add release pipeline & replace imgbom with syft (#60)

.bouncer.yaml

@@ -2,4 +2,5 @@ permit:
   - BSD.*
   - MIT.*
   - Apache.*
-  - MPL.*
+  - MPL.*
+  - ISC

.circleci/config.yml

@@ -100,7 +100,7 @@ jobs:
             - "integration/test-fixtures/tar-cache"
 
 workflows:
-  "Static Analysis & All Tests":
+  "Static Analysis + Unit + Integration":
     jobs:
       - run-static-analysis:
           name: "Static Analysis"

.github/workflows/release.yaml

@@ -0,0 +1,81 @@
+name: 'Release'
+on:
+  push:
+    # take no actions on push...
+    branches-ignore:
+      - '**'
+    # ... only act on release tags
+    tags:
+      - 'v*'
+env:
+  GO_VERSION: "1.14.x"
+jobs:
+  wait-for-checks:
+    runs-on: ubuntu-latest
+    steps:
+
+      - uses: actions/checkout@v2
+
+      # we don't want to release commits that have been pushed and tagged, but not necessarily merged onto master
+      - name: Ensure tagged commit is on master
+        run: |
+          echo "Tag: ${GITHUB_REF##*/}"
+          git fetch origin master
+          git merge-base --is-ancestor ${GITHUB_REF##*/} origin/master && echo "${GITHUB_REF##*/} is a commit on master!"
+
+      - name: Check static anaylysis, unit, and integration test results
+        uses: fountainhead/action-wait-for-check@v1
+        id: sa-unit-int
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          # This check name is defined as the circle-ci workflow name (in .circleci/config.yaml)
+          checkName: "Static Analysis + Unit + Integration"
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}
+
+      - name: Quality gate
+        if: steps.sa-unit-int.outputs.conclusion != 'success'
+        run: |
+          echo "Static/Unit/Integration Status: ${{ steps.sa-unit-int.outputs.conclusion }}"
+          false
+
+  release:
+    runs-on: ubuntu-latest
+    steps:
+
+      # TODO: remove me after release
+      - name: Configure git for private modules
+        env:
+          TOKEN: ${{ secrets.ANCHORE_GIT_READ_TOKEN }}
+        run: git config --global url."https://anchore:${TOKEN}@github.com".insteadOf "https://github.com"
+
+      - uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - uses: actions/checkout@v2
+
+      - name: Restore bootstrap cache
+        id: cache
+        uses: actions/cache@v2
+        with:
+          path: |
+            ~/go/pkg/mod
+            ${{ github.workspace }}/.tmp
+          key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('Makefile') }}-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('Makefile') }}-
+            ${{ runner.os }}-go-${{ env.GO_VERSION }}-
+
+      - name: Bootstrap dependencies
+        if: steps.cache.outputs.cache-hit != 'true'
+        run: make ci-bootstrap
+
+      - name: Build snapshot artifacts
+        run: make release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: actions/upload-artifact@v2
+        with:
+          name: artifacts
+          path: dist

.gitignore

@@ -1,3 +1,5 @@
+snapshot/
+dist/
 *.profile
 .server
 Dockerfile

.goreleaser.yaml

@@ -0,0 +1,44 @@
+builds:
+  - binary: vulnscan
+    env:
+      - CGO_ENABLED=0
+    goos:
+      # windows not supported yet (due to jotframe)
+      # - windows
+      - linux
+      - darwin
+    goarch:
+      - amd64
+    # Set the modified timestamp on the output binary to the git timestamp (to ensure a reproducible build)
+    mod_timestamp: '{{ .CommitTimestamp }}'
+    ldflags: |
+      -w
+      -s
+      -extldflags '-static'
+      -X github.com/anchore/vulnscan/internal/version.version={{.Version}}
+      -X github.com/anchore/vulnscan/internal/version.gitCommit={{.Commit}}
+      -X github.com/anchore/vulnscan/internal/version.buildDate={{.Date}}
+      -X github.com/anchore/vulnscan/internal/version.gitTreeState={{.Env.BUILD_GIT_TREE_STATE}}
+
+nfpms:
+  - license: "Apache 2.0"
+    maintainer: "Anchore, Inc"
+    homepage: &website "https://github.com/anchore/vulnscan"
+    description: &description "A vulnerability scanner for container images and filesystems"
+    formats:
+      - rpm
+      - deb
+
+brews:
+  - tap:
+      owner: anchore
+      name: homebrew-vulnscan
+    homepage: *website
+    description: *description
+
+archives:
+  - format: tar.gz
+    format_overrides:
+      - goos: windows
+        format: zip
+

