chore(deps): bump github.com/aquasecurity/trivy from 0.25.4 to 0.27.0 (#1451)

* chore(deps): bump github.com/aquasecurity/trivy from 0.25.4 to 0.27.0

Bumps [github.com/aquasecurity/trivy](https://github.com/aquasecurity/trivy) from 0.25.4 to 0.27.0.
- [Release notes](https://github.com/aquasecurity/trivy/releases)
- [Changelog](https://github.com/aquasecurity/trivy/blob/main/goreleaser.yml)
- [Commits](https://github.com/aquasecurity/trivy/compare/v0.25.4...v0.27.0)

---
updated-dependencies:
- dependency-name: github.com/aquasecurity/trivy
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* fix(library): support go.mod scan

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>

contrib/trivy/pkg/converter.go

@@ -4,8 +4,6 @@ import (
 	"sort"
 	"time"
 
-	ftypes "github.com/aquasecurity/fanal/types"
-
 	"github.com/aquasecurity/fanal/analyzer/os"
 	"github.com/aquasecurity/trivy/pkg/types"
 
@@ -79,8 +77,8 @@ func Convert(results types.Results) (result *models.ScanResult, err error) {
 					LastModified:  lastModified,
 				}},
 			}
-			// do onlyIif image type is Vuln
-			if IsTrivySupportedOS(trivyResult.Type) {
+			// do only if image type is Vuln
+			if isTrivySupportedOS(trivyResult.Type) {
 				pkgs[vuln.PkgName] = models.Package{
 					Name:    vuln.PkgName,
 					Version: vuln.InstalledVersion,
@@ -178,51 +176,25 @@ func Convert(results types.Results) (result *models.ScanResult, err error) {
 	return scanResult, nil
 }
 
-// IsTrivySupportedOS :
-func IsTrivySupportedOS(family string) bool {
-	supportedFamilies := map[string]interface{}{
-		os.RedHat:             struct{}{},
-		os.Debian:             struct{}{},
-		os.Ubuntu:             struct{}{},
-		os.CentOS:             struct{}{},
-		os.Rocky:              struct{}{},
-		os.Alma:               struct{}{},
-		os.Fedora:             struct{}{},
-		os.Amazon:             struct{}{},
-		os.Oracle:             struct{}{},
-		os.Windows:            struct{}{},
-		os.OpenSUSE:           struct{}{},
-		os.OpenSUSELeap:       struct{}{},
-		os.OpenSUSETumbleweed: struct{}{},
-		os.SLES:               struct{}{},
-		os.Photon:             struct{}{},
-		os.Alpine:             struct{}{},
-		// os.Fedora:             struct{}{}, not supported yet
+func isTrivySupportedOS(family string) bool {
+	supportedFamilies := map[string]struct{}{
+		os.RedHat:             {},
+		os.Debian:             {},
+		os.Ubuntu:             {},
+		os.CentOS:             {},
+		os.Rocky:              {},
+		os.Alma:               {},
+		os.Fedora:             {},
+		os.Amazon:             {},
+		os.Oracle:             {},
+		os.Windows:            {},
+		os.OpenSUSE:           {},
+		os.OpenSUSELeap:       {},
+		os.OpenSUSETumbleweed: {},
+		os.SLES:               {},
+		os.Photon:             {},
+		os.Alpine:             {},
 	}
 	_, ok := supportedFamilies[family]
 	return ok
 }
-
-// IsTrivySupportedLib :
-func IsTrivySupportedLib(typestr string) bool {
-	supportedLibs := map[string]interface{}{
-		ftypes.Bundler:   struct{}{},
-		ftypes.GemSpec:   struct{}{},
-		ftypes.Cargo:     struct{}{},
-		ftypes.Composer:  struct{}{},
-		ftypes.Npm:       struct{}{},
-		ftypes.NuGet:     struct{}{},
-		ftypes.Pip:       struct{}{},
-		ftypes.Pipenv:    struct{}{},
-		ftypes.Poetry:    struct{}{},
-		ftypes.PythonPkg: struct{}{},
-		ftypes.NodePkg:   struct{}{},
-		ftypes.Yarn:      struct{}{},
-		ftypes.Jar:       struct{}{},
-		ftypes.Pom:       struct{}{},
-		ftypes.GoBinary:  struct{}{},
-		ftypes.GoMod:     struct{}{},
-	}
-	_, ok := supportedLibs[typestr]
-	return ok
-}

