bump up version (#1007)

* Add proxyjump func

* Run go mod tidy

* Run make fmt

.github/FUNDING.yml

@@ -0,0 +1,3 @@
+# These are supported funding model platforms
+
+github: kotakanbe

.github/workflows/golangci.yml

@@ -0,0 +1,28 @@
+name: golangci-lint
+on:
+  push:
+    tags:
+      - v*
+    branches:
+      - master
+  pull_request:
+jobs:
+  golangci:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v1
+        with:
+          # Required: the version of golangci-lint is required and must be specified without patch version: we always use the latest patch version.
+          version: v1.26
+          
+          # Optional: working directory, useful for monorepos
+          # working-directory: somedir
+
+          # Optional: golangci-lint command line arguments.
+          # args: --issues-exit-code=0
+
+          # Optional: show only new issues if it's a pull request. The default value is `false`.
+          # only-new-issues: true

.github/workflows/goreleaser.yml

@@ -0,0 +1,31 @@
+name: goreleaser
+
+on:
+  push:
+    tags:
+      - '*'
+
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v2
+      -
+        name: Unshallow
+        run: git fetch --prune --unshallow
+      -
+        name: Set up Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.14
+      -
+        name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v2
+        with:
+          version: latest
+          args: release --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+

.github/workflows/test.yml

@@ -0,0 +1,21 @@
+name: Test
+
+on: [pull_request]
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+
+    - name: Set up Go 1.x
+      uses: actions/setup-go@v2
+      with:
+        go-version: 1.14.x
+      id: go
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v2
+
+    - name: Test
+      run: make test

.github/workflows/tidy.yml

@@ -0,0 +1,22 @@
+name: go-mod-tidy-pr
+
+on:
+  schedule:
+    - cron: "0 0 * * 1" # Weekly build
+
+jobs:
+  go-mod-tidy-pr:
+    name: go-mod-tidy-pr
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Run go-mod-tidy-pr
+        uses: sue445/go-mod-tidy-pr@master
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          git_user_name: kotakanbe
+          git_user_email: kotakanbe@gmail.com
+          go_version: 1.14.x

.gitignore

@@ -15,4 +15,4 @@ results/
 !setup/docker/*
 .DS_Store
 dist/
-.idea
+.idea

.golangci.yml

@@ -0,0 +1,17 @@
+name: golang-ci
+
+linters-settings:
+  errcheck:
+    #exclude: /path/to/file.txt
+
+linters:
+  disable-all: true
+  enable:
+    - goimports
+    - golint
+    - govet
+    - misspell
+    - errcheck
+    - staticcheck
+    - prealloc
+    - ineffassign

.goreleaser.yml

@@ -6,7 +6,8 @@ release:
     owner: future-architect
     name: vuls
 builds:
-- goos:
+- id: vuls
+  goos:
   - linux
   goarch:
   - amd64
@@ -15,10 +16,51 @@ builds:
       - -a
   ldflags: -s -w -X main.version={{.Version}} -X main.revision={{.Commit}} 
   binary: vuls
-archive:
+
+- id: trivy-to-vuls
+  goos:
+  - linux
+  goarch:
+  - amd64
+  main: ./contrib/trivy/cmd/main.go
+  binary: trivy-to-vuls
+
+- id: future-vuls
+  goos:
+  - linux
+  goarch:
+  - amd64
+  main: ./contrib/future-vuls/cmd/main.go
+  binary: future-vuls
+archives:
+
+- id: vuls
+  name_template: '{{ .Binary }}_{{.Version}}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}'
+  builds:
+  - vuls
+  format: tar.gz
+  files:
+  - LICENSE
+  - NOTICE
+  - README*
+  - CHANGELOG.md
+
+- id: trivy-to-vuls
+  name_template: '{{ .Binary }}_{{.Version}}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}'
+  builds:
+  - trivy-to-vuls
+  format: tar.gz
+  files:
+  - LICENSE
+  - NOTICE
+  - README*
+  - CHANGELOG.md
+- id: future-vuls
+  name_template: '{{ .Binary }}_{{.Version}}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}'
+  builds:
+
+  - future-vuls
   format: tar.gz
-  name_template: '{{ .Binary }}_{{.Version}}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{
-    .Arm }}{{ end }}'
   files:
   - LICENSE
   - NOTICE

.travis.yml

@@ -1,7 +0,0 @@
-language: go
-
-go:
-  - "1.13.x"
-
-after_success:
-  - test -n "$TRAVIS_TAG" && curl -sL https://git.io/goreleaser | bash

Dockerfile

@@ -11,7 +11,7 @@ COPY . $GOPATH/src/$REPOSITORY
 RUN cd $GOPATH/src/$REPOSITORY && make install
 
 
-FROM alpine:3.7
+FROM alpine:3.11
 
 MAINTAINER hikachan sadayuki-matsuno
 

GNUmakefile

@@ -66,3 +66,10 @@ cov:
 clean:
 	echo $(PKGS) | xargs go clean || exit;
 
+# trivy-to-vuls
+build-trivy-to-vuls: pretest fmt
+	$(GO) build -o trivy-to-vuls contrib/trivy/cmd/*.go
+
+# future-vuls
+build-future-vuls: pretest fmt
+	$(GO) build -o future-vuls contrib/future-vuls/cmd/*.go

README.md

@@ -136,14 +136,16 @@ Vuls uses multiple vulnerability databases
 
 ### **Static** Analysis
 
-Vuls v0.8.0 can scan Docker images using [knqyf263/trivy](https://github.com/knqyf263/trivy).
-Following Registry supported.
+**Image scan function is no longer supported from Vuls v0.9.5. Use Trivy directry**
 
-- ECR
-- GCR
-- Local Image
+~~Vuls v0.8.0 can scan Docker images using [knqyf263/trivy](https://github.com/knqyf263/trivy).
+Following Registry supported.~~
 
-For details, see [Scan docker image](https://vuls.io/docs/en/tutorial-scan-docker-image.html)
+- ~~ECR~~
+- ~~GCR~~
+- ~~Local Image~~
+
+~~For details, see [Scan docker image](https://vuls.io/docs/en/tutorial-scan-docker-image.html)~~  
 
 ### Scan vulnerabilities of non-OS-packages
 

cache/bolt_test.go

@@ -46,7 +46,7 @@ func TestSetupBolt(t *testing.T) {
 		t.Errorf("Failed to open bolt: %s", err)
 	}
 
-	db.View(func(tx *bolt.Tx) error {
+	_ = db.View(func(tx *bolt.Tx) error {
 		bkt := tx.Bucket([]byte(metabucket))
 		if bkt == nil {
 			t.Errorf("Meta bucket nof found")
@@ -87,7 +87,7 @@ func TestEnsureBuckets(t *testing.T) {
 	if err != nil {
 		t.Errorf("Failed to open bolt: %s", err)
 	}
-	db.View(func(tx *bolt.Tx) error {
+	_ = db.View(func(tx *bolt.Tx) error {
 		bkt := tx.Bucket([]byte(servername))
 		if bkt == nil {
 			t.Errorf("Meta bucket nof found")

commands/configtest.go

@@ -36,7 +36,7 @@ func (*ConfigtestCmd) Usage() string {
 			[-log-dir=/path/to/log]
 			[-ask-key-password]
 			[-timeout=300]
-			[-ssh-external]
+			[-ssh-config]
 			[-containers-only]
 			[-http-proxy=http://192.168.0.1:8080]
 			[-debug]
@@ -69,7 +69,7 @@ func (p *ConfigtestCmd) SetFlags(f *flag.FlagSet) {
 		"Use Native Go implementation of SSH. Default: Use the external command")
 
 	f.BoolVar(&c.Conf.SSHConfig, "ssh-config", false,
-		"Use SSH options specified in ssh_config preferentially")
+		"[Deprecated] Use SSH options specified in ssh_config preferentially")
 
 	f.BoolVar(&c.Conf.ContainersOnly, "containers-only", false,
 		"Test containers only. Default: Test both of hosts and containers")
@@ -108,6 +108,16 @@ func (p *ConfigtestCmd) Execute(_ context.Context, f *flag.FlagSet, _ ...interfa
 		return subcommands.ExitUsageError
 	}
 
+	if c.Conf.SSHConfig {
+		msg := []string{
+			"-ssh-config is deprecated",
+			"If you update Vuls and get this error, there may be incompatible changes in config.toml",
+			"Please check config.toml template : https://vuls.io/docs/en/usage-settings.html",
+		}
+		util.Log.Errorf("%s", strings.Join(msg, "\n"))
+		return subcommands.ExitUsageError
+	}
+
 	var servernames []string
 	if 0 < len(f.Args()) {
 		servernames = f.Args()

commands/discover.go

@@ -187,6 +187,7 @@ sqlite3Path = "/path/to/go-exploitdb.sqlite3"
 host                = "{{$ip}}"
 #port               = "22"
 #user               = "root"
+#sshConfigPath		= "/home/username/.ssh/config"
 #keyPath            = "/home/username/.ssh/id_rsa"
 #scanMode           = ["fast", "fast-root", "deep", "offline"]
 #type               = "pseudo"

commands/report.go

@@ -6,6 +6,7 @@ import (
 	"os"
 	"path/filepath"
 
+	"github.com/aquasecurity/trivy/pkg/utils"
 	c "github.com/future-architect/vuls/config"
 	"github.com/future-architect/vuls/exploit"
 	"github.com/future-architect/vuls/gost"
@@ -45,6 +46,7 @@ func (*ReportCmd) Usage() string {
 		[-refresh-cve]
 		[-cvss-over=7]
 		[-diff]
+		[-wp-ignore-inactive]
 		[-ignore-unscored-cves]
 		[-ignore-unfixed]
 		[-ignore-github-dismissed]
@@ -71,6 +73,7 @@ func (*ReportCmd) Usage() string {
 		[-debug]
 		[-debug-sql]
 		[-quiet]
+		[-no-progress]
 		[-pipe]
 		[-cvedb-type=sqlite3|mysql|postgres|redis|http]
 		[-cvedb-sqlite3-path=/path/to/cve.sqlite3]
@@ -85,6 +88,7 @@ func (*ReportCmd) Usage() string {
 		[-exploitdb-sqlite3-path=/path/to/exploitdb.sqlite3]
 		[-exploitdb-url=http://127.0.0.1:1326 or DB connection string]
 		[-http="http://vuls-report-server"]
+		[-trivy-cachedb-dir=/path/to/dir]
 
 		[RFC3339 datetime format under results dir]
 `
@@ -95,8 +99,8 @@ func (p *ReportCmd) SetFlags(f *flag.FlagSet) {
 	f.StringVar(&c.Conf.Lang, "lang", "en", "[en|ja]")
 	f.BoolVar(&c.Conf.Debug, "debug", false, "debug mode")
 	f.BoolVar(&c.Conf.DebugSQL, "debug-sql", false, "SQL debug mode")
-
 	f.BoolVar(&c.Conf.Quiet, "quiet", false, "Quiet mode. No output on stdout")
+	f.BoolVar(&c.Conf.NoProgress, "no-progress", false, "Suppress progress bar")
 
 	wd, _ := os.Getwd()
 	defaultConfPath := filepath.Join(wd, "config.toml")
@@ -117,6 +121,9 @@ func (p *ReportCmd) SetFlags(f *flag.FlagSet) {
 	f.BoolVar(&c.Conf.Diff, "diff", false,
 		"Difference between previous result and current result ")
 
+	f.BoolVar(&c.Conf.WpIgnoreInactive, "wp-ignore-inactive", false,
+		"ignore inactive on wordpress's plugin and theme")
+
 	f.BoolVar(&c.Conf.IgnoreUnscoredCves, "ignore-unscored-cves", false,
 		"Don't report the unscored CVEs")
 
@@ -187,6 +194,8 @@ func (p *ReportCmd) SetFlags(f *flag.FlagSet) {
 
 	f.StringVar(&p.httpConf.URL, "http", "", "-to-http http://vuls-report")
 
+	f.StringVar(&c.Conf.TrivyCacheDBDir, "trivy-cachedb-dir",
+		utils.DefaultCacheDir(), "/path/to/dir")
 }
 
 // Execute execute

commands/scan.go

@@ -41,7 +41,6 @@ func (*ScanCmd) Usage() string {
 		[-ssh-native-insecure]
 		[-ssh-config]
 		[-containers-only]
-		[-images-only]
 		[-libs-only]
 		[-wordpress-only]
 		[-skip-broken]
@@ -81,14 +80,11 @@ func (p *ScanCmd) SetFlags(f *flag.FlagSet) {
 		"Use Native Go implementation of SSH. Default: Use the external command")
 
 	f.BoolVar(&c.Conf.SSHConfig, "ssh-config", false,
-		"Use SSH options specified in ssh_config preferentially")
+		"[Deprecated] Use SSH options specified in ssh_config preferentially")
 
 	f.BoolVar(&c.Conf.ContainersOnly, "containers-only", false,
 		"Scan running containers only. Default: Scan both of hosts and running containers")
 
-	f.BoolVar(&c.Conf.ImagesOnly, "images-only", false,
-		"Scan container images only. Default: Scan both of hosts and images")
-
 	f.BoolVar(&c.Conf.LibsOnly, "libs-only", false,
 		"Scan libraries (lock files) specified in config.toml only.")
 
@@ -150,6 +146,16 @@ func (p *ScanCmd) Execute(_ context.Context, f *flag.FlagSet, _ ...interface{})
 		return subcommands.ExitUsageError
 	}
 
+	if c.Conf.SSHConfig {
+		msg := []string{
+			"-ssh-config is deprecated",
+			"If you update Vuls and get this error, there may be incompatible changes in config.toml",
+			"Please check config.toml template : https://vuls.io/docs/en/usage-settings.html",
+		}
+		util.Log.Errorf("%s", strings.Join(msg, "\n"))
+		return subcommands.ExitUsageError
+	}
+
 	util.Log.Info("Start scanning")
 	util.Log.Infof("config: %s", p.configPath)
 

commands/tui.go

@@ -6,6 +6,7 @@ import (
 	"os"
 	"path/filepath"
 
+	"github.com/aquasecurity/trivy/pkg/utils"
 	c "github.com/future-architect/vuls/config"
 	"github.com/future-architect/vuls/exploit"
 	"github.com/future-architect/vuls/gost"
@@ -46,6 +47,8 @@ func (*TuiCmd) Usage() string {
 		[-log-dir=/path/to/log]
 		[-debug]
 		[-debug-sql]
+		[-quiet]
+		[-no-progress]
 		[-pipe]
 		[-cvedb-type=sqlite3|mysql|postgres|redis|http]
 		[-cvedb-sqlite3-path=/path/to/cve.sqlite3]
@@ -59,6 +62,7 @@ func (*TuiCmd) Usage() string {
 		[-exploitdb-type=sqlite3|mysql|redis|http]
 		[-exploitdb-sqlite3-path=/path/to/exploitdb.sqlite3]
 		[-exploitdb-url=http://127.0.0.1:1326 or DB connection string]
+		[-trivy-cachedb-dir=/path/to/dir]
 
 `
 }
@@ -68,6 +72,8 @@ func (p *TuiCmd) SetFlags(f *flag.FlagSet) {
 	//  f.StringVar(&p.lang, "lang", "en", "[en|ja]")
 	f.BoolVar(&c.Conf.DebugSQL, "debug-sql", false, "debug SQL")
 	f.BoolVar(&c.Conf.Debug, "debug", false, "debug mode")
+	f.BoolVar(&c.Conf.Quiet, "quiet", false, "Quiet mode. No output on stdout")
+	f.BoolVar(&c.Conf.NoProgress, "no-progress", false, "Suppress progress bar")
 
 	defaultLogDir := util.GetDefaultLogDir()
 	f.StringVar(&c.Conf.LogDir, "log-dir", defaultLogDir, "/path/to/log")
@@ -121,6 +127,8 @@ func (p *TuiCmd) SetFlags(f *flag.FlagSet) {
 	f.StringVar(&p.exploitConf.URL, "exploitdb-url", "",
 		"http://exploit.com:1326 or DB connection string")
 
+	f.StringVar(&c.Conf.TrivyCacheDBDir, "trivy-cachedb-dir",
+		utils.DefaultCacheDir(), "/path/to/dir")
 }
 
 // Execute execute

config/config.go

@@ -10,14 +10,13 @@ import (
 	"strings"
 
 	syslog "github.com/RackSec/srslog"
-	"github.com/aquasecurity/fanal/types"
 	valid "github.com/asaskevich/govalidator"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/xerrors"
 )
 
 // Version of Vuls
-var Version = "0.9.1"
+var Version = "0.9.8"
 
 // Revision of Git
 var Revision string
@@ -90,6 +89,7 @@ type Config struct {
 	ResultsDir string `json:"resultsDir,omitempty"`
 	Pipe       bool   `json:"pipe,omitempty"`
 	Quiet      bool   `json:"quiet,omitempty"`
+	NoProgress bool   `json:"noProgress,omitempty"`
 
 	Default       ServerInfo            `json:"default,omitempty"`
 	Servers       map[string]ServerInfo `json:"servers,omitempty"`
@@ -103,15 +103,16 @@ type Config struct {
 	SSHConfig bool `json:"sshConfig,omitempty"`
 
 	ContainersOnly bool `json:"containersOnly,omitempty"`
-	ImagesOnly     bool `json:"imagesOnly,omitempty"`
 	LibsOnly       bool `json:"libsOnly,omitempty"`
 	WordPressOnly  bool `json:"wordpressOnly,omitempty"`
 
-	SkipBroken  bool   `json:"skipBroken,omitempty"`
-	CacheDBPath string `json:"cacheDBPath,omitempty"`
-	Vvv         bool   `json:"vvv,omitempty"`
-	UUID        bool   `json:"uuid,omitempty"`
-	DetectIPS   bool   `json:"detectIps,omitempty"`
+	CacheDBPath     string `json:"cacheDBPath,omitempty"`
+	TrivyCacheDBDir string `json:"trivyCacheDBDir,omitempty"`
+
+	SkipBroken bool `json:"skipBroken,omitempty"`
+	Vvv        bool `json:"vvv,omitempty"`
+	UUID       bool `json:"uuid,omitempty"`
+	DetectIPS  bool `json:"detectIps,omitempty"`
 
 	CveDict  GoCveDictConf `json:"cveDict,omitempty"`
 	OvalDict GovalDictConf `json:"ovalDict,omitempty"`
@@ -151,6 +152,7 @@ type Config struct {
 	FormatFullText    bool `json:"formatFullText,omitempty"`
 	GZIP              bool `json:"gzip,omitempty"`
 	Diff              bool `json:"diff,omitempty"`
+	WpIgnoreInactive  bool `json:"wpIgnoreInactive,omitempty"`
 }
 
 // ValidateOnConfigtest validates
@@ -583,7 +585,7 @@ func (c *TelegramConf) Validate() (errs []error) {
 
