Set actually affected package's name only to vulnInfo.PackageNames

report/localfile.go

@@ -58,8 +58,14 @@ func (w LocalFileWriter) Write(rs ...models.ScanResult) (err error) {
 			}
 
 			var b []byte
-			if b, err = json.Marshal(r); err != nil {
-				return fmt.Errorf("Failed to Marshal to JSON: %s", err)
+			if c.Conf.Debug {
+				if b, err = json.MarshalIndent(r, "", "    "); err != nil {
+					return fmt.Errorf("Failed to Marshal to JSON: %s", err)
+				}
+			} else {
+				if b, err = json.Marshal(r); err != nil {
+					return fmt.Errorf("Failed to Marshal to JSON: %s", err)
+				}
 			}
 			if err := writeFile(p, b, 0600); err != nil {
 				return fmt.Errorf("Failed to write JSON. path: %s, err: %s", p, err)

report/util.go

@@ -218,7 +218,6 @@ No CVE-IDs are found in updatable packages.
 		packsVer := []string{}
 		sort.Strings(vuln.PackageNames)
 		for _, name := range vuln.PackageNames {
-			// packages detected by OVAL may not be actually installed
 			if pack, ok := r.Packages[name]; ok {
 				packsVer = append(packsVer, pack.FormatVersionFromTo())
 			}