go.mod

@@ -7,9 +7,9 @@ require (
 	github.com/BurntSushi/toml v1.1.0
 	github.com/Ullaakut/nmap/v2 v2.1.2-0.20210406060955-59a52fe80a4f
 	github.com/VividCortex/ewma v1.2.0 // indirect
-	github.com/aquasecurity/fanal v0.0.0-20220406084015-9cc93a8482b8
-	github.com/aquasecurity/go-dep-parser v0.0.0-20220406074731-71021a481237
-	github.com/aquasecurity/trivy v0.25.4
+	github.com/aquasecurity/fanal v0.0.0-20220424145104-2e3e0044128c
+	github.com/aquasecurity/go-dep-parser v0.0.0-20220412145205-d0501f906d90
+	github.com/aquasecurity/trivy v0.27.0
 	github.com/aquasecurity/trivy-db v0.0.0-20220327074450-74195d9604b2
 	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d
 	github.com/aws/aws-sdk-go v1.43.31
@@ -148,7 +148,8 @@ require (
 	go.uber.org/multierr v1.6.0 // indirect
 	go.uber.org/zap v1.21.0 // indirect
 	golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4 // indirect
-	golang.org/x/exp v0.0.0-20220321124402-2d6d886f8a82 // indirect
+	golang.org/x/exp v0.0.0-20220407100705-7b9b53b0aca4 // indirect
+	golang.org/x/mod v0.6.0-dev.0.20211013180041-c96bc1413d57 // indirect
 	golang.org/x/net v0.0.0-20220412020605-290c469a71a5 // indirect
 	golang.org/x/sys v0.0.0-20220412211240-33da011f77ad // indirect
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect

go.sum

@@ -155,10 +155,10 @@ github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb
 github.com/apache/thrift v0.13.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
 github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM=
-github.com/aquasecurity/fanal v0.0.0-20220406084015-9cc93a8482b8 h1:upNoF0Y/HkO0I/ODEoZvlaYmpYl2YVkVuP70QBuI6uc=
-github.com/aquasecurity/fanal v0.0.0-20220406084015-9cc93a8482b8/go.mod h1:Yw8qKVnr4d9bz/nhozrnTAebVrXgpUD6jgXYinm85P0=
-github.com/aquasecurity/go-dep-parser v0.0.0-20220406074731-71021a481237 h1:FX5MaNimz5xK6LYbp+mI23i2m6OmoKaHAEgRVehLDs8=
-github.com/aquasecurity/go-dep-parser v0.0.0-20220406074731-71021a481237/go.mod h1:MewgJXyrz9PgCHh8zunRNY4BY72ltNYWeTYAt1paaLc=
+github.com/aquasecurity/fanal v0.0.0-20220424145104-2e3e0044128c h1:g4st9d5J5Fee8G/ksjiPySe9u2FilJm0gW7D3kHHNCI=
+github.com/aquasecurity/fanal v0.0.0-20220424145104-2e3e0044128c/go.mod h1:ERVBQQj3NWY8A9T6SJnO/69t9b34yHwMmpwsExQJX6M=
+github.com/aquasecurity/go-dep-parser v0.0.0-20220412145205-d0501f906d90 h1:uZcI5qV7J1pzOc6W49l7iEey/KtEVlaqsNU5l65vZLk=
+github.com/aquasecurity/go-dep-parser v0.0.0-20220412145205-d0501f906d90/go.mod h1:rK/5BoRt8/D7xXydoVVeBaQuk6zDJ6W+FWz/RqFuJxI=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
 github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798 h1:eveqE9ivrt30CJ7dOajOfBavhZ4zPqHcZe/4tKp0alc=
@@ -168,8 +168,8 @@ github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46/go.
 github.com/aquasecurity/go-version v0.0.0-20201107203531-5e48ac5d022a/go.mod h1:9Beu8XsUNNfzml7WBf3QmyPToP1wm1Gj/Vc5UJKqTzU=
 github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492 h1:rcEG5HI490FF0a7zuvxOxen52ddygCfNVjP0XOCMl+M=
 github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492/go.mod h1:9Beu8XsUNNfzml7WBf3QmyPToP1wm1Gj/Vc5UJKqTzU=
-github.com/aquasecurity/trivy v0.25.4 h1:w5ND1lhm/8I44of4bz3/9RfiCHtcD5Nc3iynhg7zxm0=
-github.com/aquasecurity/trivy v0.25.4/go.mod h1:OXiGFBkWSrr6tLWY8g6CnjzBIf4tLmiUrQ2Goj6n9FU=
+github.com/aquasecurity/trivy v0.27.0 h1:r6XDq1hqCro9ygbsmpsBzX/4+ncvrN5BzifSHb8ohsU=
+github.com/aquasecurity/trivy v0.27.0/go.mod h1:ROApV3kFKJH7Tj6lopM6jQGtxDu8Emnds9k2yBM/iYQ=
 github.com/aquasecurity/trivy-db v0.0.0-20220327074450-74195d9604b2 h1:q2Gza4V8uO5C1COzC2HeTbQgJIrmC6dTWaXZ8ujiWu0=
 github.com/aquasecurity/trivy-db v0.0.0-20220327074450-74195d9604b2/go.mod h1:EwiQRdzVq6k7cKOMjkss8LjWMt2FUW7NaYwE7HfZZvk=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
@@ -1106,6 +1106,7 @@ github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQD
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/safchain/ethtool v0.0.0-20190326074333-42ed695e3de8/go.mod h1:Z0q5wiBQGYcxhMZ6gUqHn6pYNLypFAvaL3UvgZLR0U4=
 github.com/sagikazarmark/crypt v0.3.0/go.mod h1:uD/D+6UF4SrIR1uGEv7bBNkNqLGqUr43MRiaGWX1Nig=
+github.com/samber/lo v1.15.0 h1:oCv6DoDkpUyfHxJdWJSzClCO/V/1Si9TjWFH1OZWf6I=
 github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E=
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
@@ -1336,8 +1337,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/exp v0.0.0-20220321124402-2d6d886f8a82 h1:P3h2IfqHFILVjDaCKXyuKMprdEyIbrbKevbf2EB6lQI=
-golang.org/x/exp v0.0.0-20220321124402-2d6d886f8a82/go.mod h1:lgLbSvA5ygNOMpwM/9anMpWVlVJ7Z+cHWq/eFuinpGE=
+golang.org/x/exp v0.0.0-20220407100705-7b9b53b0aca4 h1:K3x+yU+fbot38x5bQbU2QqUAVyYLEktdNH2GxZLnM3U=
+golang.org/x/exp v0.0.0-20220407100705-7b9b53b0aca4/go.mod h1:lgLbSvA5ygNOMpwM/9anMpWVlVJ7Z+cHWq/eFuinpGE=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -1366,6 +1367,7 @@ golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
 golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
 golang.org/x/mod v0.6.0-dev.0.20211013180041-c96bc1413d57 h1:LQmS1nU0twXLA96Kt7U9qtHJEbBk3z6Q0V4UXjZkpr4=
+golang.org/x/mod v0.6.0-dev.0.20211013180041-c96bc1413d57/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY=
 golang.org/x/net v0.0.0-20180218175443-cbe0f9307d01/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=

models/library.go

@@ -3,13 +3,14 @@ package models
 import (
 	"path/filepath"
 
+	ftypes "github.com/aquasecurity/fanal/types"
 	"github.com/aquasecurity/trivy-db/pkg/db"
 	trivyDBTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/detector/library"
-	"github.com/future-architect/vuls/logging"
-
 	"github.com/aquasecurity/trivy/pkg/types"
 	"golang.org/x/xerrors"
+
+	"github.com/future-architect/vuls/logging"
 )
 