 // SaasConf is stride config
 type SaasConf struct {
-	GroupID int    `json:"-"`
+	GroupID int64  `json:"-"`
 	Token   string `json:"-"`
 	URL     string `json:"-"`
 }
@@ -1033,7 +1035,9 @@ type ServerInfo struct {
 	ServerName             string                      `toml:"-" json:"serverName,omitempty"`
 	User                   string                      `toml:"user,omitempty" json:"user,omitempty"`
 	Host                   string                      `toml:"host,omitempty" json:"host,omitempty"`
+	JumpServer             []string                    `toml:"jumpServer,omitempty" json:"jumpServer,omitempty"`
 	Port                   string                      `toml:"port,omitempty" json:"port,omitempty"`
+	SSHConfigPath          string                      `toml:"sshConfigPath,omitempty" json:"sshConfigPath,omitempty"`
 	KeyPath                string                      `toml:"keyPath,omitempty" json:"keyPath,omitempty"`
 	KeyPassword            string                      `json:"-,omitempty" toml:"-"`
 	CpeNames               []string                    `toml:"cpeNames,omitempty" json:"cpeNames,omitempty"`
@@ -1047,7 +1051,6 @@ type ServerInfo struct {
 	IgnoreCves             []string                    `toml:"ignoreCves,omitempty" json:"ignoreCves,omitempty"`
 	IgnorePkgsRegexp       []string                    `toml:"ignorePkgsRegexp,omitempty" json:"ignorePkgsRegexp,omitempty"`
 	GitHubRepos            map[string]GitHubConf       `toml:"githubs" json:"githubs,omitempty"` // key: owner/repo
-	Images                 map[string]Image            `toml:"images" json:"images,omitempty"`
 	UUIDs                  map[string]string           `toml:"uuids,omitempty" json:"uuids,omitempty"`
 	Memo                   string                      `toml:"memo,omitempty" json:"memo,omitempty"`
 	Enablerepo             []string                    `toml:"enablerepo,omitempty" json:"enablerepo,omitempty"` // For CentOS, RHEL, Amazon
@@ -1065,7 +1068,6 @@ type ServerInfo struct {
 
 	LogMsgAnsiColor string    `toml:"-" json:"-"` // DebugLog Color
 	Container       Container `toml:"-" json:"-"`
-	Image           Image     `toml:"-" json:"-"`
 	Distro          Distro    `toml:"-" json:"-"`
 	Mode            ScanMode  `toml:"-" json:"-"`
 }
@@ -1087,25 +1089,6 @@ type WordPressConf struct {
 	IgnoreInactive bool   `json:"ignoreInactive,omitempty"`
 }
 
-// Image is a scan container image info
-type Image struct {
-	Name             string             `json:"name"`
-	Tag              string             `json:"tag"`
-	Digest           string             `json:"digest"`
-	DockerOption     types.DockerOption `json:"dockerOption,omitempty"`
-	Cpes             []string           `json:"cpes,omitempty"`
-	OwaspDCXMLPath   string             `json:"owaspDCXMLPath"`
-	IgnorePkgsRegexp []string           `json:"ignorePkgsRegexp,omitempty"`
-	IgnoreCves       []string           `json:"ignoreCves,omitempty"`
-}
-
-func (i *Image) GetFullName() string {
-	if i.Digest != "" {
-		return i.Name + "@" + i.Digest
-	}
-	return i.Name + ":" + i.Tag
-}
-
 // GitHubConf is used for GitHub integration
 type GitHubConf struct {
 	Token string `json:"-"`

config/tomlloader.go

@@ -51,22 +51,17 @@ func (c TOMLLoader) Load(pathToToml, keyPass string) error {
 		}
 
 		s := ServerInfo{ServerName: serverName}
-		s.Images = make(map[string]Image)
-
-		// image are able to set any server type
-		for name, image := range v.Images {
-			if err := IsValidImage(image); err != nil {
-				return err
-			}
-			s.Images[name] = image
-		}
-
 		if v.Type != ServerTypePseudo {
 			s.Host = v.Host
 			if len(s.Host) == 0 {
 				return xerrors.Errorf("%s is invalid. host is empty", serverName)
 			}
 
+			s.JumpServer = v.JumpServer
+			if len(s.JumpServer) == 0 {
+				s.JumpServer = d.JumpServer
+			}
+
 			switch {
 			case v.Port != "":
 				s.Port = v.Port
@@ -87,6 +82,11 @@ func (c TOMLLoader) Load(pathToToml, keyPass string) error {
 				}
 			}
 
+			s.SSHConfigPath = v.SSHConfigPath
+			if len(s.SSHConfigPath) == 0 {
+				s.SSHConfigPath = d.SSHConfigPath
+			}
+
 			s.KeyPath = v.KeyPath
 			if len(s.KeyPath) == 0 {
 				s.KeyPath = d.KeyPath
@@ -292,17 +292,3 @@ func toCpeURI(cpename string) (string, error) {
 	}
 	return "", xerrors.Errorf("Unknow CPE format: %s", cpename)
 }
-
-// IsValidImage checks a container configuration
-func IsValidImage(c Image) error {
-	if c.Name == "" {
-		return xerrors.New("Invalid arguments : no image name")
-	}
-	if c.Tag == "" && c.Digest == "" {
-		return xerrors.New("Invalid arguments : no image tag and digest")
-	}
-	if c.Tag != "" && c.Digest != "" {
-		return xerrors.New("Invalid arguments : you can either set image tag or digest")
-	}
-	return nil
-}

config/tomlloader_test.go

@@ -42,62 +42,3 @@ func TestToCpeURI(t *testing.T) {
 		}
 	}
 }
-
-func TestIsValidImage(t *testing.T) {
-	var tests = []struct {
-		name     string
-		img      Image
-		errOccur bool
-	}{
-		{
-			name: "ok with tag",
-			img: Image{
-				Name: "ok",
-				Tag:  "ok",
-			},
-			errOccur: false,
-		},
-		{
-			name: "ok with digest",
-			img: Image{
-				Name:   "ok",
-				Digest: "ok",
-			},
-			errOccur: false,
-		},
-
-		{
-			name: "no image name with tag",
-			img: Image{
-				Tag: "ok",
-			},
-			errOccur: true,
-		},
-
-		{
-			name: "no image name with digest",
-			img: Image{
-				Digest: "ok",
-			},
-			errOccur: true,
-		},
-
-		{
-			name: "no tag and digest",
-			img: Image{
-				Name: "ok",
-			},
-			errOccur: true,
-		},
-	}
-	for i, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			err := IsValidImage(tt.img)
-			actual := err != nil
-			if actual != tt.errOccur {
-				t.Errorf("[%d] act: %v, exp: %v",
-					i, actual, tt.errOccur)
-			}
-		})
-	}
-}

contrib/future-vuls/README.md

@@ -0,0 +1,38 @@
+# future-vuls
+
+## Main Features
+
+- upload vuls results json to future-vuls
+
+## Installation
+
+```
+git clone https://github.com/future-architect/vuls.git
+make build-future-vuls
+```
+
+## Command Reference
+
+```
+Upload to FutureVuls
+
+Usage:
+  future-vuls upload [flags]
+
+Flags:
+      --config string   config file (default is $HOME/.cobra.yaml)
+  -g, --group-id int    future vuls group id, ENV: VULS_GROUP_ID
+  -h, --help            help for upload
+  -s, --stdin           input from stdin. ENV: VULS_STDIN
+  -t, --token string    future vuls token
+      --url string      future vuls upload url
+      --uuid string     server uuid. ENV: VULS_SERVER_UUID
+```
+
+## Usage
+
+- update results json
+
+```
+ cat results.json | future-vuls upload --stdin --token xxxx --url https://xxxx --group-id 1 --uuid xxxx
+```

contrib/future-vuls/cmd/main.go

@@ -0,0 +1,98 @@
+package main
+
+import (
+	"bufio"
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"os"
+	"strconv"
+
+	"github.com/future-architect/vuls/config"
+	"github.com/future-architect/vuls/models"
+	"github.com/future-architect/vuls/report"
+	"github.com/spf13/cobra"
+)
+
+var (
+	configFile string
+	stdIn      bool
+	jsonDir    string
+	serverUUID string
+	groupID    int64
+	token      string
+	url        string
+)
+
+func main() {
+	var err error
+	var cmdFvulsUploader = &cobra.Command{
+		Use:   "upload",
+		Short: "Upload to FutureVuls",
+		Long:  `Upload to FutureVuls`,
+		Run: func(cmd *cobra.Command, args []string) {
+			if len(serverUUID) == 0 {
+				serverUUID = os.Getenv("VULS_SERVER_UUID")
+			}
+			if groupID == 0 {
+				envGroupID := os.Getenv("VULS_GROUP_ID")
+				if groupID, err = strconv.ParseInt(envGroupID, 10, 64); err != nil {
+					fmt.Printf("Invalid GroupID: %s\n", envGroupID)
+					return
+				}
+			}
+			if len(url) == 0 {
+				url = os.Getenv("VULS_URL")
+			}
+			if len(token) == 0 {
+				token = os.Getenv("VULS_TOKEN")
+			}
+
+			var scanResultJSON []byte
+			if stdIn {
+				reader := bufio.NewReader(os.Stdin)
+				buf := new(bytes.Buffer)
+				if _, err = buf.ReadFrom(reader); err != nil {
+					return
+				}
+				scanResultJSON = buf.Bytes()
+			} else {
+				fmt.Println("use --stdin option")
+				os.Exit(1)
+				return
+			}
+
+			var scanResult models.ScanResult
+			if err = json.Unmarshal(scanResultJSON, &scanResult); err != nil {
+				fmt.Println("Failed to parse json", err)
+				os.Exit(1)
+				return
+			}
+			scanResult.ServerUUID = serverUUID
+
+			config.Conf.Saas.GroupID = groupID
+			config.Conf.Saas.Token = token
+			config.Conf.Saas.URL = url
+			if err = (report.SaasWriter{}).Write(scanResult); err != nil {
+				fmt.Println(err)
+				os.Exit(1)
+				return
+			}
+			return
+		},
+	}
+	cmdFvulsUploader.PersistentFlags().StringVar(&serverUUID, "uuid", "", "server uuid. ENV: VULS_SERVER_UUID")
+	cmdFvulsUploader.PersistentFlags().StringVar(&configFile, "config", "", "config file (default is $HOME/.cobra.yaml)")
+	cmdFvulsUploader.PersistentFlags().BoolVarP(&stdIn, "stdin", "s", false, "input from stdin. ENV: VULS_STDIN")
+	// TODO Read JSON file from directory
+	//	cmdFvulsUploader.Flags().StringVarP(&jsonDir, "results-dir", "d", "./", "vuls scan results json dir")
+	cmdFvulsUploader.PersistentFlags().Int64VarP(&groupID, "group-id", "g", 0, "future vuls group id, ENV: VULS_GROUP_ID")
+	cmdFvulsUploader.PersistentFlags().StringVarP(&token, "token", "t", "", "future vuls token")
+	cmdFvulsUploader.PersistentFlags().StringVar(&url, "url", "", "future vuls upload url")
+
+	var rootCmd = &cobra.Command{Use: "future-vuls"}
+	rootCmd.AddCommand(cmdFvulsUploader)
+	if err = rootCmd.Execute(); err != nil {
+		fmt.Println("Failed to execute command", err)
+	}
+}

contrib/owasp-dependency-check/parser/parser.go

@@ -16,11 +16,11 @@ type analysis struct {
 }
 
 type dependency struct {
-	Identifiers []vulnerabilityId `xml:"identifiers>vulnerabilityIds"`
+	Identifiers []vulnerabilityID `xml:"identifiers>vulnerabilityIds"`
 }
 
-type vulnerabilityId struct {
-	Id string `xml:"id"`
+type vulnerabilityID struct {
+	ID string `xml:"id"`
 }
 
 func appendIfMissing(slice []string, str string) []string {
@@ -55,7 +55,7 @@ func Parse(path string) ([]string, error) {
 	cpes := []string{}
 	for _, d := range anal.Dependencies {
 		for _, ident := range d.Identifiers {
-			id := ident.Id // Start with cpe:2.3:
+			id := ident.ID // Start with cpe:2.3:
 			// Convert from CPE 2.3 to CPE 2.2
 			if strings.HasPrefix(id, "cpe:2.3:") {
 				wfn, err := naming.UnbindFS(id)

contrib/trivy/README.md

@@ -0,0 +1,35 @@
+# trivy-to-vuls
+
+## Main Features
+
+- convert trivy's results json to vuls's report json
+
+## Installation
+
+```
+git clone https://github.com/future-architect/vuls.git
+make build-trivy-to-vuls
+```
+
+## Command Reference
+
+```
+Parse trivy json to vuls results
+
+Usage:
+  trivy-to-vuls parse [flags]
+
+Flags:
+  -h, --help                          help for parse
+  -s, --stdin                         input from stdin
+  -d, --trivy-json-dir string         trivy json dir (default "./")
+  -f, --trivy-json-file-name string   trivy json file name (default "results.json")
+```
+
+## Usage
+
+- use trivy output
+
+```
+ trivy -q image -f=json python:3.4-alpine | trivy-to-vuls parse --stdin
+```

contrib/trivy/cmd/main.go

@@ -0,0 +1,78 @@
+package main
+
+import (
+	"bufio"
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+
+	"github.com/future-architect/vuls/contrib/trivy/parser"
+	"github.com/future-architect/vuls/models"
+	"github.com/spf13/cobra"
+)
+
+var (
+	serverUUID   string
+	stdIn        bool
+	jsonDir      string
+	jsonFileName string
+)
+
+func main() {
+	var err error
+	var cmdTrivyToVuls = &cobra.Command{
+		Use:   "parse",
+		Short: "Parse trivy json to vuls results",
+		Long:  `Parse trivy json to vuls results`,
+		Run: func(cmd *cobra.Command, args []string) {
+			jsonFilePath := filepath.Join(jsonDir, jsonFileName)
+			var trivyJSON []byte
+			if stdIn {
+				reader := bufio.NewReader(os.Stdin)
+				buf := new(bytes.Buffer)
+				if _, err = buf.ReadFrom(reader); err != nil {
+					os.Exit(1)
+					return
+				}
+				trivyJSON = buf.Bytes()
+			} else {
+				if trivyJSON, err = ioutil.ReadFile(jsonFilePath); err != nil {
+					fmt.Println("Failed to read file", err)
+					os.Exit(1)
+					return
+				}
+			}
+
+			scanResult := &models.ScanResult{
+				JSONVersion: models.JSONVersion,
+				ScannedCves: models.VulnInfos{},
+			}
+			if scanResult, err = parser.Parse(trivyJSON, scanResult); err != nil {
+				fmt.Println("Failed to execute command", err)
+				os.Exit(1)
+				return
+			}
+			var resultJSON []byte
+			if resultJSON, err = json.MarshalIndent(scanResult, "", "   "); err != nil {
+				fmt.Println("Failed to create json", err)
+				os.Exit(1)
+				return
+			}
+			fmt.Println(string(resultJSON))
+			return
+		},
+	}
+	cmdTrivyToVuls.Flags().BoolVarP(&stdIn, "stdin", "s", false, "input from stdin")
+	cmdTrivyToVuls.Flags().StringVarP(&jsonDir, "trivy-json-dir", "d", "./", "trivy json dir")
+	cmdTrivyToVuls.Flags().StringVarP(&jsonFileName, "trivy-json-file-name", "f", "results.json", "trivy json file name")
+
+	var rootCmd = &cobra.Command{Use: "trivy-to-vuls"}
+	rootCmd.AddCommand(cmdTrivyToVuls)
+	if err = rootCmd.Execute(); err != nil {
+		fmt.Println("Failed to execute command", err)
+		os.Exit(1)
+	}
+}

contrib/trivy/parser/parser.go

@@ -0,0 +1,163 @@
+package parser
+
+import (
+	"encoding/json"
+	"sort"
+	"time"
+
+	"github.com/aquasecurity/fanal/analyzer/os"
+	"github.com/aquasecurity/trivy/pkg/report"
+	"github.com/aquasecurity/trivy/pkg/types"
+	"github.com/future-architect/vuls/models"
+)
+
+// Parse :
+func Parse(vulnJSON []byte, scanResult *models.ScanResult) (result *models.ScanResult, err error) {
+	var trivyResults report.Results
+	if err = json.Unmarshal(vulnJSON, &trivyResults); err != nil {
+		return nil, err
+	}
+
+	pkgs := models.Packages{}
+	vulnInfos := models.VulnInfos{}
+	uniqueLibraryScannerPaths := map[string]models.LibraryScanner{}
+	for _, trivyResult := range trivyResults {
+		for _, vuln := range trivyResult.Vulnerabilities {
+			if _, ok := vulnInfos[vuln.VulnerabilityID]; !ok {
+				vulnInfos[vuln.VulnerabilityID] = models.VulnInfo{
+					CveID: vuln.VulnerabilityID,
+					Confidences: models.Confidences{
+						{
+							Score:           100,
+							DetectionMethod: models.TrivyMatchStr,
+						},
+					},
+					AffectedPackages: models.PackageFixStatuses{},
+					CveContents:      models.CveContents{},
+					LibraryFixedIns:  models.LibraryFixedIns{},
+					// VulnType : "",
+				}
+			}
+			vulnInfo := vulnInfos[vuln.VulnerabilityID]
+			var notFixedYet bool
+			fixState := ""
+			if len(vuln.FixedVersion) == 0 {
+				notFixedYet = true
+				fixState = "Affected"
+			}
+			vulnInfo.AffectedPackages = append(vulnInfo.AffectedPackages, models.PackageFixStatus{
+				Name:        vuln.PkgName,
+				NotFixedYet: notFixedYet,
+				FixState:    fixState,
+				FixedIn:     vuln.FixedVersion,
+			})
+
+			var references models.References
+			for _, reference := range vuln.References {
+				references = append(references, models.Reference{
+					Source: "trivy",
+					Link:   reference,
+				})
+			}
+
+			sort.Slice(references, func(i, j int) bool {
+				return references[i].Link < references[j].Link
+			})
+
+			vulnInfo.CveContents = models.CveContents{
+				models.Trivy: models.CveContent{
+					Cvss3Severity: vuln.Severity,
+					References:    references,
+					Title:         vuln.Title,
+					Summary:       vuln.Description,
+				},
+			}
+			// do only if image type is Vuln
+			if IsTrivySupportedOS(trivyResult.Type) {
+				pkgs[vuln.PkgName] = models.Package{
+					Name:    vuln.PkgName,
+					Version: vuln.InstalledVersion,
+				}
+				// overwrite every time if os package
+				scanResult.Family = trivyResult.Type
+				scanResult.ServerName = trivyResult.Target
+				scanResult.Optional = map[string]interface{}{
+					"trivy-target": trivyResult.Target,
+				}
+				scanResult.ScannedAt = time.Now()
+				scanResult.ScannedBy = "trivy"
+				scanResult.ScannedVia = "trivy"
+			} else {
+				// LibraryScanの結果
+				vulnInfo.LibraryFixedIns = append(vulnInfo.LibraryFixedIns, models.LibraryFixedIn{
+					Key:     trivyResult.Type,
+					Name:    vuln.PkgName,
+					FixedIn: vuln.FixedVersion,
+				})
+				libScanner := uniqueLibraryScannerPaths[trivyResult.Target]
+				libScanner.Libs = append(libScanner.Libs, types.Library{
+					Name:    vuln.PkgName,
+					Version: vuln.InstalledVersion,
+				})
+				uniqueLibraryScannerPaths[trivyResult.Target] = libScanner
+			}
+			vulnInfos[vuln.VulnerabilityID] = vulnInfo
+		}
+	}
+	// flatten and unique libraries
+	libraryScanners := make([]models.LibraryScanner, 0, len(uniqueLibraryScannerPaths))
+	for path, v := range uniqueLibraryScannerPaths {
+		uniqueLibrary := map[string]types.Library{}
+		for _, lib := range v.Libs {
+			uniqueLibrary[lib.Name+lib.Version] = lib
+		}
+
+		var libraries []types.Library
+		for _, library := range uniqueLibrary {
+			libraries = append(libraries, library)
+		}
+
+		sort.Slice(libraries, func(i, j int) bool {
+			return libraries[i].Name < libraries[j].Name
+		})
+
+		libscanner := models.LibraryScanner{
+			Path: path,
+			Libs: libraries,
+		}
+		libraryScanners = append(libraryScanners, libscanner)
+	}
+	sort.Slice(libraryScanners, func(i, j int) bool {
+		return libraryScanners[i].Path < libraryScanners[j].Path
+	})
+	scanResult.ScannedCves = vulnInfos
+	scanResult.Packages = pkgs
+	scanResult.LibraryScanners = libraryScanners
+	return scanResult, nil
+}
+
+// IsTrivySupportedOS :
+func IsTrivySupportedOS(family string) bool {
+	supportedFamilies := []string{
+		os.RedHat,
+		os.Debian,
+		os.Ubuntu,
+		os.CentOS,
+		os.Fedora,
+		os.Amazon,
+		os.Oracle,
+		os.Windows,
+		os.OpenSUSE,
+		os.OpenSUSELeap,
+		os.OpenSUSETumbleweed,
+		os.SLES,
+		os.Photon,
+		os.Alpine,
+	}
+	for _, supportedFamily := range supportedFamilies {
+		if family == supportedFamily {
+			return true
+		}
+	}
+	return false
+}

cwe/sans.go

@@ -29,5 +29,5 @@ var SansTopTwentyfive = map[string]string{
 	"759": "25",
 }
 
-// SansTopTwentyfiveURL
+// SansTopTwentyfiveURL is a URL of sans 25
 var SansTopTwentyfiveURL = "https://www.sans.org/top25-software-errors/"

github/github.go

@@ -5,14 +5,13 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"io/ioutil"
 	"net/http"
 	"time"
 
