reference v0.5.0 // indirect
 	github.com/dlclark/regexp2 v1.4.0 // indirect
-	github.com/docker/cli v24.0.6+incompatible // indirect
-	github.com/docker/distribution v2.8.2+incompatible // indirect
+	github.com/docker/cli v25.0.1+incompatible // indirect
+	github.com/docker/distribution v2.8.3+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.7.0 // indirect
 	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
@@ -247,14 +264,14 @@ require (
 	github.com/go-ini/ini v1.67.0 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-openapi/analysis v0.21.4 // indirect
-	github.com/go-openapi/errors v0.20.4 // indirect
-	github.com/go-openapi/jsonpointer v0.19.6 // indirect
-	github.com/go-openapi/jsonreference v0.20.2 // indirect
-	github.com/go-openapi/loads v0.21.2 // indirect
-	github.com/go-openapi/spec v0.20.9 // indirect
-	github.com/go-openapi/swag v0.22.4 // indirect
-	github.com/go-openapi/validate v0.22.1 // indirect
+	github.com/go-openapi/analysis v0.21.5 // indirect
+	github.com/go-openapi/errors v0.21.0 // indirect
+	github.com/go-openapi/jsonpointer v0.20.1 // indirect
+	github.com/go-openapi/jsonreference v0.20.3 // indirect
+	github.com/go-openapi/loads v0.21.3 // indirect
+	github.com/go-openapi/spec v0.20.12 // indirect
+	github.com/go-openapi/swag v0.22.5 // indirect
+	github.com/go-openapi/validate v0.22.4 // indirect
 	github.com/go-sql-driver/mysql v1.7.1 // indirect
 	github.com/go-test/deep v1.1.0 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
@@ -265,14 +282,13 @@ require (
 	github.com/golang-jwt/jwt/v5 v5.0.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/btree v1.1.2 // indirect
-	github.com/google/flatbuffers v2.0.8+incompatible // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/pprof v0.0.0-20230406165453-00490a63f317 // indirect
-	github.com/google/s2a-go v0.1.5 // indirect
+	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.2.5 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
 	github.com/googleapis/gax-go/v2 v2.12.0 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/gorilla/websocket v1.5.0 // indirect
@@ -281,11 +297,9 @@ require (
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-safetemp v1.0.0 // indirect
-	github.com/hashicorp/go-uuid v1.0.3 // indirect
-	github.com/hashicorp/go-version v1.6.0 // indirect
 	github.com/hashicorp/golang-lru v0.6.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/hashicorp/hcl/v2 v2.19.1 // indirect
+	github.com/hashicorp/terraform-json v0.19.0 // indirect
 	github.com/huandu/xstrings v1.4.0 // indirect
 	github.com/imdario/mergo v0.3.15 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -296,24 +310,17 @@ require (
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/klauspost/compress v1.16.6 // indirect
+	github.com/klauspost/compress v1.17.2 // indirect
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
-	github.com/liamg/iamgo v0.0.9 // indirect
-	github.com/liamg/jfather v0.0.7 // indirect
-	github.com/liamg/memoryfs v1.6.0 // indirect
 	github.com/lib/pq v1.10.9 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.19 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.14 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
-	github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032 // indirect
-	github.com/miekg/dns v1.1.53 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
-	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
@@ -323,6 +330,7 @@ require (
 	github.com/moby/sys/mountinfo v0.6.2 // indirect
 	github.com/moby/sys/sequential v0.5.0 // indirect
 	github.com/moby/sys/signal v0.7.0 // indirect
+	github.com/moby/sys/user v0.1.0 // indirect
 	github.com/moby/term v0.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
@@ -331,36 +339,35 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
-	github.com/olekukonko/tablewriter v0.0.5 // indirect
-	github.com/opencontainers/runc v1.1.12 // indirect
-	github.com/opencontainers/runtime-spec v1.1.0-rc.1 // indirect
+	github.com/opencontainers/runtime-spec v1.1.0 // indirect
 	github.com/opencontainers/selinux v1.11.0 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
-	github.com/owenrumney/squealer v1.2.1 // indirect
-	github.com/pelletier/go-toml/v2 v2.0.8 // indirect
+	github.com/pelletier/go-toml/v2 v2.1.0 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pjbgf/sha1cd v0.3.0 // indirect
 	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_golang v1.16.0 // indirect
-	github.com/prometheus/client_model v0.4.0 // indirect
-	github.com/prometheus/common v0.44.0 // indirect
-	github.com/prometheus/procfs v0.10.1 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/prometheus/client_golang v1.19.0 // indirect
+	github.com/prometheus/client_model v0.5.0 // indirect
+	github.com/prometheus/common v0.48.0 // indirect
+	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
 	github.com/rubenv/sql-migrate v1.5.2 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/sagikazarmark/locafero v0.4.0 // indirect
+	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect
 	github.com/sergi/go-diff v1.3.1 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
 	github.com/shopspring/decimal v1.3.1 // indirect
 	github.com/skeema/knownhosts v1.2.1 // indirect
-	github.com/spf13/afero v1.9.5 // indirect
-	github.com/spf13/jwalterweatherman v1.1.0 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/spf13/afero v1.11.0 // indirect
 	github.com/stretchr/objx v0.5.0 // indirect
-	github.com/subosito/gotenv v1.4.2 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
 	github.com/ulikunitz/xz v0.5.11 // indirect
 	github.com/vbatts/tar-split v0.11.3 // indirect
@@ -369,38 +376,34 @@ require (
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/yashtewari/glob-intersection v0.2.0 // indirect
 	github.com/yuin/gopher-lua v1.1.0 // indirect
-	github.com/zclconf/go-cty v1.13.0 // indirect
-	github.com/zclconf/go-cty-yaml v1.0.3 // indirect
-	go.mongodb.org/mongo-driver v1.11.3 // indirect
+	go.mongodb.org/mongo-driver v1.13.1 // indirect
 	go.opencensus.io v0.24.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 // indirect
-	go.opentelemetry.io/otel v1.21.0 // indirect
-	go.opentelemetry.io/otel/metric v1.21.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.21.0 // indirect
-	go.opentelemetry.io/otel/trace v1.21.0 // indirect
+	go.opentelemetry.io/otel v1.23.1 // indirect
+	go.opentelemetry.io/otel/metric v1.23.1 // indirect
+	go.opentelemetry.io/otel/sdk v1.23.1 // indirect
+	go.opentelemetry.io/otel/trace v1.23.1 // indirect
+	go.opentelemetry.io/proto/otlp v1.1.0 // indirect
 	go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
-	go.uber.org/goleak v1.3.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/crypto v0.18.0 // indirect
-	golang.org/x/net v0.20.0 // indirect
-	golang.org/x/oauth2 v0.13.0 // indirect
-	golang.org/x/sys v0.16.0 // indirect
+	golang.org/x/oauth2 v0.16.0 // indirect
+	golang.org/x/sys v0.17.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.15.0 // indirect
-	google.golang.org/api v0.138.0 // indirect
+	golang.org/x/tools v0.16.1 // indirect
+	google.golang.org/api v0.155.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
-	google.golang.org/genproto v0.0.0-20231002182017-d307bd883b97 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20231002182017-d307bd883b97 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20231002182017-d307bd883b97 // indirect
-	google.golang.org/grpc v1.60.1 // indirect
+	google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240123012728-ef4313101c80 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80 // indirect
+	google.golang.org/grpc v1.62.0 // indirect
 	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	helm.sh/helm/v3 v3.14.0 // indirect
 	k8s.io/apiextensions-apiserver v0.29.0 // indirect
-	k8s.io/apimachinery v0.29.0 // indirect
+	k8s.io/apimachinery v0.29.1 // indirect
 	k8s.io/apiserver v0.29.0 // indirect
 	k8s.io/cli-runtime v0.29.0 // indirect
 	k8s.io/client-go v0.29.0 // indirect
@@ -417,7 +420,7 @@ require (
 	modernc.org/opt v0.1.3 // indirect
 	modernc.org/strutil v1.1.3 // indirect
 	modernc.org/token v1.1.0 // indirect
-	oras.land/oras-go v1.2.4 // indirect
+	oras.land/oras-go v1.2.5 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect
@@ -425,10 +428,6 @@ require (
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )
 
-// oras 1.2.2 is incompatible with github.com/docker/docker v24.0.2
-// cf. https://github.com/oras-project/oras-go/pull/527
-replace oras.land/oras-go => oras.land/oras-go v1.2.4-0.20230801060855-932dd06d38af
-
 // testcontainers-go has a bug with versions v0.25.0 and v0.26.0
 // ref: https://github.com/testcontainers/testcontainers-go/issues/1782
 replace github.com/testcontainers/testcontainers-go => github.com/testcontainers/testcontainers-go v0.23.0

integration/aws_cloud_test.go

@@ -4,16 +4,13 @@ package integration
 
 import (
 	"context"
-	"fmt"
 	"testing"
 	"time"
 
-	dockercontainer "github.com/docker/docker/api/types/container"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/testcontainers/testcontainers-go"
-	"github.com/testcontainers/testcontainers-go/modules/localstack"
 
+	"github.com/aquasecurity/trivy/internal/testutil"
 	awscommands "github.com/aquasecurity/trivy/pkg/cloud/aws/commands"
 	"github.com/aquasecurity/trivy/pkg/flag"
 )
@@ -53,7 +50,8 @@ func TestAwsCommandRun(t *testing.T) {
 
 	ctx := context.Background()
 
-	localstackC, addr := setupLocalStack(t, ctx)
+	localstackC, addr, err := testutil.SetupLocalStack(ctx, "2.2.0")
+	require.NoError(t, err)
 	defer localstackC.Terminate(ctx)
 
 	for _, tt := range tests {
@@ -78,32 +76,3 @@ func TestAwsCommandRun(t *testing.T) {
 	}
 
 }
-
-func setupLocalStack(t *testing.T, ctx context.Context) (*localstack.LocalStackContainer, string) {
-	t.Helper()
-	t.Setenv("TESTCONTAINERS_RYUK_DISABLED", "true")
-	container, err := localstack.RunContainer(ctx, testcontainers.CustomizeRequest(
-		testcontainers.GenericContainerRequest{
-			ContainerRequest: testcontainers.ContainerRequest{
-				Image: "localstack/localstack:2.2.0",
-				HostConfigModifier: func(hostConfig *dockercontainer.HostConfig) {
-					hostConfig.AutoRemove = true
-				},
-			},
-		},
-	))
-	require.NoError(t, err)
-
-	p, err := container.MappedPort(ctx, "4566/tcp")
-	require.NoError(t, err)
-
-	provider, err := testcontainers.NewDockerProvider()
-	require.NoError(t, err)
-	defer provider.Close()
-
-	host, err := provider.DaemonHost(ctx)
-	require.NoError(t, err)
-
-	return container, fmt.Sprintf("http://%s:%d", host, p.Int())
-
-}

integration/docker_engine_test.go

@@ -245,7 +245,10 @@ func TestDockerEngine(t *testing.T) {
 				// load image into docker engine
 				res, err := cli.ImageLoad(ctx, testfile, true)
 				require.NoError(t, err, tt.name)
-				io.Copy(io.Discard, res.Body)
+				if _, err := io.Copy(io.Discard, res.Body); err != nil {
+					require.NoError(t, err, tt.name)
+				}
+				defer res.Body.Close()
 
 				// tag our image to something unique
 				err = cli.ImageTag(ctx, tt.imageTag, tt.input)
@@ -253,15 +256,14 @@ func TestDockerEngine(t *testing.T) {
 
 				// cleanup
 				t.Cleanup(func() {
-					_, err = cli.ImageRemove(ctx, tt.input, api.ImageRemoveOptions{
+					_, _ = cli.ImageRemove(ctx, tt.input, api.ImageRemoveOptions{
 						Force:         true,
 						PruneChildren: true,
 					})
-					_, err = cli.ImageRemove(ctx, tt.imageTag, api.ImageRemoveOptions{
+					_, _ = cli.ImageRemove(ctx, tt.imageTag, api.ImageRemoveOptions{
 						Force:         true,
 						PruneChildren: true,
 					})
-					assert.NoError(t, err, tt.name)
 				})
 			}
 

integration/k8s_test.go

@@ -21,11 +21,15 @@ import (
 // "mage test:k8s" will run this test.
 
 func TestK8s(t *testing.T) {
+	// Set up testing DB
+	cacheDir := initDB(t)
 	t.Run("misconfig and vulnerability scan", func(t *testing.T) {
 		// Set up the output file
 		outputFile := filepath.Join(t.TempDir(), "output.json")
 
 		osArgs := []string{
+			"--cache-dir",
+			cacheDir,
 			"k8s",
 			"cluster",
 			"--report",

integration/sbom_test.go

@@ -6,11 +6,11 @@ import (
 	"path/filepath"
 	"testing"
 
+	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/types"
 )
 
@@ -19,6 +19,7 @@ func TestSBOM(t *testing.T) {
 		input        string
 		format       string
 		artifactType string
+		scanners     string
 	}
 	tests := []struct {
 		name     string
@@ -150,6 +151,16 @@ func TestSBOM(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "license check cyclonedx json",
+			args: args{
+				input:        "testdata/fixtures/sbom/license-cyclonedx.json",
+				format:       "json",
+				artifactType: "cyclonedx",
+				scanners:     "license",
+			},
+			golden: "testdata/license-cyclonedx.json.golden",
+		},
 	}
 
 	// Set up testing DB
@@ -157,6 +168,11 @@ func TestSBOM(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			scanners := "vuln"
+			if tt.args.scanners != "" {
+				scanners = tt.args.scanners
+			}
+
 			osArgs := []string{
 				"--cache-dir",
 				cacheDir,
@@ -165,6 +181,8 @@ func TestSBOM(t *testing.T) {
 				"--skip-db-update",
 				"--format",
 				tt.args.format,
+				"--scanners",
+				scanners,
 			}
 
 			// Set up the output file
@@ -223,5 +241,10 @@ func compareSBOMReports(t *testing.T, wantFile, gotFile string, overrideWant typ
 	}
 
 	got := readReport(t, gotFile)
+	// when running on Windows FS
+	got.ArtifactName = filepath.ToSlash(filepath.Clean(got.ArtifactName))
+	for i, result := range got.Results {
+		got.Results[i].Target = filepath.ToSlash(filepath.Clean(result.Target))
+	}
 	assert.Equal(t, want, got)
 }

integration/testdata/conda-cyclonedx.json.golden

@@ -2,7 +2,7 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001",
+  "serialNumber": "urn:uuid:3ff14136-e09f-4df9-80ea-000000000004",
   "version": 1,
   "metadata": {
     "timestamp": "2021-08-25T12:20:30+00:00",
@@ -17,7 +17,7 @@
       ]
     },
     "component": {
-      "bom-ref": "3ff14136-e09f-4df9-80ea-000000000002",
+      "bom-ref": "3ff14136-e09f-4df9-80ea-000000000001",
       "type": "application",
       "name": "testdata/fixtures/repo/conda",
       "properties": [
@@ -30,7 +30,7 @@
   },
   "components": [
     {
-      "bom-ref": "pkg:conda/openssl@1.1.1q?file_path=miniconda3%2Fenvs%2Ftestenv%2Fconda-meta%2Fopenssl-1.1.1q-h7f8727e_0.json",
+      "bom-ref": "pkg:conda/openssl@1.1.1q",
       "type": "library",
       "name": "openssl",
       "version": "1.1.1q",
@@ -54,7 +54,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:conda/pip@22.2.2?file_path=miniconda3%2Fenvs%2Ftestenv%2Fconda-meta%2Fpip-22.2.2-py38h06a4308_0.json",
+      "bom-ref": "pkg:conda/pip@22.2.2",
       "type": "library",
       "name": "pip",
       "version": "22.2.2",
@@ -80,18 +80,18 @@
   ],
   "dependencies": [
     {
-      "ref": "3ff14136-e09f-4df9-80ea-000000000002",
+      "ref": "3ff14136-e09f-4df9-80ea-000000000001",
       "dependsOn": [
-        "pkg:conda/openssl@1.1.1q?file_path=miniconda3%2Fenvs%2Ftestenv%2Fconda-meta%2Fopenssl-1.1.1q-h7f8727e_0.json",
-        "pkg:conda/pip@22.2.2?file_path=miniconda3%2Fenvs%2Ftestenv%2Fconda-meta%2Fpip-22.2.2-py38h06a4308_0.json"
+        "pkg:conda/openssl@1.1.1q",
+        "pkg:conda/pip@22.2.2"
       ]
     },
     {
-      "ref": "pkg:conda/openssl@1.1.1q?file_path=miniconda3%2Fenvs%2Ftestenv%2Fconda-meta%2Fopenssl-1.1.1q-h7f8727e_0.json",
+      "ref": "pkg:conda/openssl@1.1.1q",
       "dependsOn": []
     },
     {
-      "ref": "pkg:conda/pip@22.2.2?file_path=miniconda3%2Fenvs%2Ftestenv%2Fconda-meta%2Fpip-22.2.2-py38h06a4308_0.json",
+      "ref": "pkg:conda/pip@22.2.2",
       "dependsOn": []
     }
   ],