Makefile

@@ -13,10 +13,33 @@ RESET := $(shell tput -T linux sgr0)
 TITLE := $(BOLD)$(PURPLE)
 SUCCESS := $(BOLD)$(GREEN)
 # the quality gate lower threshold for unit test total % coverage (by function statements)
-COVERAGE_THRESHOLD := 55
+COVERAGE_THRESHOLD := 60
+
+## Build variables
+DISTDIR=./dist
+SNAPSHOTDIR=./snapshot
+GITTREESTATE=$(if $(shell git status --porcelain),dirty,clean)
+
+ifeq "$(strip $(VERSION))" ""
+ override VERSION = $(shell git describe --always --tags --dirty)
+endif
+
+## Variable assertions
 
 ifndef TEMPDIR
-    $(error TEMPDIR is not set)
+	$(error TEMPDIR is not set)
+endif
+
+ifndef RESULTSDIR
+	$(error RESULTSDIR is not set)
+endif
+
+ifndef DISTDIR
+	$(error DISTDIR is not set)
+endif
+
+ifndef SNAPSHOTDIR
+	$(error SNAPSHOTDIR is not set)
 endif
 
 define title
@@ -25,47 +48,59 @@ endef
 
 .PHONY: all bootstrap lint lint-fix unit coverage integration check-pipeline clear-cache help test
 
-all: lint test ## Run all checks (linting, unit tests, and integration tests)
+all: clean lint check-licenses test ## Run all checks (linting, license check, unit, and integration tests)
 	@printf '$(SUCCESS)All checks pass!$(RESET)\n'
 
+.PHONY: compare
 compare:
-	@cd comparison && make
+	@cd test/inline-compare && make
 
-test: unit integration ## Run all tests (unit & integration tests)
+.PHONY: test
+test: unit integration ## Run all tests (currently unit & integration tests )
 
 help:
 	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "$(BOLD)$(CYAN)%-25s$(RESET)%s\n", $$1, $$2}'
 
-ci-bootstrap: ci-lib-dependencies bootstrap
+ci-bootstrap: bootstrap
 	sudo apt install -y bc
 
-ci-lib-dependencies:
-	# libdb5.3-dev and libssl-dev are required for Berkeley DB C bindings for RPM DB support (in imgbom)
-	sudo apt install -y libdb5.3-dev libssl-dev
-
-bootstrap: ## Download and install all project dependencies (+ prep tooling in the ./tmp dir)
-	$(call title,Downloading dependencies)
+.PHONY: boostrap
+bootstrap: ## Download and install all go dependencies (+ prep tooling in the ./tmp dir)
+	$(call title,Boostrapping dependencies)
+	@pwd
 	# prep temp dirs
 	mkdir -p $(TEMPDIR)
 	mkdir -p $(RESULTSDIR)
-	# install project dependencies
-	go get ./...
-	# install golangci-lint
-	curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b .tmp/ v1.26.0
-	# install bouncer
-	curl -sSfL https://raw.githubusercontent.com/wagoodman/go-bouncer/master/bouncer.sh | sh -s -- -b .tmp/ v0.2.0
+	# install go dependencies
+	go mod download
+	# install utilities
+	[ -f "$(TEMPDIR)/golangci" ] || curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(TEMPDIR)/ v1.26.0
+	[ -f "$(TEMPDIR)/bouncer" ] || curl -sSfL https://raw.githubusercontent.com/wagoodman/go-bouncer/master/bouncer.sh | sh -s -- -b $(TEMPDIR)/ v0.1.0
+	[ -f "$(TEMPDIR)/goreleaser" ] || curl -sfL https://install.goreleaser.com/github.com/goreleaser/goreleaser.sh | sh -s -- -b $(TEMPDIR)/ v0.140.0
 
+.PHONY: lint
 lint: ## Run gofmt + golangci lint checks
 	$(call title,Running linters)
+	# ensure there are no go fmt differences
 	@printf "files with gofmt issues: [$(shell gofmt -l -s .)]\n"
 	@test -z "$(shell gofmt -l -s .)"
+
+	# run all golangci-lint rules
 	$(LINTCMD)
 
+	# go tooling does not play well with certain filename characters, ensure the common cases don't result in future "go get" failures
+	$(eval MALFORMED_FILENAMES := $(shell find . | grep -e ':'))
+	@bash -c "[[ '$(MALFORMED_FILENAMES)' == '' ]] || (printf '\nfound unsupported filename characters:\n$(MALFORMED_FILENAMES)\n\n' && false)"
+
 lint-fix: ## Auto-format all source code + run golangci lint fixers
 	$(call title,Running lint fixers)
 	gofmt -w -s .
 	$(LINTCMD) --fix
 