 	"github.com/future-architect/vuls/config"
 	"github.com/future-architect/vuls/errof"
 	"github.com/future-architect/vuls/models"
-	"github.com/future-architect/vuls/util"
-	"github.com/k0kubun/pp"
 	"golang.org/x/oauth2"
 )
 
@@ -25,8 +24,9 @@ func FillGitHubSecurityAlerts(r *models.ScanResult, owner, repo, token string) (
 	httpClient := oauth2.NewClient(context.Background(), src)
 
 	// TODO Use `https://github.com/shurcooL/githubv4` if the tool supports vulnerabilityAlerts Endpoint
+	// Memo : https://developer.github.com/v4/explorer/
 	const jsonfmt = `{"query":
-	"query { repository(owner:\"%s\", name:\"%s\") { url, vulnerabilityAlerts(first: %d, %s) { pageInfo{ endCursor, hasNextPage, startCursor}, edges { node { id, externalIdentifier, externalReference, fixedIn, packageName,  dismissReason, dismissedAt } } } } }"}`
+	"query { repository(owner:\"%s\", name:\"%s\") { url vulnerabilityAlerts(first: %d, %s) { pageInfo { endCursor hasNextPage startCursor } edges { node { id dismissReason dismissedAt securityVulnerability{ package { name ecosystem } severity vulnerableVersionRange firstPatchedVersion { identifier } } securityAdvisory { description ghsaId permalink publishedAt summary updatedAt withdrawnAt origin severity references { url } identifiers { type value } } } } } } } "}`
 	after := ""
 
 	for {
@@ -43,7 +43,7 @@ func FillGitHubSecurityAlerts(r *models.ScanResult, owner, repo, token string) (
 		// To toggle this preview and access data, need to provide a custom media type in the Accept header:
 		// MEMO: I tried to get the affected version via GitHub API. Bit it seems difficult to determin the affected version if there are multiple dependency files such as package.json.
 		// TODO remove this header if it is no longer preview status in the future.
-		req.Header.Set("Accept", "application/vnd.github.vixen-preview+json")
+		req.Header.Set("Accept", "application/vnd.github.package-deletes-preview+json")
 		req.Header.Set("Content-Type", "application/json")
 
 		resp, err := httpClient.Do(req)
@@ -51,16 +51,23 @@ func FillGitHubSecurityAlerts(r *models.ScanResult, owner, repo, token string) (
 			return 0, err
 		}
 		defer resp.Body.Close()
-		alerts := SecurityAlerts{}
-		if json.NewDecoder(resp.Body).Decode(&alerts); err != nil {
+
+		body, err := ioutil.ReadAll(resp.Body)
+		if err != nil {
 			return 0, err
 		}
 
-		util.Log.Debugf("%s", pp.Sprint(alerts))
+		alerts := SecurityAlerts{}
+		if err := json.Unmarshal(body, &alerts); err != nil {
+			return 0, err
+		}
+
+		// util.Log.Debugf("%s", pp.Sprint(alerts))
+		// util.Log.Debugf("%s", string(body))
 		if alerts.Data.Repository.URL == "" {
 			return 0, errof.New(
 				errof.ErrFailedToAccessGithubAPI,
-				fmt.Sprintf("Failed to access to GitHub API. Response: %#v", alerts),
+				fmt.Sprintf("Failed to access to GitHub API. Response: %s", string(body)),
 			)
 		}
 
@@ -70,31 +77,45 @@ func FillGitHubSecurityAlerts(r *models.ScanResult, owner, repo, token string) (
 			}
 
 			pkgName := fmt.Sprintf("%s %s",
-				alerts.Data.Repository.URL, v.Node.PackageName)
+				alerts.Data.Repository.URL, v.Node.SecurityVulnerability.Package.Name)
 
 			m := models.GitHubSecurityAlert{
 				PackageName:   pkgName,
-				FixedIn:       v.Node.FixedIn,
-				AffectedRange: v.Node.AffectedRange,
+				FixedIn:       v.Node.SecurityVulnerability.FirstPatchedVersion.Identifier,
+				AffectedRange: v.Node.SecurityVulnerability.VulnerableVersionRange,
 				Dismissed:     len(v.Node.DismissReason) != 0,
 				DismissedAt:   v.Node.DismissedAt,
 				DismissReason: v.Node.DismissReason,
 			}
 
-			cveID := v.Node.ExternalIdentifier
-
-			if val, ok := r.ScannedCves[cveID]; ok {
-				val.GitHubSecurityAlerts = val.GitHubSecurityAlerts.Add(m)
-				r.ScannedCves[cveID] = val
-				nCVEs++
-			} else {
-				v := models.VulnInfo{
-					CveID:                cveID,
-					Confidences:          models.Confidences{models.GitHubMatch},
-					GitHubSecurityAlerts: models.GitHubSecurityAlerts{m},
+			cveIDs, other := []string{}, []string{}
+			for _, identifier := range v.Node.SecurityAdvisory.Identifiers {
+				if identifier.Type == "CVE" {
+					cveIDs = append(cveIDs, identifier.Value)
+				} else {
+					other = append(other, identifier.Value)
+				}
+			}
+
+			// If CVE-ID has not been assigned, use the GHSA ID etc as a ID.
+			if len(cveIDs) == 0 {
+				cveIDs = other
+			}
+
+			for _, cveID := range cveIDs {
+				if val, ok := r.ScannedCves[cveID]; ok {
+					val.GitHubSecurityAlerts = val.GitHubSecurityAlerts.Add(m)
+					r.ScannedCves[cveID] = val
+					nCVEs++
+				} else {
+					v := models.VulnInfo{
+						CveID:                cveID,
+						Confidences:          models.Confidences{models.GitHubMatch},
+						GitHubSecurityAlerts: models.GitHubSecurityAlerts{m},
+					}
+					r.ScannedCves[cveID] = v
+					nCVEs++
 				}
-				r.ScannedCves[cveID] = v
-				nCVEs++
 			}
 		}
 		if !alerts.Data.Repository.VulnerabilityAlerts.PageInfo.HasNextPage {
@@ -109,26 +130,50 @@ func FillGitHubSecurityAlerts(r *models.ScanResult, owner, repo, token string) (
 type SecurityAlerts struct {
 	Data struct {
 		Repository struct {
-			URL                 string `json:"url,omitempty"`
+			URL                 string `json:"url"`
 			VulnerabilityAlerts struct {
 				PageInfo struct {
-					EndCursor   string `json:"endCursor,omitempty"`
-					HasNextPage bool   `json:"hasNextPage,omitempty"`
-					StartCursor string `json:"startCursor,omitempty"`
-				} `json:"pageInfo,omitempty"`
+					EndCursor   string `json:"endCursor"`
+					HasNextPage bool   `json:"hasNextPage"`
+					StartCursor string `json:"startCursor"`
+				} `json:"pageInfo"`
 				Edges []struct {
 					Node struct {
-						ID                 string    `json:"id,omitempty"`
-						ExternalIdentifier string    `json:"externalIdentifier,omitempty"`
-						ExternalReference  string    `json:"externalReference,omitempty"`
-						FixedIn            string    `json:"fixedIn,omitempty"`
-						AffectedRange      string    `json:"affectedRange,omitempty"`
-						PackageName        string    `json:"packageName,omitempty"`
-						DismissReason      string    `json:"dismissReason,omitempty"`
-						DismissedAt        time.Time `json:"dismissedAt,omitempty"`
-					} `json:"node,omitempty"`
-				} `json:"edges,omitempty"`
-			} `json:"vulnerabilityAlerts,omitempty"`
-		} `json:"repository,omitempty"`
-	} `json:"data,omitempty"`
+						ID                    string    `json:"id"`
+						DismissReason         string    `json:"dismissReason"`
+						DismissedAt           time.Time `json:"dismissedAt"`
+						SecurityVulnerability struct {
+							Package struct {
+								Name      string `json:"name"`
+								Ecosystem string `json:"ecosystem"`
+							} `json:"package"`
+							Severity               string `json:"severity"`
+							VulnerableVersionRange string `json:"vulnerableVersionRange"`
+							FirstPatchedVersion    struct {
+								Identifier string `json:"identifier"`
+							} `json:"firstPatchedVersion"`
+						} `json:"securityVulnerability"`
+						SecurityAdvisory struct {
+							Description string    `json:"description"`
+							GhsaID      string    `json:"ghsaId"`
+							Permalink   string    `json:"permalink"`
+							PublishedAt time.Time `json:"publishedAt"`
+							Summary     string    `json:"summary"`
+							UpdatedAt   time.Time `json:"updatedAt"`
+							WithdrawnAt time.Time `json:"withdrawnAt"`
+							Origin      string    `json:"origin"`
+							Severity    string    `json:"severity"`
+							References  []struct {
+								URL string `json:"url"`
+							} `json:"references"`
+							Identifiers []struct {
+								Type  string `json:"type"`
+								Value string `json:"value"`
+							} `json:"identifiers"`
+						} `json:"securityAdvisory"`
+					} `json:"node"`
+				} `json:"edges"`
+			} `json:"vulnerabilityAlerts"`
+		} `json:"repository"`
+	} `json:"data"`
 }

go.mod

@@ -3,54 +3,55 @@ module github.com/future-architect/vuls
 go 1.13
 
 replace (
-	github.com/genuinetools/reg => github.com/tomoyamachi/reg v0.16.1-0.20190706172545-2a2250fd7c00
 	gopkg.in/mattn/go-colorable.v0 => github.com/mattn/go-colorable v0.1.0
 	gopkg.in/mattn/go-isatty.v0 => github.com/mattn/go-isatty v0.0.6
 )
 
 require (
-	github.com/Azure/azure-sdk-for-go v33.2.0+incompatible
-	github.com/Azure/go-autorest/autorest v0.9.1 // indirect
-	github.com/Azure/go-autorest/autorest/to v0.3.0 // indirect
+	github.com/Azure/azure-sdk-for-go v42.0.0+incompatible
 	github.com/BurntSushi/toml v0.3.1
 	github.com/RackSec/srslog v0.0.0-20180709174129-a4725f04ec91
-	github.com/aquasecurity/fanal v0.0.0-20200124194549-91468b8e0460
-	github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b
-	github.com/aquasecurity/trivy v0.1.6
+	github.com/aquasecurity/fanal v0.0.0-20200505074551-9239a362deca
+	github.com/aquasecurity/go-dep-parser v0.0.0-20200123140603-4dc0125084da // indirect
+	github.com/aquasecurity/trivy v0.8.0
+	github.com/aquasecurity/trivy-db v0.0.0-20200514134639-7e57e3e02470
 	github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a
-	github.com/aws/aws-sdk-go v1.25.31
+	github.com/aws/aws-sdk-go v1.30.16
 	github.com/boltdb/bolt v1.3.1
 	github.com/cenkalti/backoff v2.2.1+incompatible
-	github.com/dnaeon/go-vcr v1.0.1 // indirect
-	github.com/elazarl/goproxy v0.0.0-20190911111923-ecfe977594f1 // indirect
-	github.com/google/subcommands v1.0.1
-	github.com/gosuri/uitable v0.0.3
+	github.com/d4l3k/messagediff v1.2.2-0.20190829033028-7e0a312ae40b
+	github.com/google/subcommands v1.2.0
+	github.com/gosuri/uitable v0.0.4
+	github.com/hashicorp/go-uuid v1.0.2
 	github.com/hashicorp/go-version v1.2.0
-	github.com/hashicorp/uuid v0.0.0-20160311170451-ebb0a03e909c
 	github.com/howeyc/gopass v0.0.0-20190910152052-7cb4b85ec19c
-	github.com/jroimartin/gocui v0.4.0
+	github.com/jesseduffield/gocui v0.3.0
 	github.com/k0kubun/pp v3.0.1+incompatible
+	github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
 	github.com/knqyf263/go-cpe v0.0.0-20180327054844-659663f6eca2
 	github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
 	github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936
 	github.com/knqyf263/go-version v1.1.1
-	github.com/knqyf263/gost v0.1.2
-	github.com/kotakanbe/go-cve-dictionary v0.4.1
+	github.com/knqyf263/gost v0.1.3
+	github.com/kotakanbe/go-cve-dictionary v0.4.2
 	github.com/kotakanbe/go-pingscanner v0.1.0
-	github.com/kotakanbe/goval-dictionary v0.2.3
+	github.com/kotakanbe/goval-dictionary v0.2.5
 	github.com/kotakanbe/logrus-prefixed-formatter v0.0.0-20180123152602-928f7356cb96
 	github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b // indirect
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/mozqnet/go-exploitdb v0.0.0-20190911093644-f647f17ea8ca
 	github.com/nlopes/slack v0.6.0
-	github.com/nsf/termbox-go v0.0.0-20190817171036-93860e161317 // indirect
-	github.com/olekukonko/tablewriter v0.0.2-0.20190607075207-195002e6e56a
-	github.com/parnurzeal/gorequest v0.2.15
+	github.com/nsf/termbox-go v0.0.0-20200418040025-38ba6e5628f1 // indirect
+	github.com/olekukonko/tablewriter v0.0.4
+	github.com/parnurzeal/gorequest v0.2.16
 	github.com/rifflock/lfshook v0.0.0-20180920164130-b9218ef580f5
-	github.com/satori/go.uuid v1.2.0 // indirect
-	github.com/sirupsen/logrus v1.4.2
-	github.com/smartystreets/goconvey v0.0.0-20190731233626-505e41936337 // indirect
-	golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7
-	golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
-	golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7
+	github.com/sirupsen/logrus v1.5.0
+	github.com/spf13/afero v1.2.2
+	github.com/spf13/cobra v0.0.5
+	golang.org/x/crypto v0.0.0-20200414173820-0848c9571904
+	golang.org/x/lint v0.0.0-20200302205851-738671d3881b // indirect
+	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
+	golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d // indirect
+	golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543
+	k8s.io/utils v0.0.0-20191114184206-e782cd3c129f
 )

gost/microsoft.go

@@ -18,7 +18,7 @@ func (ms Microsoft) DetectUnfixed(driver db.DB, r *models.ScanResult, _ bool) (n
 	if driver == nil {
 		return 0, nil
 	}
-	var cveIDs []string
+	cveIDs := []string{}
 	for cveID := range r.ScannedCves {
 		cveIDs = append(cveIDs, cveID)
 	}
@@ -72,7 +72,7 @@ func (ms Microsoft) ConvertToModel(cve *gostmodels.MicrosoftCVE) *models.CveCont
 	if 0 < len(cve.Workaround) {
 		option["workaround"] = cve.Workaround
 	}
-	var kbids []string
+	kbids := []string{}
 	for _, kbid := range cve.KBIDs {
 		kbids = append(kbids, kbid.KBID)
 	}

gost/pseudo.go

@@ -1,9 +1,10 @@
 package gost
 
 import (
+	"strings"
+
 	"github.com/future-architect/vuls/models"
 	"github.com/knqyf263/gost/db"
-	"strings"
 )
 
 // Pseudo is Gost client except for RedHat family and Debian

gost/redhat.go

@@ -23,7 +23,7 @@ func (red RedHat) DetectUnfixed(driver db.DB, r *models.ScanResult, ignoreWillNo
 }
 
 func (red RedHat) fillFixed(driver db.DB, r *models.ScanResult) error {
-	var cveIDs []string
+	cveIDs := []string{}
 	for cveID, vuln := range r.ScannedCves {
 		if _, ok := vuln.CveContents[models.RedHatAPI]; ok {
 			continue
@@ -139,8 +139,7 @@ func (red RedHat) fillUnfixed(driver db.DB, r *models.ScanResult, ignoreWillNotF
 		}
 		for _, pack := range r.Packages {
 			// CVE-ID: RedhatCVE
-			cves := map[string]gostmodels.RedhatCVE{}
-			cves = driver.GetUnfixedCvesRedhat(major(r.Release), pack.Name, ignoreWillNotFix)
+			cves := driver.GetUnfixedCvesRedhat(major(r.Release), pack.Name, ignoreWillNotFix)
 			for _, cve := range cves {
 				cveCont := red.ConvertToModel(&cve)
 				v, ok := r.ScannedCves[cve.Name]
@@ -245,7 +244,7 @@ func (red RedHat) ConvertToModel(cve *gostmodels.RedhatCVE) *models.CveContent {
 		v3severity = cve.ThreatSeverity
 	}
 
-	var refs []models.Reference
+	refs := []models.Reference{}
 	for _, r := range cve.References {
 		refs = append(refs, models.Reference{Link: r.Reference})
 	}

libmanager/libManager.go

@@ -1,33 +1,103 @@
 package libmanager
 
 import (
-	"github.com/aquasecurity/trivy/pkg/db"
-	"github.com/aquasecurity/trivy/pkg/log"
+	"context"
 
+	db2 "github.com/aquasecurity/trivy-db/pkg/db"
+	"github.com/aquasecurity/trivy/pkg/db"
+	"github.com/aquasecurity/trivy/pkg/github"
+	"github.com/aquasecurity/trivy/pkg/indicator"
+	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/spf13/afero"
+	"golang.org/x/xerrors"
+	"k8s.io/utils/clock"
+
+	"github.com/future-architect/vuls/config"
 	"github.com/future-architect/vuls/models"
+	"github.com/future-architect/vuls/util"
 )
 