integration/testdata/conda-spdx.json.golden

@@ -3,7 +3,7 @@
   "dataLicense": "CC0-1.0",
   "SPDXID": "SPDXRef-DOCUMENT",
   "name": "testdata/fixtures/repo/conda",
-  "documentNamespace": "http://aquasecurity.github.io/trivy/filesystem/testdata/fixtures/repo/conda-3ff14136-e09f-4df9-80ea-000000000001",
+  "documentNamespace": "http://aquasecurity.github.io/trivy/filesystem/testdata/fixtures/repo/conda-3ff14136-e09f-4df9-80ea-000000000004",
   "creationInfo": {
     "creators": [
       "Organization: aquasecurity",
@@ -12,17 +12,9 @@
     "created": "2021-08-25T12:20:30Z"
   },
   "packages": [
-    {
-      "name": "conda-pkg",
-      "SPDXID": "SPDXRef-Application-ee5ef1aa4ac89125",
-      "downloadLocation": "NONE",
-      "filesAnalyzed": false,
-      "sourceInfo": "Conda",
-      "primaryPackagePurpose": "APPLICATION"
-    },
     {
       "name": "openssl",
-      "SPDXID": "SPDXRef-Package-20b95c21bfbf9fc4",
+      "SPDXID": "SPDXRef-Package-b8061a5279413d55",
       "versionInfo": "1.1.1q",
       "supplier": "NOASSERTION",
       "downloadLocation": "NONE",
@@ -39,11 +31,14 @@
           "referenceLocator": "pkg:conda/openssl@1.1.1q"
         }
       ],
+      "attributionTexts": [
+        "PkgType: conda-pkg"
+      ],
       "primaryPackagePurpose": "LIBRARY"
     },
     {
       "name": "pip",
-      "SPDXID": "SPDXRef-Package-11a429ec3bd01d80",
+      "SPDXID": "SPDXRef-Package-84198b3828050c11",
       "versionInfo": "22.2.2",
       "supplier": "NOASSERTION",
       "downloadLocation": "NONE",
@@ -60,6 +55,9 @@
           "referenceLocator": "pkg:conda/pip@22.2.2"
         }
       ],
+      "attributionTexts": [
+        "PkgType: conda-pkg"
+      ],
       "primaryPackagePurpose": "LIBRARY"
     },
     {
@@ -105,28 +103,23 @@
     },
     {
       "spdxElementId": "SPDXRef-Filesystem-2e2426fd0f2580ef",
-      "relatedSpdxElement": "SPDXRef-Application-ee5ef1aa4ac89125",
+      "relatedSpdxElement": "SPDXRef-Package-84198b3828050c11",
       "relationshipType": "CONTAINS"
     },
     {
-      "spdxElementId": "SPDXRef-Application-ee5ef1aa4ac89125",
-      "relatedSpdxElement": "SPDXRef-Package-20b95c21bfbf9fc4",
+      "spdxElementId": "SPDXRef-Filesystem-2e2426fd0f2580ef",
+      "relatedSpdxElement": "SPDXRef-Package-b8061a5279413d55",
       "relationshipType": "CONTAINS"
     },
     {
-      "spdxElementId": "SPDXRef-Package-20b95c21bfbf9fc4",
-      "relatedSpdxElement": "SPDXRef-File-600e5e0110a84891",
-      "relationshipType": "CONTAINS"
-    },
-    {
-      "spdxElementId": "SPDXRef-Application-ee5ef1aa4ac89125",
-      "relatedSpdxElement": "SPDXRef-Package-11a429ec3bd01d80",
-      "relationshipType": "CONTAINS"
-    },
-    {
-      "spdxElementId": "SPDXRef-Package-11a429ec3bd01d80",
+      "spdxElementId": "SPDXRef-Package-84198b3828050c11",
       "relatedSpdxElement": "SPDXRef-File-7eb62e2a3edddc0a",
       "relationshipType": "CONTAINS"
+    },
+    {
+      "spdxElementId": "SPDXRef-Package-b8061a5279413d55",
+      "relatedSpdxElement": "SPDXRef-File-600e5e0110a84891",
+      "relationshipType": "CONTAINS"
     }
   ]
 }

integration/testdata/dockerfile-custom-policies.json.golden

@@ -21,7 +21,7 @@
       "Class": "config",
       "Type": "dockerfile",
       "MisconfSummary": {
-        "Successes": 26,
+        "Successes": 27,
         "Failures": 2,
         "Exceptions": 0
       },

integration/testdata/dockerfile-namespace-exception.json.golden

@@ -23,7 +23,7 @@
       "MisconfSummary": {
         "Successes": 0,
         "Failures": 0,
-        "Exceptions": 26
+        "Exceptions": 27
       }
     }
   ]

integration/testdata/dockerfile-rule-exception.json.golden

@@ -21,7 +21,7 @@
       "Class": "config",
       "Type": "dockerfile",
       "MisconfSummary": {
-        "Successes": 25,
+        "Successes": 26,
         "Failures": 1,
         "Exceptions": 0
       },

integration/testdata/dockerfile.json.golden

@@ -21,7 +21,7 @@
       "Class": "config",
       "Type": "dockerfile",
       "MisconfSummary": {
-        "Successes": 25,
+        "Successes": 26,
         "Failures": 1,
         "Exceptions": 0
       },

integration/testdata/dockerfile_file_pattern.json.golden

@@ -21,7 +21,7 @@
       "Class": "config",
       "Type": "dockerfile",
       "MisconfSummary": {
-        "Successes": 25,
+        "Successes": 26,
         "Failures": 1,
         "Exceptions": 0
       },

integration/testdata/fixtures/sbom/license-cyclonedx.json

@@ -0,0 +1,125 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.5",
+  "serialNumber": "urn:uuid:c09512e3-47e7-4eff-8f76-5d7ae72b26a5",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2024-03-10T14:57:31+00:00",
+    "tools": {
+      "components": [
+        {
+          "type": "application",
+          "group": "aquasecurity",
+          "name": "trivy",
+          "version": "dev"
+        }
+      ]
+    },
+    "component": {
+      "bom-ref": "acc9d4aa-4158-4969-a497-637e114fde0c",
+      "type": "application",
+      "name": "C:/Users/bedla.czech/IdeaProjects/sbom-demo",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:SchemaVersion",
+          "value": "2"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "bom-ref": "eb56cd49-da98-4b08-bfc8-9880fb063cf1",
+      "type": "application",
+      "name": "pom.xml",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:Class",
+          "value": "lang-pkgs"
+        },
+        {
+          "name": "aquasecurity:trivy:Type",
+          "value": "pom"
+        }
+      ]
+    },
+    {
+      "bom-ref": "pkg:maven/org.eclipse.sisu/org.eclipse.sisu.plexus@0.3.0.M1",
+      "type": "library",
+      "group": "org.eclipse.sisu",
+      "name": "org.eclipse.sisu.plexus",
+      "version": "0.3.0.M1",
+      "licenses": [
+        {
+          "license": {
+            "name": "EPL-1.0"
+          }
+        }
+      ],
+      "purl": "pkg:maven/org.eclipse.sisu/org.eclipse.sisu.plexus@0.3.0.M1",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:PkgID",
+          "value": "org.eclipse.sisu:org.eclipse.sisu.plexus:0.3.0.M1"
+        },
+        {
+          "name": "aquasecurity:trivy:PkgType",
+          "value": "pom"
+        }
+      ]
+    },
+    {
+      "bom-ref": "pkg:maven/org.ow2.asm/asm@9.5",
+      "type": "library",
+      "group": "org.ow2.asm",
+      "name": "asm",
+      "version": "9.5",
+      "licenses": [
+        {
+          "license": {
+            "name": "BSD-3-Clause"
+          }
+        }
+      ],
+      "purl": "pkg:maven/org.ow2.asm/asm@9.5",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:PkgID",
+          "value": "org.ow2.asm:asm:9.5"
+        },
+        {
+          "name": "aquasecurity:trivy:PkgType",
+          "value": "pom"
+        }
+      ]
+    },
+    {
+      "bom-ref": "pkg:maven/org.slf4j/slf4j-api@2.0.11",
+      "type": "library",
+      "group": "org.slf4j",
+      "name": "slf4j-api",
+      "version": "2.0.11",
+      "licenses": [
+        {
+          "license": {
+            "name": "MIT License"
+          }
+        }
+      ],
+      "purl": "pkg:maven/org.slf4j/slf4j-api@2.0.11",
+      "properties": [
+        {
+          "name": "aquasecurity:trivy:PkgID",
+          "value": "org.slf4j:slf4j-api:2.0.11"
+        },
+        {
+          "name": "aquasecurity:trivy:PkgType",
+          "value": "pom"
+        }
+      ]
+    }
+  ],
+  "dependencies": [],
+  "vulnerabilities": []
+}

integration/testdata/fixtures/sbom/minikube-kbom.json

@@ -51,17 +51,7 @@
     {
       "bom-ref": "a62abb1f-cb38-4fde-90f3-2bda3b87ddb2",
       "type": "application",
-      "name": "node-core-components",
-      "properties": [
-        {
-          "name": "aquasecurity:trivy:Class",
-          "value": "lang-pkgs"
-        },
-        {
-          "name": "aquasecurity:trivy:Type",
-          "value": "golang"
-        }
-      ]
+      "name": "node-core-components"
     },
     {
       "bom-ref": "a6350ac3-52f6-4c5f-a3e3-184b9a634bef",