+.PHONY: check-licenses
+check-licenses:
+	$(TEMPDIR)/bouncer check
+
 unit: ## Run unit tests (with coverage)
 	$(call title,Running unit tests)
 	mkdir -p $(RESULTSDIR)
@@ -76,10 +111,10 @@ unit: ## Run unit tests (with coverage)
 
 integration: ## Run integration tests
 	$(call title,Running integration tests)
-	go test -v -tags=integration ./integration
+	go test -v -tags=integration ./test/integration
 
 integration/test-fixtures/tar-cache.key, integration-fingerprint:
-	find integration/test-fixtures/image-* -type f -exec md5sum {} + | awk '{print $1}' | sort | md5sum | tee integration/test-fixtures/tar-cache.fingerprint
+	find test/integration/test-fixtures/image-* -type f -exec md5sum {} + | awk '{print $1}' | sort | md5sum | tee test/integration/test-fixtures/tar-cache.fingerprint
 
 clear-test-cache: ## Delete all test cache (built docker image tars)
 	find . -type f -wholename "**/test-fixtures/tar-cache/*.tar" -delete
@@ -93,15 +128,43 @@ check-pipeline: ## Run local CircleCI pipeline locally (sanity check)
 	circleci local execute -c .tmp/circleci.yml --job "Unit & Integration Tests (go-latest)"
 	@printf '$(SUCCESS)Pipeline checks pass!$(RESET)\n'
 
-# todo: replace this with goreleaser
-build-release: ## Build final release binary
-	@mkdir -p dist
-	go build -s -w -X main.version="$(git describe --tags --dirty --always)" \
-				   -X main.commit="$(git describe --dirty --always)" \
-				   -X main.buildTime="$(date --rfc-3339=seconds --utc)"
-				   -o dist/vulnscan
+.PHONY: build
+build: $(SNAPSHOTDIR) ## Build release snapshot binaries and packages
 
-# todo: this should be later used by goreleaser
-check-licenses:
-	$(TEMPDIR)/bouncer list -o json | tee $(LICENSES_REPORT)
-	$(TEMPDIR)/bouncer check
+$(SNAPSHOTDIR): ## Build snapshot release binaries and packages
+	$(call title,Building snapshot artifacts)
+	# create a config with the dist dir overridden
+	echo "dist: $(SNAPSHOTDIR)" > $(TEMPDIR)/goreleaser.yaml
+	cat .goreleaser.yaml >> $(TEMPDIR)/goreleaser.yaml
+
+	# build release snapshots
+	BUILD_GIT_TREE_STATE=$(GITTREESTATE) \
+	$(TEMPDIR)/goreleaser release --skip-publish --rm-dist --snapshot --config $(TEMPDIR)/goreleaser.yaml
+
+# TODO: this is not releasing yet
+.PHONY: release
+release: clean-dist ## Build and publish final binaries and packages
+	$(call title,Publishing release artifacts)
+	# create a config with the dist dir overridden
+	echo "dist: $(DISTDIR)" > $(TEMPDIR)/goreleaser.yaml
+	cat .goreleaser.yaml >> $(TEMPDIR)/goreleaser.yaml
+
+	# release
+	BUILD_GIT_TREE_STATE=$(GITTREESTATE) \
+	$(TEMPDIR)/goreleaser --skip-publish --rm-dist --config $(TEMPDIR)/goreleaser.yaml
+
+	# create a version file for version-update checks
+	echo "$(VERSION)" > $(DISTDIR)/VERSION
+	# TODO: add upload to bucket
+
+.PHONY: clean
+clean: clean-dist clean-shapshot  ## Remove previous builds and result reports
+	rm -rf $(RESULTSDIR)/*
+
+.PHONY: clean-shapshot
+clean-shapshot:
+	rm -rf $(SNAPSHOTDIR) $(TEMPDIR)/goreleaser.yaml
+
+.PHONY: clean-dist
+clean-dist:
+	rm -rf $(DISTDIR) $(TEMPDIR)/goreleaser.yaml

cmd/cmd.go

@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/anchore/imgbom/imgbom"
+	"github.com/anchore/syft/syft"
 	"github.com/anchore/vulnscan/internal/config"
 	"github.com/anchore/vulnscan/internal/format"
 	"github.com/anchore/vulnscan/internal/logger"
@@ -75,7 +75,7 @@ func initLogging() {
 	logWrapper := logger.NewZapLogger(config)
 	log = logWrapper.Logger
 	vulnscan.SetLogger(logWrapper)
-	imgbom.SetLogger(logWrapper)
+	syft.SetLogger(logWrapper)
 }
 
 func logAppConfig() {

cmd/root.go

@@ -5,7 +5,7 @@ import (
 	"os"
 	"runtime/pprof"
 