 // FillLibrary fills LibraryScanner informations
 func FillLibrary(r *models.ScanResult) (totalCnt int, err error) {
+	if len(r.LibraryScanners) == 0 {
+		return
+	}
+
 	// initialize trivy's logger and db
 	err = log.InitLogger(false, false)
 	if err != nil {
 		return 0, err
 	}
-	if err := db.Init(); err != nil {
+
+	util.Log.Info("Updating library db...")
+	if err := downloadDB(config.Version, config.Conf.TrivyCacheDBDir, config.Conf.NoProgress, false, false); err != nil {
 		return 0, err
 	}
+
+	if err := db2.Init(config.Conf.TrivyCacheDBDir); err != nil {
+		return 0, err
+	}
+	defer db2.Close()
+
 	for _, lib := range r.LibraryScanners {
 		vinfos, err := lib.Scan()
 		if err != nil {
 			return 0, err
 		}
 		for _, vinfo := range vinfos {
+			vinfo.Confidences.AppendIfMissing(models.TrivyMatch)
 			r.ScannedCves[vinfo.CveID] = vinfo
 		}
 		totalCnt += len(vinfos)
 	}
-	db.Close()
 
 	return totalCnt, nil
 }
+
+func downloadDB(appVersion, cacheDir string, quiet, light, skipUpdate bool) error {
+	client := initializeDBClient(cacheDir, quiet)
+	ctx := context.Background()
+	needsUpdate, err := client.NeedsUpdate(appVersion, light, skipUpdate)
+	if err != nil {
+		return xerrors.Errorf("database error: %w", err)
+	}
+
+	if needsUpdate {
+		util.Log.Info("Need to update DB")
+		util.Log.Info("Downloading DB...")
+		if err := client.Download(ctx, cacheDir, light); err != nil {
+			return xerrors.Errorf("failed to download vulnerability DB: %w", err)
+		}
+		if err = client.UpdateMetadata(cacheDir); err != nil {
+			return xerrors.Errorf("unable to update database metadata: %w", err)
+		}
+	}
+
+	// for debug
+	if err := showDBInfo(cacheDir); err != nil {
+		return xerrors.Errorf("failed to show database info: %w", err)
+	}
+	return nil
+}
+
+func initializeDBClient(cacheDir string, quiet bool) db.Client {
+	config := db2.Config{}
+	client := github.NewClient()
+	progressBar := indicator.NewProgressBar(quiet)
+	realClock := clock.RealClock{}
+	fs := afero.NewOsFs()
+	metadata := db.NewMetadata(fs, cacheDir)
+	dbClient := db.NewClient(config, client, progressBar, realClock, metadata)
+	return dbClient
+}
+
+func showDBInfo(cacheDir string) error {
+	m := db.NewMetadata(afero.NewOsFs(), cacheDir)
+	metadata, err := m.Get()
+	if err != nil {
+		return xerrors.Errorf("something wrong with DB: %w", err)
+	}
+	util.Log.Debugf("DB Schema: %d, Type: %d, UpdatedAt: %s, NextUpdate: %s",
+		metadata.Version, metadata.Type, metadata.UpdatedAt, metadata.NextUpdate)
+	return nil
+}

models/cvecontents.go

@@ -3,7 +3,7 @@ package models
 import (
 	"time"
 
-	"github.com/aquasecurity/trivy/pkg/vulnsrc/vulnerability"
+	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
 )
 
 // CveContents has CveContent
@@ -223,16 +223,18 @@ func NewCveContentType(name string) CveContentType {
 		return WPVulnDB
 	case "amazon":
 		return Amazon
-	case vulnerability.NodejsSecurityWg:
-		return NodeSec
-	case vulnerability.PythonSafetyDB:
-		return PythonSec
-	case vulnerability.RustSec:
-		return RustSec
-	case vulnerability.PhpSecurityAdvisories:
-		return PhpSec
-	case vulnerability.RubySec:
-		return RubySec
+	case "trivy":
+		return Trivy
+	// case vulnerability.NodejsSecurityWg:
+	// 	return NodeSec
+	// case vulnerability.PythonSafetyDB:
+	// 	return PythonSec
+	// case vulnerability.RustSec:
+	// 	return RustSec
+	// case vulnerability.PhpSecurityAdvisories:
+	// 	return PhpSec
+	// case vulnerability.RubySec:
+	// 	return RubySec
 	default:
 		return Unknown
 	}
@@ -278,20 +280,23 @@ const (
 	// WPVulnDB is WordPress
 	WPVulnDB CveContentType = "wpvulndb"
 
+	// Trivy is Trivy
+	Trivy CveContentType = "trivy"
+
 	// NodeSec : for JS
-	NodeSec CveContentType = "node"
+	// NodeSec CveContentType = "node"
 
-	// PythonSec : for PHP
-	PythonSec CveContentType = "python"
+	// // PythonSec : for PHP
+	// PythonSec CveContentType = "python"
 
-	// PhpSec : for PHP
-	PhpSec CveContentType = "php"
+	// // PhpSec : for PHP
+	// PhpSec CveContentType = "php"
 
-	// RubySec : for Ruby
-	RubySec CveContentType = "ruby"
+	// // RubySec : for Ruby
+	// RubySec CveContentType = "ruby"
 
-	// RustSec : for Rust
-	RustSec CveContentType = "rust"
+	// // RustSec : for Rust
+	// RustSec CveContentType = "rust"
 
 	// Unknown is Unknown
 	Unknown CveContentType = "unknown"
@@ -313,11 +318,12 @@ var AllCveContetTypes = CveContentTypes{
 	SUSE,
 	DebianSecurityTracker,
 	WPVulnDB,
-	NodeSec,
-	PythonSec,
-	PhpSec,
-	RubySec,
-	RustSec,
+	Trivy,
+	// NodeSec,
+	// PythonSec,
+	// PhpSec,
+	// RubySec,
+	// RustSec,
 }
 
 // Except returns CveContentTypes except for given args

models/library.go

@@ -3,15 +3,35 @@ package models
 import (
 	"path/filepath"
 
-	"github.com/aquasecurity/trivy/pkg/scanner/library"
-	"github.com/aquasecurity/trivy/pkg/vulnsrc/vulnerability"
+	"github.com/aquasecurity/trivy-db/pkg/db"
+	trivyDBTypes "github.com/aquasecurity/trivy-db/pkg/types"
+	"github.com/aquasecurity/trivy/pkg/detector/library"
+
+	"github.com/aquasecurity/trivy/pkg/types"
 	"github.com/future-architect/vuls/util"
 	"golang.org/x/xerrors"
 
-	"github.com/aquasecurity/go-dep-parser/pkg/types"
+	// "github.com/aquasecurity/go-dep-parser/pkg/types"
 	"github.com/knqyf263/go-version"
 )
 
+// LibraryScanners is an array of LibraryScanner
+type LibraryScanners []LibraryScanner
+
+// Find : find by name
+func (lss LibraryScanners) Find(name string) map[string]types.Library {
+	filtered := map[string]types.Library{}
+	for _, ls := range lss {
+		for _, lib := range ls.Libs {
+			if lib.Name == name {
+				filtered[ls.Path] = lib
+				break
+			}
+		}
+	}
+	return filtered
+}
+
 // LibraryScanner has libraries information
 type LibraryScanner struct {
 	Path string
@@ -20,18 +40,12 @@ type LibraryScanner struct {
 
 // Scan : scan target library
 func (s LibraryScanner) Scan() ([]VulnInfo, error) {
-	scanner := library.NewScanner(filepath.Base(string(s.Path)))
+	scanner := library.DriverFactory{}.NewDriver(filepath.Base(string(s.Path)))
 	if scanner == nil {
 		return nil, xerrors.New("unknown file type")
 	}
 
-	util.Log.Info("Updating library db...")
-	err := scanner.UpdateDB()
-	if err != nil {
-		return nil, xerrors.Errorf("failed to update %s advisories: %w", scanner.Type(), err)
-	}
-
-	var vulnerabilities []VulnInfo
+	var vulnerabilities = []VulnInfo{}
 	for _, pkg := range s.Libs {
 		v, err := version.NewVersion(pkg.Version)
 		if err != nil {
@@ -43,6 +57,9 @@ func (s LibraryScanner) Scan() ([]VulnInfo, error) {
 		if err != nil {
 			return nil, xerrors.Errorf("failed to detect %s vulnerabilities: %w", scanner.Type(), err)
 		}
+		if len(tvulns) == 0 {
+			continue
+		}
 
 		vulns := s.convertFanalToVuln(tvulns)
 		vulnerabilities = append(vulnerabilities, vulns...)
@@ -51,25 +68,27 @@ func (s LibraryScanner) Scan() ([]VulnInfo, error) {
 	return vulnerabilities, nil
 }
 
-func (s LibraryScanner) convertFanalToVuln(tvulns []vulnerability.DetectedVulnerability) (vulns []VulnInfo) {
+func (s LibraryScanner) convertFanalToVuln(tvulns []types.DetectedVulnerability) (vulns []VulnInfo) {
 	for _, tvuln := range tvulns {
-		vinfo, _ := s.getVulnDetail(tvuln)
+		vinfo, err := s.getVulnDetail(tvuln)
+		if err != nil {
+			util.Log.Debugf("failed to getVulnDetail. err: %s, tvun: %#v", err, tvuln)
+			continue
+		}
 		vulns = append(vulns, vinfo)
 	}
 	return vulns
 }
 
-func (s LibraryScanner) getVulnDetail(tvuln vulnerability.DetectedVulnerability) (vinfo VulnInfo, err error) {
-	details, err := vulnerability.Get(tvuln.VulnerabilityID)
+func (s LibraryScanner) getVulnDetail(tvuln types.DetectedVulnerability) (vinfo VulnInfo, err error) {
+	vul, err := db.Config{}.GetVulnerability(tvuln.VulnerabilityID)
 	if err != nil {
 		return vinfo, err
-	} else if len(details) == 0 {
-		return vinfo, xerrors.Errorf("Unknown vulnID : %s", tvuln.VulnerabilityID)
 	}
-	vinfo.CveID = tvuln.VulnerabilityID
-	vinfo.CveContents = getCveContents(details)
-	if tvuln.FixedVersion != "" {
 
+	vinfo.CveID = tvuln.VulnerabilityID
+	vinfo.CveContents = getCveContents(tvuln.VulnerabilityID, vul)
+	if tvuln.FixedVersion != "" {
 		vinfo.LibraryFixedIns = []LibraryFixedIn{
 			{
 				Key:     s.GetLibraryKey(),
@@ -81,38 +100,22 @@ func (s LibraryScanner) getVulnDetail(tvuln vulnerability.DetectedVulnerability)
 	return vinfo, nil
 }
 
-func getCveContents(details map[string]vulnerability.Vulnerability) (contents map[CveContentType]CveContent) {
+func getCveContents(cveID string, vul trivyDBTypes.Vulnerability) (contents map[CveContentType]CveContent) {
 	contents = map[CveContentType]CveContent{}
-	for source, detail := range details {
-		refs := []Reference{}
-		for _, refURL := range detail.References {
-			refs = append(refs, Reference{Source: refURL, Link: refURL})
-		}
-
-		content := CveContent{
-			Type:          NewCveContentType(source),
-			CveID:         detail.ID,
-			Title:         detail.Title,
-			Summary:       detail.Description,
-			Cvss3Score:    detail.CvssScoreV3,
-			Cvss3Severity: string(detail.SeverityV3),
-			Cvss2Score:    detail.CvssScore,
-			Cvss2Severity: string(detail.Severity),
-			References:    refs,
-
-			//SourceLink    string            `json:"sourceLink"`
-			//Cvss2Vector   string            `json:"cvss2Vector"`
-			//Cvss3Vector   string            `json:"cvss3Vector"`
-			//Cvss3Severity string            `json:"cvss3Severity"`
-			//Cpes          []Cpe             `json:"cpes,omitempty"`
-			//CweIDs        []string          `json:"cweIDs,omitempty"`
-			//Published     time.Time         `json:"published"`
-			//LastModified  time.Time         `json:"lastModified"`
-			//Mitigation    string            `json:"mitigation"` // RedHat API
-			//Optional      map[string]string `json:"optional,omitempty"`
-		}
-		contents[NewCveContentType(source)] = content
+	refs := []Reference{}
+	for _, refURL := range vul.References {
+		refs = append(refs, Reference{Source: "trivy", Link: refURL})
 	}
+
+	content := CveContent{
+		Type:          Trivy,
+		CveID:         cveID,
+		Title:         vul.Title,
+		Summary:       vul.Description,
+		Cvss3Severity: string(vul.Severity),
+		References:    refs,
+	}
+	contents[Trivy] = content
 	return contents
 }
 
@@ -122,7 +125,7 @@ var LibraryMap = map[string]string{
 	"yarn.lock":         "node",
 	"Gemfile.lock":      "ruby",
 	"Cargo.lock":        "rust",
-	"composer.json":     "php",
+	"composer.lock":     "php",
 	"Pipfile.lock":      "python",
 	"poetry.lock":       "python",
 }

models/library_test.go

@@ -1,52 +1,99 @@
 package models
 
 import (
+	"reflect"
 	"testing"
 
-	godeptypes "github.com/aquasecurity/go-dep-parser/pkg/types"
-	"github.com/aquasecurity/trivy/pkg/db"
-	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/aquasecurity/trivy/pkg/types"
 )
 
-func TestScan(t *testing.T) {
-	var tests = []struct {
-		path string
-		pkgs []godeptypes.Library
+func TestLibraryScanners_Find(t *testing.T) {
+	type args struct {
+		name string
+	}
+	tests := []struct {
+		name string
+		lss  LibraryScanners
+		args args
+		want map[string]types.Library
 	}{
 		{
-			path: "app/package-lock.json",
-			pkgs: []godeptypes.Library{
+			name: "single file",
+			lss: LibraryScanners{
 				{
-					Name:    "jquery",
-					Version: "2.2.4",
+					Path: "/pathA",
+					Libs: []types.Library{
+						{
+							Name:    "libA",
+							Version: "1.0.0",
+						},
+					},
 				},
-				{
-					Name:    "@babel/traverse",
-					Version: "7.4.4",
+			},
+			args: args{"libA"},
+			want: map[string]types.Library{
+				"/pathA": {
+					Name:    "libA",
+					Version: "1.0.0",
 				},
 			},
 		},
+		{
+			name: "multi file",
+			lss: LibraryScanners{
+				{
+					Path: "/pathA",
+					Libs: []types.Library{
+						{
+							Name:    "libA",
+							Version: "1.0.0",
+						},
+					},
+				},
+				{
+					Path: "/pathB",
+					Libs: []types.Library{
+						{
+							Name:    "libA",
+							Version: "1.0.5",
+						},
+					},
+				},
+			},
+			args: args{"libA"},
+			want: map[string]types.Library{
+				"/pathA": {
+					Name:    "libA",
+					Version: "1.0.0",
+				},
+				"/pathB": {
+					Name:    "libA",
+					Version: "1.0.5",
+				},
+			},
+		},
+		{
+			name: "miss",
+			lss: LibraryScanners{
+				{
+					Path: "/pathA",
+					Libs: []types.Library{
+						{
+							Name:    "libA",
+							Version: "1.0.0",
+						},
+					},
+				},
+			},
+			args: args{"libB"},
+			want: map[string]types.Library{},
+		},
 	}
-
-	if err := log.InitLogger(false, false); err != nil {
-		t.Errorf("trivy logger failed")
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := tt.lss.Find(tt.args.name); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("LibraryScanners.Find() = %v, want %v", got, tt.want)
+			}
+		})
 	}
-
-	if err := db.Init(); err != nil {
-		t.Errorf("trivy db.Init failed")
-	}
-	for _, v := range tests {
-		lib := LibraryScanner{
-			Path: v.path,
-			Libs: v.pkgs,
-		}
-		actual, err := lib.Scan()
-		if err != nil {
-			t.Errorf("error occurred")
-		}
-		if len(actual) == 0 {
-			t.Errorf("no vuln found : actual: %v\n", actual)
-		}
-	}
-	db.Close()
 }

models/scanresults.go

@@ -24,7 +24,6 @@ type ScanResult struct {
 	Family           string                `json:"family"`
 	Release          string                `json:"release"`
 	Container        Container             `json:"container"`
-	Image            Image                 `json:"image"`
 	Platform         Platform              `json:"platform"`
 	IPv4Addrs        []string              `json:"ipv4Addrs,omitempty"` // only global unicast address (https://golang.org/pkg/net/#IP.IsGlobalUnicast)
 	IPv6Addrs        []string              `json:"ipv6Addrs,omitempty"` // only global unicast address (https://golang.org/pkg/net/#IP.IsGlobalUnicast)
@@ -49,7 +48,7 @@ type ScanResult struct {
 	Packages          Packages               `json:"packages"`
 	SrcPackages       SrcPackages            `json:",omitempty"`
 	WordPressPackages *WordPressPackages     `json:",omitempty"`
-	LibraryScanners   []LibraryScanner       `json:"libScanners"`
+	LibraryScanners   LibraryScanners        `json:"libraries,omitempty"`
 	CweDict           CweDict                `json:"cweDict,omitempty"`
 	Optional          map[string]interface{} `json:",omitempty"`
 	Config            struct {
@@ -196,7 +195,7 @@ func (r ScanResult) FilterUnfixed() ScanResult {
 
 // FilterIgnorePkgs is filter function.
 func (r ScanResult) FilterIgnorePkgs() ScanResult {
-	ignorePkgsRegexps := []string{}
+	var ignorePkgsRegexps []string
 	if len(r.Container.Name) == 0 {
 		ignorePkgsRegexps = config.Conf.Servers[r.ServerName].IgnorePkgsRegexp
 	} else {
@@ -435,11 +434,6 @@ func (r ScanResult) IsContainer() bool {
 	return 0 < len(r.Container.ContainerID)
 }
 
-// IsImage returns whether this ServerInfo is about container
-func (r ScanResult) IsImage() bool {
-	return 0 < len(r.Image.Name)
-}
-
 // IsDeepScanMode checks if the scan mode is deep scan mode.
 func (r ScanResult) IsDeepScanMode() bool {
 	for _, s := range r.Config.Scan.Servers {
@@ -461,13 +455,6 @@ type Container struct {
 	UUID        string `json:"uuid"`
 }
 
-// Image has Container information
-type Image struct {
-	Name   string `json:"name"`
-	Tag    string `json:"tag"`
-	Digest string `json:"digest"`
-}
-
 // Platform has platform information
 type Platform struct {
 	Name       string `json:"name"` // aws or azure or gcp or other...

models/utils.go

@@ -6,60 +6,18 @@ import (
 	cvedict "github.com/kotakanbe/go-cve-dictionary/models"
 )
 
-// ConvertNvdXMLToModel convert NVD to CveContent
-func ConvertNvdXMLToModel(cveID string, nvd *cvedict.NvdXML) *CveContent {
-	if nvd == nil {
-		return nil
-	}
-	var cpes []Cpe
-	for _, c := range nvd.Cpes {
-		cpes = append(cpes, Cpe{
-			FormattedString: c.FormattedString,
-			URI:             c.URI,
-		})
-	}
-
-	var refs []Reference
-	for _, r := range nvd.References {
-		refs = append(refs, Reference{
-			Link:   r.Link,
-			Source: r.Source,
-		})
-	}
-
-	cweIDs := []string{}
-	for _, cid := range nvd.Cwes {
-		cweIDs = append(cweIDs, cid.CweID)
-	}
-
-	return &CveContent{
-		Type:          Nvd,
-		CveID:         cveID,
-		Summary:       nvd.Summary,
-		Cvss2Score:    nvd.Cvss2.BaseScore,
-		Cvss2Vector:   nvd.Cvss2.VectorString,
-		Cvss2Severity: nvd.Cvss2.Severity,
-		SourceLink:    "https://nvd.nist.gov/vuln/detail/" + cveID,
-		// Cpes:          cpes,
-		CweIDs:       cweIDs,
-		References:   refs,
-		Published:    nvd.PublishedDate,
-		LastModified: nvd.LastModifiedDate,
-	}
-}
-
 // ConvertJvnToModel convert JVN to CveContent
 func ConvertJvnToModel(cveID string, jvn *cvedict.Jvn) *CveContent {
 	if jvn == nil {
 		return nil
 	}
-	var cpes []Cpe
-	for _, c := range jvn.Cpes {
-		cpes = append(cpes, Cpe{
-			FormattedString: c.FormattedString,
-			URI:             c.URI,
-		})
-	}
+	// var cpes = []Cpe{}
+	// for _, c := range jvn.Cpes {
+	// 	cpes = append(cpes, Cpe{
+	// 		FormattedString: c.FormattedString,
+	// 		URI:             c.URI,
+	// 	})
+	// }
 
 	refs := []Reference{}
 	for _, r := range jvn.References {
@@ -93,15 +51,15 @@ func ConvertNvdJSONToModel(cveID string, nvd *cvedict.NvdJSON) *CveContent {
 	if nvd == nil {
 		return nil
 	}
-	var cpes []Cpe
-	for _, c := range nvd.Cpes {
-		cpes = append(cpes, Cpe{
-			FormattedString: c.FormattedString,
-			URI:             c.URI,
-		})
-	}
+	// var cpes = []Cpe{}
+	// for _, c := range nvd.Cpes {
+	// 	cpes = append(cpes, Cpe{
+	// 		FormattedString: c.FormattedString,
+	// 		URI:             c.URI,
+	// 	})
+	// }
 