integration/testdata/fluentd-multiple-lockfiles.cdx.json.golden

@@ -2,7 +2,7 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001",
+  "serialNumber": "urn:uuid:3ff14136-e09f-4df9-80ea-000000000163",
   "version": 1,
   "metadata": {
     "timestamp": "2021-08-25T12:20:30+00:00",
@@ -17,13 +17,33 @@
       ]
     },
     "component": {
-      "bom-ref": "3ff14136-e09f-4df9-80ea-000000000002",
+      "bom-ref": "3ff14136-e09f-4df9-80ea-000000000001",
       "type": "container",
       "name": "testdata/fixtures/images/fluentd-multiple-lockfiles.tar.gz",
       "properties": [
         {
           "name": "aquasecurity:trivy:DiffID",
-          "value": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f,sha256:02874b2b269dea8dde0f7edb4c9906904dfe38a09de1a214f20c650cfb15c60e,sha256:3752e1f6fd759c795c13aff2c93c081529366e27635ba6621e849b0f9cfc77f0,sha256:75e43d55939745950bc3f8fad56c5834617c4339f0f54755e69a0dd5372624e9,sha256:788c00e2cfc8f2a018ae4344ccf0b2c226ebd756d7effd1ce50eea1a4252cd89,sha256:25165eb51d15842f870f97873e0a58409d5e860e6108e3dd829bd10e484c0065"
+          "value": "sha256:02874b2b269dea8dde0f7edb4c9906904dfe38a09de1a214f20c650cfb15c60e"
+        },
+        {
+          "name": "aquasecurity:trivy:DiffID",
+          "value": "sha256:25165eb51d15842f870f97873e0a58409d5e860e6108e3dd829bd10e484c0065"
+        },
+        {
+          "name": "aquasecurity:trivy:DiffID",
+          "value": "sha256:3752e1f6fd759c795c13aff2c93c081529366e27635ba6621e849b0f9cfc77f0"
+        },
+        {
+          "name": "aquasecurity:trivy:DiffID",
+          "value": "sha256:75e43d55939745950bc3f8fad56c5834617c4339f0f54755e69a0dd5372624e9"
+        },
+        {
+          "name": "aquasecurity:trivy:DiffID",
+          "value": "sha256:788c00e2cfc8f2a018ae4344ccf0b2c226ebd756d7effd1ce50eea1a4252cd89"
+        },
+        {
+          "name": "aquasecurity:trivy:DiffID",
+          "value": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
         },
         {
           "name": "aquasecurity:trivy:ImageID",
@@ -38,7 +58,7 @@
   },
   "components": [
     {
-      "bom-ref": "3ff14136-e09f-4df9-80ea-000000000003",
+      "bom-ref": "3ff14136-e09f-4df9-80ea-000000000002",
       "type": "operating-system",
       "name": "debian",
       "version": "10.2",
@@ -266,7 +286,7 @@
       "bom-ref": "pkg:deb/debian/bsdutils@2.33.1-0.1?arch=amd64&distro=debian-10.2&epoch=1",
       "type": "library",
       "name": "bsdutils",
-      "version": "2.33.1-0.1",
+      "version": "1:2.33.1-0.1",
       "licenses": [
         {
           "license": {
@@ -608,7 +628,7 @@
       "bom-ref": "pkg:deb/debian/diffutils@3.7-3?arch=amd64&distro=debian-10.2&epoch=1",
       "type": "library",
       "name": "diffutils",
-      "version": "3.7-3",
+      "version": "1:3.7-3",
       "licenses": [
         {
           "license": {
@@ -1318,7 +1338,7 @@
       "bom-ref": "pkg:deb/debian/libattr1@2.4.48-4?arch=amd64&distro=debian-10.2&epoch=1",
       "type": "library",
       "name": "libattr1",
-      "version": "2.4.48-4",
+      "version": "1:2.4.48-4",
       "licenses": [
         {
           "license": {
@@ -1376,7 +1396,7 @@
       "bom-ref": "pkg:deb/debian/libaudit-common@2.8.4-3?arch=all&distro=debian-10.2&epoch=1",
       "type": "library",
       "name": "libaudit-common",
-      "version": "2.8.4-3",
+      "version": "1:2.8.4-3",
       "licenses": [
         {
           "license": {
@@ -1434,7 +1454,7 @@
       "bom-ref": "pkg:deb/debian/libaudit1@2.8.4-3?arch=amd64&distro=debian-10.2&epoch=1",
       "type": "library",
       "name": "libaudit1",
-      "version": "2.8.4-3",
+      "version": "1:2.8.4-3",
       "licenses": [
         {
           "license": {
@@ -2071,7 +2091,7 @@
       "bom-ref": "pkg:deb/debian/libgcc1@8.3.0-6?arch=amd64&distro=debian-10.2&epoch=1",
       "type": "library",
       "name": "libgcc1",
-      "version": "8.3.0-6",
+      "version": "1:8.3.0-6",
       "purl": "pkg:deb/debian/libgcc1@8.3.0-6?arch=amd64&distro=debian-10.2&epoch=1",
       "properties": [
         {
@@ -2265,7 +2285,7 @@
       "bom-ref": "pkg:deb/debian/libgmp10@6.1.2%2Bdfsg-4?arch=amd64&distro=debian-10.2&epoch=2",
       "type": "library",
       "name": "libgmp10",
-      "version": "6.1.2+dfsg-4",
+      "version": "2:6.1.2+dfsg-4",
       "licenses": [
         {
           "license": {
@@ -3266,7 +3286,7 @@
       "bom-ref": "pkg:deb/debian/libpcre3@8.39-12?arch=amd64&distro=debian-10.2&epoch=2",
       "type": "library",
       "name": "libpcre3",
-      "version": "8.39-12",
+      "version": "2:8.39-12",
       "purl": "pkg:deb/debian/libpcre3@8.39-12?arch=amd64&distro=debian-10.2&epoch=2",
       "properties": [
         {
@@ -4430,7 +4450,7 @@
       "bom-ref": "pkg:deb/debian/login@4.5-1.1?arch=amd64&distro=debian-10.2&epoch=1",
       "type": "library",
       "name": "login",
-      "version": "4.5-1.1",
+      "version": "1:4.5-1.1",
       "licenses": [
         {
           "license": {
@@ -4722,7 +4742,7 @@
       "bom-ref": "pkg:deb/debian/passwd@4.5-1.1?arch=amd64&distro=debian-10.2&epoch=1",
       "type": "library",
       "name": "passwd",
-      "version": "4.5-1.1",
+      "version": "1:4.5-1.1",
       "licenses": [
         {
           "license": {
@@ -5318,7 +5338,7 @@
       "bom-ref": "pkg:deb/debian/ruby@2.5.1?arch=amd64&distro=debian-10.2&epoch=1",
       "type": "library",
       "name": "ruby",
-      "version": "2.5.1",
+      "version": "1:2.5.1",
       "licenses": [
         {
           "license": {
@@ -5670,7 +5690,7 @@
       "bom-ref": "pkg:deb/debian/zlib1g@1.2.11.dfsg-1?arch=amd64&distro=debian-10.2&epoch=1",
       "type": "library",
       "name": "zlib1g",
-      "version": "1.2.11.dfsg-1",
+      "version": "1:1.2.11.dfsg-1",
       "licenses": [
         {
           "license": {
@@ -5715,7 +5735,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/activesupport@6.0.2.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Factivesupport-6.0.2.1.gemspec",
+      "bom-ref": "pkg:gem/activesupport@6.0.2.1",
       "type": "library",
       "name": "activesupport",
       "version": "6.0.2.1",
@@ -5747,7 +5767,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/addressable@2.7.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Faddressable-2.7.0.gemspec",
+      "bom-ref": "pkg:gem/addressable@2.7.0",
       "type": "library",
       "name": "addressable",
       "version": "2.7.0",
@@ -5779,7 +5799,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/concurrent-ruby@1.1.6?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fconcurrent-ruby-1.1.6.gemspec",
+      "bom-ref": "pkg:gem/concurrent-ruby@1.1.6",
       "type": "library",
       "name": "concurrent-ruby",
       "version": "1.1.6",
@@ -5811,7 +5831,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/cool.io@1.6.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fcool.io-1.6.0.gemspec",
+      "bom-ref": "pkg:gem/cool.io@1.6.0",
       "type": "library",
       "name": "cool.io",
       "version": "1.6.0",
@@ -5836,7 +5856,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/dig_rb@1.0.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fdig_rb-1.0.1.gemspec",
+      "bom-ref": "pkg:gem/dig_rb@1.0.1",
       "type": "library",
       "name": "dig_rb",
       "version": "1.0.1",
@@ -5868,7 +5888,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/domain_name@0.5.20190701?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fdomain_name-0.5.20190701.gemspec",
+      "bom-ref": "pkg:gem/domain_name@0.5.20190701",
       "type": "library",
       "name": "domain_name",
       "version": "0.5.20190701",
@@ -5910,7 +5930,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/elasticsearch-api@7.5.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Felasticsearch-api-7.5.0.gemspec",
+      "bom-ref": "pkg:gem/elasticsearch-api@7.5.0",
       "type": "library",
       "name": "elasticsearch-api",
       "version": "7.5.0",
@@ -5942,7 +5962,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/elasticsearch-transport@7.5.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Felasticsearch-transport-7.5.0.gemspec",
+      "bom-ref": "pkg:gem/elasticsearch-transport@7.5.0",
       "type": "library",
       "name": "elasticsearch-transport",
       "version": "7.5.0",
@@ -5974,7 +5994,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/elasticsearch@7.5.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Felasticsearch-7.5.0.gemspec",
+      "bom-ref": "pkg:gem/elasticsearch@7.5.0",
       "type": "library",
       "name": "elasticsearch",
       "version": "7.5.0",
@@ -6006,7 +6026,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/excon@0.72.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fexcon-0.72.0.gemspec",
+      "bom-ref": "pkg:gem/excon@0.72.0",
       "type": "library",
       "name": "excon",
       "version": "0.72.0",
@@ -6038,7 +6058,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/faraday@0.17.3?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Ffaraday-0.17.3.gemspec",
+      "bom-ref": "pkg:gem/faraday@0.17.3",
       "type": "library",
       "name": "faraday",
       "version": "0.17.3",
@@ -6070,7 +6090,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/ffi-compiler@1.0.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fffi-compiler-1.0.1.gemspec",
+      "bom-ref": "pkg:gem/ffi-compiler@1.0.1",
       "type": "library",
       "name": "ffi-compiler",
       "version": "1.0.1",
@@ -6102,7 +6122,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/ffi@1.12.2?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fffi-1.12.2.gemspec",
+      "bom-ref": "pkg:gem/ffi@1.12.2",
       "type": "library",
       "name": "ffi",
       "version": "1.12.2",
@@ -6134,7 +6154,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/fluent-plugin-concat@2.4.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Ffluent-plugin-concat-2.4.0.gemspec",
+      "bom-ref": "pkg:gem/fluent-plugin-concat@2.4.0",
       "type": "library",
       "name": "fluent-plugin-concat",
       "version": "2.4.0",
@@ -6166,7 +6186,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/fluent-plugin-detect-exceptions@0.0.13?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Ffluent-plugin-detect-exceptions-0.0.13.gemspec",
+      "bom-ref": "pkg:gem/fluent-plugin-detect-exceptions@0.0.13",
       "type": "library",
       "name": "fluent-plugin-detect-exceptions",
       "version": "0.0.13",
@@ -6198,7 +6218,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/fluent-plugin-elasticsearch@3.8.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Ffluent-plugin-elasticsearch-3.8.0.gemspec",
+      "bom-ref": "pkg:gem/fluent-plugin-elasticsearch@3.8.0",
       "type": "library",
       "name": "fluent-plugin-elasticsearch",
       "version": "3.8.0",
@@ -6230,7 +6250,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/fluent-plugin-kubernetes_metadata_filter@2.4.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Ffluent-plugin-kubernetes_metadata_filter-2.4.1.gemspec",
+      "bom-ref": "pkg:gem/fluent-plugin-kubernetes_metadata_filter@2.4.1",
       "type": "library",
       "name": "fluent-plugin-kubernetes_metadata_filter",
       "version": "2.4.1",
@@ -6262,7 +6282,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/fluent-plugin-multi-format-parser@1.0.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Ffluent-plugin-multi-format-parser-1.0.0.gemspec",
+      "bom-ref": "pkg:gem/fluent-plugin-multi-format-parser@1.0.0",
       "type": "library",
       "name": "fluent-plugin-multi-format-parser",
       "version": "1.0.0",
@@ -6294,7 +6314,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/fluent-plugin-prometheus@1.7.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Ffluent-plugin-prometheus-1.7.0.gemspec",
+      "bom-ref": "pkg:gem/fluent-plugin-prometheus@1.7.0",
       "type": "library",
       "name": "fluent-plugin-prometheus",
       "version": "1.7.0",
@@ -6326,7 +6346,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/fluent-plugin-systemd@1.0.2?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Ffluent-plugin-systemd-1.0.2.gemspec",
+      "bom-ref": "pkg:gem/fluent-plugin-systemd@1.0.2",
       "type": "library",
       "name": "fluent-plugin-systemd",
       "version": "1.0.2",
@@ -6358,7 +6378,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/fluentd@1.8.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Ffluentd-1.8.0.gemspec",
+      "bom-ref": "pkg:gem/fluentd@1.8.0",
       "type": "library",
       "name": "fluentd",
       "version": "1.8.0",
@@ -6390,7 +6410,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/http-accept@1.7.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fhttp-accept-1.7.0.gemspec",
+      "bom-ref": "pkg:gem/http-accept@1.7.0",
       "type": "library",
       "name": "http-accept",
       "version": "1.7.0",
@@ -6415,7 +6435,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/http-cookie@1.0.3?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fhttp-cookie-1.0.3.gemspec",
+      "bom-ref": "pkg:gem/http-cookie@1.0.3",
       "type": "library",
       "name": "http-cookie",
       "version": "1.0.3",
@@ -6447,7 +6467,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/http-form_data@2.2.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fhttp-form_data-2.2.0.gemspec",
+      "bom-ref": "pkg:gem/http-form_data@2.2.0",
       "type": "library",
       "name": "http-form_data",
       "version": "2.2.0",
@@ -6479,7 +6499,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/http-parser@1.2.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fhttp-parser-1.2.1.gemspec",
+      "bom-ref": "pkg:gem/http-parser@1.2.1",
       "type": "library",
       "name": "http-parser",
       "version": "1.2.1",
@@ -6511,7 +6531,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/http@4.3.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fhttp-4.3.0.gemspec",
+      "bom-ref": "pkg:gem/http@4.3.0",
       "type": "library",
       "name": "http",
       "version": "4.3.0",
@@ -6543,7 +6563,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/http_parser.rb@0.6.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fhttp_parser.rb-0.6.0.gemspec",
+      "bom-ref": "pkg:gem/http_parser.rb@0.6.0",
       "type": "library",
       "name": "http_parser.rb",
       "version": "0.6.0",
@@ -6575,7 +6595,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/i18n@1.8.2?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fi18n-1.8.2.gemspec",
+      "bom-ref": "pkg:gem/i18n@1.8.2",
       "type": "library",
       "name": "i18n",
       "version": "1.8.2",
@@ -6607,7 +6627,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/kubeclient@4.6.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fkubeclient-4.6.0.gemspec",
+      "bom-ref": "pkg:gem/kubeclient@4.6.0",
       "type": "library",
       "name": "kubeclient",
       "version": "4.6.0",
@@ -6639,7 +6659,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/lru_redux@1.1.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Flru_redux-1.1.0.gemspec",
+      "bom-ref": "pkg:gem/lru_redux@1.1.0",
       "type": "library",
       "name": "lru_redux",
       "version": "1.1.0",
@@ -6671,7 +6691,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/mime-types-data@3.2019.1009?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fmime-types-data-3.2019.1009.gemspec",
+      "bom-ref": "pkg:gem/mime-types-data@3.2019.1009",
       "type": "library",
       "name": "mime-types-data",
       "version": "3.2019.1009",
@@ -6703,7 +6723,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/mime-types@3.3.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fmime-types-3.3.1.gemspec",
+      "bom-ref": "pkg:gem/mime-types@3.3.1",
       "type": "library",
       "name": "mime-types",
       "version": "3.3.1",
@@ -6735,7 +6755,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/minitest@5.14.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fminitest-5.14.0.gemspec",
+      "bom-ref": "pkg:gem/minitest@5.14.0",
       "type": "library",
       "name": "minitest",
       "version": "5.14.0",
@@ -6767,7 +6787,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/msgpack@1.3.3?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fmsgpack-1.3.3.gemspec",
+      "bom-ref": "pkg:gem/msgpack@1.3.3",
       "type": "library",
       "name": "msgpack",
       "version": "1.3.3",
@@ -6799,7 +6819,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/multi_json@1.14.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fmulti_json-1.14.1.gemspec",
+      "bom-ref": "pkg:gem/multi_json@1.14.1",
       "type": "library",
       "name": "multi_json",
       "version": "1.14.1",
@@ -6831,7 +6851,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/multipart-post@2.1.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fmultipart-post-2.1.1.gemspec",
+      "bom-ref": "pkg:gem/multipart-post@2.1.1",
       "type": "library",
       "name": "multipart-post",
       "version": "2.1.1",
@@ -6863,7 +6883,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/netrc@0.11.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fnetrc-0.11.0.gemspec",
+      "bom-ref": "pkg:gem/netrc@0.11.0",
       "type": "library",
       "name": "netrc",
       "version": "0.11.0",
@@ -6895,7 +6915,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/oj@3.10.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Foj-3.10.0.gemspec",
+      "bom-ref": "pkg:gem/oj@3.10.0",
       "type": "library",
       "name": "oj",
       "version": "3.10.0",
@@ -6927,7 +6947,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/prometheus-client@0.9.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fprometheus-client-0.9.0.gemspec",
+      "bom-ref": "pkg:gem/prometheus-client@0.9.0",
       "type": "library",
       "name": "prometheus-client",
       "version": "0.9.0",
@@ -6959,7 +6979,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/public_suffix@4.0.3?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fpublic_suffix-4.0.3.gemspec",
+      "bom-ref": "pkg:gem/public_suffix@4.0.3",
       "type": "library",
       "name": "public_suffix",
       "version": "4.0.3",
@@ -6991,7 +7011,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/quantile@0.2.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fquantile-0.2.1.gemspec",
+      "bom-ref": "pkg:gem/quantile@0.2.1",
       "type": "library",
       "name": "quantile",
       "version": "0.2.1",
@@ -7023,7 +7043,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/rake@13.0.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Frake-13.0.1.gemspec",
+      "bom-ref": "pkg:gem/rake@13.0.1",
       "type": "library",
       "name": "rake",
       "version": "13.0.1",
@@ -7055,7 +7075,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/recursive-open-struct@1.1.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Frecursive-open-struct-1.1.0.gemspec",
+      "bom-ref": "pkg:gem/recursive-open-struct@1.1.0",
       "type": "library",
       "name": "recursive-open-struct",
       "version": "1.1.0",
@@ -7087,7 +7107,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/rest-client@2.1.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Frest-client-2.1.0.gemspec",
+      "bom-ref": "pkg:gem/rest-client@2.1.0",
       "type": "library",
       "name": "rest-client",
       "version": "2.1.0",
@@ -7119,7 +7139,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/serverengine@2.2.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fserverengine-2.2.1.gemspec",
+      "bom-ref": "pkg:gem/serverengine@2.2.1",
       "type": "library",
       "name": "serverengine",
       "version": "2.2.1",
@@ -7151,7 +7171,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/sigdump@0.2.4?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fsigdump-0.2.4.gemspec",
+      "bom-ref": "pkg:gem/sigdump@0.2.4",
       "type": "library",
       "name": "sigdump",
       "version": "0.2.4",
@@ -7183,7 +7203,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/strptime@0.2.3?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fstrptime-0.2.3.gemspec",
+      "bom-ref": "pkg:gem/strptime@0.2.3",
       "type": "library",
       "name": "strptime",
       "version": "0.2.3",
@@ -7215,7 +7235,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/systemd-journal@1.3.3?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fsystemd-journal-1.3.3.gemspec",
+      "bom-ref": "pkg:gem/systemd-journal@1.3.3",
       "type": "library",
       "name": "systemd-journal",
       "version": "1.3.3",
@@ -7247,7 +7267,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/thread_safe@0.3.6?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fthread_safe-0.3.6.gemspec",
+      "bom-ref": "pkg:gem/thread_safe@0.3.6",
       "type": "library",
       "name": "thread_safe",
       "version": "0.3.6",
@@ -7279,7 +7299,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/tzinfo-data@1.2019.3?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Ftzinfo-data-1.2019.3.gemspec",
+      "bom-ref": "pkg:gem/tzinfo-data@1.2019.3",
       "type": "library",
       "name": "tzinfo-data",
       "version": "1.2019.3",
@@ -7311,7 +7331,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/tzinfo@1.2.6?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Ftzinfo-1.2.6.gemspec",
+      "bom-ref": "pkg:gem/tzinfo@1.2.6",
       "type": "library",
       "name": "tzinfo",
       "version": "1.2.6",
@@ -7343,7 +7363,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/unf@0.1.4?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Funf-0.1.4.gemspec",
+      "bom-ref": "pkg:gem/unf@0.1.4",
       "type": "library",
       "name": "unf",
       "version": "0.1.4",
@@ -7375,7 +7395,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/unf_ext@0.0.7.6?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Funf_ext-0.0.7.6.gemspec",
+      "bom-ref": "pkg:gem/unf_ext@0.0.7.6",
       "type": "library",
       "name": "unf_ext",
       "version": "0.0.7.6",
@@ -7407,7 +7427,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/yajl-ruby@1.4.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fyajl-ruby-1.4.1.gemspec",
+      "bom-ref": "pkg:gem/yajl-ruby@1.4.1",
       "type": "library",
       "name": "yajl-ruby",
       "version": "1.4.1",
@@ -7439,7 +7459,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:gem/zeitwerk@2.3.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fzeitwerk-2.3.0.gemspec",
+      "bom-ref": "pkg:gem/zeitwerk@2.3.0",
       "type": "library",
       "name": "zeitwerk",
       "version": "2.3.0",
@@ -7473,68 +7493,68 @@
   ],
   "dependencies": [
     {
-      "ref": "3ff14136-e09f-4df9-80ea-000000000002",
+      "ref": "3ff14136-e09f-4df9-80ea-000000000001",
       "dependsOn": [
-        "3ff14136-e09f-4df9-80ea-000000000003",
-        "pkg:gem/activesupport@6.0.2.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Factivesupport-6.0.2.1.gemspec",
-        "pkg:gem/addressable@2.7.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Faddressable-2.7.0.gemspec",
-        "pkg:gem/concurrent-ruby@1.1.6?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fconcurrent-ruby-1.1.6.gemspec",
-        "pkg:gem/cool.io@1.6.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fcool.io-1.6.0.gemspec",
-        "pkg:gem/dig_rb@1.0.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fdig_rb-1.0.1.gemspec",
-        "pkg:gem/domain_name@0.5.20190701?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fdomain_name-0.5.20190701.gemspec",
-        "pkg:gem/elasticsearch-api@7.5.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Felasticsearch-api-7.5.0.gemspec",
-        "pkg:gem/elasticsearch-transport@7.5.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Felasticsearch-transport-7.5.0.gemspec",
-        "pkg:gem/elasticsearch@7.5.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Felasticsearch-7.5.0.gemspec",
-        "pkg:gem/excon@0.72.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fexcon-0.72.0.gemspec",
-        "pkg:gem/faraday@0.17.3?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Ffaraday-0.17.3.gemspec",
-        "pkg:gem/ffi-compiler@1.0.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fffi-compiler-1.0.1.gemspec",
-        "pkg:gem/ffi@1.12.2?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fffi-1.12.2.gemspec",
-        "pkg:gem/fluent-plugin-concat@2.4.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Ffluent-plugin-concat-2.4.0.gemspec",
-        "pkg:gem/fluent-plugin-detect-exceptions@0.0.13?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Ffluent-plugin-detect-exceptions-0.0.13.gemspec",
-        "pkg:gem/fluent-plugin-elasticsearch@3.8.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Ffluent-plugin-elasticsearch-3.8.0.gemspec",
-        "pkg:gem/fluent-plugin-kubernetes_metadata_filter@2.4.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Ffluent-plugin-kubernetes_metadata_filter-2.4.1.gemspec",
-        "pkg:gem/fluent-plugin-multi-format-parser@1.0.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Ffluent-plugin-multi-format-parser-1.0.0.gemspec",
-        "pkg:gem/fluent-plugin-prometheus@1.7.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Ffluent-plugin-prometheus-1.7.0.gemspec",
-        "pkg:gem/fluent-plugin-systemd@1.0.2?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Ffluent-plugin-systemd-1.0.2.gemspec",
-        "pkg:gem/fluentd@1.8.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Ffluentd-1.8.0.gemspec",
-        "pkg:gem/http-accept@1.7.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fhttp-accept-1.7.0.gemspec",
-        "pkg:gem/http-cookie@1.0.3?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fhttp-cookie-1.0.3.gemspec",
-        "pkg:gem/http-form_data@2.2.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fhttp-form_data-2.2.0.gemspec",
-        "pkg:gem/http-parser@1.2.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fhttp-parser-1.2.1.gemspec",
-        "pkg:gem/http@4.3.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fhttp-4.3.0.gemspec",
-        "pkg:gem/http_parser.rb@0.6.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fhttp_parser.rb-0.6.0.gemspec",
-        "pkg:gem/i18n@1.8.2?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fi18n-1.8.2.gemspec",
-        "pkg:gem/kubeclient@4.6.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fkubeclient-4.6.0.gemspec",
-        "pkg:gem/lru_redux@1.1.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Flru_redux-1.1.0.gemspec",
-        "pkg:gem/mime-types-data@3.2019.1009?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fmime-types-data-3.2019.1009.gemspec",
-        "pkg:gem/mime-types@3.3.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fmime-types-3.3.1.gemspec",
-        "pkg:gem/minitest@5.14.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fminitest-5.14.0.gemspec",
-        "pkg:gem/msgpack@1.3.3?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fmsgpack-1.3.3.gemspec",
-        "pkg:gem/multi_json@1.14.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fmulti_json-1.14.1.gemspec",
-        "pkg:gem/multipart-post@2.1.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fmultipart-post-2.1.1.gemspec",
-        "pkg:gem/netrc@0.11.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fnetrc-0.11.0.gemspec",
-        "pkg:gem/oj@3.10.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Foj-3.10.0.gemspec",
-        "pkg:gem/prometheus-client@0.9.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fprometheus-client-0.9.0.gemspec",
-        "pkg:gem/public_suffix@4.0.3?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fpublic_suffix-4.0.3.gemspec",
-        "pkg:gem/quantile@0.2.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fquantile-0.2.1.gemspec",
-        "pkg:gem/rake@13.0.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Frake-13.0.1.gemspec",
-        "pkg:gem/recursive-open-struct@1.1.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Frecursive-open-struct-1.1.0.gemspec",
-        "pkg:gem/rest-client@2.1.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Frest-client-2.1.0.gemspec",
-        "pkg:gem/serverengine@2.2.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fserverengine-2.2.1.gemspec",
-        "pkg:gem/sigdump@0.2.4?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fsigdump-0.2.4.gemspec",
-        "pkg:gem/strptime@0.2.3?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fstrptime-0.2.3.gemspec",
-        "pkg:gem/systemd-journal@1.3.3?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fsystemd-journal-1.3.3.gemspec",
-        "pkg:gem/thread_safe@0.3.6?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fthread_safe-0.3.6.gemspec",
-        "pkg:gem/tzinfo-data@1.2019.3?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Ftzinfo-data-1.2019.3.gemspec",
-        "pkg:gem/tzinfo@1.2.6?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Ftzinfo-1.2.6.gemspec",
-        "pkg:gem/unf@0.1.4?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Funf-0.1.4.gemspec",
-        "pkg:gem/unf_ext@0.0.7.6?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Funf_ext-0.0.7.6.gemspec",
-        "pkg:gem/yajl-ruby@1.4.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fyajl-ruby-1.4.1.gemspec",
-        "pkg:gem/zeitwerk@2.3.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fzeitwerk-2.3.0.gemspec"
+        "3ff14136-e09f-4df9-80ea-000000000002",
+        "pkg:gem/activesupport@6.0.2.1",
+        "pkg:gem/addressable@2.7.0",
+        "pkg:gem/concurrent-ruby@1.1.6",
+        "pkg:gem/cool.io@1.6.0",
+        "pkg:gem/dig_rb@1.0.1",
+        "pkg:gem/domain_name@0.5.20190701",
+        "pkg:gem/elasticsearch-api@7.5.0",
+        "pkg:gem/elasticsearch-transport@7.5.0",
+        "pkg:gem/elasticsearch@7.5.0",
+        "pkg:gem/excon@0.72.0",
+        "pkg:gem/faraday@0.17.3",
+        "pkg:gem/ffi-compiler@1.0.1",
+        "pkg:gem/ffi@1.12.2",
+        "pkg:gem/fluent-plugin-concat@2.4.0",
+        "pkg:gem/fluent-plugin-detect-exceptions@0.0.13",
+        "pkg:gem/fluent-plugin-elasticsearch@3.8.0",
+        "pkg:gem/fluent-plugin-kubernetes_metadata_filter@2.4.1",
+        "pkg:gem/fluent-plugin-multi-format-parser@1.0.0",
+        "pkg:gem/fluent-plugin-prometheus@1.7.0",
+        "pkg:gem/fluent-plugin-systemd@1.0.2",
+        "pkg:gem/fluentd@1.8.0",
+        "pkg:gem/http-accept@1.7.0",
+        "pkg:gem/http-cookie@1.0.3",
+        "pkg:gem/http-form_data@2.2.0",
+        "pkg:gem/http-parser@1.2.1",
+        "pkg:gem/http@4.3.0",
+        "pkg:gem/http_parser.rb@0.6.0",
+        "pkg:gem/i18n@1.8.2",
+        "pkg:gem/kubeclient@4.6.0",
+        "pkg:gem/lru_redux@1.1.0",
+        "pkg:gem/mime-types-data@3.2019.1009",
+        "pkg:gem/mime-types@3.3.1",
+        "pkg:gem/minitest@5.14.0",
+        "pkg:gem/msgpack@1.3.3",
+        "pkg:gem/multi_json@1.14.1",
+        "pkg:gem/multipart-post@2.1.1",
+        "pkg:gem/netrc@0.11.0",
+        "pkg:gem/oj@3.10.0",
+        "pkg:gem/prometheus-client@0.9.0",
+        "pkg:gem/public_suffix@4.0.3",
+        "pkg:gem/quantile@0.2.1",
+        "pkg:gem/rake@13.0.1",
+        "pkg:gem/recursive-open-struct@1.1.0",
+        "pkg:gem/rest-client@2.1.0",
+        "pkg:gem/serverengine@2.2.1",
+        "pkg:gem/sigdump@0.2.4",
+        "pkg:gem/strptime@0.2.3",
+        "pkg:gem/systemd-journal@1.3.3",
+        "pkg:gem/thread_safe@0.3.6",
+        "pkg:gem/tzinfo-data@1.2019.3",
+        "pkg:gem/tzinfo@1.2.6",
+        "pkg:gem/unf@0.1.4",
+        "pkg:gem/unf_ext@0.0.7.6",
+        "pkg:gem/yajl-ruby@1.4.1",
+        "pkg:gem/zeitwerk@2.3.0"
       ]
     },
     {
-      "ref": "3ff14136-e09f-4df9-80ea-000000000003",
+      "ref": "3ff14136-e09f-4df9-80ea-000000000002",
       "dependsOn": [
         "pkg:deb/debian/adduser@3.118?arch=all&distro=debian-10.2",
         "pkg:deb/debian/apt@1.8.2?arch=amd64&distro=debian-10.2",
@@ -8324,223 +8344,223 @@
       ]
     },
     {
-      "ref": "pkg:gem/activesupport@6.0.2.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Factivesupport-6.0.2.1.gemspec",
+      "ref": "pkg:gem/activesupport@6.0.2.1",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/addressable@2.7.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Faddressable-2.7.0.gemspec",
+      "ref": "pkg:gem/addressable@2.7.0",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/concurrent-ruby@1.1.6?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fconcurrent-ruby-1.1.6.gemspec",
+      "ref": "pkg:gem/concurrent-ruby@1.1.6",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/cool.io@1.6.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fcool.io-1.6.0.gemspec",
+      "ref": "pkg:gem/cool.io@1.6.0",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/dig_rb@1.0.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fdig_rb-1.0.1.gemspec",
+      "ref": "pkg:gem/dig_rb@1.0.1",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/domain_name@0.5.20190701?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fdomain_name-0.5.20190701.gemspec",
+      "ref": "pkg:gem/domain_name@0.5.20190701",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/elasticsearch-api@7.5.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Felasticsearch-api-7.5.0.gemspec",
+      "ref": "pkg:gem/elasticsearch-api@7.5.0",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/elasticsearch-transport@7.5.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Felasticsearch-transport-7.5.0.gemspec",
+      "ref": "pkg:gem/elasticsearch-transport@7.5.0",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/elasticsearch@7.5.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Felasticsearch-7.5.0.gemspec",
+      "ref": "pkg:gem/elasticsearch@7.5.0",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/excon@0.72.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fexcon-0.72.0.gemspec",
+      "ref": "pkg:gem/excon@0.72.0",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/faraday@0.17.3?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Ffaraday-0.17.3.gemspec",
+      "ref": "pkg:gem/faraday@0.17.3",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/ffi-compiler@1.0.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fffi-compiler-1.0.1.gemspec",
+      "ref": "pkg:gem/ffi-compiler@1.0.1",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/ffi@1.12.2?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fffi-1.12.2.gemspec",
+      "ref": "pkg:gem/ffi@1.12.2",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/fluent-plugin-concat@2.4.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Ffluent-plugin-concat-2.4.0.gemspec",
+      "ref": "pkg:gem/fluent-plugin-concat@2.4.0",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/fluent-plugin-detect-exceptions@0.0.13?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Ffluent-plugin-detect-exceptions-0.0.13.gemspec",
+      "ref": "pkg:gem/fluent-plugin-detect-exceptions@0.0.13",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/fluent-plugin-elasticsearch@3.8.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Ffluent-plugin-elasticsearch-3.8.0.gemspec",
+      "ref": "pkg:gem/fluent-plugin-elasticsearch@3.8.0",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/fluent-plugin-kubernetes_metadata_filter@2.4.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Ffluent-plugin-kubernetes_metadata_filter-2.4.1.gemspec",
+      "ref": "pkg:gem/fluent-plugin-kubernetes_metadata_filter@2.4.1",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/fluent-plugin-multi-format-parser@1.0.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Ffluent-plugin-multi-format-parser-1.0.0.gemspec",
+      "ref": "pkg:gem/fluent-plugin-multi-format-parser@1.0.0",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/fluent-plugin-prometheus@1.7.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Ffluent-plugin-prometheus-1.7.0.gemspec",
+      "ref": "pkg:gem/fluent-plugin-prometheus@1.7.0",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/fluent-plugin-systemd@1.0.2?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Ffluent-plugin-systemd-1.0.2.gemspec",
+      "ref": "pkg:gem/fluent-plugin-systemd@1.0.2",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/fluentd@1.8.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Ffluentd-1.8.0.gemspec",
+      "ref": "pkg:gem/fluentd@1.8.0",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/http-accept@1.7.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fhttp-accept-1.7.0.gemspec",
+      "ref": "pkg:gem/http-accept@1.7.0",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/http-cookie@1.0.3?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fhttp-cookie-1.0.3.gemspec",
+      "ref": "pkg:gem/http-cookie@1.0.3",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/http-form_data@2.2.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fhttp-form_data-2.2.0.gemspec",
+      "ref": "pkg:gem/http-form_data@2.2.0",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/http-parser@1.2.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fhttp-parser-1.2.1.gemspec",
+      "ref": "pkg:gem/http-parser@1.2.1",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/http@4.3.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fhttp-4.3.0.gemspec",
+      "ref": "pkg:gem/http@4.3.0",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/http_parser.rb@0.6.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fhttp_parser.rb-0.6.0.gemspec",
+      "ref": "pkg:gem/http_parser.rb@0.6.0",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/i18n@1.8.2?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fi18n-1.8.2.gemspec",
+      "ref": "pkg:gem/i18n@1.8.2",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/kubeclient@4.6.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fkubeclient-4.6.0.gemspec",
+      "ref": "pkg:gem/kubeclient@4.6.0",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/lru_redux@1.1.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Flru_redux-1.1.0.gemspec",
+      "ref": "pkg:gem/lru_redux@1.1.0",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/mime-types-data@3.2019.1009?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fmime-types-data-3.2019.1009.gemspec",
+      "ref": "pkg:gem/mime-types-data@3.2019.1009",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/mime-types@3.3.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fmime-types-3.3.1.gemspec",
+      "ref": "pkg:gem/mime-types@3.3.1",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/minitest@5.14.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fminitest-5.14.0.gemspec",
+      "ref": "pkg:gem/minitest@5.14.0",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/msgpack@1.3.3?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fmsgpack-1.3.3.gemspec",
+      "ref": "pkg:gem/msgpack@1.3.3",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/multi_json@1.14.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fmulti_json-1.14.1.gemspec",
+      "ref": "pkg:gem/multi_json@1.14.1",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/multipart-post@2.1.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fmultipart-post-2.1.1.gemspec",
+      "ref": "pkg:gem/multipart-post@2.1.1",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/netrc@0.11.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fnetrc-0.11.0.gemspec",
+      "ref": "pkg:gem/netrc@0.11.0",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/oj@3.10.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Foj-3.10.0.gemspec",
+      "ref": "pkg:gem/oj@3.10.0",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/prometheus-client@0.9.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fprometheus-client-0.9.0.gemspec",
+      "ref": "pkg:gem/prometheus-client@0.9.0",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/public_suffix@4.0.3?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fpublic_suffix-4.0.3.gemspec",
+      "ref": "pkg:gem/public_suffix@4.0.3",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/quantile@0.2.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fquantile-0.2.1.gemspec",
+      "ref": "pkg:gem/quantile@0.2.1",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/rake@13.0.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Frake-13.0.1.gemspec",
+      "ref": "pkg:gem/rake@13.0.1",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/recursive-open-struct@1.1.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Frecursive-open-struct-1.1.0.gemspec",
+      "ref": "pkg:gem/recursive-open-struct@1.1.0",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/rest-client@2.1.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Frest-client-2.1.0.gemspec",
+      "ref": "pkg:gem/rest-client@2.1.0",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/serverengine@2.2.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fserverengine-2.2.1.gemspec",
+      "ref": "pkg:gem/serverengine@2.2.1",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/sigdump@0.2.4?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fsigdump-0.2.4.gemspec",
+      "ref": "pkg:gem/sigdump@0.2.4",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/strptime@0.2.3?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fstrptime-0.2.3.gemspec",
+      "ref": "pkg:gem/strptime@0.2.3",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/systemd-journal@1.3.3?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fsystemd-journal-1.3.3.gemspec",
+      "ref": "pkg:gem/systemd-journal@1.3.3",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/thread_safe@0.3.6?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fthread_safe-0.3.6.gemspec",
+      "ref": "pkg:gem/thread_safe@0.3.6",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/tzinfo-data@1.2019.3?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Ftzinfo-data-1.2019.3.gemspec",
+      "ref": "pkg:gem/tzinfo-data@1.2019.3",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/tzinfo@1.2.6?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Ftzinfo-1.2.6.gemspec",
+      "ref": "pkg:gem/tzinfo@1.2.6",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/unf@0.1.4?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Funf-0.1.4.gemspec",
+      "ref": "pkg:gem/unf@0.1.4",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/unf_ext@0.0.7.6?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Funf_ext-0.0.7.6.gemspec",
+      "ref": "pkg:gem/unf_ext@0.0.7.6",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/yajl-ruby@1.4.1?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fyajl-ruby-1.4.1.gemspec",
+      "ref": "pkg:gem/yajl-ruby@1.4.1",
       "dependsOn": []
     },
     {
-      "ref": "pkg:gem/zeitwerk@2.3.0?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Fzeitwerk-2.3.0.gemspec",
+      "ref": "pkg:gem/zeitwerk@2.3.0",
       "dependsOn": []
     }
   ],