-	"github.com/anchore/imgbom/imgbom/scope"
+	"github.com/anchore/syft/syft/scope"
 	"github.com/anchore/vulnscan/internal"
 	"github.com/anchore/vulnscan/internal/format"
 	"github.com/anchore/vulnscan/vulnscan"
@@ -16,7 +16,7 @@ import (
 
 var rootCmd = &cobra.Command{
 	Use:   fmt.Sprintf("%s [IMAGE]", internal.ApplicationName),
-	Short: "A vulnerability scanner tool", // TODO: add copy, add path-based scans
+	Short: "A vulnerability scanner for container images and filesystems", // TODO: add copy, add path-based scans
 	Long: format.Tprintf(`Supports the following image sources:
     {{.appName}} yourrepo/yourimage:tag             defaults to using images from a docker daemon
     {{.appName}} docker://yourrepo/yourimage:tag    explicitly use a docker daemon

comparison/Dockerfile

@@ -1,7 +0,0 @@
-FROM python:3
-
-WORKDIR /
-COPY vulnscan-reports /vulnscan-reports
-COPY inline-reports /inline-reports
-COPY compare.py .
-ENTRYPOINT ["/compare.py"]

go.mod

@@ -6,8 +6,8 @@ require (
 	github.com/adrg/xdg v0.2.1
 	github.com/anchore/go-testutils v0.0.0-20200624184116-66aa578126db
 	github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b
-	github.com/anchore/imgbom v0.0.0-20200723135439-3cb7c43dbcfd
 	github.com/anchore/siren-db v0.0.0-20200721170640-64923624e7b2
+	github.com/anchore/syft v0.0.0-20200724005404-a4016d35ce09
 	github.com/facebookincubator/nvdtools v0.1.4-0.20200622182922-aed862a62ae6
 	github.com/go-test/deep v1.0.7
 	github.com/hashicorp/go-getter v1.4.1