-	var refs []Reference
+	var refs = []Reference{}
 	for _, r := range nvd.References {
 		refs = append(refs, Reference{
 			Link:   r.Link,

models/vulninfos.go

@@ -200,6 +200,14 @@ type GitHubSecurityAlert struct {
 // LibraryFixedIns is a list of Library's FixedIn
 type LibraryFixedIns []LibraryFixedIn
 
+// Names return a slice of names
+func (lfs LibraryFixedIns) Names() (names []string) {
+	for _, lf := range lfs {
+		names = append(names, lf.Name)
+	}
+	return names
+}
+
 // WpPackageFixStats is a list of WpPackageFixStatus
 type WpPackageFixStats []WpPackageFixStatus
 
@@ -237,7 +245,7 @@ func (v VulnInfo) Titles(lang, myFamily string) (values []CveContentStr) {
 		values = append(values, CveContentStr{RedHatAPI, cont.Title})
 	}
 
-	order := CveContentTypes{Nvd, NvdXML, NewCveContentType(myFamily)}
+	order := CveContentTypes{Trivy, Nvd, NvdXML, NewCveContentType(myFamily)}
 	order = append(order, AllCveContetTypes.Except(append(order, Jvn)...)...)
 	for _, ctype := range order {
 		// Only JVN has meaningful title. so return first 100 char of summary
@@ -277,7 +285,7 @@ func (v VulnInfo) Summaries(lang, myFamily string) (values []CveContentStr) {
 		}
 	}
 
-	order := CveContentTypes{NewCveContentType(myFamily), Nvd, NvdXML}
+	order := CveContentTypes{Trivy, NewCveContentType(myFamily), Nvd, NvdXML}
 	order = append(order, AllCveContetTypes.Except(append(order, Jvn)...)...)
 	for _, ctype := range order {
 		if cont, found := v.CveContents[ctype]; found && 0 < len(cont.Summary) {
@@ -415,6 +423,18 @@ func (v VulnInfo) Cvss3Scores() (values []CveContentCvss) {
 			})
 		}
 	}
+
+	if cont, found := v.CveContents[Trivy]; found && cont.Cvss3Severity != "" {
+		values = append(values, CveContentCvss{
+			Type: Trivy,
+			Value: Cvss{
+				Type:     CVSS3,
+				Score:    severityToV2ScoreRoughly(cont.Cvss3Severity),
+				Severity: strings.ToUpper(cont.Cvss3Severity),
+			},
+		})
+	}
+
 	return
 }
 
@@ -567,6 +587,13 @@ func (v VulnInfo) PatchStatus(packs Packages) string {
 			return "unfixed"
 		}
 
+		// Fast and offline mode can not get the candidate version.
+		// Vuls can be considered as 'fixed' if not-fixed-yet==true and
+		// the fixed-in-version (information in the oval) is not an empty.
+		if p.FixedIn != "" {
+			continue
+		}
+
 		// fast, offline mode doesn't have new version
 		if pack, ok := packs[p.Name]; ok {
 			if pack.NewVersion == "" {
@@ -617,15 +644,6 @@ func (c Cvss) Format() string {
 	return ""
 }
 
-func cvss2ScoreToSeverity(score float64) string {
-	if 7.0 <= score {
-		return "HIGH"
-	} else if 4.0 <= score {
-		return "MEDIUM"
-	}
-	return "LOW"
-}
-
 // Amazon Linux Security Advisory
 // Critical, Important, Medium, Low
 // https://alas.aws.amazon.com/
@@ -848,6 +866,9 @@ const (
 	// DebianSecurityTrackerMatchStr is a String representation of DebianSecurityTrackerMatch
 	DebianSecurityTrackerMatchStr = "DebianSecurityTrackerMatch"
 
+	// TrivyMatchStr is a String representation of Trivy
+	TrivyMatchStr = "TrivyMatch"
+
 	// ChangelogExactMatchStr is a String representation of ChangelogExactMatch
 	ChangelogExactMatchStr = "ChangelogExactMatch"
 
@@ -886,6 +907,9 @@ var (
 	// DebianSecurityTrackerMatch ranking how confident the CVE-ID was deteted correctly
 	DebianSecurityTrackerMatch = Confidence{100, DebianSecurityTrackerMatchStr, 0}
 
+	// TrivyMatch ranking how confident the CVE-ID was deteted correctly
+	TrivyMatch = Confidence{100, TrivyMatchStr, 0}
+
 	// ChangelogExactMatch is a ranking how confident the CVE-ID was deteted correctly
 	ChangelogExactMatch = Confidence{95, ChangelogExactMatchStr, 3}
 

oval/debian.go

@@ -2,6 +2,7 @@ package oval
 
 import (
 	"fmt"
+	"strings"
 
 	"github.com/future-architect/vuls/config"
 	"github.com/future-architect/vuls/models"
@@ -75,7 +76,7 @@ func (o DebianBase) update(r *models.ScanResult, defPacks defPacks) {
 }
 
 func (o DebianBase) convertToModel(def *ovalmodels.Definition) *models.CveContent {
-	var refs []models.Reference
+	refs := []models.Reference{}
 	for _, r := range def.References {
 		refs = append(refs, models.Reference{
 			Link:   r.RefURL,
@@ -189,61 +190,135 @@ func (o Ubuntu) FillWithOval(driver db.DB, r *models.ScanResult) (nCVEs int, err
 	switch major(r.Release) {
 	case "14":
 		kernelNamesInOval := []string{
-			"linux",
 			"linux-aws",
 			"linux-azure",
-			"linux-firmware",
-			"linux-lts-utopic",
-			"linux-lts-vivid",
-			"linux-lts-wily",
 			"linux-lts-xenial",
+			"linux-meta",
+			"linux-meta-aws",
+			"linux-meta-azure",
+			"linux-meta-lts-xenial",
+			"linux-signed",
+			"linux-signed-azure",
+			"linux-signed-lts-xenial",
+			"linux",
 		}
 		return o.fillWithOval(driver, r, kernelNamesInOval)
 	case "16":
 		kernelNamesInOval := []string{
-			"linux-image-aws",
-			"linux-image-aws-hwe",
-			"linux-image-azure",
-			"linux-image-extra-virtual",
-			"linux-image-extra-virtual-lts-utopic",
-			"linux-image-extra-virtual-lts-vivid",
-			"linux-image-extra-virtual-lts-wily",
-			"linux-image-extra-virtual-lts-xenial",
-			"linux-image-gcp",
-			"linux-image-generic-lpae",
-			"linux-image-generic-lpae-hwe-16.04",
-			"linux-image-generic-lpae-lts-utopic",
-			"linux-image-generic-lpae-lts-vivid",
-			"linux-image-generic-lpae-lts-wily",
-			"linux-image-generic-lpae-lts-xenial",
-			"linux-image-generic-lts-utopic",
-			"linux-image-generic-lts-vivid",
-			"linux-image-generic-lts-wily",
-			"linux-image-generic-lts-xenial",
-			"linux-image-gke",
-			"linux-image-hwe-generic-trusty",
-			"linux-image-hwe-virtual-trusty",
-			"linux-image-kvm",
-			"linux-image-lowlatency",
-			"linux-image-lowlatency-lts-utopic",
-			"linux-image-lowlatency-lts-vivid",
-			"linux-image-lowlatency-lts-wily",
+			"linux-aws",
+			"linux-aws-hwe",
+			"linux-azure",
+			"linux-euclid",
+			"linux-flo",
+			"linux-gcp",
+			"linux-gke",
+			"linux-goldfish",
+			"linux-hwe",
+			"linux-kvm",
+			"linux-mako",
+			"linux-meta",
+			"linux-meta-aws",
+			"linux-meta-aws-hwe",
+			"linux-meta-azure",
+			"linux-meta-gcp",
+			"linux-meta-hwe",
+			"linux-meta-kvm",
+			"linux-meta-oracle",
+			"linux-meta-raspi2",
+			"linux-meta-snapdragon",
+			"linux-oem",
+			"linux-oracle",
+			"linux-raspi2",
+			"linux-signed",
+			"linux-signed-azure",
+			"linux-signed-gcp",
+			"linux-signed-hwe",
+			"linux-signed-oracle",
+			"linux-snapdragon",
+			"linux",
 		}
 		return o.fillWithOval(driver, r, kernelNamesInOval)
 	case "18":
 		kernelNamesInOval := []string{
-			"linux-image-aws",
-			"linux-image-azure",
-			"linux-image-extra-virtual",
-			"linux-image-gcp",
-			"linux-image-generic-lpae",
-			"linux-image-kvm",
-			"linux-image-lowlatency",
-			"linux-image-oem",
-			"linux-image-oracle",
-			"linux-image-raspi2",
-			"linux-image-snapdragon",
-			"linux-image-virtual",
+			"linux-aws",
+			"linux-aws-5.0",
+			"linux-azure",
+			"linux-gcp",
+			"linux-gcp-5.3",
+			"linux-gke-4.15",
+			"linux-gke-5.0",
+			"linux-gke-5.3",
+			"linux-hwe",
+			"linux-kvm",
+			"linux-meta",
+			"linux-meta-aws",
+			"linux-meta-aws-5.0",
+			"linux-meta-azure",
+			"linux-meta-gcp",
+			"linux-meta-gcp-5.3",
+			"linux-meta-gke-4.15",
+			"linux-meta-gke-5.0",
+			"linux-meta-gke-5.3",
+			"linux-meta-hwe",
+			"linux-meta-kvm",
+			"linux-meta-oem",
+			"linux-meta-oem-osp1",
+			"linux-meta-oracle",
+			"linux-meta-oracle-5.0",
+			"linux-meta-oracle-5.3",
+			"linux-meta-raspi2",
+			"linux-meta-raspi2-5.3",
+			"linux-meta-snapdragon",
+			"linux-oem",
+			"linux-oem-osp1",
+			"linux-oracle",
+			"linux-oracle-5.0",
+			"linux-oracle-5.3",
+			"linux-raspi2",
+			"linux-raspi2-5.3",
+			"linux-signed",
+			"linux-signed-azure",
+			"linux-signed-gcp",
+			"linux-signed-gcp-5.3",
+			"linux-signed-gke-4.15",
+			"linux-signed-gke-5.0",
+			"linux-signed-gke-5.3",
+			"linux-signed-hwe",
+			"linux-signed-oem",
+			"linux-signed-oem-osp1",
+			"linux-signed-oracle",
+			"linux-signed-oracle-5.0",
+			"linux-signed-oracle-5.3",
+			"linux-snapdragon",
+			"linux",
+		}
+		return o.fillWithOval(driver, r, kernelNamesInOval)
+	case "20":
+		kernelNamesInOval := []string{
+			"linux-aws",
+			"linux-azure",
+			"linux-gcp",
+			"linux-kvm",
+			"linux-meta",
+			"linux-meta-aws",
+			"linux-meta-azure",
+			"linux-meta-gcp",
+			"linux-meta-kvm",
+			"linux-meta-oem-5.6",
+			"linux-meta-oracle",
+			"linux-meta-raspi",
+			"linux-meta-riscv",
+			"linux-oem-5.6",
+			"linux-oracle",
+			"linux-raspi",
+			"linux-raspi2",
+			"linux-riscv",
+			"linux-signed",
+			"linux-signed-azure",
+			"linux-signed-gcp",
+			"linux-signed-oem-5.6",
+			"linux-signed-oracle",
+			"linux",
 		}
 		return o.fillWithOval(driver, r, kernelNamesInOval)
 	}
@@ -251,12 +326,12 @@ func (o Ubuntu) FillWithOval(driver db.DB, r *models.ScanResult) (nCVEs int, err
 }
 
 func (o Ubuntu) fillWithOval(driver db.DB, r *models.ScanResult, kernelNamesInOval []string) (nCVEs int, err error) {
-	// kernel names in OVAL except for linux-image-generic
 	linuxImage := "linux-image-" + r.RunningKernel.Release
 	runningKernelVersion := ""
 	kernelPkgInOVAL := ""
-	isOVALKernelPkgAdded := true
+	isOVALKernelPkgAdded := false
 	unusedKernels := []models.Package{}
+	copiedSourcePkgs := models.SrcPackages{}
 
 	if r.Container.ContainerID == "" {
 		if v, ok := r.Packages[linuxImage]; ok {
@@ -281,17 +356,31 @@ func (o Ubuntu) fillWithOval(driver db.DB, r *models.ScanResult, kernelNamesInOv
 			}
 		}
 
-		if kernelPkgInOVAL == "" {
-			if r.Release == "14" {
-				kernelPkgInOVAL = "linux"
-			} else if _, ok := r.Packages["linux-image-generic"]; !ok {
-				util.Log.Warnf("The OVAL name of the running kernel image %s is not found. So vulns of linux-image-generic wll be detected. server: %s",
-					r.RunningKernel.Version, r.ServerName)
-				kernelPkgInOVAL = "linux-image-generic"
-			} else {
-				isOVALKernelPkgAdded = false
+		// Remove linux-* in order to detect only vulnerabilities in the running kernel.
+		for n := range r.Packages {
+			if n != kernelPkgInOVAL && strings.HasPrefix(n, "linux-") {
+				unusedKernels = append(unusedKernels, r.Packages[n])
+				delete(r.Packages, n)
 			}
 		}
+		for srcPackName, srcPack := range r.SrcPackages {
+			copiedSourcePkgs[srcPackName] = srcPack
+			targetBianryNames := []string{}
+			for _, n := range srcPack.BinaryNames {
+				if n == kernelPkgInOVAL || !strings.HasPrefix(n, "linux-") {
+					targetBianryNames = append(targetBianryNames, n)
+				}
+			}
+			srcPack.BinaryNames = targetBianryNames
+			r.SrcPackages[srcPackName] = srcPack
+		}
+
+		if kernelPkgInOVAL == "" {
+			util.Log.Warnf("The OVAL name of the running kernel image %+v is not found. So vulns of `linux` wll be detected. server: %s",
+				r.RunningKernel, r.ServerName)
+			kernelPkgInOVAL = "linux"
+			isOVALKernelPkgAdded = true
+		}
 
 		if runningKernelVersion != "" {
 			r.Packages[kernelPkgInOVAL] = models.Package{
@@ -318,6 +407,7 @@ func (o Ubuntu) fillWithOval(driver db.DB, r *models.ScanResult, kernelNamesInOv
 	for _, p := range unusedKernels {
 		r.Packages[p.Name] = p
 	}
+	r.SrcPackages = copiedSourcePkgs
 
 	for _, defPacks := range relatedDefs.entries {
 		// Remove "linux" added above for searching oval

oval/debian_test.go

@@ -34,7 +34,7 @@ func TestPackNamesOfUpdateDebian(t *testing.T) {
 					},
 				},
 				binpkgFixstat: map[string]fixStat{
-					"packB": fixStat{
+					"packB": {
 						notFixedYet: true,
 						fixedIn:     "1.0.0",
 					},

oval/redhat_test.go

@@ -111,7 +111,7 @@ func TestPackNamesOfUpdate(t *testing.T) {
 					},
 				},
 				binpkgFixstat: map[string]fixStat{
-					"packB": fixStat{
+					"packB": {
 						notFixedYet: true,
 						fixedIn:     "1.0.0",
 					},

oval/suse.go

@@ -86,7 +86,7 @@ func (o SUSE) update(r *models.ScanResult, defPacks defPacks) {
 }
 
 func (o SUSE) convertToModel(def *ovalmodels.Definition) *models.CveContent {
-	var refs []models.Reference
+	refs := []models.Reference{}
 	for _, r := range def.References {
 		refs = append(refs, models.Reference{
 			Link:   r.RefURL,

oval/util.go

@@ -11,6 +11,7 @@ import (
 	"github.com/future-architect/vuls/config"
 	"github.com/future-architect/vuls/models"
 	"github.com/future-architect/vuls/util"
+	apkver "github.com/knqyf263/go-apk-version"
 	debver "github.com/knqyf263/go-deb-version"
 	rpmver "github.com/knqyf263/go-rpm-version"
 	"github.com/kotakanbe/goval-dictionary/db"
@@ -358,15 +359,26 @@ func isOvalDefAffected(def ovalmodels.Definition, req request, family string, ru
 var centosVerPattern = regexp.MustCompile(`\.[es]l(\d+)(?:_\d+)?(?:\.centos)?`)
 var esVerPattern = regexp.MustCompile(`\.el(\d+)(?:_\d+)?`)
 
-func lessThan(family, versionRelease string, packB ovalmodels.Package) (bool, error) {
+func lessThan(family, newVer string, packInOVAL ovalmodels.Package) (bool, error) {
 	switch family {
 	case config.Debian,
 		config.Ubuntu:
-		vera, err := debver.NewVersion(versionRelease)
+		vera, err := debver.NewVersion(newVer)
 		if err != nil {
 			return false, err
 		}
-		verb, err := debver.NewVersion(packB.Version)
+		verb, err := debver.NewVersion(packInOVAL.Version)
+		if err != nil {
+			return false, err
+		}
+		return vera.LessThan(verb), nil
+
+	case config.Alpine:
+		vera, err := apkver.NewVersion(newVer)
+		if err != nil {
+			return false, err
+		}
+		verb, err := apkver.NewVersion(packInOVAL.Version)
 		if err != nil {
 			return false, err
 		}
@@ -374,16 +386,15 @@ func lessThan(family, versionRelease string, packB ovalmodels.Package) (bool, er
 
 	case config.Oracle,
 		config.SUSEEnterpriseServer,
-		config.Alpine,
 		config.Amazon:
-		vera := rpmver.NewVersion(versionRelease)
-		verb := rpmver.NewVersion(packB.Version)
+		vera := rpmver.NewVersion(newVer)
+		verb := rpmver.NewVersion(packInOVAL.Version)
 		return vera.LessThan(verb), nil
 
 	case config.RedHat,
 		config.CentOS:
-		vera := rpmver.NewVersion(centosVerPattern.ReplaceAllString(versionRelease, ".el$1"))
-		verb := rpmver.NewVersion(esVerPattern.ReplaceAllString(packB.Version, ".el$1"))
+		vera := rpmver.NewVersion(centosVerPattern.ReplaceAllString(newVer, ".el$1"))
+		verb := rpmver.NewVersion(esVerPattern.ReplaceAllString(packInOVAL.Version, ".el$1"))
 		return vera.LessThan(verb), nil
 
 	default:

oval/util_test.go

@@ -38,7 +38,7 @@ func TestUpsert(t *testing.T) {
 							DefinitionID: "1111",
 						},
 						binpkgFixstat: map[string]fixStat{
-							"pack1": fixStat{
+							"pack1": {
 								notFixedYet: true,
 								fixedIn:     "1.0.0",
 							},
@@ -56,7 +56,7 @@ func TestUpsert(t *testing.T) {
 							DefinitionID: "1111",
 						},
 						binpkgFixstat: map[string]fixStat{
-							"pack1": fixStat{
+							"pack1": {
 								notFixedYet: true,
 								fixedIn:     "1.0.0",
 							},
@@ -67,7 +67,7 @@ func TestUpsert(t *testing.T) {
 							DefinitionID: "2222",
 						},
 						binpkgFixstat: map[string]fixStat{
-							"pack3": fixStat{
+							"pack3": {
 								notFixedYet: true,
 								fixedIn:     "2.0.0",
 							},
@@ -91,11 +91,11 @@ func TestUpsert(t *testing.T) {
 							DefinitionID: "1111",
 						},
 						binpkgFixstat: map[string]fixStat{
-							"pack1": fixStat{
+							"pack1": {
 								notFixedYet: true,
 								fixedIn:     "1.0.0",
 							},
-							"pack2": fixStat{
+							"pack2": {
 								notFixedYet: false,
 								fixedIn:     "3.0.0",
 							},
@@ -106,7 +106,7 @@ func TestUpsert(t *testing.T) {
 							DefinitionID: "2222",
 						},
 						binpkgFixstat: map[string]fixStat{
-							"pack3": fixStat{
+							"pack3": {
 								notFixedYet: true,
 								fixedIn:     "2.0.0",
 							},
@@ -155,12 +155,12 @@ func TestDefpacksToPackStatuses(t *testing.T) {
 						},
 					},
 					binpkgFixstat: map[string]fixStat{
-						"a": fixStat{
+						"a": {
 							notFixedYet: true,
 							fixedIn:     "1.0.0",
 							isSrcPack:   false,
 						},
-						"b": fixStat{
+						"b": {
 							notFixedYet: true,
 							fixedIn:     "1.0.0",
 							isSrcPack:   true,

report/email.go

@@ -1,6 +1,7 @@
 package report
 
 import (
+	"crypto/tls"
 	"fmt"
 	"net"
 	"net/mail"
@@ -54,14 +55,15 @@ func (w EMailWriter) Write(rs ...models.ScanResult) (err error) {
 			}
 		}
 	}
-	summary := ""
+	var summary string
 	if config.Conf.IgnoreUnscoredCves {
 		summary = fmt.Sprintf("Total: %d (High:%d Medium:%d Low:%d)",
 			m["High"]+m["Medium"]+m["Low"], m["High"], m["Medium"], m["Low"])
+	} else {
+		summary = fmt.Sprintf("Total: %d (High:%d Medium:%d Low:%d ?:%d)",
+			m["High"]+m["Medium"]+m["Low"]+m["Unknown"],
+			m["High"], m["Medium"], m["Low"], m["Unknown"])
 	}
-	summary = fmt.Sprintf("Total: %d (High:%d Medium:%d Low:%d ?:%d)",
-		m["High"]+m["Medium"]+m["Low"]+m["Unknown"],
-		m["High"], m["Medium"], m["Low"], m["Unknown"])
 	origmessage := message
 	if conf.FormatOneEMail {
 		message = fmt.Sprintf("One Line Summary\r\n================\r\n%s", formatOneLineSummary(rs...))
@@ -86,6 +88,61 @@ type emailSender struct {
 	send func(string, smtp.Auth, string, []string, []byte) error
 }
 