integration/testdata/fluentd-multiple-lockfiles.json.golden

@@ -27,6 +27,7 @@
       "Vulnerabilities": [
         {
           "VulnerabilityID": "CVE-2019-18276",
+          "PkgID": "bash@5.0-4",
           "PkgName": "bash",
           "PkgIdentifier": {
             "PURL": "pkg:deb/debian/bash@5.0-4?distro=debian-10.2",
@@ -90,6 +91,7 @@
           "VendorIDs": [
             "DSA-4613-1"
           ],
+          "PkgID": "libidn2-0@2.0.5-1",
           "PkgName": "libidn2-0",
           "PkgIdentifier": {
             "PURL": "pkg:deb/debian/libidn2-0@2.0.5-1?distro=debian-10.2",
@@ -158,6 +160,7 @@
       "Vulnerabilities": [
         {
           "VulnerabilityID": "CVE-2020-8165",
+          "PkgID": "activesupport@6.0.2.1",
           "PkgName": "activesupport",
           "PkgPath": "var/lib/gems/2.5.0/specifications/activesupport-6.0.2.1.gemspec",
           "PkgIdentifier": {

integration/testdata/gradle.json.golden

@@ -23,6 +23,7 @@
       "Vulnerabilities": [
         {
           "VulnerabilityID": "CVE-2020-9548",
+          "PkgID": "com.fasterxml.jackson.core:jackson-databind:2.9.1",
           "PkgName": "com.fasterxml.jackson.core:jackson-databind",
           "PkgIdentifier": {
             "PURL": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1"
@@ -87,6 +88,7 @@
         },
         {
           "VulnerabilityID": "CVE-2021-20190",
+          "PkgID": "com.fasterxml.jackson.core:jackson-databind:2.9.1",
           "PkgName": "com.fasterxml.jackson.core:jackson-databind",
           "PkgIdentifier": {
             "PURL": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1"

integration/testdata/helm.json.golden

@@ -791,7 +791,7 @@
           "AVDID": "AVD-KSV-0104",
           "Title": "Seccomp policies disabled",
           "Description": "A program inside the container can bypass Seccomp protection policies.",
-          "Message": "container nginx of deployment nginx-deployment in default namespace should specify a seccomp profile",
+          "Message": "container \"nginx\" of deployment \"nginx-deployment\" in \"default\" namespace should specify a seccomp profile",
           "Namespace": "builtin.kubernetes.KSV104",
           "Query": "data.builtin.kubernetes.KSV104.deny",
           "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards",