go.sum

@@ -115,18 +115,14 @@ github.com/anchore/go-testutils v0.0.0-20200624184116-66aa578126db h1:LWKezJnFTF
 github.com/anchore/go-testutils v0.0.0-20200624184116-66aa578126db/go.mod h1:D3rc2L/q4Hcp9eeX6AIJH4Q+kPjOtJCFhG9za90j+nU=
 github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b h1:e1bmaoJfZVsCYMrIZBpFxwV26CbsuoEh5muXD5I1Ods=
 github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b/go.mod h1:Bkc+JYWjMCF8OyZ340IMSIi2Ebf3uwByOk6ho4wne1E=
-github.com/anchore/imgbom v0.0.0-20200721160203-7ebb9f4e0b25 h1:X/w78P7u4WAWLjgzPDox0iOVsIKVGz+vP/hqlFwo0S4=
-github.com/anchore/imgbom v0.0.0-20200721160203-7ebb9f4e0b25/go.mod h1:o7jSrMfQQjYv/S8ai69/bg30N5isLPe9gutTcnF9pf0=
-github.com/anchore/imgbom v0.0.0-20200721200020-265516682fb5 h1:RqpgpAcrD7yjmlpFgUudjdgW4DuEG3a3c4mP8CCzlu0=
-github.com/anchore/imgbom v0.0.0-20200721200020-265516682fb5/go.mod h1:o7jSrMfQQjYv/S8ai69/bg30N5isLPe9gutTcnF9pf0=
-github.com/anchore/imgbom v0.0.0-20200723135439-3cb7c43dbcfd h1:2ddXdl0Q6++JKovMsMiTdmU2E2zf9kClRwgg7NUZpuM=
-github.com/anchore/imgbom v0.0.0-20200723135439-3cb7c43dbcfd/go.mod h1:cVJAKNNyRXNOs1H4ydbg9gGViFdHJPz4BCbLxeGQ9Us=
 github.com/anchore/siren-db v0.0.0-20200721170640-64923624e7b2 h1:j3MwtIO1HBgGYD7pG0RVl+jXwkgpTfTk1EoT/QFIYhY=
 github.com/anchore/siren-db v0.0.0-20200721170640-64923624e7b2/go.mod h1:/n1sNOhAfvg5CrlhjWOinKEWpeLYYm9H8gv+afWtpOk=
 github.com/anchore/stereoscope v0.0.0-20200520221116-025e07f1c93e h1:QBwtrM0MXi0z+GcHk3RoSyzaQ+CLgas0bC/uOd1P+PQ=
 github.com/anchore/stereoscope v0.0.0-20200520221116-025e07f1c93e/go.mod h1:bkyLl5VITnrmgErv4S1vDfVz/TGAZ5il6161IQo7w2g=
 github.com/anchore/stereoscope v0.0.0-20200706164556-7cf39d7f4639 h1:J1oytkj+aBuACNF2whtEiVxRXIZ8zwT+EiPTqm/FvwA=
 github.com/anchore/stereoscope v0.0.0-20200706164556-7cf39d7f4639/go.mod h1:WntReQTI/I27FOQ87UgLVVzWgku6+ZsqfOTLxpIZFCs=
+github.com/anchore/syft v0.0.0-20200724005404-a4016d35ce09 h1:kDfnvX7J6Ys6GXonKNbttQvgyh0dzQCfuLy0wiJlc/c=
+github.com/anchore/syft v0.0.0-20200724005404-a4016d35ce09/go.mod h1:9y7/7XgBFbHBEer3tJt5TMDfMm8/enrhB420Stuan4A=
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883 h1:bvNMNQO63//z+xNgfBlViaCIJKLlCJ6/fmUseuG0wVQ=
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
 github.com/andybalholm/cascadia v1.1.0/go.mod h1:GsXiBklL0woXo1j/WYWtSYYC4ouU9PqHO0sqidkEA4Y=
@@ -278,6 +274,8 @@ github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8
 github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
 github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
 github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
+github.com/go-restruct/restruct v0.0.0-20191227155143-5734170a48a1 h1:LoN2wx/aN8JPGebG+2DaUyk4M+xRcqJXfuIbs8AWHdE=
+github.com/go-restruct/restruct v0.0.0-20191227155143-5734170a48a1/go.mod h1:KqrpKpn4M8OLznErihXTGLlsXFGeLxHUrLRRI/1YjGk=
 github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/go-sql-driver/mysql v1.5.0 h1:ozyZYNQW3x3HtqT1jira07DN2PArx2v7/mN66gGcHOs=
@@ -508,12 +506,8 @@ github.com/klauspost/compress v1.4.0/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0
 github.com/klauspost/compress v1.4.1/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
 github.com/klauspost/cpuid v0.0.0-20180405133222-e7e905edc00e/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
 github.com/klauspost/cpuid v1.2.0/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
-github.com/knqyf263/berkeleydb v0.0.0-20190501065933-fafe01fb9662 h1:UGS0RbPHwXJkq8tcba8OD0nvVUWLf2h7uUJznuHPPB0=
-github.com/knqyf263/berkeleydb v0.0.0-20190501065933-fafe01fb9662/go.mod h1:bu1CcN4tUtoRcI/B/RFHhxMNKFHVq/c3SV+UTyduoXg=
 github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d h1:X4cedH4Kn3JPupAwwWuo4AzYp16P0OyLO9d7OnMZc/c=
 github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d/go.mod h1:o8sgWoz3JADecfc/cTYD92/Et1yMqMy0utV1z+VaZao=
-github.com/knqyf263/go-rpmdb v0.0.0-20190501070121-10a1c42a10dc h1:pumO9pqmRAjvic6oove22RGh9wDZQnj96XQjJSbSEPs=
-github.com/knqyf263/go-rpmdb v0.0.0-20190501070121-10a1c42a10dc/go.mod h1:MrSSvdMpTSymaQWk1yFr9sxFSyQmKMj6jkbvGrchBV8=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.3 h1:CE8S1cTafDpPvMhIxNJKvHsGVBgn1xWYf1NbHQhywc8=
@@ -780,6 +774,8 @@ github.com/wagoodman/go-partybus v0.0.0-20200526224238-eb215533f07d/go.mod h1:JP
 github.com/wagoodman/go-progress v0.0.0-20200621122631-1a2120f0695a/go.mod h1:jLXFoL31zFaHKAAyZUh+sxiTDFe1L1ZHrcK2T1itVKA=
 github.com/wagoodman/go-progress v0.0.0-20200621153512-2778c704bf22 h1:GYaiTP0ywrCjJ4qMxxCg+YKPSDMeFJg6i1X9X55LJCA=
 github.com/wagoodman/go-progress v0.0.0-20200621153512-2778c704bf22/go.mod h1:jLXFoL31zFaHKAAyZUh+sxiTDFe1L1ZHrcK2T1itVKA=
+github.com/wagoodman/go-rpmdb v0.0.0-20200719223757-ce54a4b0607b h1:elYGLFZPymeTWJ6qA3tIzFet3LQ9D/Jl6HLWNyFjdQc=
+github.com/wagoodman/go-rpmdb v0.0.0-20200719223757-ce54a4b0607b/go.mod h1:MjoIZzKmbYfcpbC6ARWMcHijAjtLBViDaHcayXKWQWI=
 github.com/wagoodman/jotframe v0.0.0-20200622123948-2995cbd43525 h1:fGlwSBQrl9/axciK2+gJ9q86SeQYJpbPx4vOrExvZXY=
 github.com/wagoodman/jotframe v0.0.0-20200622123948-2995cbd43525/go.mod h1:DzXZ1wfRedNhC3KQTick8Gf3CEPMFHsP5k4R/ldjKtw=
 github.com/xanzy/go-gitlab v0.31.0/go.mod h1:sPLojNBn68fMUWSxIJtdVVIP8uSBYqesTfDUseX11Ug=
@@ -1060,7 +1056,6 @@ golang.org/x/tools v0.0.0-20200502202811-ed308ab3e770/go.mod h1:EkVYQZoAsY45+roY
 golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200527183253-8e7acdbce89d h1:SR+e35rACZFBohNb4Om1ibX6N3iO0FtdbwqGSuD9dBU=
 golang.org/x/tools v0.0.0-20200527183253-8e7acdbce89d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=