+func smtps(emailConf config.SMTPConf, message string) (err error) {
+	auth := smtp.PlainAuth("",
+		emailConf.User,
+		emailConf.Password,
+		emailConf.SMTPAddr,
+	)
+
+	//TLS Config
+	tlsConfig := &tls.Config{
+		ServerName: emailConf.SMTPAddr,
+	}
+
+	smtpServer := net.JoinHostPort(emailConf.SMTPAddr, emailConf.SMTPPort)
+	//New TLS connection
+	con, err := tls.Dial("tcp", smtpServer, tlsConfig)
+	if err != nil {
+		return xerrors.Errorf("Failed to create TLS connection: %w", err)
+	}
+	defer con.Close()
+
+	c, err := smtp.NewClient(con, emailConf.SMTPAddr)
+	if err != nil {
+		return xerrors.Errorf("Failed to create new client: %w", err)
+	}
+	if err = c.Auth(auth); err != nil {
+		return xerrors.Errorf("Failed to authenticate: %w", err)
+	}
+	if err = c.Mail(emailConf.From); err != nil {
+		return xerrors.Errorf("Failed to send Mail command: %w", err)
+	}
+	for _, to := range emailConf.To {
+		if err = c.Rcpt(to); err != nil {
+			return xerrors.Errorf("Failed to send Rcpt command: %w", err)
+		}
+	}
+
+	w, err := c.Data()
+	if err != nil {
+		return xerrors.Errorf("Failed to send Data command: %w", err)
+	}
+	_, err = w.Write([]byte(message))
+	if err != nil {
+		return xerrors.Errorf("Failed to write EMail message: %w", err)
+	}
+	err = w.Close()
+	if err != nil {
+		return xerrors.Errorf("Failed to close Writer: %w", err)
+	}
+	err = c.Quit()
+	if err != nil {
+		return xerrors.Errorf("Failed to close connection: %w", err)
+	}
+	return nil
+}
+
 func (e *emailSender) Send(subject, body string) (err error) {
 	emailConf := e.conf
 	to := strings.Join(emailConf.To[:], ", ")
@@ -112,20 +169,28 @@ func (e *emailSender) Send(subject, body string) (err error) {
 	smtpServer := net.JoinHostPort(emailConf.SMTPAddr, emailConf.SMTPPort)
 
 	if emailConf.User != "" && emailConf.Password != "" {
-		err = e.send(
-			smtpServer,
-			smtp.PlainAuth(
-				"",
-				emailConf.User,
-				emailConf.Password,
-				emailConf.SMTPAddr,
-			),
-			emailConf.From,
-			mailAddresses,
-			[]byte(message),
-		)
-		if err != nil {
-			return xerrors.Errorf("Failed to send emails: %w", err)
+		switch emailConf.SMTPPort {
+		case "465":
+			err := smtps(emailConf, message)
+			if err != nil {
+				return xerrors.Errorf("Failed to send emails: %w", err)
+			}
+		default:
+			err = e.send(
+				smtpServer,
+				smtp.PlainAuth(
+					"",
+					emailConf.User,
+					emailConf.Password,
+					emailConf.SMTPAddr,
+				),
+				emailConf.From,
+				mailAddresses,
+				[]byte(message),
+			)
+			if err != nil {
+				return xerrors.Errorf("Failed to send emails: %w", err)
+			}
 		}
 		return nil
 	}

report/http.go

@@ -17,7 +17,9 @@ type HTTPRequestWriter struct{}
 func (w HTTPRequestWriter) Write(rs ...models.ScanResult) (err error) {
 	for _, r := range rs {
 		b := new(bytes.Buffer)
-		json.NewEncoder(b).Encode(r)
+		if err := json.NewEncoder(b).Encode(r); err != nil {
+			return err
+		}
 		_, err = http.Post(c.Conf.HTTP.URL, "application/json; charset=utf-8", b)
 		if err != nil {
 			return err

report/report.go

@@ -25,7 +25,7 @@ import (
 	"github.com/future-architect/vuls/oval"
 	"github.com/future-architect/vuls/util"
 	"github.com/future-architect/vuls/wordpress"
-	"github.com/hashicorp/uuid"
+	"github.com/hashicorp/go-uuid"
 	gostdb "github.com/knqyf263/gost/db"
 	cvedb "github.com/kotakanbe/go-cve-dictionary/db"
 	cvemodels "github.com/kotakanbe/go-cve-dictionary/models"
@@ -44,6 +44,7 @@ func FillCveInfos(dbclient DBClient, rs []models.ScanResult, dir string) ([]mode
 	var filledResults []models.ScanResult
 	reportedAt := time.Now()
 	hostname, _ := os.Hostname()
+	wpVulnCaches := map[string]string{}
 	for _, r := range rs {
 		if c.Conf.RefreshCve || needToRefreshCve(r) {
 			if ovalSupported(&r) {
@@ -83,7 +84,7 @@ func FillCveInfos(dbclient DBClient, rs []models.ScanResult, dir string) ([]mode
 			// Integrations
 			githubInts := GithubSecurityAlerts(c.Conf.Servers[r.ServerName].GitHubRepos)
 
-			wpOpt := WordPressOption{c.Conf.Servers[r.ServerName].WordPress.WPVulnDBToken}
+			wpOpt := WordPressOption{c.Conf.Servers[r.ServerName].WordPress.WPVulnDBToken, &wpVulnCaches}
 
 			if err := FillCveInfo(dbclient,
 				&r,
@@ -213,7 +214,7 @@ func FillCveInfo(dbclient DBClient, r *models.ScanResult, cpeURIs []string, igno
 
 // fillCveDetail fetches NVD, JVN from CVE Database
 func fillCveDetail(driver cvedb.DB, r *models.ScanResult) error {
-	var cveIDs []string
+	cveIDs := []string{}
 	for _, v := range r.ScannedCves {
 		cveIDs = append(cveIDs, v.CveID)
 	}
@@ -224,9 +225,6 @@ func fillCveDetail(driver cvedb.DB, r *models.ScanResult) error {
 	}
 	for _, d := range ds {
 		nvd := models.ConvertNvdJSONToModel(d.CveID, d.NvdJSON)
-		if nvd == nil {
-			nvd = models.ConvertNvdXMLToModel(d.CveID, d.NvdXML)
-		}
 		jvn := models.ConvertJvnToModel(d.CveID, d.Jvn)
 
 		alerts := fillCertAlerts(&d)
@@ -432,14 +430,15 @@ func (g GithubSecurityAlertOption) apply(r *models.ScanResult, ints *integration
 
 // WordPressOption :
 type WordPressOption struct {
-	token string
+	token        string
+	wpVulnCaches *map[string]string
 }
 
 func (g WordPressOption) apply(r *models.ScanResult, ints *integrationResults) (err error) {
 	if g.token == "" {
 		return nil
 	}
-	n, err := wordpress.FillWordPress(r, g.token)
+	n, err := wordpress.FillWordPress(r, g.token, g.wpVulnCaches)
 	if err != nil {
 		return xerrors.Errorf("Failed to fetch from WPVulnDB. Check the WPVulnDBToken in config.toml. err: %w", err)
 	}
@@ -504,23 +503,27 @@ func fillCweDict(r *models.ScanResult) {
 
 const reUUID = "[\\da-f]{8}-[\\da-f]{4}-[\\da-f]{4}-[\\da-f]{4}-[\\da-f]{12}"
 
-// Scanning with the -containers-only, -images-only flag at scan time, the UUID of Container Host may not be generated,
+// Scanning with the -containers-only flag at scan time, the UUID of Container Host may not be generated,
 // so check it. Otherwise create a UUID of the Container Host and set it.
-func getOrCreateServerUUID(r models.ScanResult, server c.ServerInfo) (serverUUID string) {
+func getOrCreateServerUUID(r models.ScanResult, server c.ServerInfo) (serverUUID string, err error) {
 	if id, ok := server.UUIDs[r.ServerName]; !ok {
-		serverUUID = uuid.GenerateUUID()
+		if serverUUID, err = uuid.GenerateUUID(); err != nil {
+			return "", xerrors.Errorf("Failed to generate UUID: %w", err)
+		}
 	} else {
 		matched, err := regexp.MatchString(reUUID, id)
 		if !matched || err != nil {
-			serverUUID = uuid.GenerateUUID()
+			if serverUUID, err = uuid.GenerateUUID(); err != nil {
+				return "", xerrors.Errorf("Failed to generate UUID: %w", err)
+			}
 		}
 	}
-	return serverUUID
+	return serverUUID, nil
 }
 
 // EnsureUUIDs generate a new UUID of the scan target server if UUID is not assigned yet.
 // And then set the generated UUID to config.toml and scan results.
-func EnsureUUIDs(configPath string, results models.ScanResults) error {
+func EnsureUUIDs(configPath string, results models.ScanResults) (err error) {
 	// Sort Host->Container
 	sort.Slice(results, func(i, j int) bool {
 		if results[i].ServerName == results[j].ServerName {
@@ -529,6 +532,7 @@ func EnsureUUIDs(configPath string, results models.ScanResults) error {
 		return results[i].ServerName < results[j].ServerName
 	})
 
+	re := regexp.MustCompile(reUUID)
 	for i, r := range results {
 		server := c.Conf.Servers[r.ServerName]
 		if server.UUIDs == nil {
@@ -538,21 +542,20 @@ func EnsureUUIDs(configPath string, results models.ScanResults) error {
 		name := ""
 		if r.IsContainer() {
 			name = fmt.Sprintf("%s@%s", r.Container.Name, r.ServerName)
-			if uuid := getOrCreateServerUUID(r, server); uuid != "" {
-				server.UUIDs[r.ServerName] = uuid
+			serverUUID, err := getOrCreateServerUUID(r, server)
+			if err != nil {
+				return err
 			}
-		} else if r.IsImage() {
-			name = fmt.Sprintf("%s%s@%s", r.Image.Tag, r.Image.Digest, r.ServerName)
-			if uuid := getOrCreateServerUUID(r, server); uuid != "" {
-				server.UUIDs[r.ServerName] = uuid
+			if serverUUID != "" {
+				server.UUIDs[r.ServerName] = serverUUID
 			}
 		} else {
 			name = r.ServerName
 		}
 
 		if id, ok := server.UUIDs[name]; ok {
-			matched, err := regexp.MatchString(reUUID, id)
-			if !matched || err != nil {
+			ok := re.MatchString(id)
+			if !ok || err != nil {
 				util.Log.Warnf("UUID is invalid. Re-generate UUID %s: %s", id, err)
 			} else {
 				if r.IsContainer() {
@@ -567,16 +570,19 @@ func EnsureUUIDs(configPath string, results models.ScanResults) error {
 		}
 
 		// Generate a new UUID and set to config and scan result
-		id := uuid.GenerateUUID()
-		server.UUIDs[name] = id
+		serverUUID, err := uuid.GenerateUUID()
+		if err != nil {
+			return err
+		}
+		server.UUIDs[name] = serverUUID
 		server = cleanForTOMLEncoding(server, c.Conf.Default)
 		c.Conf.Servers[r.ServerName] = server
 
 		if r.IsContainer() {
-			results[i].Container.UUID = id
+			results[i].Container.UUID = serverUUID
 			results[i].ServerUUID = server.UUIDs[r.ServerName]
 		} else {
-			results[i].ServerUUID = id
+			results[i].ServerUUID = serverUUID
 		}
 	}
 

report/report_test.go

@@ -42,7 +42,10 @@ func TestGetOrCreateServerUUID(t *testing.T) {
 	}
 
 	for testcase, v := range cases {
-		uuid := getOrCreateServerUUID(v.scanResult, v.server)
+		uuid, err := getOrCreateServerUUID(v.scanResult, v.server)
+		if err != nil {
+			t.Errorf("%s", err)
+		}
 		if (uuid == defaultUUID) != v.isDefault {
 			t.Errorf("%s : expected isDefault %t got %s", testcase, v.isDefault, uuid)
 		}

report/s3.go

@@ -23,16 +23,24 @@ import (
 // S3Writer writes results to S3
 type S3Writer struct{}
 
-func getS3() *s3.S3 {
-	Config := &aws.Config{
+func getS3() (*s3.S3, error) {
+	ses, err := session.NewSession()
+	if err != nil {
+		return nil, err
+	}
+	config := &aws.Config{
 		Region: aws.String(c.Conf.AWS.Region),
 		Credentials: credentials.NewChainCredentials([]credentials.Provider{
 			&credentials.EnvProvider{},
 			&credentials.SharedCredentialsProvider{Filename: "", Profile: c.Conf.AWS.Profile},
-			&ec2rolecreds.EC2RoleProvider{Client: ec2metadata.New(session.New())},
+			&ec2rolecreds.EC2RoleProvider{Client: ec2metadata.New(ses)},
 		}),
 	}
-	return s3.New(session.New(Config))
+	s, err := session.NewSession(config)
+	if err != nil {
+		return nil, err
+	}
+	return s3.New(s), nil
 }
 
 // Write results to S3
@@ -42,7 +50,10 @@ func (w S3Writer) Write(rs ...models.ScanResult) (err error) {
 		return nil
 	}
 
-	svc := getS3()
+	svc, err := getS3()
+	if err != nil {
+		return err
+	}
 
 	if c.Conf.FormatOneLineText {
 		timestr := rs[0].ScannedAt.Format(time.RFC3339)
@@ -99,7 +110,11 @@ func (w S3Writer) Write(rs ...models.ScanResult) (err error) {
 
 // CheckIfBucketExists check the existence of S3 bucket
 func CheckIfBucketExists() error {
-	svc := getS3()
+	svc, err := getS3()
+	if err != nil {
+		return err
+	}
+
 	result, err := svc.ListBuckets(&s3.ListBucketsInput{})
 	if err != nil {
 		return xerrors.Errorf(

report/saas.go

@@ -34,7 +34,7 @@ type TempCredential struct {
 }
 
 type payload struct {
-	GroupID      int    `json:"GroupID"`
+	GroupID      int64  `json:"GroupID"`
 	Token        string `json:"Token"`
 	ScannedBy    string `json:"ScannedBy"`
 	ScannedIPv4s string `json:"ScannedIPv4s"`

report/slack.go

@@ -16,12 +16,6 @@ import (
 	"golang.org/x/xerrors"
 )
 
-type field struct {
-	Title string `json:"title"`
-	Value string `json:"value"`
-	Short bool   `json:"short"`
-}
-
 type message struct {
 	Text        string             `json:"text"`
 	Username    string             `json:"username"`

report/syslog.go

@@ -28,7 +28,7 @@ func (w SyslogWriter) Write(rs ...models.ScanResult) (err error) {
 	for _, r := range rs {
 		messages := w.encodeSyslog(r)
 		for _, m := range messages {
-			if _, err = fmt.Fprintf(sysLog, m); err != nil {
+			if _, err = fmt.Fprint(sysLog, m); err != nil {
 				return err
 			}
 		}

report/tui.go

@@ -16,7 +16,7 @@ import (
 	"github.com/future-architect/vuls/util"
 	"github.com/google/subcommands"
 	"github.com/gosuri/uitable"
-	"github.com/jroimartin/gocui"
+	"github.com/jesseduffield/gocui"
 )
 
 var scanResults models.ScanResults
@@ -36,14 +36,15 @@ func RunTui(results models.ScanResults) subcommands.ExitStatus {
 		return scanResults[i].ServerName < scanResults[j].ServerName
 	})
 
-	g, err := gocui.NewGui(gocui.OutputNormal)
+	g := gocui.NewGui()
+	err := g.Init()
 	if err != nil {
 		util.Log.Errorf("%+v", err)
 		return subcommands.ExitFailure
 	}
 	defer g.Close()
 