integration/testdata/helm_testchart.json.golden

@@ -288,7 +288,7 @@
           "AVDID": "AVD-KSV-0104",
           "Title": "Seccomp policies disabled",
           "Description": "A program inside the container can bypass Seccomp protection policies.",
-          "Message": "container testchart of deployment testchart in default namespace should specify a seccomp profile",
+          "Message": "container \"testchart\" of deployment \"testchart\" in \"default\" namespace should specify a seccomp profile",
           "Namespace": "builtin.kubernetes.KSV104",
           "Query": "data.builtin.kubernetes.KSV104.deny",
           "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards",

integration/testdata/helm_testchart.overridden.json.golden

@@ -416,7 +416,7 @@
           "AVDID": "AVD-KSV-0104",
           "Title": "Seccomp policies disabled",
           "Description": "A program inside the container can bypass Seccomp protection policies.",
-          "Message": "container testchart of deployment testchart in default namespace should specify a seccomp profile",
+          "Message": "container \"testchart\" of deployment \"testchart\" in \"default\" namespace should specify a seccomp profile",
           "Namespace": "builtin.kubernetes.KSV104",
           "Query": "data.builtin.kubernetes.KSV104.deny",
           "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards",

integration/testdata/license-cyclonedx.json.golden

@@ -0,0 +1,65 @@
+{
+  "SchemaVersion": 2,
+  "CreatedAt": "2021-08-25T12:20:30.000000005Z",
+  "ArtifactName": "testdata/fixtures/sbom/license-cyclonedx.json",
+  "ArtifactType": "cyclonedx",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  },
+  "Results": [
+    {
+      "Target": "OS Packages",
+      "Class": "license"
+    },
+    {
+      "Target": "pom.xml",
+      "Class": "license"
+    },
+    {
+      "Target": "Java",
+      "Class": "license",
+      "Licenses": [
+        {
+          "Severity": "MEDIUM",
+          "Category": "reciprocal",
+          "PkgName": "org.eclipse.sisu:org.eclipse.sisu.plexus",
+          "FilePath": "",
+          "Name": "EPL-1.0",
+          "Confidence": 1,
+          "Link": ""
+        },
+        {
+          "Severity": "LOW",
+          "Category": "notice",
+          "PkgName": "org.ow2.asm:asm",
+          "FilePath": "",
+          "Name": "BSD-3-Clause",
+          "Confidence": 1,
+          "Link": ""
+        },
+        {
+          "Severity": "UNKNOWN",
+          "Category": "unknown",
+          "PkgName": "org.slf4j:slf4j-api",
+          "FilePath": "",
+          "Name": "MIT License",
+          "Confidence": 1,
+          "Link": ""
+        }
+      ]
+    },
+    {
+      "Target": "Loose File License(s)",
+      "Class": "license-file"
+    }
+  ]
+}

integration/testdata/minikube-kbom.json.golden

@@ -32,6 +32,7 @@
       "Vulnerabilities": [
         {
           "VulnerabilityID": "CVE-2023-2431",
+          "PkgID": "k8s.io/kubelet@1.27.0",
           "PkgName": "k8s.io/kubelet",
           "PkgIdentifier": {
             "PURL": "pkg:k8s/k8s.io%2Fkubelet@1.27.0",

integration/testdata/pom-cyclonedx.json.golden

@@ -2,7 +2,7 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001",
+  "serialNumber": "urn:uuid:3ff14136-e09f-4df9-80ea-000000000005",
   "version": 1,
   "metadata": {
     "timestamp": "2021-08-25T12:20:30+00:00",
@@ -17,7 +17,7 @@
       ]
     },
     "component": {
-      "bom-ref": "3ff14136-e09f-4df9-80ea-000000000002",
+      "bom-ref": "3ff14136-e09f-4df9-80ea-000000000001",
       "type": "application",
       "name": "testdata/fixtures/repo/pom",
       "properties": [
@@ -30,7 +30,7 @@
   },
   "components": [
     {
-      "bom-ref": "3ff14136-e09f-4df9-80ea-000000000003",
+      "bom-ref": "3ff14136-e09f-4df9-80ea-000000000002",
       "type": "application",
       "name": "pom.xml",
       "properties": [
@@ -83,13 +83,13 @@
   ],
   "dependencies": [
     {
-      "ref": "3ff14136-e09f-4df9-80ea-000000000002",
+      "ref": "3ff14136-e09f-4df9-80ea-000000000001",
       "dependsOn": [
-        "3ff14136-e09f-4df9-80ea-000000000003"
+        "3ff14136-e09f-4df9-80ea-000000000002"
       ]
     },
     {
-      "ref": "3ff14136-e09f-4df9-80ea-000000000003",
+      "ref": "3ff14136-e09f-4df9-80ea-000000000002",
       "dependsOn": [
         "pkg:maven/com.example/log4shell@1.0-SNAPSHOT",
         "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1"

internal/testutil/localstack.go

@@ -0,0 +1,51 @@
+package testutil
+
+import (
+	"context"
+	"fmt"
+	"os"
+
+	dockercontainer "github.com/docker/docker/api/types/container"
+	"github.com/testcontainers/testcontainers-go"
+	"github.com/testcontainers/testcontainers-go/modules/localstack"
+)
+
+func SetupLocalStack(ctx context.Context, version string) (*localstack.LocalStackContainer, string, error) {
+
+	if err := os.Setenv("TESTCONTAINERS_RYUK_DISABLED", "true"); err != nil {
+		return nil, "", err
+	}
+
+	container, err := localstack.RunContainer(ctx, testcontainers.CustomizeRequest(
+		testcontainers.GenericContainerRequest{
+			ContainerRequest: testcontainers.ContainerRequest{
+				Image: "localstack/localstack:" + version,
+				HostConfigModifier: func(hostConfig *dockercontainer.HostConfig) {
+					hostConfig.AutoRemove = true
+				},
+			},
+		},
+	))
+	if err != nil {
+		return nil, "", err
+	}
+
+	p, err := container.MappedPort(ctx, "4566/tcp")
+	if err != nil {
+		return nil, "", err
+	}
+
+	provider, err := testcontainers.NewDockerProvider()
+	if err != nil {
+		return nil, "", err
+	}
+	defer provider.Close()
+
+	host, err := provider.DaemonHost(ctx)
+	if err != nil {
+		return nil, "", err
+	}
+
+	return container, fmt.Sprintf("http://%s:%d", host, p.Int()), nil
+
+}

internal/testutil/util.go

@@ -0,0 +1,114 @@
+package testutil
+
+import (
+	"encoding/json"
+	"io/fs"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/liamg/memoryfs"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/aquasecurity/trivy/pkg/iac/scan"
+)
+
+func AssertRuleFound(t *testing.T, ruleID string, results scan.Results, message string, args ...interface{}) {
+	found := ruleIDInResults(ruleID, results.GetFailed())
+	assert.True(t, found, append([]interface{}{message}, args...)...)
+	for _, result := range results.GetFailed() {
+		if result.Rule().LongID() == ruleID {
+			m := result.Metadata()
+			meta := &m
+			for meta != nil {
+				assert.NotNil(t, meta.Range(), 0)
+				assert.Greater(t, meta.Range().GetStartLine(), 0)
+				assert.Greater(t, meta.Range().GetEndLine(), 0)
+				meta = meta.Parent()
+			}
+		}
+	}
+}
+
+func AssertRuleNotFound(t *testing.T, ruleID string, results scan.Results, message string, args ...interface{}) {
+	found := ruleIDInResults(ruleID, results.GetFailed())
+	assert.False(t, found, append([]interface{}{message}, args...)...)
+}
+
+func ruleIDInResults(ruleID string, results scan.Results) bool {
+	for _, res := range results {
+		if res.Rule().LongID() == ruleID {
+			return true
+		}
+	}
+	return false
+}
+
+func CreateFS(t *testing.T, files map[string]string) fs.FS {
+	memfs := memoryfs.New()
+	for name, content := range files {
+		name := strings.TrimPrefix(name, "/")
+		err := memfs.MkdirAll(filepath.Dir(name), 0o700)
+		require.NoError(t, err)
+		err = memfs.WriteFile(name, []byte(content), 0o644)
+		require.NoError(t, err)
+	}
+	return memfs
+}
+
+func AssertDefsecEqual(t *testing.T, expected, actual interface{}) {
+	expectedJson, err := json.MarshalIndent(expected, "", "\t")
+	require.NoError(t, err)
+	actualJson, err := json.MarshalIndent(actual, "", "\t")
+	require.NoError(t, err)
+
+	if expectedJson[0] == '[' {
+		var expectedSlice []map[string]interface{}
+		require.NoError(t, json.Unmarshal(expectedJson, &expectedSlice))
+		var actualSlice []map[string]interface{}
+		require.NoError(t, json.Unmarshal(actualJson, &actualSlice))
+		expectedSlice = purgeMetadataSlice(expectedSlice)
+		actualSlice = purgeMetadataSlice(actualSlice)
+		assert.Equal(t, expectedSlice, actualSlice, "defsec adapted and expected values do not match")
+	} else {
+		var expectedMap map[string]interface{}
+		require.NoError(t, json.Unmarshal(expectedJson, &expectedMap))
+		var actualMap map[string]interface{}
+		require.NoError(t, json.Unmarshal(actualJson, &actualMap))
+		expectedMap = purgeMetadata(expectedMap)
+		actualMap = purgeMetadata(actualMap)
+		assert.Equal(t, expectedMap, actualMap, "defsec adapted and expected values do not match")
+	}
+}
+
+func purgeMetadata(input map[string]interface{}) map[string]interface{} {
+	for k, v := range input {
+		if k == "metadata" || k == "Metadata" {
+			delete(input, k)
+			continue
+		}
+		if v, ok := v.(map[string]interface{}); ok {
+			input[k] = purgeMetadata(v)
+		}
+		if v, ok := v.([]interface{}); ok {
+			if len(v) > 0 {
+				if _, ok := v[0].(map[string]interface{}); ok {
+					maps := make([]map[string]interface{}, len(v))
+					for i := range v {
+						maps[i] = v[i].(map[string]interface{})
+					}
+					input[k] = purgeMetadataSlice(maps)
+				}
+			}
+		}
+	}
+	return input
+}
+
+func purgeMetadataSlice(input []map[string]interface{}) []map[string]interface{} {
+	for i := range input {
+		input[i] = purgeMetadata(input[i])
+	}
+	return input
+}

magefiles/cloud_actions.go

@@ -0,0 +1,271 @@
+//go:build mage_cloudactions
+
+package main
+
+import (
+	"bufio"
+	"context"
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"sort"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/antchfx/htmlquery"
+	"github.com/aquasecurity/trivy/pkg/log"
+	"golang.org/x/net/html"
+	"golang.org/x/sync/errgroup"
+)
+
+const (
+	serviceAuthURL             = "https://docs.aws.amazon.com/service-authorization/latest/reference/"
+	serviceActionReferencesURL = "https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html"
+	targetFile                 = "pkg/iac/providers/aws/iam/actions.go"
+	defaultParallel            = 10
+)
+
+func parseServiceURLs(doc *html.Node) ([]string, error) {
+	nodes, err := htmlquery.QueryAll(doc, `//div[@class="highlights"]/ul/li/a/@href`)
+	if err != nil {
+		return nil, fmt.Errorf("failed to search nodes: %w\n", err)
+	}
+
+	res := make([]string, 0, len(nodes))
+
+	for _, node := range nodes {
+		// <a href="./list_awsaccountmanagement.html">AWS Account Management</a>
+		if node.FirstChild != nil {
+			res = append(res, serviceAuthURL+node.FirstChild.Data[2:])
+		}
+	}
+
+	return res, nil
+}
+
+func parseActions(url string) ([]string, error) {
+
+	doc, err := htmlquery.LoadURL(url)
+	if err != nil {
+		return nil, err
+	}
+
+	servicePrefix, err := parseServicePrefix(doc)
+	if err != nil {
+		return nil, err
+	}
+
+	actions, err := parseServiceActions(doc)
+	if err != nil {
+		return nil, err
+	}
+
+	res := make([]string, 0, len(actions))
+
+	for _, act := range actions {
+		res = append(res, servicePrefix+":"+act)
+	}
+
+	fmt.Printf("Parsing of %q actions is completed\n", servicePrefix)
+
+	return res, nil
+}
+
+func parseServiceActions(doc *html.Node) ([]string, error) {
+	table, err := htmlquery.Query(doc, `//div[@class="table-container"]/div/table/tbody`)
+	if table == nil {
+		return nil, errors.New("actions table not found")
+	}
+	if err != nil {
+		return nil, fmt.Errorf("failed to query tables: %w\n", err)
+	}
+
+	var actions []string
+
+	var f func(*html.Node)
+	f = func(n *html.Node) {
+		for _, tr := range findSubtags(n, "tr") {
+			var action string
+			for k, td := range findSubtags(tr, "td") {
+				// first column - action
+				if k == 0 {
+					if a := findSubtag(td, "a"); a != nil && a.FirstChild != nil {
+						action = a.FirstChild.Data
+					}
+
+					// fourth column - resource type
+					// If the column is empty, then the action does not support resource-level permissions
+					// and you must specify all resources ("*") in your policy
+				} else if action != "" && k == 3 && td.FirstChild == nil {
+					actions = append(actions, action)
+				}
+			}
+		}
+		for c := n.FirstChild; c != nil; c = c.NextSibling {
+			f(c)
+		}
+	}
+	f(table)
+
+	return actions, err
+}
+
+func findSubtag(n *html.Node, tagName string) *html.Node {
+	for c := n.FirstChild; c != nil; c = c.NextSibling {
+		if c.Type == html.ElementNode && c.Data == tagName {
+			return c
+		}
+	}
+
+	return nil
+}
+
+func findSubtags(n *html.Node, tagName string) []*html.Node {
+	var result []*html.Node
+	for c := n.FirstChild; c != nil; c = c.NextSibling {
+		if c.Type == html.ElementNode && c.Data == tagName {
+			result = append(result, c)
+		}
+	}
+	return result
+}
+
+func parseServicePrefix(doc *html.Node) (string, error) {
+	nodes, err := htmlquery.QueryAll(doc, `//div[@id="main-col-body"]/p/descendant-or-self::*/text()`)
+	if err != nil {
+		return "", fmt.Errorf("failed to query paragraph: %w\n", err)
+	}
+
+	var sb strings.Builder
+	for _, node := range nodes {
+		sb.WriteString(node.Data)
+	}
+
+	p := sb.String()
+	sb.Reset()
+
+	idx := strings.Index(p, "service prefix: ")
+	if idx == -1 {
+		return "", fmt.Errorf("failed extract service prefix from text: %s\n", p)
+	}
+	idx += len("service prefix: ")
+
+	if len(p)-1 <= idx {
+		return "", fmt.Errorf("failed to parse service prefix from text: %s\n", p)
+	}
+
+	var parsed bool
+	for _, r := range p[idx:] {
+		if r == ')' {
+			parsed = true
+			break
+		}
+		sb.WriteRune(r)
+	}
+
+	if !parsed {
+		return "", fmt.Errorf("failed to parse service prefix from text: %s\n", p)
+	}
+
+	return sb.String(), nil
+}
+
+func generateFile(path string, actions []string) error {
+
+	f, err := os.Create(path)
+	if err != nil {
+		return fmt.Errorf("failed to create file: %w\n", err)
+	}
+	defer f.Close()
+
+	w := bufio.NewWriter(f)
+	_, _ = w.WriteString(
+		`// Code generated by mage genallowedactions DO NOT EDIT.
+
+package iam
+
+var allowedActionsForResourceWildcardsMap = map[string]struct{}{
+`,
+	)
+
+	for _, action := range actions {
+		_, _ = w.WriteString("\t\"" + action + "\": {},\n")
+	}
+	_, _ = w.WriteString("}")
+
+	return w.Flush()
+}
+
+func main() {
+	if err := GenAllowedActions(); err != nil {
+		log.Fatal(err)
+	}
+}
+
+// GenAllowedActions generates the list of valid actions for wildcard support
+func GenAllowedActions() error {
+	log.Logger.Info("Start parsing actions")
+	startTime := time.Now()
+	defer func() {
+		log.Logger.Infof("Parsing is completed. Duration %fs\n", time.Since(startTime).Seconds())
+	}()
+
+	doc, err := htmlquery.LoadURL(serviceActionReferencesURL)
+	if err != nil {
+		return fmt.Errorf("failed to retrieve action references: %w\n", err)
+	}
+	urls, err := parseServiceURLs(doc)
+	if err != nil {
+		return err
+	}
+
+	g, ctx := errgroup.WithContext(context.TODO())
+	g.SetLimit(defaultParallel)
+
+	// actions may be the same for services of different versions,
+	// e.g. Elastic Load Balancing and Elastic Load Balancing V2
+	actionsSet := make(map[string]struct{})
+
+	var mu sync.Mutex
+
+	for _, url := range urls {
+		url := url
+		if ctx.Err() != nil {
+			break
+		}
+		g.Go(func() error {
+			serviceActions, err := parseActions(url)
+			if err != nil {
+				return fmt.Errorf("failed to parse actions from %q: %w\n", url, err)
+			}
+
+			mu.Lock()
+			for _, act := range serviceActions {
+				actionsSet[act] = struct{}{}
+			}
+			mu.Unlock()
+
+			return nil
+		})
+	}
+
+	if err := g.Wait(); err != nil {
+		return err
+	}
+
+	actions := make([]string, 0, len(actionsSet))
+
+	for act := range actionsSet {
+		actions = append(actions, act)
+	}
+
+	sort.Strings(actions)
+
+	path := filepath.FromSlash(targetFile)
+	if err := generateFile(path, actions); err != nil {
+		return fmt.Errorf("failed to generate file: %w\n", err)
+	}
+	return nil
+}