integration/test-fixtures/image-debian-match-coverage/java/generate-fixtures.md

@@ -1 +0,0 @@
-See the imgbom/cataloger/java/test-fixtures/java-builds dir to generate test fixtures and copy to here manually.

internal/config/config.go

@@ -8,7 +8,7 @@ import (
 	"github.com/anchore/vulnscan/vulnscan/presenter"
 
 	"github.com/adrg/xdg"
-	"github.com/anchore/imgbom/imgbom/scope"
+	"github.com/anchore/syft/syft/scope"
 	"github.com/anchore/vulnscan/internal"
 	"github.com/anchore/vulnscan/vulnscan/db"
 	"github.com/mitchellh/go-homedir"

test/inline-compare/Makefile

@@ -5,13 +5,21 @@ VULNSCAN_REPORT = $(VULNSCAN_DIR)/$(IMAGE_CLEAN).json
 INLINE_DIR = inline-reports
 INLINE_REPORT = $(INLINE_DIR)/$(IMAGE_CLEAN)-content-os.json
 
-.PHONY: bootstrap
+ifndef VULNSCAN_DIR
+	$(error VULNSCAN_DIR is not set)
+endif
 
+ifndef INLINE_DIR
+	$(error INLINE_DIR is not set)
+endif
+
+.PHONY: all
 all: compare
 
+.PHONY: compare
 compare: $(INLINE_REPORT) $(VULNSCAN_REPORT)
-	docker build -t compare-imgbom:latest .
-	docker run compare-imgbom:latest $(IMAGE)
+	docker build -t compare-vulnscan:latest .
+	docker run compare-vulnscan:latest $(IMAGE)
 
 $(INLINE_REPORT):
 	echo "Creating $(INLINE_REPORT)..."
@@ -24,4 +32,8 @@ $(VULNSCAN_REPORT):
 	echo "Creating $(VULNSCAN_REPORT)..."
 	mkdir -p $(VULNSCAN_DIR)
 	docker pull $(IMAGE)
-	go run ../main.go centos:latest -o json > $(VULNSCAN_REPORT)
+	go run ../../main.go $(IMAGE) -o json > $(VULNSCAN_REPORT)
+
+.PHONY: clean
+clean:
+	rm -f $(INLINE_DIR)/*  $(VULNSCAN_DIR)/*

test/inline-compare/compare.py

@@ -2,7 +2,6 @@
 import os
 import sys
 import json
-import functools
 import collections
 
 QUALITY_GATE_THRESHOLD = 0.9
@@ -33,7 +32,6 @@ class InlineScan:
             for entry in data[section]:
                 yield entry
 
-    @functools.lru_cache
     def vulnerabilities(self):
         vulnerabilities = set()
         metadata = collections.defaultdict(dict)
@@ -66,7 +64,6 @@ class Vulnscan:
             for entry in data:
                 yield entry
 
-    @functools.lru_cache
     def vulnerabilities(self):
         vulnerabilities = set()
         metadata = collections.defaultdict(dict)
@@ -123,19 +120,19 @@ def main(image):
     ) * 100.0
 
     if len(bonus_vulnerabilities) > 0:
-        print("Imgbom Bonus vulnerability:")
+        print("Vulnscan Bonus vulnerability:")
         for vulnerability in sorted(list(bonus_vulnerabilities)):
             print("    " + repr(vulnerability))
         print()
 
     if len(missing_pacakges) > 0:
-        print("Imgbom Missing vulnerability:")
+        print("Vulnscan Missing vulnerability:")
         for vulnerability in sorted(list(missing_pacakges)):
             print("    " + repr(vulnerability))
         print()
 