-	g.SetManagerFunc(layout)
+	g.SetLayout(layout)
 	if err := keybindings(g); err != nil {
 		util.Log.Errorf("%+v", err)
 		return subcommands.ExitFailure
@@ -100,7 +101,6 @@ func keybindings(g *gocui.Gui) (err error) {
 	errs = append(errs, g.SetKeybinding("summary", gocui.KeySpace, gocui.ModNone, cursorPageDown))
 	errs = append(errs, g.SetKeybinding("summary", gocui.KeyBackspace, gocui.ModNone, cursorPageUp))
 	errs = append(errs, g.SetKeybinding("summary", gocui.KeyBackspace2, gocui.ModNone, cursorPageUp))
-	//  errs = append(errs, g.SetKeybinding("summary", gocui.KeyCtrlM, gocui.ModNone, cursorMoveMiddle))
 	errs = append(errs, g.SetKeybinding("summary", gocui.KeyEnter, gocui.ModNone, nextView))
 	errs = append(errs, g.SetKeybinding("summary", gocui.KeyCtrlN, gocui.ModNone, nextSummary))
 	errs = append(errs, g.SetKeybinding("summary", gocui.KeyCtrlP, gocui.ModNone, previousSummary))
@@ -168,19 +168,19 @@ func nextView(g *gocui.Gui, v *gocui.View) error {
 	var err error
 
 	if v == nil {
-		_, err = g.SetCurrentView("side")
+		return g.SetCurrentView("side")
 	}
 	switch v.Name() {
 	case "side":
-		_, err = g.SetCurrentView("summary")
+		err = g.SetCurrentView("summary")
 	case "summary":
-		_, err = g.SetCurrentView("detail")
+		err = g.SetCurrentView("detail")
 	case "detail":
-		_, err = g.SetCurrentView("changelog")
+		err = g.SetCurrentView("changelog")
 	case "changelog":
-		_, err = g.SetCurrentView("side")
+		err = g.SetCurrentView("side")
 	default:
-		_, err = g.SetCurrentView("summary")
+		err = g.SetCurrentView("summary")
 	}
 	return err
 }
@@ -189,19 +189,19 @@ func previousView(g *gocui.Gui, v *gocui.View) error {
 	var err error
 
 	if v == nil {
-		_, err = g.SetCurrentView("side")
+		return g.SetCurrentView("side")
 	}
 	switch v.Name() {
 	case "side":
-		_, err = g.SetCurrentView("side")
+		err = g.SetCurrentView("side")
 	case "summary":
-		_, err = g.SetCurrentView("side")
+		err = g.SetCurrentView("side")
 	case "detail":
-		_, err = g.SetCurrentView("summary")
+		err = g.SetCurrentView("summary")
 	case "changelog":
-		_, err = g.SetCurrentView("detail")
+		err = g.SetCurrentView("detail")
 	default:
-		_, err = g.SetCurrentView("side")
+		err = g.SetCurrentView("side")
 	}
 	return err
 }
@@ -282,31 +282,15 @@ func cursorDown(g *gocui.Gui, v *gocui.View) error {
 				return err
 			}
 		}
-		onMovingCursorRedrawView(g, v)
+		err := onMovingCursorRedrawView(g, v)
+		if err != nil {
+			return err
+		}
 	}
 
 	cx, cy := v.Cursor()
 	ox, oy := v.Origin()
-	debug(g, fmt.Sprintf("%v, %v, %v, %v", cx, cy, ox, oy))
-	return nil
-}
-
-func cursorMoveTop(g *gocui.Gui, v *gocui.View) error {
-	if v != nil {
-		cx, _ := v.Cursor()
-		v.SetCursor(cx, 0)
-	}
-	onMovingCursorRedrawView(g, v)
-	return nil
-}
-
-func cursorMoveBottom(g *gocui.Gui, v *gocui.View) error {
-	if v != nil {
-		_, maxY := v.Size()
-		cx, _ := v.Cursor()
-		v.SetCursor(cx, maxY-1)
-	}
-	onMovingCursorRedrawView(g, v)
+	_ = debug(g, fmt.Sprintf("%v, %v, %v, %v", cx, cy, ox, oy))
 	return nil
 }
 
@@ -314,9 +298,13 @@ func cursorMoveMiddle(g *gocui.Gui, v *gocui.View) error {
 	if v != nil {
 		_, maxY := v.Size()
 		cx, _ := v.Cursor()
-		v.SetCursor(cx, maxY/2)
+		if err := v.SetCursor(cx, maxY/2); err != nil {
+			return err
+		}
+	}
+	if err := onMovingCursorRedrawView(g, v); err != nil {
+		return err
 	}
-	onMovingCursorRedrawView(g, v)
 	return nil
 }
 
@@ -331,23 +319,25 @@ func cursorPageDown(g *gocui.Gui, v *gocui.View) error {
 
 		if !ok {
 			if yLimit < maxY {
-				v.SetCursor(cx, yLimit)
+				_ = v.SetCursor(cx, yLimit)
 			} else {
-				v.SetCursor(cx, maxY-1)
-				v.SetOrigin(ox, yLimit-maxY+1)
+				_ = v.SetCursor(cx, maxY-1)
+				_ = v.SetOrigin(ox, yLimit-maxY+1)
 			}
 		} else if yLimit < oy+jump+maxY {
 			if yLimit < maxY {
-				v.SetCursor(cx, yLimit)
+				_ = v.SetCursor(cx, yLimit)
 			} else {
-				v.SetOrigin(ox, yLimit-maxY+1)
-				v.SetCursor(cx, maxY-1)
+				_ = v.SetOrigin(ox, yLimit-maxY+1)
+				_ = v.SetCursor(cx, maxY-1)
 			}
 		} else {
-			v.SetCursor(cx, cy)
-			v.SetOrigin(ox, oy+jump)
+			_ = v.SetCursor(cx, cy)
+			if err := v.SetOrigin(ox, oy+jump); err != nil {
+				return err
+			}
 		}
-		onMovingCursorRedrawView(g, v)
+		_ = onMovingCursorRedrawView(g, v)
 	}
 	return nil
 }
@@ -362,7 +352,7 @@ func cursorUp(g *gocui.Gui, v *gocui.View) error {
 			}
 		}
 	}
-	onMovingCursorRedrawView(g, v)
+	_ = onMovingCursorRedrawView(g, v)
 	return nil
 }
 
@@ -372,11 +362,13 @@ func cursorPageUp(g *gocui.Gui, v *gocui.View) error {
 		cx, _ := v.Cursor()
 		ox, oy := v.Origin()
 		if err := v.SetOrigin(ox, oy-jump); err != nil {
-			v.SetOrigin(ox, 0)
-			v.SetCursor(cx, 0)
+			if err := v.SetOrigin(ox, 0); err != nil {
+				return err
+			}
+			_ = v.SetCursor(cx, 0)
 
 		}
-		onMovingCursorRedrawView(g, v)
+		_ = onMovingCursorRedrawView(g, v)
 	}
 	return nil
 }
@@ -384,7 +376,7 @@ func cursorPageUp(g *gocui.Gui, v *gocui.View) error {
 func previousSummary(g *gocui.Gui, v *gocui.View) error {
 	if v != nil {
 		// cursor to summary
-		if _, err := g.SetCurrentView("summary"); err != nil {
+		if err := g.SetCurrentView("summary"); err != nil {
 			return err
 		}
 		// move next line
@@ -392,7 +384,7 @@ func previousSummary(g *gocui.Gui, v *gocui.View) error {
 			return err
 		}
 		// cursor to detail
-		if _, err := g.SetCurrentView("detail"); err != nil {
+		if err := g.SetCurrentView("detail"); err != nil {
 			return err
 		}
 	}
@@ -402,7 +394,7 @@ func previousSummary(g *gocui.Gui, v *gocui.View) error {
 func nextSummary(g *gocui.Gui, v *gocui.View) error {
 	if v != nil {
 		// cursor to summary
-		if _, err := g.SetCurrentView("summary"); err != nil {
+		if err := g.SetCurrentView("summary"); err != nil {
 			return err
 		}
 		// move next line
@@ -410,7 +402,7 @@ func nextSummary(g *gocui.Gui, v *gocui.View) error {
 			return err
 		}
 		// cursor to detail
-		if _, err := g.SetCurrentView("detail"); err != nil {
+		if err := g.SetCurrentView("detail"); err != nil {
 			return err
 		}
 	}
@@ -484,7 +476,7 @@ func getLine(g *gocui.Gui, v *gocui.View) error {
 			return err
 		}
 		fmt.Fprintln(v, l)
-		if _, err := g.SetCurrentView("msg"); err != nil {
+		if err := g.SetCurrentView("msg"); err != nil {
 			return err
 		}
 	}
@@ -507,7 +499,7 @@ func showMsg(g *gocui.Gui, v *gocui.View) error {
 			return err
 		}
 		fmt.Fprintln(v, l)
-		if _, err := g.SetCurrentView("msg"); err != nil {
+		if err := g.SetCurrentView("msg"); err != nil {
 			return err
 		}
 	}
@@ -518,7 +510,7 @@ func delMsg(g *gocui.Gui, v *gocui.View) error {
 	if err := g.DeleteView("msg"); err != nil {
 		return err
 	}
-	_, err := g.SetCurrentView("summary")
+	err := g.SetCurrentView("summary")
 	return err
 }
 
@@ -543,10 +535,12 @@ func debug(g *gocui.Gui, str string) error {
 	if config.Conf.Debug {
 		maxX, maxY := g.Size()
 		if _, err := g.View("debug"); err != gocui.ErrUnknownView {
-			g.DeleteView("debug")
+			if err := g.DeleteView("debug"); err != nil {
+				return err
+			}
 		}
 		if v, err := g.SetView("debug", maxX/2-7, maxY/2, maxX/2+7, maxY/2+2); err != nil {
-			fmt.Fprintf(v, str)
+			fmt.Fprint(v, str)
 		}
 	}
 	return nil
@@ -568,7 +562,7 @@ func setSideLayout(g *gocui.Gui) error {
 		}
 		currentScanResult = scanResults[0]
 		vinfos = scanResults[0].ScannedCves.ToSortedSlice()
-		if _, err := g.SetCurrentView("side"); err != nil {
+		if err := g.SetCurrentView("side"); err != nil {
 			return err
 		}
 	}
@@ -583,7 +577,7 @@ func setSummaryLayout(g *gocui.Gui) error {
 		}
 
 		lines := summaryLines(currentScanResult)
-		fmt.Fprintf(v, lines)
+		fmt.Fprint(v, lines)
 
 		v.Highlight = true
 		v.Editable = false
@@ -621,6 +615,7 @@ func summaryLines(r models.ScanResult) string {
 		pkgNames = append(pkgNames, vinfo.CpeURIs...)
 		pkgNames = append(pkgNames, vinfo.GitHubSecurityAlerts.Names()...)
 		pkgNames = append(pkgNames, vinfo.WpPackageFixStats.Names()...)
+		pkgNames = append(pkgNames, vinfo.LibraryFixedIns.Names()...)
 
 		exploits := ""
 		if 0 < len(vinfo.Exploits) {
@@ -718,8 +713,6 @@ func setChangelogLayout(g *gocui.Gui) error {
 						lines = append(lines, fmt.Sprintf("  * PID: %s %s Port: %s",
 							p.PID, p.Name, p.ListenPorts))
 					}
-				} else {
-					// lines = append(lines, fmt.Sprintf("  * No affected process"))
 				}
 			}
 		}
@@ -751,17 +744,11 @@ func setChangelogLayout(g *gocui.Gui) error {
 			}
 		}
 
-		// check library fixedin
-		for _, scanner := range r.LibraryScanners {
-			key := scanner.GetLibraryKey()
-			for _, fixedin := range vinfo.LibraryFixedIns {
-				for _, lib := range scanner.Libs {
-					if fixedin.Key == key && lib.Name == fixedin.Name {
-						lines = append(lines, fmt.Sprintf("* %s-%s, FixedIn: %s",
-							lib.Name, lib.Version, fixedin.FixedIn))
-						continue
-					}
-				}
+		for _, l := range vinfo.LibraryFixedIns {
+			libs := r.LibraryScanners.Find(l.Name)
+			for path, lib := range libs {
+				lines = append(lines, fmt.Sprintf("%s-%s, FixedIn: %s (%s)",
+					lib.Name, lib.Version, l.FixedIn, path))
 			}
 		}
 
@@ -875,15 +862,24 @@ func detailLines() (string, error) {
 		links = append(links, url)
 	}
 
-	refs := []models.Reference{}
+	refsMap := map[string]models.Reference{}
 	for _, rr := range vinfo.CveContents.References(r.Family) {
 		for _, ref := range rr.Value {
 			if ref.Source == "" {
 				ref.Source = "-"
 			}
-			refs = append(refs, ref)
+			refsMap[ref.Link] = ref
 		}
 	}
+	if cont, found := vinfo.CveContents[models.Trivy]; found {
+		for _, ref := range cont.References {
+			refsMap[ref.Link] = ref
+		}
+	}
+	refs := []models.Reference{}
+	for _, v := range refsMap {
+		refs = append(refs, v)
+	}
 
 	summary := vinfo.Summaries(r.Lang, r.Family)[0]
 	mitigation := vinfo.Mitigations(r.Family)[0]

report/util.go

@@ -291,6 +291,15 @@ No CVE-IDs are found in updatable packages.
 			}
 		}
 
+		for _, l := range vuln.LibraryFixedIns {
+			libs := r.LibraryScanners.Find(l.Name)
+			for path, lib := range libs {
+				data = append(data, []string{l.Key,
+					fmt.Sprintf("%s-%s, FixedIn: %s (%s)",
+						lib.Name, lib.Version, l.FixedIn, path)})
+			}
+		}
+
 		for _, confidence := range vuln.Confidences {
 			data = append(data, []string{"Confidence", confidence.String()})
 		}
@@ -599,7 +608,7 @@ func ListValidJSONDirs() (dirs []string, err error) {
 // Otherwise, returns the path of the latest directory
 func JSONDir(args []string) (string, error) {
 	var err error
-	dirs := []string{}
+	var dirs []string
 
 	if 0 < len(args) {
 		if dirs, err = ListValidJSONDirs(); err != nil {

scan/base.go

@@ -416,12 +416,6 @@ func (l *base) convertToModel() models.ScanResult {
 		Type:        ctype,
 	}
 
-	image := models.Image{
-		Name:   l.ServerInfo.Image.Name,
-		Tag:    l.ServerInfo.Image.Tag,
-		Digest: l.ServerInfo.Image.Digest,
-	}
-
 	errs, warns := []string{}, []string{}
 	for _, e := range l.errs {
 		errs = append(errs, fmt.Sprintf("%+v", e))
@@ -445,7 +439,6 @@ func (l *base) convertToModel() models.ScanResult {
 		Family:            l.Distro.Family,
 		Release:           l.Distro.Release,
 		Container:         container,
-		Image:             image,
 		Platform:          l.Platform,
 		IPv4Addrs:         l.ServerInfo.IPv4Addrs,
 		IPv6Addrs:         l.ServerInfo.IPv6Addrs,
@@ -683,7 +676,7 @@ func (l *base) detectWpThemes() ([]models.WpPackage, error) {
 	}
 	err := json.Unmarshal([]byte(r.Stdout), &themes)
 	if err != nil {
-		return nil, xerrors.Errorf("Failed to unmarshal wp theme list: %w", cmd, err)
+		return nil, xerrors.Errorf("Failed to unmarshal wp theme list: %w", err)
 	}
 	for i := range themes {
 		themes[i].Type = models.WPTheme

scan/container.go

@@ -1,224 +0,0 @@
-package scan
-
-import (
-	"context"
-	"fmt"
-	"strings"
-	"time"
-
-	"github.com/aquasecurity/fanal/analyzer"
-	"github.com/aquasecurity/fanal/cache"
-	"github.com/aquasecurity/fanal/extractor/docker"
-	"github.com/aquasecurity/fanal/utils"
-	"golang.org/x/xerrors"
-
-	fanalos "github.com/aquasecurity/fanal/analyzer/os"
-	godeptypes "github.com/aquasecurity/go-dep-parser/pkg/types"
-	"github.com/future-architect/vuls/config"
-	"github.com/future-architect/vuls/models"
-	"github.com/future-architect/vuls/util"
-
-	// Register library analyzers
-	_ "github.com/aquasecurity/fanal/analyzer/library/bundler"
-	_ "github.com/aquasecurity/fanal/analyzer/library/cargo"
-	_ "github.com/aquasecurity/fanal/analyzer/library/composer"
-	_ "github.com/aquasecurity/fanal/analyzer/library/npm"
-	_ "github.com/aquasecurity/fanal/analyzer/library/pipenv"
-	_ "github.com/aquasecurity/fanal/analyzer/library/poetry"
-	_ "github.com/aquasecurity/fanal/analyzer/library/yarn"
-
-	// Register os analyzers
-	_ "github.com/aquasecurity/fanal/analyzer/os/alpine"
-	_ "github.com/aquasecurity/fanal/analyzer/os/amazonlinux"
-	_ "github.com/aquasecurity/fanal/analyzer/os/debianbase"
-	_ "github.com/aquasecurity/fanal/analyzer/os/redhatbase"
-	_ "github.com/aquasecurity/fanal/analyzer/os/suse"
-
-	// Register package analyzers
-	_ "github.com/aquasecurity/fanal/analyzer/pkg/apk"
-	_ "github.com/aquasecurity/fanal/analyzer/pkg/dpkg"
-	_ "github.com/aquasecurity/fanal/analyzer/pkg/rpmcmd"
-)
-
-// inherit OsTypeInterface
-type image struct {
-	base
-}
-
-// newDummyOS is constructor
-func newDummyOS(c config.ServerInfo) *image {
-	d := &image{
-		base: base{
-			osPackages: osPackages{
-				Packages:  models.Packages{},
-				VulnInfos: models.VulnInfos{},
-			},
-		},
-	}
-	d.log = util.NewCustomLogger(c)
-	d.setServerInfo(c)
-	return d
-}
-
-func detectContainerImage(c config.ServerInfo) (itsMe bool, containerImage osTypeInterface, err error) {
-	if err = config.IsValidImage(c.Image); err != nil {
-		return false, nil, nil
-	}
-
-	os, pkgs, libs, err := scanImage(c)
-	if err != nil {
-		// use Alpine for setErrs
-		return false, newDummyOS(c), err
-	}
-	switch os.Family {
-	case fanalos.OpenSUSELeap, fanalos.OpenSUSETumbleweed, fanalos.OpenSUSE:
-		return false, newDummyOS(c), xerrors.Errorf("Unsupported OS : %s", os.Family)
-	}
-
-	libScanners, err := convertLibWithScanner(libs)
-	if err != nil {
-		return false, newDummyOS(c), err
-	}
-
-	osName := os.Name
-	switch os.Family {
-	case fanalos.Amazon:
-		osName = "1"
-		if strings.HasPrefix(os.Family, "2") {
-			osName = "2"
-		}
-	}
-	p := newContainerImage(c, pkgs, libScanners)
-	p.setDistro(os.Family, osName)
-	return true, p, nil
-}
-
-func convertLibWithScanner(libs map[analyzer.FilePath][]godeptypes.Library) ([]models.LibraryScanner, error) {
-	scanners := []models.LibraryScanner{}
-	for path, pkgs := range libs {
-		scanners = append(scanners, models.LibraryScanner{Path: string(path), Libs: pkgs})
-	}
-	return scanners, nil
-}
-
-// scanImage returns os, packages on image layers
-func scanImage(c config.ServerInfo) (os *analyzer.OS, pkgs []analyzer.Package, libs map[analyzer.FilePath][]godeptypes.Library, err error) {
-
-	ctx := context.Background()
-	domain := c.Image.GetFullName()
-	util.Log.Info("Start fetch container... ", domain)
-
-	fanalCache := cache.Initialize(utils.CacheDir())
-	// Configure dockerOption
-	dockerOption := c.Image.DockerOption
-	if dockerOption.Timeout == 0 {
-		dockerOption.Timeout = 60 * time.Second
-	}
-	ext, err := docker.NewDockerExtractor(dockerOption, fanalCache)
-	if err != nil {
-		return nil, nil, nil, xerrors.Errorf("Failed initialize docker extractor%w", err)
-	}
-	ac := analyzer.Config{Extractor: ext}
-	files, err := ac.Analyze(ctx, domain, dockerOption)
-
-	if err != nil {
-		return nil, nil, nil, xerrors.Errorf("Failed scan files %q, %w", domain, err)
-	}
-
-	containerOs, err := analyzer.GetOS(files)
-	if err != nil {
-		return nil, nil, nil, xerrors.Errorf("Failed scan os %q, %w", domain, err)
-	}
-
-	pkgs, err = analyzer.GetPackages(files)
-	if err != nil {
-		return nil, nil, nil, xerrors.Errorf("Failed scan pkgs %q, %w", domain, err)
-	}
-	libs, err = analyzer.GetLibraries(files)
-	if err != nil {
-		return nil, nil, nil, xerrors.Errorf("Failed scan libs %q, %w", domain, err)
-	}
-	return &containerOs, pkgs, libs, nil
-}
-
-func convertFanalToVulsPkg(pkgs []analyzer.Package) (map[string]models.Package, map[string]models.SrcPackage) {
-	modelPkgs := map[string]models.Package{}
-	modelSrcPkgs := map[string]models.SrcPackage{}
-	for _, pkg := range pkgs {
-		version := pkg.Version
-		if pkg.Epoch != 0 {
-			version = fmt.Sprintf("%d:%s", pkg.Epoch, pkg.Version)
-		}
-		modelPkgs[pkg.Name] = models.Package{
-			Name:    pkg.Name,
-			Release: pkg.Release,
-			Version: version,
-			Arch:    pkg.Arch,
-		}
-
-		// add SrcPacks
-		if pkg.Name != pkg.SrcName {
-			if pack, ok := modelSrcPkgs[pkg.SrcName]; ok {
-				pack.AddBinaryName(pkg.Name)
-				modelSrcPkgs[pkg.SrcName] = pack
-			} else {
-				modelSrcPkgs[pkg.SrcName] = models.SrcPackage{
-					Name:        pkg.SrcName,
-					Version:     pkg.SrcVersion,
-					Arch:        pkg.Arch,
-					BinaryNames: []string{pkg.Name},
-				}
-			}
-		}
-	}
-	return modelPkgs, modelSrcPkgs
-}
-
-func newContainerImage(c config.ServerInfo, pkgs []analyzer.Package, libs []models.LibraryScanner) *image {
-	modelPkgs, modelSrcPkgs := convertFanalToVulsPkg(pkgs)
-	d := &image{
-		base: base{
-			osPackages: osPackages{
-				Packages:    modelPkgs,
-				SrcPackages: modelSrcPkgs,
-				VulnInfos:   models.VulnInfos{},
-			},
-			LibraryScanners: libs,
-		},
-	}
-	d.log = util.NewCustomLogger(c)
-	d.setServerInfo(c)
-	return d
-}
-
-func (o *image) checkScanMode() error {
-	return nil
-}
-
-func (o *image) checkIfSudoNoPasswd() error {
-	return nil
-}
-
-func (o *image) checkDeps() error {
-	return nil
-}
-
-func (o *image) preCure() error {
-	return nil
-}
-
-func (o *image) postScan() error {
-	return nil
-}
-
-func (o *image) scanPackages() error {
-	return nil
-}
-
-func (o *image) parseInstalledPackages(string) (models.Packages, models.SrcPackages, error) {
-	return nil, nil, nil
-}
-
-func (o *image) detectPlatform() {
-	o.setPlatform(models.Platform{Name: "image"})
-}

scan/debian.go

@@ -687,7 +687,7 @@ func (o *debian) scanChangelogs(updatablePacks models.Packages, meta *cache.Meta
 		return nil, xerrors.Errorf("errs: %w", errs)
 	}
 