magefiles/cloud_actions_test.go

@@ -0,0 +1,100 @@
+//go:build mage_cloudactions
+
+package main
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/antchfx/htmlquery"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestParseActionTableURLs(t *testing.T) {
+
+	doc, err := htmlquery.LoadDoc(filepath.Join("testdata", "reference_policies_actions-resources-contextkeys.html"))
+	require.NoError(t, err)
+
+	urls, err := parseServiceURLs(doc)
+	require.NoError(t, err)
+
+	expected := []string{
+		"https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsaccountmanagement.html",
+		"https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsactivate.html",
+		"https://docs.aws.amazon.com/service-authorization/latest/reference/list_alexaforbusiness.html",
+		"https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmediaimport.html",
+		"https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsamplify.html",
+		"https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsamplifyadmin.html",
+		"https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsamplifyuibuilder.html",
+	}
+	assert.Equal(t, expected, urls)
+}
+
+func TestParseServicePrefix(t *testing.T) {
+
+	doc, err := htmlquery.LoadDoc(filepath.Join("testdata", "list_amazoncloudwatch.html"))
+	require.NoError(t, err)
+
+	servicePrefix, err := parseServicePrefix(doc)
+	require.NoError(t, err)
+
+	assert.Equal(t, "cloudwatch", servicePrefix)
+}
+
+func TestParseActionsFromTable(t *testing.T) {
+
+	doc, err := htmlquery.LoadDoc(filepath.Join("testdata", "list_amazoncloudwatch.html"))
+	require.NoError(t, err)
+
+	actions, err := parseServiceActions(doc)
+	require.NoError(t, err)
+
+	expected := []string{
+		"DeleteAnomalyDetector",
+		"DescribeAlarmsForMetric",
+		"DescribeAnomalyDetectors",
+		"DescribeInsightRules",
+		"GetMetricData",
+		"GetMetricStatistics",
+		"GetMetricWidgetImage",
+		"Link",
+		"ListDashboards",
+		"ListManagedInsightRules",
+		"ListMetricStreams",
+		"ListMetrics",
+		"PutAnomalyDetector",
+		"PutManagedInsightRules",
+		"PutMetricData",
+	}
+
+	assert.Equal(t, expected, actions)
+}
+
+func TestGenerateFile(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	actions := []string{
+		"account:DisableRegion",
+		"account:EnableRegion",
+		"account:ListRegions",
+	}
+	path := filepath.Join(tmpDir, "test.go")
+	require.NoError(t, generateFile(path, actions))
+
+	expected := `// Code generated by mage genallowedactions DO NOT EDIT.
+
+package iam
+
+var allowedActionsForResourceWildcardsMap = map[string]struct{}{
+	"account:DisableRegion": {},
+	"account:EnableRegion": {},
+	"account:ListRegions": {},
+}`
+
+	b, err := os.ReadFile(path)
+	require.NoError(t, err)
+
+	assert.Equal(t, expected, string(b))
+}

magefiles/magefile.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"io/fs"
@@ -76,14 +77,6 @@ func (Tool) Labeler() error {
 	return sh.Run("go", "install", "github.com/knqyf263/labeler@latest")
 }
 
-// EasyJSON installs easyjson
-func (Tool) EasyJSON() error {
-	if exists(filepath.Join(GOBIN, "easyjson")) {
-		return nil
-	}
-	return sh.Run("go", "install", "github.com/mailru/easyjson/...@v0.7.7")
-}
-
 // Kind installs kind cluster
 func (Tool) Kind() error {
 	return sh.RunWithV(ENV, "go", "install", "sigs.k8s.io/kind@v0.19.0")
@@ -163,12 +156,6 @@ func Yacc() error {
 	return sh.Run("go", "generate", "./pkg/licensing/expression/...")
 }
 
-// Easyjson generates JSON marshaler/unmarshaler for TinyGo/WebAssembly as TinyGo doesn't support encoding/json.
-func Easyjson() error {
-	mg.Deps(Tool{}.EasyJSON)
-	return sh.Run("easyjson", "./pkg/module/serialize/types.go")
-}
-
 type Test mg.Namespace
 
 // FixtureContainerImages downloads and extracts required images
@@ -181,6 +168,11 @@ func (Test) FixtureVMImages() error {
 	return fixtureVMImages()
 }
 
+// FixtureTerraformPlanSnapshots generates Terraform Plan files in test folders
+func (Test) FixtureTerraformPlanSnapshots() error {
+	return fixtureTerraformPlanSnapshots(context.TODO())
+}
+
 // GenerateModules compiles WASM modules for unit tests
 func (Test) GenerateModules() error {
 	pattern := filepath.Join("pkg", "module", "testdata", "*", "*.go")
@@ -425,3 +417,19 @@ func installed(cmd string) bool {
 	_, err := exec.LookPath(cmd)
 	return err == nil
 }
+
+type Schema mg.Namespace
+
+func (Schema) Generate() error {
+	return sh.RunWith(ENV, "go", "run", "-tags=mage_schema", "./magefiles", "--", "generate")
+}
+
+func (Schema) Verify() error {
+	return sh.RunWith(ENV, "go", "run", "-tags=mage_schema", "./magefiles", "--", "verify")
+}
+
+type CloudActions mg.Namespace
+
+func (CloudActions) Generate() error {
+	return sh.RunWith(ENV, "go", "run", "-tags=mage_cloudactions", "./magefiles")
+}

magefiles/schema.go

@@ -0,0 +1,72 @@
+//go:build mage_schema
+
+package main
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"log"
+	"os"
+
+	"github.com/aquasecurity/trivy/pkg/iac/rego/schemas"
+)
+
+const (
+	schemaPath = "pkg/iac/rego/schemas/cloud.json"
+)
+
+func main() {
+	if len(os.Args) < 3 {
+		log.Fatalf("invalid schema command args: %s", os.Args)
+	}
+
+	switch os.Args[2] {
+	case "generate":
+		if err := GenSchema(); err != nil {
+			log.Fatalf(err.Error())
+		}
+		log.Println("schema generated")
+	case "verify":
+		if err := VerifySchema(); err != nil {
+			log.Fatalf(err.Error())
+		}
+		log.Println("schema valid")
+	}
+}
+
+// GenSchema generates the Trivy IaC schema
+func GenSchema() error {
+	schema, err := schemas.Build()
+	if err != nil {
+		return err
+	}
+	data, err := json.MarshalIndent(schema, "", "  ")
+	if err != nil {
+		return err
+	}
+	if err := os.WriteFile(schemaPath, data, 0600); err != nil {
+		return err
+	}
+	return nil
+}
+
+// VerifySchema verifies a generated schema for validity
+func VerifySchema() error {
+	schema, err := schemas.Build()
+	if err != nil {
+		return err
+	}
+	data, err := json.MarshalIndent(schema, "", "  ")
+	if err != nil {
+		return err
+	}
+	existing, err := os.ReadFile(schemaPath)
+	if err != nil {
+		return err
+	}
+	if !bytes.Equal(data, existing) {
+		return fmt.Errorf("schema is out of date:\n\nplease run 'mage schema:generate' and commit the changes\n")
+	}
+	return nil
+}

magefiles/terraformplan.go

@@ -0,0 +1,140 @@
+package main
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"log"
+	"os"
+	"path/filepath"
+	"strings"
+
+	hversion "github.com/hashicorp/go-version" //nolint:gomodguard // hc-install uses hashicorp/go-version
+	"github.com/hashicorp/hc-install/product"
+	"github.com/hashicorp/hc-install/releases"
+	"github.com/hashicorp/terraform-exec/tfexec"
+	"golang.org/x/sync/errgroup"
+
+	"github.com/aquasecurity/trivy/internal/testutil"
+)
+
+const (
+	terraformVersion       = "1.7.3"
+	terraformParallelLimit = 5
+
+	tfplanFile = "tfplan"
+)
+
+func fixtureTerraformPlanSnapshots(ctx context.Context) error {
+	localstackC, addr, err := testutil.SetupLocalStack(ctx, "3.1.0")
+	if err != nil {
+		return err
+	}
+	defer localstackC.Terminate(ctx)
+
+	envs := []struct {
+		key string
+		val string
+	}{
+		{"AWS_DEFAULT_REGION", "us-east-1"},
+		{"AWS_ACCESS_KEY_ID", "test"},
+		{"AWS_SECRET_ACCESS_KEY", "test"},
+		{"AWS_ENDPOINT_URL", addr},
+	}
+
+	for _, env := range envs {
+		if err := os.Setenv(env.key, env.val); err != nil {
+			return err
+		}
+	}
+
+	dirs := []string{
+		"pkg/fanal/artifact/local/testdata/misconfig/terraformplan/snapshots",
+		"pkg/iac/scanners/terraformplan/snapshot/testdata",
+	}
+
+	var workingDirs []string
+
+	for _, dir := range dirs {
+		entries, err := os.ReadDir(filepath.FromSlash(dir))
+		if err != nil {
+			return err
+		}
+
+		for _, entry := range entries {
+			workingDirs = append(workingDirs, filepath.Join(dir, entry.Name()))
+		}
+	}
+
+	installer := &releases.ExactVersion{
+		Product: product.Terraform,
+		Version: hversion.Must(hversion.NewVersion(terraformVersion)),
+	}
+
+	execPath, err := installer.Install(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to install Terraform: %w", err)
+	}
+
+	g, ctx := errgroup.WithContext(ctx)
+	g.SetLimit(terraformParallelLimit)
+
+	for _, workingDir := range workingDirs {
+		workingDir := workingDir
+		g.Go(func() error {
+			if err := os.Remove(tfplanFile); err != nil && !errors.Is(err, os.ErrNotExist) {
+				return err
+			}
+
+			if err := generatePlan(ctx, execPath, workingDir); err != nil {
+				return fmt.Errorf("failed to generate Terraform Plan: %w", err)
+			}
+
+			return nil
+		})
+	}
+
+	return g.Wait()
+}
+
+func generatePlan(ctx context.Context, execPath, workingDir string) error {
+	if err := cleanup(workingDir); err != nil {
+		return err
+	}
+	defer cleanup(workingDir)
+
+	tf, err := tfexec.NewTerraform(workingDir, execPath)
+	if err != nil {
+		return fmt.Errorf("failed to run Terraform: %w", err)
+	}
+
+	prefix := fmt.Sprintf("tfplan:%s:", filepath.Base(workingDir))
+	tf.SetLogger(log.New(os.Stdout, prefix, log.LstdFlags))
+
+	if err = tf.Init(ctx, tfexec.Upgrade(true)); err != nil {
+		return fmt.Errorf("failed to run Init cmd: %w", err)
+	}
+
+	if _, err := tf.Plan(ctx, tfexec.Out(tfplanFile)); err != nil {
+		return fmt.Errorf("failed to run Plan cmd: %w", err)
+	}
+
+	return nil
+}
+
+func cleanup(workingDir string) error {
+	entries, err := os.ReadDir(workingDir)
+	if err != nil {
+		return err
+	}
+
+	for _, entry := range entries {
+		if entry.Name() == "terraform.tfstate" || strings.HasPrefix(entry.Name(), ".terraform") {
+			path := filepath.Join(workingDir, entry.Name())
+			if err := os.RemoveAll(path); err != nil && !errors.Is(err, os.ErrNotExist) {
+				return err
+			}
+		}
+	}
+	return nil
+}

magefiles/testdata/reference_policies_actions-resources-contextkeys.html

@@ -0,0 +1,26 @@
+<div id="main-col-body">
+    <div class="highlights">
+        <h6>Topics</h6>
+        <ul>
+            <li>
+                <a href="./list_awsaccountmanagement.html"
+                    >AWS Account Management</a
+                >
+            </li>
+            <li><a href="./list_awsactivate.html">AWS Activate</a></li>
+            <li>
+                <a href="./list_alexaforbusiness.html">Alexa for Business</a>
+            </li>
+            <li>
+                <a href="./list_amazonmediaimport.html">AmazonMediaImport</a>
+            </li>
+            <li><a href="./list_awsamplify.html">AWS Amplify</a></li>
+            <li><a href="./list_awsamplifyadmin.html">AWS Amplify Admin</a></li>
+            <li>
+                <a href="./list_awsamplifyuibuilder.html"
+                    >AWS Amplify UI Builder</a
+                >
+            </li>
+        </ul>
+    </div>
+</div>

mkdocs.yml

@@ -30,6 +30,7 @@ nav:
           - GitOps: tutorials/kubernetes/gitops.md
       - Misconfiguration:
           - Terraform scanning: tutorials/misconfiguration/terraform.md
+          - Custom Checks with Rego: tutorials/misconfiguration/custom-checks.md
       - Signing:
           - Vulnerability Scan Record Attestation: tutorials/signing/vuln-attestation.md
       - Shell:
@@ -178,6 +179,7 @@ nav:
     - Production and Clouds: ecosystem/prod.md
     - Reporting: ecosystem/reporting.md
   - Contributing:
+      - Principles: community/principles.md
       - How to contribute:
           - Issues: community/contribute/issue.md
           - Discussions: community/contribute/discussion.md
@@ -202,7 +204,11 @@ theme:
 
 markdown_extensions:
   - pymdownx.highlight
-  - pymdownx.superfences
+  - pymdownx.superfences:
+      custom_fences:
+        - name: mermaid
+          class: mermaid
+          format: !!python/name:pymdownx.superfences.fence_code_format
   - admonition
   - footnotes
   - attr_list

pkg/cloud/aws/cache/cache.go

@@ -9,7 +9,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/aquasecurity/defsec/pkg/state"
+	"github.com/aquasecurity/trivy/pkg/iac/state"
 )
 
 type Cache struct {

pkg/cloud/aws/commands/run_test.go

@@ -3,19 +3,20 @@ package commands
 import (
 	"bytes"
 	"context"
-	"github.com/aquasecurity/trivy/pkg/clock"
 	"os"
 	"path/filepath"
 	"testing"
 	"time"
 
+	"github.com/aquasecurity/trivy/pkg/clock"
+
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	defsecTypes "github.com/aquasecurity/defsec/pkg/types"
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/compliance/spec"
 	"github.com/aquasecurity/trivy/pkg/flag"
+	iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
 )
 
 const expectedS3ScanResult = `{
@@ -1002,18 +1003,17 @@ deny {
 				},
 				ReportOptions: flag.ReportOptions{
 					Compliance: spec.ComplianceSpec{
-						Spec: defsecTypes.Spec{
-							// TODO: refactor defsec so that the parsed spec can be passed
+						Spec: iacTypes.Spec{
 							ID:          "@testdata/example-spec.yaml",
 							Title:       "my-custom-spec",
 							Description: "My fancy spec",
 							Version:     "1.2",
-							Controls: []defsecTypes.Control{
+							Controls: []iacTypes.Control{
 								{
 									ID:          "1.1",
 									Name:        "Unencrypted S3 bucket",
 									Description: "S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.",
-									Checks: []defsecTypes.SpecCheck{
+									Checks: []iacTypes.SpecCheck{
 										{ID: "AVD-AWS-0088"},
 									},
 									Severity: "HIGH",

pkg/cloud/aws/scanner/scanner.go

@@ -7,14 +7,14 @@ import (
 
 	"golang.org/x/xerrors"
 
-	"github.com/aquasecurity/defsec/pkg/framework"
-	"github.com/aquasecurity/defsec/pkg/scan"
-	"github.com/aquasecurity/defsec/pkg/scanners/options"
-	"github.com/aquasecurity/defsec/pkg/state"
 	aws "github.com/aquasecurity/trivy-aws/pkg/scanner"
 	"github.com/aquasecurity/trivy/pkg/cloud/aws/cache"
 	"github.com/aquasecurity/trivy/pkg/commands/operation"
 	"github.com/aquasecurity/trivy/pkg/flag"
+	"github.com/aquasecurity/trivy/pkg/iac/framework"
+	"github.com/aquasecurity/trivy/pkg/iac/scan"
+	"github.com/aquasecurity/trivy/pkg/iac/scanners/options"
+	"github.com/aquasecurity/trivy/pkg/iac/state"
 	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/misconf"
 )

pkg/cloud/report/convert.go

@@ -7,8 +7,8 @@ import (
 
 	"github.com/aws/aws-sdk-go-v2/aws/arn"
 
-	"github.com/aquasecurity/defsec/pkg/scan"
 	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
+	"github.com/aquasecurity/trivy/pkg/iac/scan"
 	"github.com/aquasecurity/trivy/pkg/types"
 )
 
@@ -61,12 +61,12 @@ func ConvertResults(results scan.Results, provider string, scoped []string) map[
 					primaryURL = fmt.Sprintf("https://avd.aquasec.com/misconfig/%s", strings.ToLower(result.Rule().AVDID))
 				}
 
-				status := types.StatusFailure
+				status := types.MisconfStatusFailure
 				switch result.Status() {
 				case scan.StatusPassed:
-					status = types.StatusPassed
+					status = types.MisconfStatusPassed
 				case scan.StatusIgnored:
-					status = types.StatusException
+					status = types.MisconfStatusException
 				}
 
 				flat := result.Flatten()

pkg/cloud/report/convert_test.go

@@ -7,9 +7,9 @@ import (
 	"github.com/aws/aws-sdk-go-v2/aws/arn"
 	"github.com/stretchr/testify/assert"
 