 // LibraryScanners is an array of LibraryScanner
@@ -132,32 +133,53 @@ func getCveContents(cveID string, vul trivyDBTypes.Vulnerability) (contents map[
 
 // LibraryMap is filename and library type
 var LibraryMap = map[string]string{
-	"package-lock.json":  "node",
-	"yarn.lock":          "node",
-	"Gemfile.lock":       "ruby",
-	"Cargo.lock":         "rust",
-	"composer.lock":      "php",
-	"requirements.txt":   "python",
-	"Pipfile.lock":       "python",
-	"poetry.lock":        "python",
-	"packages.lock.json": ".net",
-	"packages.config":    ".net",
-	"go.sum":             "gomod",
-	"pom.xml":            "java",
-	"*.jar":              "java",
-	"*.war":              "java",
-	"*.ear":              "java",
-	"*.par":              "java",
+	ftypes.NpmPkgLock:      "node",
+	ftypes.YarnLock:        "node",
+	ftypes.GemfileLock:     "ruby",
+	ftypes.CargoLock:       "rust",
+	ftypes.ComposerLock:    "php",
+	ftypes.PipRequirements: "python",
+	ftypes.PipfileLock:     "python",
+	ftypes.PoetryLock:      "python",
+	ftypes.NuGetPkgsLock:   ".net",
+	ftypes.NuGetPkgsConfig: ".net",
+	ftypes.GoMod:           "gomod",
+	ftypes.GoSum:           "gomod",
+	ftypes.MavenPom:        "java",
+	"*.jar":                "java",
+	"*.war":                "java",
+	"*.ear":                "java",
+	"*.par":                "java",
 }
 
 // GetLibraryKey returns target library key
 func (s LibraryScanner) GetLibraryKey() string {
-	fileName := filepath.Base(s.LockfilePath)
 	switch s.Type {
-	case "jar", "war", "ear", "par":
+	case ftypes.Bundler, ftypes.GemSpec:
+		return "ruby"
+	case ftypes.Cargo:
+		return "rust"
+	case ftypes.Composer:
+		return "php"
+	case ftypes.GoBinary, ftypes.GoModule:
+		return "gomod"
+	case ftypes.Jar, ftypes.Pom:
 		return "java"
+	case ftypes.Npm, ftypes.Yarn, ftypes.NodePkg, ftypes.JavaScript:
+		return "node"
+	case ftypes.NuGet:
+		return ".net"
+	case ftypes.Pipenv, ftypes.Poetry, ftypes.Pip, ftypes.PythonPkg:
+		return "python"
+	default:
+		filename := filepath.Base(s.LockfilePath)
+		switch filepath.Ext(filename) {
+		case ".jar", ".war", ".ear", ".par":
+			return "java"
+		default:
+			return LibraryMap[filename]
+		}
 	}
-	return LibraryMap[fileName]
 }
 
 // LibraryFixedIn has library fixed information

scanner/base.go

@@ -686,6 +686,7 @@ func AnalyzeLibraries(ctx context.Context, libFilemap map[string]LibFile, isOffl
 		analyzer.TypeJSON,
 		analyzer.TypeDockerfile,
 		analyzer.TypeHCL,
+		analyzer.TypeSecret,
 	}
 	anal := analyzer.NewAnalyzerGroup(analyzer.GroupBuiltin, disabledAnalyzers)
 
@@ -701,6 +702,7 @@ func AnalyzeLibraries(ctx context.Context, libFilemap map[string]LibFile, isOffl
 			path,
 			&DummyFileInfo{size: int64(len(f.Contents)), filemode: f.Filemode},
 			func() (dio.ReadSeekCloserAt, error) { return dio.NopCloser(bytes.NewReader(f.Contents)), nil },
+			nil,
 			analyzer.AnalysisOptions{Offline: isOffline},
 		); err != nil {
 			return nil, xerrors.Errorf("Failed to get libs. err: %w", err)