-    print("Inline Packages: %d" % len(inline_vulnerabilities))
-    print("Imgbom Packages: %d" % len(vulnscan_vulnerabilities))
+    print("Inline Packages  : %d" % len(inline_vulnerabilities))
+    print("Vulnscan Packages: %d" % len(vulnscan_vulnerabilities))
     print()
     print(
         "Baseline Vulnerabilities Matched: %2.3f %% (%d/%d vulnerability)"
@@ -151,7 +148,7 @@ def main(image):
     print("Overall Score: %2.3f %%" % overall_score)
 
     if overall_score < (QUALITY_GATE_THRESHOLD * 100):
-        print("failed quality gate (>= %d %%)" % (QUALITY_GATE_THRESHOLD * 100))
+        print("\nfailed quality gate (>= %d %%)\n" % (QUALITY_GATE_THRESHOLD * 100))
         return 1
 
     return 0

test/integration/match_coverage_test.go

@@ -4,8 +4,8 @@ import (
 	"testing"
 
 	"github.com/anchore/go-testutils"
-	"github.com/anchore/imgbom/imgbom/pkg"
-	"github.com/anchore/imgbom/imgbom/scope"
+	"github.com/anchore/syft/syft/pkg"
+	"github.com/anchore/syft/syft/scope"
 	"github.com/anchore/vulnscan/internal"
 	"github.com/anchore/vulnscan/vulnscan"
 	"github.com/anchore/vulnscan/vulnscan/match"
@@ -30,7 +30,7 @@ func addJavascriptMatches(t *testing.T, theScope scope.Scope, catalog *pkg.Catal
 	packages := getPackagesByPath(t, theScope, catalog, "/javascript/pkg-lock/package-lock.json")
 	if len(packages) != 1 {
 		t.Logf("Javascript Packages: %+v", packages)
-		t.Fatalf("problem with upstream imgbom cataloger (javascript)")
+		t.Fatalf("problem with upstream syft cataloger (javascript)")
 	}
 	thePkg := packages[0]
 	theVuln := theStore.backend["github:npm"][thePkg.Name][0]
@@ -53,7 +53,7 @@ func addPythonMatches(t *testing.T, theScope scope.Scope, catalog *pkg.Catalog,
 	packages := getPackagesByPath(t, theScope, catalog, "/python/dist-info/METADATA")
 	if len(packages) != 1 {
 		t.Logf("Python Packages: %+v", packages)
-		t.Fatalf("problem with upstream imgbom cataloger (python)")
+		t.Fatalf("problem with upstream syft cataloger (python)")
 	}
 	thePkg := packages[0]
 	theVuln := theStore.backend["github:python"][thePkg.Name][0]
@@ -76,7 +76,7 @@ func addRubyMatches(t *testing.T, theScope scope.Scope, catalog *pkg.Catalog, th
 	packages := getPackagesByPath(t, theScope, catalog, "/ruby/Gemfile.lock")
 	if len(packages) != 1 {
 		t.Logf("Ruby Packages: %+v", packages)
-		t.Fatalf("problem with upstream imgbom cataloger (ruby)")
+		t.Fatalf("problem with upstream syft cataloger (ruby)")
 	}
 	thePkg := packages[0]
 	theVuln := theStore.backend["github:gem"][thePkg.Name][0]
@@ -102,7 +102,7 @@ func addJavaMatches(t *testing.T, theScope scope.Scope, catalog *pkg.Catalog, th
 	}
 	if len(packages) != 1 {
 		t.Logf("Java Packages: %+v", packages)
-		t.Fatalf("problem with upstream imgbom cataloger (java)")
+		t.Fatalf("problem with upstream syft cataloger (java)")
 	}
 	thePkg := packages[0]
 
@@ -129,7 +129,7 @@ func addDpkgMatches(t *testing.T, theScope scope.Scope, catalog *pkg.Catalog, th
 	packages := getPackagesByPath(t, theScope, catalog, "/var/lib/dpkg/status")
 	if len(packages) != 1 {
 		t.Logf("Dpkg Packages: %+v", packages)
-		t.Fatalf("problem with upstream imgbom cataloger (dpkg)")
+		t.Fatalf("problem with upstream syft cataloger (dpkg)")
 	}
 	thePkg := packages[0]
 	// NOTE: this is an indirect match, in typical debian style
@@ -153,7 +153,7 @@ func addRhelMatches(t *testing.T, theScope scope.Scope, catalog *pkg.Catalog, th
 	packages := getPackagesByPath(t, theScope, catalog, "/var/lib/rpm/Packages")
 	if len(packages) != 1 {
 		t.Logf("RPMDB Packages: %+v", packages)
-		t.Fatalf("problem with upstream imgbom cataloger (RPMDB)")
+		t.Fatalf("problem with upstream syft cataloger (RPMDB)")
 	}
 	thePkg := packages[0]
 	theVuln := theStore.backend["rhel:8"][thePkg.Name][0]

test/integration/test-fixtures/image-debian-match-coverage/java/generate-fixtures.md