-	"github.com/aquasecurity/defsec/pkg/scan"
-	defsecTypes "github.com/aquasecurity/defsec/pkg/types"
 	fanaltypes "github.com/aquasecurity/trivy/pkg/fanal/types"
+	"github.com/aquasecurity/trivy/pkg/iac/scan"
+	iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
 	"github.com/aquasecurity/trivy/pkg/types"
 )
 
@@ -57,7 +57,7 @@ func Test_ResultConversion(t *testing.T) {
 				var s3Results scan.Results
 				s3Results.Add(
 					"something failed",
-					defsecTypes.NewRemoteMetadata((arn.ARN{
+					iacTypes.NewRemoteMetadata((arn.ARN{
 						Partition: "aws",
 						Service:   "s3",
 						Region:    "us-east-1",
@@ -67,7 +67,7 @@ func Test_ResultConversion(t *testing.T) {
 				)
 				s3Results.Add(
 					"something else failed",
-					defsecTypes.NewRemoteMetadata((arn.ARN{
+					iacTypes.NewRemoteMetadata((arn.ARN{
 						Partition: "aws",
 						Service:   "s3",
 						Region:    "us-east-1",
@@ -77,7 +77,7 @@ func Test_ResultConversion(t *testing.T) {
 				)
 				s3Results.Add(
 					"something else failed again",
-					defsecTypes.NewRemoteMetadata((arn.ARN{
+					iacTypes.NewRemoteMetadata((arn.ARN{
 						Partition: "aws",
 						Service:   "s3",
 						Region:    "us-east-1",
@@ -90,7 +90,7 @@ func Test_ResultConversion(t *testing.T) {
 				var ec2Results scan.Results
 				ec2Results.Add(
 					"instance is bad",
-					defsecTypes.NewRemoteMetadata((arn.ARN{
+					iacTypes.NewRemoteMetadata((arn.ARN{
 						Partition: "aws",
 						Service:   "ec2",
 						Region:    "us-east-1",

pkg/cloud/report/report.go

@@ -9,12 +9,12 @@ import (
 
 	"golang.org/x/xerrors"
 
-	"github.com/aquasecurity/defsec/pkg/scan"
 	"github.com/aquasecurity/tml"
 	"github.com/aquasecurity/trivy/pkg/clock"
 	cr "github.com/aquasecurity/trivy/pkg/compliance/report"
 	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/flag"
+	"github.com/aquasecurity/trivy/pkg/iac/scan"
 	pkgReport "github.com/aquasecurity/trivy/pkg/report"
 	"github.com/aquasecurity/trivy/pkg/result"
 	"github.com/aquasecurity/trivy/pkg/types"

pkg/cloud/report/service_test.go

@@ -3,18 +3,19 @@ package report
 import (
 	"bytes"
 	"context"
-	"github.com/aquasecurity/trivy/pkg/clock"
 	"testing"
 	"time"
 
+	"github.com/aquasecurity/trivy/pkg/clock"
+
 	"github.com/aws/aws-sdk-go-v2/aws/arn"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"github.com/aquasecurity/defsec/pkg/scan"
-	defsecTypes "github.com/aquasecurity/defsec/pkg/types"
 	"github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/flag"
+	"github.com/aquasecurity/trivy/pkg/iac/scan"
+	iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
 )
 
 func Test_ServiceReport(t *testing.T) {
@@ -364,7 +365,7 @@ func createTestResults() scan.Results {
 	var s3Results scan.Results
 	s3Results.Add(
 		"something failed",
-		defsecTypes.NewRemoteMetadata((arn.ARN{
+		iacTypes.NewRemoteMetadata((arn.ARN{
 			Partition: "aws",
 			Service:   "s3",
 			Region:    "us-east-1",
@@ -374,7 +375,7 @@ func createTestResults() scan.Results {
 	)
 	s3Results.Add(
 		"something else failed",
-		defsecTypes.NewRemoteMetadata((arn.ARN{
+		iacTypes.NewRemoteMetadata((arn.ARN{
 			Partition: "aws",
 			Service:   "s3",
 			Region:    "us-east-1",
@@ -384,7 +385,7 @@ func createTestResults() scan.Results {
 	)
 	s3Results.Add(
 		"something else failed again",
-		defsecTypes.NewRemoteMetadata((arn.ARN{
+		iacTypes.NewRemoteMetadata((arn.ARN{
 			Partition: "aws",
 			Service:   "s3",
 			Region:    "us-east-1",
@@ -393,7 +394,7 @@ func createTestResults() scan.Results {
 		}).String()),
 	)
 	s3Results.AddPassed(
-		defsecTypes.NewRemoteMetadata((arn.ARN{
+		iacTypes.NewRemoteMetadata((arn.ARN{
 			Partition: "aws",
 			Service:   "s3",
 			Region:    "us-east-1",
@@ -406,7 +407,7 @@ func createTestResults() scan.Results {
 	var ec2Results scan.Results
 	ec2Results.Add(
 		"instance is bad",
-		defsecTypes.NewRemoteMetadata((arn.ARN{
+		iacTypes.NewRemoteMetadata((arn.ARN{
 			Partition: "aws",
 			Service:   "ec2",
 			Region:    "us-east-1",

pkg/commands/app.go

@@ -643,6 +643,7 @@ func NewConfigCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 	reportFlagGroup.DependencyTree = nil // disable '--dependency-tree'
 	reportFlagGroup.ListAllPkgs = nil    // disable '--list-all-pkgs'
 	reportFlagGroup.ExitOnEOL = nil      // disable '--exit-on-eol'
+	reportFlagGroup.ShowSuppressed = nil // disable '--show-suppressed'
 	reportFormat := flag.ReportFormatFlag.Clone()
 	reportFormat.Usage = "specify a compliance report format for the output" // @TODO: support --report summary for non compliance reports
 	reportFlagGroup.ReportFormat = reportFormat
@@ -988,6 +989,7 @@ func NewAWSCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 	}
 	reportFlagGroup.Compliance = &compliance // override usage as the accepted values differ for each subcommand.
 	reportFlagGroup.ExitOnEOL = nil          // disable '--exit-on-eol'
+	reportFlagGroup.ShowSuppressed = nil     // disable '--show-suppressed'
 
 	awsFlags := &flag.Flags{
 		GlobalFlagGroup:  globalFlags,
@@ -1123,11 +1125,24 @@ func NewSBOMCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 	reportFlagGroup.DependencyTree = nil // disable '--dependency-tree'
 	reportFlagGroup.ReportFormat = nil   // TODO: support --report summary
 
+	scanners := flag.ScannersFlag.Clone()
+	scanners.Values = xstrings.ToStringSlice(types.Scanners{
+		types.VulnerabilityScanner,
+		types.LicenseScanner,
+	})
+	scanners.Default = xstrings.ToStringSlice(types.Scanners{
+		types.VulnerabilityScanner,
+	})
 	scanFlagGroup := flag.NewScanFlagGroup()
-	scanFlagGroup.Scanners = nil       // disable '--scanners' as it always scans for vulnerabilities
+	scanFlagGroup.Scanners = scanners  // allow only 'vuln' and 'license' options for '--scanners'
 	scanFlagGroup.IncludeDevDeps = nil // disable '--include-dev-deps'
 	scanFlagGroup.Parallel = nil       // disable '--parallel'
 
+	licenseFlagGroup := flag.NewLicenseFlagGroup()
+	// License full-scan and confidence-level are for file content only
+	licenseFlagGroup.LicenseFull = nil
+	licenseFlagGroup.LicenseConfidenceLevel = nil
+
 	sbomFlags := &flag.Flags{
 		GlobalFlagGroup:        globalFlags,
 		CacheFlagGroup:         flag.NewCacheFlagGroup(),
@@ -1137,11 +1152,12 @@ func NewSBOMCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 		ScanFlagGroup:          scanFlagGroup,
 		SBOMFlagGroup:          flag.NewSBOMFlagGroup(),
 		VulnerabilityFlagGroup: flag.NewVulnerabilityFlagGroup(),
+		LicenseFlagGroup:       licenseFlagGroup,
 	}
 
 	cmd := &cobra.Command{
 		Use:     "sbom [flags] SBOM_PATH",
-		Short:   "Scan SBOM for vulnerabilities",
+		Short:   "Scan SBOM for vulnerabilities and licenses",
 		GroupID: groupScanning,
 		Example: `  # Scan CycloneDX and show the result in tables
   $ trivy sbom /path/to/report.cdx
@@ -1164,9 +1180,6 @@ func NewSBOMCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 				return xerrors.Errorf("flag error: %w", err)
 			}
 
-			// Scan vulnerabilities
-			options.Scanners = types.Scanners{types.VulnerabilityScanner}
-
 			return artifact.Run(cmd.Context(), options, artifact.TargetSBOM)
 		},
 		SilenceErrors: true,

pkg/commands/artifact/run.go

@@ -514,7 +514,8 @@ func disabledAnalyzers(opts flag.Options) []analyzer.Type {
 		analyzers = append(analyzers, analyzer.TypeHistoryDockerfile)
 	}
 
-	if len(opts.SBOMSources) == 0 {
+	// Skip executable file analysis if Rekor isn't a specified SBOM source.
+	if !slices.Contains(opts.SBOMSources, types.SBOMSourceRekor) {
 		analyzers = append(analyzers, analyzer.TypeExecutable)
 	}
 
@@ -669,6 +670,9 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
 				DockerOptions: ftypes.DockerOptions{
 					Host: opts.DockerHost,
 				},
+				PodmanOptions: ftypes.PodmanOptions{
+					Host: opts.PodmanHost,
+				},
 				ImageSources: opts.ImageSources,
 			},
 

pkg/compliance/report/json_test.go

@@ -26,7 +26,10 @@ func TestJSONWriter_Write(t *testing.T) {
 				Results: types.Results{
 					{
 						Misconfigurations: []types.DetectedMisconfiguration{
-							{AVDID: "AVD-KSV012", Status: types.StatusFailure},
+							{
+								AVDID:  "AVD-KSV012",
+								Status: types.MisconfStatusFailure,
+							},
 						},
 					},
 				},
@@ -38,7 +41,10 @@ func TestJSONWriter_Write(t *testing.T) {
 				Results: types.Results{
 					{
 						Misconfigurations: []types.DetectedMisconfiguration{
-							{AVDID: "AVD-KSV013", Status: types.StatusFailure},
+							{
+								AVDID:  "AVD-KSV013",
+								Status: types.MisconfStatusFailure,
+							},
 						},
 					},
 				},
@@ -69,7 +75,10 @@ func TestJSONWriter_Write(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			buf := new(bytes.Buffer)
-			tr := report.JSONWriter{Report: tt.reportType, Output: buf}
+			tr := report.JSONWriter{
+				Report: tt.reportType,
+				Output: buf,
+			}
 			err := tr.Write(tt.input)
 			require.NoError(t, err)
 

pkg/compliance/report/report.go

@@ -6,9 +6,9 @@ import (
 
 	"golang.org/x/xerrors"
 
-	defsecTypes "github.com/aquasecurity/defsec/pkg/types"
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/compliance/spec"
+	iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
 	"github.com/aquasecurity/trivy/pkg/types"
 )
 
@@ -39,7 +39,7 @@ type ControlCheckResult struct {
 	ID            string
 	Name          string
 	Description   string
-	DefaultStatus defsecTypes.ControlStatus `json:",omitempty"`
+	DefaultStatus iacTypes.ControlStatus `json:",omitempty"`
 	Severity      string
 	Results       types.Results
 }
@@ -96,7 +96,7 @@ func (r ComplianceReport) empty() bool {
 }
 
 // buildControlCheckResults create compliance results data
-func buildControlCheckResults(checksMap map[string]types.Results, controls []defsecTypes.Control) []*ControlCheckResult {
+func buildControlCheckResults(checksMap map[string]types.Results, controls []iacTypes.Control) []*ControlCheckResult {
 	var complianceResults []*ControlCheckResult
 	for _, control := range controls {
 		var results types.Results
@@ -116,7 +116,7 @@ func buildControlCheckResults(checksMap map[string]types.Results, controls []def
 }
 
 // buildComplianceReportResults create compliance results data
-func buildComplianceReportResults(checksMap map[string]types.Results, s defsecTypes.Spec) *ComplianceReport {
+func buildComplianceReportResults(checksMap map[string]types.Results, s iacTypes.Spec) *ComplianceReport {
 	controlCheckResult := buildControlCheckResults(checksMap, s.Controls)
 	return &ComplianceReport{
 		ID:               s.ID,

pkg/compliance/report/report_test.go

@@ -6,12 +6,12 @@ import (
 
 	"github.com/stretchr/testify/assert"
 
-	defsecTypes "github.com/aquasecurity/defsec/pkg/types"
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
 	"github.com/aquasecurity/trivy/pkg/compliance/report"
 	"github.com/aquasecurity/trivy/pkg/compliance/spec"
 	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
+	iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
 	"github.com/aquasecurity/trivy/pkg/types"
 )
 
@@ -57,13 +57,13 @@ func TestBuildComplianceReport(t *testing.T) {
 										"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted",
 										"https://avd.aquasec.com/misconfig/ksv001",
 									},
-									Status: types.StatusPassed,
+									Status: types.MisconfStatusPassed,
 								},
 								{
 									Type:   "Kubernetes Security Check",
 									ID:     "KSV002",
 									AVDID:  "AVD-KSV-9999",
-									Status: types.StatusFailure,
+									Status: types.MisconfStatusFailure,
 								},
 							},
 						},
@@ -98,7 +98,7 @@ func TestBuildComplianceReport(t *testing.T) {
 					},
 				},
 				cs: spec.ComplianceSpec{
-					Spec: defsecTypes.Spec{
+					Spec: iacTypes.Spec{
 						ID:          "1234",
 						Title:       "NSA",
 						Description: "National Security Agency - Kubernetes Hardening Guidance",
@@ -106,13 +106,13 @@ func TestBuildComplianceReport(t *testing.T) {
 						RelatedResources: []string{
 							"https://example.com",
 						},
-						Controls: []defsecTypes.Control{
+						Controls: []iacTypes.Control{
 							{
 								ID:          "1.0",
 								Name:        "Non-root containers",
 								Description: "Check that container is not running as root",
 								Severity:    "MEDIUM",
-								Checks: []defsecTypes.SpecCheck{
+								Checks: []iacTypes.SpecCheck{
 									{ID: "AVD-KSV-0001"},
 								},
 							},
@@ -121,7 +121,7 @@ func TestBuildComplianceReport(t *testing.T) {
 								Name:        "Immutable container file systems",
 								Description: "Check that container root file system is immutable",
 								Severity:    "LOW",
-								Checks: []defsecTypes.SpecCheck{
+								Checks: []iacTypes.SpecCheck{
 									{ID: "AVD-KSV-0002"},
 								},
 							},
@@ -130,7 +130,7 @@ func TestBuildComplianceReport(t *testing.T) {
 								Name:        "tzdata - new upstream version",
 								Description: "Bad tzdata package",
 								Severity:    "CRITICAL",
-								Checks: []defsecTypes.SpecCheck{
+								Checks: []iacTypes.SpecCheck{
 									{ID: "DLA-2424-1"},
 								},
 							},
@@ -179,7 +179,7 @@ func TestBuildComplianceReport(t *testing.T) {
 											"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted",
 											"https://avd.aquasec.com/misconfig/ksv001",
 										},
-										Status: types.StatusPassed,
+										Status: types.MisconfStatusPassed,
 									},
 								},
 							},

pkg/compliance/report/summary_test.go

@@ -32,7 +32,10 @@ func TestBuildSummary(t *testing.T) {
 						Results: types.Results{
 							{
 								Misconfigurations: []types.DetectedMisconfiguration{
-									{AVDID: "AVD-KSV012", Status: types.StatusFailure},
+									{
+										AVDID:  "AVD-KSV012",
+										Status: types.MisconfStatusFailure,
+									},
 								},
 							},
 						},
@@ -44,7 +47,10 @@ func TestBuildSummary(t *testing.T) {
 						Results: types.Results{
 							{
 								Misconfigurations: []types.DetectedMisconfiguration{
-									{AVDID: "AVD-KSV013", Status: types.StatusFailure},
+									{
+										AVDID:  "AVD-KSV013",
+										Status: types.MisconfStatusFailure,
+									},
 								},
 							},
 						},
@@ -86,7 +92,10 @@ func TestBuildSummary(t *testing.T) {
 						Results: types.Results{
 							{
 								Misconfigurations: []types.DetectedMisconfiguration{
-									{AVDID: "AVD-KSV012", Status: types.StatusFailure},
+									{
+										AVDID:  "AVD-KSV012",
+										Status: types.MisconfStatusFailure,
+									},
 								},
 							},
 						},
@@ -98,7 +107,10 @@ func TestBuildSummary(t *testing.T) {
 						Results: types.Results{
 							{
 								Misconfigurations: []types.DetectedMisconfiguration{
-									{AVDID: "AVD-KSV013", Status: types.StatusFailure},
+									{
+										AVDID:  "AVD-KSV013",
+										Status: types.MisconfStatusFailure,
+									},
 								},
 							},
 						},

pkg/compliance/report/table.go

@@ -3,7 +3,6 @@ package report
 import (
 	"context"
 	"io"
-	"sync"
 