-	var cveIDs []DetectedCveID
+	cveIDs := []DetectedCveID{}
 	for k := range cvePackages {
 		cveIDs = append(cveIDs, k)
 	}

scan/debian_test.go

@@ -389,8 +389,8 @@ Calculating upgrade... Done
 		}
 		if len(tt.expected) != len(actual) {
 			t.Errorf("Result length is not as same as expected. expected: %d, actual: %d", len(tt.expected), len(actual))
-			pp.Println(tt.expected)
-			pp.Println(actual)
+			_, _ = pp.Println(tt.expected)
+			_, _ = pp.Println(actual)
 			return
 		}
 		for i := range tt.expected {

scan/executil.go

@@ -260,7 +260,9 @@ func sshExecExternal(c conf.ServerInfo, cmd string, sudo bool) (result execResul
 
 	defaultSSHArgs := []string{"-tt"}
 
-	if !conf.Conf.SSHConfig {
+	if 0 < len(c.SSHConfigPath) {
+		defaultSSHArgs = append(defaultSSHArgs, "-F", c.SSHConfigPath)
+	} else {
 		home, err := homedir.Dir()
 		if err != nil {
 			msg := fmt.Sprintf("Failed to get HOME directory: %s", err)
@@ -285,6 +287,10 @@ func sshExecExternal(c conf.ServerInfo, cmd string, sudo bool) (result execResul
 		defaultSSHArgs = append(defaultSSHArgs, "-vvv")
 	}
 
+	if len(c.JumpServer) != 0 {
+		defaultSSHArgs = append(defaultSSHArgs, "-J", strings.Join(c.JumpServer, ","))
+	}
+
 	args := append(defaultSSHArgs, fmt.Sprintf("%s@%s", c.User, c.Host))
 	args = append(args, "-p", c.Port)
 	if 0 < len(c.KeyPath) {

scan/freebsd.go

@@ -189,7 +189,7 @@ func (o *bsd) scanUnsecurePackages() (models.VulnInfos, error) {
 		return nil, nil
 	}
 
-	var packAdtRslt []pkgAuditResult
+	packAdtRslt := []pkgAuditResult{}
 	blocks := o.splitIntoBlocks(r.Stdout)
 	for _, b := range blocks {
 		name, cveIDs, vulnID := o.parseBlock(b)

scan/library.go

@@ -0,0 +1,26 @@
+package scan
+
+import (
+	"github.com/aquasecurity/fanal/types"
+	"github.com/future-architect/vuls/models"
+
+	trivyTypes "github.com/aquasecurity/trivy/pkg/types"
+)
+
+func convertLibWithScanner(apps []types.Application) ([]models.LibraryScanner, error) {
+	scanners := []models.LibraryScanner{}
+	for _, app := range apps {
+		libs := []trivyTypes.Library{}
+		for _, lib := range app.Libraries {
+			libs = append(libs, trivyTypes.Library{
+				Name:    lib.Library.Name,
+				Version: lib.Library.Version,
+			})
+		}
+		scanners = append(scanners, models.LibraryScanner{
+			Path: app.FilePath,
+			Libs: libs,
+		})
+	}
+	return scanners, nil
+}

scan/serverapi.go

@@ -109,18 +109,6 @@ func detectOS(c config.ServerInfo) (osType osTypeInterface) {
 		return
 	}
 
-	itsMe, osType, fatalErr = detectContainerImage(c)
-	if fatalErr != nil {
-		osType.setErrs(
-			[]error{xerrors.Errorf("Failed to detect OS: %w", fatalErr)},
-		)
-		return
-	}
-	if itsMe {
-		util.Log.Debugf("Container")
-		return
-	}
-
 	itsMe, osType, fatalErr = detectDebianWithRetry(c)
 	if fatalErr != nil {
 		osType.setErrs([]error{
@@ -179,28 +167,9 @@ func PrintSSHableServerNames() bool {
 	return true
 }
 
-func needScans() (needBaseServer, scanContainer, scanImage bool) {
-	scanContainer = true
-	scanImage = true
-	if !config.Conf.ContainersOnly && !config.Conf.ImagesOnly {
-		needBaseServer = true
-	}
-
-	if config.Conf.ImagesOnly && !config.Conf.ContainersOnly {
-		scanContainer = false
-	}
-
-	if config.Conf.ContainersOnly && !config.Conf.ImagesOnly {
-		scanImage = false
-	}
-	return needBaseServer, scanContainer, scanImage
-}
-
 // InitServers detect the kind of OS distribution of target servers
 func InitServers(timeoutSec int) error {
-	needBaseServers, scanContainer, scanImage := needScans()
-
-	// use global servers, errServers when scan containers and images
+	// use global servers, errServers when scan containers
 	servers, errServers = detectServerOSes(timeoutSec)
 	if len(servers) == 0 {
 		return xerrors.New("No scannable base servers")
@@ -208,23 +177,16 @@ func InitServers(timeoutSec int) error {
 
 	// scan additional servers
 	var actives, inactives []osTypeInterface
-	if scanImage {
-		oks, errs := detectImageOSes(timeoutSec)
-		actives = append(actives, oks...)
-		inactives = append(inactives, errs...)
-	}
-	if scanContainer {
-		oks, errs := detectContainerOSes(timeoutSec)
-		actives = append(actives, oks...)
-		inactives = append(inactives, errs...)
-	}
+	oks, errs := detectContainerOSes(timeoutSec)
+	actives = append(actives, oks...)
+	inactives = append(inactives, errs...)
 
-	if needBaseServers {
-		servers = append(servers, actives...)
-		errServers = append(errServers, inactives...)
-	} else {
+	if config.Conf.ContainersOnly {
 		servers = actives
 		errServers = inactives
+	} else {
+		servers = append(servers, actives...)
+		errServers = append(errServers, inactives...)
 	}
 
 	if len(servers) == 0 {
@@ -342,7 +304,6 @@ func detectContainerOSes(timeoutSec int) (actives, inactives []osTypeInterface)
 					u.setErrs([]error{
 						xerrors.New("Timed out"),
 					})
-					inactives = append(inactives)
 					util.Log.Errorf("Timed out: %s", servername)
 				}
 			}
@@ -434,81 +395,6 @@ func detectContainerOSesOnServer(containerHost osTypeInterface) (oses []osTypeIn
 	return oses
 }
 
-func detectImageOSes(timeoutSec int) (actives, inactives []osTypeInterface) {
-	util.Log.Info("Detecting OS of static containers... ")
-	osTypesChan := make(chan []osTypeInterface, len(servers))
-	defer close(osTypesChan)
-	for _, s := range servers {
-		go func(s osTypeInterface) {
-			defer func() {
-				if p := recover(); p != nil {
-					util.Log.Debugf("Panic: %s on %s",
-						p, s.getServerInfo().GetServerName())
-				}
-			}()
-			osTypesChan <- detectImageOSesOnServer(s)
-		}(s)
-	}
-
-	timeout := time.After(time.Duration(timeoutSec) * time.Second)
-	for i := 0; i < len(servers); i++ {
-		select {
-		case res := <-osTypesChan:
-			for _, osi := range res {
-				sinfo := osi.getServerInfo()
-				if 0 < len(osi.getErrs()) {
-					inactives = append(inactives, osi)
-					util.Log.Errorf("Failed: %s err: %+v", sinfo.ServerName, osi.getErrs())
-					continue
-				}
-				actives = append(actives, osi)
-				util.Log.Infof("Detected: %s@%s: %s",
-					sinfo.Image.Name, sinfo.ServerName, osi.getDistro())
-			}
-		case <-timeout:
-			msg := "Timed out while detecting static containers"
-			util.Log.Error(msg)
-			for servername, sInfo := range config.Conf.Servers {
-				found := false
-				for _, o := range append(actives, inactives...) {
-					if servername == o.getServerInfo().ServerName {
-						found = true
-						break
-					}
-				}
-				if !found {
-					u := &unknown{}
-					u.setServerInfo(sInfo)
-					u.setErrs([]error{
-						xerrors.New("Timed out"),
-					})
-					inactives = append(inactives)
-					util.Log.Errorf("Timed out: %s", servername)
-				}
-			}
-		}
-	}
-	return
-}
-
-func detectImageOSesOnServer(containerHost osTypeInterface) (oses []osTypeInterface) {
-	containerHostInfo := containerHost.getServerInfo()
-	if len(containerHostInfo.Images) == 0 {
-		return
-	}
-
-	for idx, img := range containerHostInfo.Images {
-		copied := containerHostInfo
-		// change servername for original
-		copied.ServerName = fmt.Sprintf("%s@%s", idx, containerHostInfo.ServerName)
-		copied.Image = img
-		copied.Type = ""
-		os := detectOS(copied)
-		oses = append(oses, os)
-	}
-	return oses
-}
-
 // CheckScanModes checks scan mode
 func CheckScanModes() error {
 	for _, s := range servers {

server/server.go

@@ -41,7 +41,10 @@ func (h VulsHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		}
 	} else if mediatype == "text/plain" {
 		buf := new(bytes.Buffer)
-		io.Copy(buf, r.Body)
+		if _, err := io.Copy(buf, r.Body); err != nil {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
 		if result, err = scan.ViaHTTP(r.Header, buf.String()); err != nil {
 			util.Log.Error(err)
 			http.Error(w, err.Error(), http.StatusBadRequest)
@@ -59,6 +62,12 @@ func (h VulsHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// set ReportedAt to current time when it's set to the epoch, ensures that ReportedAt will be set
+	// properly for scans sent to vuls when running in server mode
+	if result.ReportedAt.IsZero() {
+		result.ReportedAt = time.Now()
+	}
+
 	// report
 	reports := []report.ResultWriter{
 		report.HTTPResponseWriter{Writer: w},

util/logutil.go

@@ -1,6 +1,7 @@
 package util
 
 import (
+	"flag"
 	"fmt"
 	"io/ioutil"
 	"os"
@@ -39,14 +40,14 @@ func NewCustomLogger(c config.ServerInfo) *logrus.Entry {
 		logDir = config.Conf.LogDir
 	}
 
-	if _, err := os.Stat(logDir); os.IsNotExist(err) {
-		if err := os.Mkdir(logDir, 0700); err != nil {
-			log.Errorf("Failed to create log directory. path: %s, err: %s", logDir, err)
-		}
-	}
-
 	// Only log to a file if quiet mode enabled
-	if config.Conf.Quiet {
+	if config.Conf.Quiet && flag.Lookup("test.v") == nil {
+		if _, err := os.Stat(logDir); os.IsNotExist(err) {
+			if err := os.Mkdir(logDir, 0700); err != nil {
+				log.Errorf("Failed to create log directory. path: %s, err: %s", logDir, err)
+			}
+		}
+
 		logFile := logDir + "/vuls.log"
 		if file, err := os.OpenFile(logFile, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0644); err == nil {
 			log.Out = file

wordpress/wordpress.go

@@ -8,6 +8,7 @@ import (
 	"strings"
 	"time"
 
+	c "github.com/future-architect/vuls/config"
 	"github.com/future-architect/vuls/models"
 	"github.com/future-architect/vuls/util"
 	version "github.com/hashicorp/go-version"
@@ -47,34 +48,54 @@ type References struct {
 
 // FillWordPress access to wpvulndb and fetch scurity alerts and then set to the given ScanResult.
 // https://wpvulndb.com/
-func FillWordPress(r *models.ScanResult, token string) (int, error) {
+func FillWordPress(r *models.ScanResult, token string, wpVulnCaches *map[string]string) (int, error) {
 	// Core
 	ver := strings.Replace(r.WordPressPackages.CoreVersion(), ".", "", -1)
 	if ver == "" {
 		return 0, xerrors.New("Failed to get WordPress core version")
 	}
-	url := fmt.Sprintf("https://wpvulndb.com/api/v3/wordpresses/%s", ver)
-	body, err := httpRequest(url, token)
-	if err != nil {
-		return 0, err
-	}
-	if body == "" {
-		util.Log.Warnf("A result of REST access is empty: %s", url)
+
+	body, ok := searchCache(ver, wpVulnCaches)
+	if !ok {
+		url := fmt.Sprintf("https://wpvulndb.com/api/v3/wordpresses/%s", ver)
+		var err error
+		body, err = httpRequest(url, token)
+		if err != nil {
+			return 0, err
+		}
+		if body == "" {
+			util.Log.Warnf("A result of REST access is empty: %s", url)
+		}
+
+		(*wpVulnCaches)[ver] = body
 	}
+
 	wpVinfos, err := convertToVinfos(models.WPCore, body)
 	if err != nil {
 		return 0, err
 	}
 
-	//TODO add a flag ignore inactive plugin or themes such as -wp-ignore-inactive flag to cmd line option or config.toml
+	themes := r.WordPressPackages.Themes()
+	plugins := r.WordPressPackages.Plugins()
+
+	if c.Conf.WpIgnoreInactive {
+		themes = removeInactives(themes)
+		plugins = removeInactives(plugins)
+	}
 
 	// Themes
-	for _, p := range r.WordPressPackages.Themes() {
-		url := fmt.Sprintf("https://wpvulndb.com/api/v3/themes/%s", p.Name)
-		body, err := httpRequest(url, token)
-		if err != nil {
-			return 0, err
+	for _, p := range themes {
+		body, ok := searchCache(p.Name, wpVulnCaches)
+		if !ok {
+			url := fmt.Sprintf("https://wpvulndb.com/api/v3/themes/%s", p.Name)
+			var err error
+			body, err = httpRequest(url, token)
+			if err != nil {
+				return 0, err
+			}
+			(*wpVulnCaches)[p.Name] = body
 		}
+
 		if body == "" {
 			continue
 		}
@@ -105,12 +126,18 @@ func FillWordPress(r *models.ScanResult, token string) (int, error) {
 	}
 
 	// Plugins
-	for _, p := range r.WordPressPackages.Plugins() {
-		url := fmt.Sprintf("https://wpvulndb.com/api/v3/plugins/%s", p.Name)
-		body, err := httpRequest(url, token)
-		if err != nil {
-			return 0, err
+	for _, p := range plugins {
+		body, ok := searchCache(p.Name, wpVulnCaches)
+		if !ok {
+			url := fmt.Sprintf("https://wpvulndb.com/api/v3/plugins/%s", p.Name)
+			var err error
+			body, err = httpRequest(url, token)
+			if err != nil {
+				return 0, err
+			}
+			(*wpVulnCaches)[p.Name] = body
 		}
+
 		if body == "" {
 			continue
 		}
@@ -260,3 +287,21 @@ loop:
 	}
 	return "", err
 }
+
+func removeInactives(pkgs models.WordPressPackages) (removed models.WordPressPackages) {
+	for _, p := range pkgs {
+		if p.Status == "inactive" {
+			continue
+		}
+		removed = append(removed, p)
+	}
+	return removed
+}
+
+func searchCache(name string, wpVulnCaches *map[string]string) (string, bool) {
+	value, ok := (*wpVulnCaches)[name]
+	if ok {
+		return value, true
+	}
+	return "", false
+}

wordpress/wordpress_test.go

@@ -0,0 +1,130 @@
+package wordpress
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/future-architect/vuls/models"
+)
+
+func TestRemoveInactive(t *testing.T) {
+	var tests = []struct {
+		in       models.WordPressPackages
+		expected models.WordPressPackages
+	}{
+		{
+			in: models.WordPressPackages{
+				{
+					Name:    "akismet",
+					Status:  "inactive",
+					Update:  "",
+					Version: "",
+					Type:    "",
+				},
+			},
+			expected: nil,
+		},
+		{
+			in: models.WordPressPackages{
+				{
+					Name:    "akismet",
+					Status:  "inactive",
+					Update:  "",
+					Version: "",
+					Type:    "",
+				},
+				{
+					Name:    "BackWPup",
+					Status:  "inactive",
+					Update:  "",
+					Version: "",
+					Type:    "",
+				},
+			},
+			expected: nil,
+		},
+		{
+			in: models.WordPressPackages{
+				{
+					Name:    "akismet",
+					Status:  "active",
+					Update:  "",
+					Version: "",
+					Type:    "",
+				},
+				{
+					Name:    "BackWPup",
+					Status:  "inactive",
+					Update:  "",
+					Version: "",
+					Type:    "",
+				},
+			},
+			expected: models.WordPressPackages{
+				{
+					Name:    "akismet",
+					Status:  "active",
+					Update:  "",
+					Version: "",
+					Type:    "",
+				},
+			},
+		},
+	}
+
+	for i, tt := range tests {
+		actual := removeInactives(tt.in)
+		if !reflect.DeepEqual(actual, tt.expected) {
+			t.Errorf("[%d] WordPressPackages error ", i)
+		}
+	}
+}
+
+func TestSearchCache(t *testing.T) {
+
+	var tests = []struct {
+		name        string
+		wpVulnCache map[string]string
+		value       string
+		ok          bool
+	}{
+		{
+			name: "akismet",
+			wpVulnCache: map[string]string{
+				"akismet": "body",
+			},
+			value: "body",
+			ok:    true,
+		},
+		{
+			name: "akismet",
+			wpVulnCache: map[string]string{
+				"BackWPup": "body",
+				"akismet":  "body",
+			},
+			value: "body",
+			ok:    true,
+		},
+		{
+			name: "akismet",
+			wpVulnCache: map[string]string{
+				"BackWPup": "body",
+			},
+			value: "",
+			ok:    false,
+		},
+		{
+			name:        "akismet",
+			wpVulnCache: nil,
+			value:       "",
+			ok:          false,
+		},
+	}
+
+	for i, tt := range tests {
+		value, ok := searchCache(tt.name, &tt.wpVulnCache)
+		if value != tt.value || ok != tt.ok {
+			t.Errorf("[%d] searchCache error ", i)
+		}
+	}
+}