 	"golang.org/x/xerrors"
 
@@ -31,9 +30,8 @@ func (tw TableWriter) Write(ctx context.Context, report *ComplianceReport) error
 	switch tw.Report {
 	case allReport:
 		t := pkgReport.Writer{
-			Output:          tw.Output,
-			Severities:      tw.Severities,
-			ShowMessageOnce: &sync.Once{},
+			Output:     tw.Output,
+			Severities: tw.Severities,
 		}
 		for _, cr := range report.Results {
 			r := types.Report{Results: cr.Results}

pkg/compliance/report/table_test.go

@@ -39,7 +39,7 @@ func TestTableWriter_Write(t *testing.T) {
 								Misconfigurations: []types.DetectedMisconfiguration{
 									{
 										AVDID:  "AVD-KSV012",
-										Status: types.StatusFailure,
+										Status: types.MisconfStatusFailure,
 									},
 								},
 							},
@@ -54,7 +54,7 @@ func TestTableWriter_Write(t *testing.T) {
 								Misconfigurations: []types.DetectedMisconfiguration{
 									{
 										AVDID:  "AVD-KSV013",
-										Status: types.StatusFailure,
+										Status: types.MisconfStatusFailure,
 									},
 								},
 							},

pkg/compliance/spec/compliance.go

@@ -9,8 +9,8 @@ import (
 	"golang.org/x/xerrors"
 	"gopkg.in/yaml.v3"
 
-	defsecTypes "github.com/aquasecurity/defsec/pkg/types"
 	sp "github.com/aquasecurity/trivy-policies/pkg/spec"
+	iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
 	"github.com/aquasecurity/trivy/pkg/types"
 )
 
@@ -18,13 +18,13 @@ type Severity string
 
 // ComplianceSpec represent the compliance specification
 type ComplianceSpec struct {
-	Spec defsecTypes.Spec `yaml:"spec"`
+	Spec iacTypes.Spec `yaml:"spec"`
 }
 
 const (
-	FailStatus defsecTypes.ControlStatus = "FAIL"
-	PassStatus defsecTypes.ControlStatus = "PASS"
-	WarnStatus defsecTypes.ControlStatus = "WARN"
+	FailStatus iacTypes.ControlStatus = "FAIL"
+	PassStatus iacTypes.ControlStatus = "PASS"
+	WarnStatus iacTypes.ControlStatus = "WARN"
 )
 
 // Scanners reads spec control and determines the scanners by check ID prefix

pkg/compliance/spec/compliance_test.go

@@ -6,21 +6,21 @@ import (
 
 	"github.com/stretchr/testify/assert"
 
-	defsecTypes "github.com/aquasecurity/defsec/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/compliance/spec"
+	iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
 	"github.com/aquasecurity/trivy/pkg/types"
 )
 
 func TestComplianceSpec_Scanners(t *testing.T) {
 	tests := []struct {
 		name    string
-		spec    defsecTypes.Spec
+		spec    iacTypes.Spec
 		want    types.Scanners
 		wantErr assert.ErrorAssertionFunc
 	}{
 		{
 			name: "get config scanner type by check id prefix",
-			spec: defsecTypes.Spec{
+			spec: iacTypes.Spec{
 				ID:          "1234",
 				Title:       "NSA",
 				Description: "National Security Agency - Kubernetes Hardening Guidance",
@@ -28,12 +28,12 @@ func TestComplianceSpec_Scanners(t *testing.T) {
 					"https://example.com",
 				},
 				Version: "1.0",
-				Controls: []defsecTypes.Control{
+				Controls: []iacTypes.Control{
 					{
 						Name:        "Non-root containers",
 						Description: "Check that container is not running as root",
 						ID:          "1.0",
-						Checks: []defsecTypes.SpecCheck{
+						Checks: []iacTypes.SpecCheck{
 							{ID: "AVD-KSV012"},
 						},
 					},
@@ -41,7 +41,7 @@ func TestComplianceSpec_Scanners(t *testing.T) {
 						Name:        "Check that encryption resource has been set",
 						Description: "Control checks whether encryption resource has been set",
 						ID:          "1.1",
-						Checks: []defsecTypes.SpecCheck{
+						Checks: []iacTypes.SpecCheck{
 							{ID: "AVD-1.2.31"},
 							{ID: "AVD-1.2.32"},
 						},
@@ -53,7 +53,7 @@ func TestComplianceSpec_Scanners(t *testing.T) {
 		},
 		{
 			name: "get config and vuln scanners types by check id prefix",
-			spec: defsecTypes.Spec{
+			spec: iacTypes.Spec{
 				ID:          "1234",
 				Title:       "NSA",
 				Description: "National Security Agency - Kubernetes Hardening Guidance",
@@ -61,12 +61,12 @@ func TestComplianceSpec_Scanners(t *testing.T) {
 					"https://example.com",
 				},
 				Version: "1.0",
-				Controls: []defsecTypes.Control{
+				Controls: []iacTypes.Control{
 					{
 						Name:        "Non-root containers",
 						Description: "Check that container is not running as root",
 						ID:          "1.0",
-						Checks: []defsecTypes.SpecCheck{
+						Checks: []iacTypes.SpecCheck{
 							{ID: "AVD-KSV012"},
 						},
 					},
@@ -74,7 +74,7 @@ func TestComplianceSpec_Scanners(t *testing.T) {
 						Name:        "Check that encryption resource has been set",
 						Description: "Control checks whether encryption resource has been set",
 						ID:          "1.1",
-						Checks: []defsecTypes.SpecCheck{
+						Checks: []iacTypes.SpecCheck{
 							{ID: "AVD-1.2.31"},
 							{ID: "AVD-1.2.32"},
 						},
@@ -83,7 +83,7 @@ func TestComplianceSpec_Scanners(t *testing.T) {
 						Name:        "Ensure no critical vulnerabilities",
 						Description: "Control checks whether critical vulnerabilities are not found",
 						ID:          "7.0",
-						Checks: []defsecTypes.SpecCheck{
+						Checks: []iacTypes.SpecCheck{
 							{ID: "CVE-9999-9999"},
 						},
 					},
@@ -97,7 +97,7 @@ func TestComplianceSpec_Scanners(t *testing.T) {
 		},
 		{
 			name: "unknown prefix",
-			spec: defsecTypes.Spec{
+			spec: iacTypes.Spec{
 				ID:          "1234",
 				Title:       "NSA",
 				Description: "National Security Agency - Kubernetes Hardening Guidance",
@@ -105,11 +105,11 @@ func TestComplianceSpec_Scanners(t *testing.T) {
 					"https://example.com",
 				},
 				Version: "1.0",
-				Controls: []defsecTypes.Control{
+				Controls: []iacTypes.Control{
 					{
 						Name: "Unknown",
 						ID:   "1.0",
-						Checks: []defsecTypes.SpecCheck{
+						Checks: []iacTypes.SpecCheck{
 							{ID: "UNKNOWN-001"},
 						},
 					},
@@ -138,12 +138,12 @@ func TestComplianceSpec_Scanners(t *testing.T) {
 func TestComplianceSpec_CheckIDs(t *testing.T) {
 	tests := []struct {
 		name string
-		spec defsecTypes.Spec
+		spec iacTypes.Spec
 		want map[types.Scanner][]string
 	}{
 		{
 			name: "get config scanner type by check id prefix",
-			spec: defsecTypes.Spec{
+			spec: iacTypes.Spec{
 				ID:          "1234",
 				Title:       "NSA",
 				Description: "National Security Agency - Kubernetes Hardening Guidance",
@@ -151,12 +151,12 @@ func TestComplianceSpec_CheckIDs(t *testing.T) {
 					"https://example.com",
 				},
 				Version: "1.0",
-				Controls: []defsecTypes.Control{
+				Controls: []iacTypes.Control{
 					{
 						Name:        "Non-root containers",
 						Description: "Check that container is not running as root",
 						ID:          "1.0",
-						Checks: []defsecTypes.SpecCheck{
+						Checks: []iacTypes.SpecCheck{
 							{ID: "AVD-KSV012"},
 						},
 					},
@@ -164,7 +164,7 @@ func TestComplianceSpec_CheckIDs(t *testing.T) {
 						Name:        "Check that encryption resource has been set",
 						Description: "Control checks whether encryption resource has been set",
 						ID:          "1.1",
-						Checks: []defsecTypes.SpecCheck{
+						Checks: []iacTypes.SpecCheck{
 							{ID: "AVD-1.2.31"},
 							{ID: "AVD-1.2.32"},
 						},
@@ -181,7 +181,7 @@ func TestComplianceSpec_CheckIDs(t *testing.T) {
 		},
 		{
 			name: "get config and vuln scanners types by check id prefix",
-			spec: defsecTypes.Spec{
+			spec: iacTypes.Spec{
 				ID:          "1234",
 				Title:       "NSA",
 				Description: "National Security Agency - Kubernetes Hardening Guidance",
@@ -189,12 +189,12 @@ func TestComplianceSpec_CheckIDs(t *testing.T) {
 					"https://example.com",
 				},
 				Version: "1.0",
-				Controls: []defsecTypes.Control{
+				Controls: []iacTypes.Control{
 					{
 						Name:        "Non-root containers",
 						Description: "Check that container is not running as root",
 						ID:          "1.0",
-						Checks: []defsecTypes.SpecCheck{
+						Checks: []iacTypes.SpecCheck{
 							{ID: "AVD-KSV012"},
 						},
 					},
@@ -202,7 +202,7 @@ func TestComplianceSpec_CheckIDs(t *testing.T) {
 						Name:        "Check that encryption resource has been set",
 						Description: "Control checks whether encryption resource has been set",
 						ID:          "1.1",
-						Checks: []defsecTypes.SpecCheck{
+						Checks: []iacTypes.SpecCheck{
 							{ID: "AVD-1.2.31"},
 							{ID: "AVD-1.2.32"},
 						},
@@ -211,7 +211,7 @@ func TestComplianceSpec_CheckIDs(t *testing.T) {
 						Name:        "Ensure no critical vulnerabilities",
 						Description: "Control checks whether critical vulnerabilities are not found",
 						ID:          "7.0",
-						Checks: []defsecTypes.SpecCheck{
+						Checks: []iacTypes.SpecCheck{
 							{ID: "CVE-9999-9999"},
 						},
 					},

pkg/compliance/spec/custom.go

@@ -4,7 +4,6 @@ import (
 	"github.com/samber/lo"
 
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
-	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/types"
 )
 
@@ -63,8 +62,8 @@ func filterHighSecrets(result types.Result) types.Result {
 }
 
 func filterSecrets(result types.Result, severity dbTypes.Severity) types.Result {
-	filtered := lo.Filter(result.Secrets, func(vuln ftypes.SecretFinding, _ int) bool {
-		return vuln.Severity == severity.String()
+	filtered := lo.Filter(result.Secrets, func(secret types.DetectedSecret, _ int) bool {
+		return secret.Severity == severity.String()
 	})
 	return types.Result{
 		Target:  result.Target,

pkg/compliance/spec/mapper.go

@@ -11,10 +11,10 @@ func MapSpecCheckIDToFilteredResults(result types.Result, checkIDs map[types.Sca
 	mapCheckByID := make(map[string]types.Results)
 	for _, vuln := range result.Vulnerabilities {
 		// Skip irrelevant check IDs
-		if !slices.Contains(checkIDs[types.VulnerabilityScanner], vuln.GetID()) {
+		if !slices.Contains(checkIDs[types.VulnerabilityScanner], vuln.VulnerabilityID) {
 			continue
 		}
-		mapCheckByID[vuln.GetID()] = append(mapCheckByID[vuln.GetID()], types.Result{
+		mapCheckByID[vuln.VulnerabilityID] = append(mapCheckByID[vuln.VulnerabilityID], types.Result{
 			Target:          result.Target,
 			Class:           result.Class,
 			Type:            result.Type,
@@ -23,11 +23,11 @@ func MapSpecCheckIDToFilteredResults(result types.Result, checkIDs map[types.Sca
 	}
 	for _, m := range result.Misconfigurations {
 		// Skip irrelevant check IDs
-		if !slices.Contains(checkIDs[types.MisconfigScanner], m.GetID()) {
+		if !slices.Contains(checkIDs[types.MisconfigScanner], m.AVDID) {
 			continue
 		}
 
-		mapCheckByID[m.GetID()] = append(mapCheckByID[m.GetID()], types.Result{
+		mapCheckByID[m.AVDID] = append(mapCheckByID[m.AVDID], types.Result{
 			Target:            result.Target,
 			Class:             result.Class,
 			Type:              result.Type,
@@ -45,11 +45,11 @@ func MapSpecCheckIDToFilteredResults(result types.Result, checkIDs map[types.Sca
 func misconfigSummary(misconfig types.DetectedMisconfiguration) *types.MisconfSummary {
 	rms := types.MisconfSummary{}
 	switch misconfig.Status {
-	case types.StatusPassed:
+	case types.MisconfStatusPassed:
 		rms.Successes = 1
-	case types.StatusFailure:
+	case types.MisconfStatusFailure:
 		rms.Failures = 1
-	case types.StatusException:
+	case types.MisconfStatusException:
 		rms.Exceptions = 1
 	}
 	return &rms

pkg/compliance/spec/mapper_test.go

@@ -42,15 +42,15 @@ func TestMapSpecCheckIDToFilteredResults(t *testing.T) {
 				Misconfigurations: []types.DetectedMisconfiguration{
 					{
 						AVDID:  "AVD-KSV012",
-						Status: types.StatusFailure,
+						Status: types.MisconfStatusFailure,
 					},
 					{
 						AVDID:  "AVD-KSV013",
-						Status: types.StatusFailure,
+						Status: types.MisconfStatusFailure,
 					},
 					{
 						AVDID:  "AVD-1.2.31",
-						Status: types.StatusFailure,
+						Status: types.MisconfStatusFailure,
 					},
 				},
 			},
@@ -68,7 +68,7 @@ func TestMapSpecCheckIDToFilteredResults(t *testing.T) {
 						Misconfigurations: []types.DetectedMisconfiguration{
 							{
 								AVDID:  "AVD-KSV012",
-								Status: types.StatusFailure,
+								Status: types.MisconfStatusFailure,
 							},
 						},
 					},
@@ -86,7 +86,7 @@ func TestMapSpecCheckIDToFilteredResults(t *testing.T) {
 						Misconfigurations: []types.DetectedMisconfiguration{
 							{
 								AVDID:  "AVD-1.2.31",
-								Status: types.StatusFailure,
+								Status: types.MisconfStatusFailure,
 							},
 						},
 					},
@@ -99,7 +99,7 @@ func TestMapSpecCheckIDToFilteredResults(t *testing.T) {
 			result: types.Result{
 				Target: "target",
 				Class:  types.ClassSecret,
-				Secrets: []ftypes.SecretFinding{
+				Secrets: []types.DetectedSecret{
 					{
 						RuleID:   "aws-access-key-id",
 						Category: secret.CategoryAWS,
@@ -135,7 +135,7 @@ func TestMapSpecCheckIDToFilteredResults(t *testing.T) {
 					{
 						Target: "target",
 						Class:  types.ClassSecret,
-						Secrets: []ftypes.SecretFinding{
+						Secrets: []types.DetectedSecret{
 							{
 								RuleID:   "aws-access-key-id",
 								Category: secret.CategoryAWS,

pkg/db/db.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"strings"
 	"time"
 
 	"github.com/google/go-containerregistry/pkg/v1/remote/transport"
@@ -78,6 +79,12 @@ func NewClient(cacheDir string, quiet bool, opts ...Option) *Client {
 		opt(o)
 	}
 
+	// Add the schema version as a tag if the tag doesn't exist.
+	// This is required for backward compatibility.
+	if !strings.Contains(o.dbRepository, ":") {
+		o.dbRepository = fmt.Sprintf("%s:%d", o.dbRepository, db.SchemaVersion)
+	}
+
 	return &Client{
 		options:  o,
 		cacheDir: cacheDir,
@@ -188,8 +195,7 @@ func (c *Client) initOCIArtifact(opt types.RegistryOptions) (*oci.Artifact, erro
 		return c.artifact, nil
 	}
 
-	repo := fmt.Sprintf("%s:%d", c.dbRepository, db.SchemaVersion)
-	art, err := oci.NewArtifact(repo, c.quiet, opt)
+	art, err := oci.NewArtifact(c.dbRepository, c.quiet, opt)
 	if err != nil {
 		var terr *transport.Error
 		if errors.As(err, &terr) {

pkg/dependency/id.go

@@ -0,0 +1,32 @@
+package dependency
+
+import (
+	"strings"
+
+	"github.com/aquasecurity/trivy/pkg/fanal/types"
+)
+
+// ID returns a unique ID for the given library.
+// The package ID is used to construct the dependency graph.
+// The separator is different for each language type.
+func ID(ltype types.LangType, name, version string) string {
+	if version == "" {
+		return name
+	}
+
+	sep := "@"
+	switch ltype {
+	case types.Conan:
+		sep = "/"
+	case types.GoModule, types.GoBinary:
+		// Return a module ID according the Go way.
+		// Format: <module_name>@v<module_version>
+		// e.g. github.com/aquasecurity/go-dep-parser@v0.0.0-20230130190635-5e31092b0621
+		if !strings.HasPrefix(version, "v") {
+			version = "v" + version
+		}
+	case types.Jar, types.Pom, types.Gradle:
+		sep = ":"
+	}
+	return name + sep + version
+}