@@ -0,0 +1 @@
+See the syft/cataloger/java/test-fixtures/java-builds dir to generate test fixtures and copy to here manually.

vulnscan/cpe/cpe.go

@@ -3,7 +3,7 @@ package cpe
 import (
 	"fmt"
 
-	"github.com/anchore/imgbom/imgbom/pkg"
+	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/vulnscan/internal"
 	"github.com/facebookincubator/nvdtools/wfn"
 )

vulnscan/cpe/cpe_test.go

@@ -1,7 +1,7 @@
 package cpe
 
 import (
-	"github.com/anchore/imgbom/imgbom/pkg"
+	"github.com/anchore/syft/syft/pkg"
 	"github.com/sergi/go-diff/diffmatchpatch"
 	"testing"
 )

vulnscan/lib.go

@@ -7,10 +7,10 @@ import (
 
 	"github.com/anchore/vulnscan/vulnscan/logger"
 
-	"github.com/anchore/imgbom/imgbom"
-	"github.com/anchore/imgbom/imgbom/distro"
-	"github.com/anchore/imgbom/imgbom/pkg"
-	"github.com/anchore/imgbom/imgbom/scope"
+	"github.com/anchore/syft/syft"
+	"github.com/anchore/syft/syft/distro"
+	"github.com/anchore/syft/syft/pkg"
+	"github.com/anchore/syft/syft/scope"
 	"github.com/anchore/vulnscan/internal/log"
 	"github.com/anchore/vulnscan/vulnscan/matcher"
 	"github.com/anchore/vulnscan/vulnscan/result"
@@ -22,7 +22,7 @@ const LibraryName = "vulnscan"
 
 func FindVulnerabilities(provider vulnerability.Provider, userImageStr string, scopeOpt scope.Option) (result.Result, *pkg.Catalog, *scope.Scope, error) {
 	log.Info("Cataloging image")
-	catalog, theScope, theDistro, err := imgbom.Catalog(userImageStr, scopeOpt)
+	catalog, theScope, theDistro, err := syft.Catalog(userImageStr, scopeOpt)
 	if err != nil {
 		return result.Result{}, nil, nil, err
 	}

vulnscan/match/match.go

@@ -3,7 +3,7 @@ package match
 import (
 	"fmt"
 
-	"github.com/anchore/imgbom/imgbom/pkg"
+	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/vulnscan/vulnscan/vulnerability"
 )
 

vulnscan/matcher/bundler/matcher.go

@@ -1,8 +1,8 @@
 package bundler
 
 import (
-	"github.com/anchore/imgbom/imgbom/distro"
-	"github.com/anchore/imgbom/imgbom/pkg"
+	"github.com/anchore/syft/syft/distro"
+	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/vulnscan/vulnscan/match"
 	"github.com/anchore/vulnscan/vulnscan/matcher/common"
 	"github.com/anchore/vulnscan/vulnscan/vulnerability"

vulnscan/matcher/common/cpe_matchers.go

@@ -3,7 +3,7 @@ package common
 import (
 	"fmt"
 
-	"github.com/anchore/imgbom/imgbom/pkg"
+	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/vulnscan/vulnscan/match"
 	"github.com/anchore/vulnscan/vulnscan/version"
 	"github.com/anchore/vulnscan/vulnscan/vulnerability"

vulnscan/matcher/common/cpe_matchers_test.go

@@ -1,7 +1,7 @@
 package common
 
 import (
-	"github.com/anchore/imgbom/imgbom/pkg"
+	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/vulnscan/internal"
 	"github.com/anchore/vulnscan/vulnscan/cpe"
 	"github.com/anchore/vulnscan/vulnscan/match"

vulnscan/matcher/common/distro_matchers.go

@@ -6,8 +6,8 @@ import (
 
 	"github.com/anchore/vulnscan/vulnscan/version"
 
-	"github.com/anchore/imgbom/imgbom/distro"
-	"github.com/anchore/imgbom/imgbom/pkg"
+	"github.com/anchore/syft/syft/distro"
+	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/vulnscan/vulnscan/match"
 	"github.com/anchore/vulnscan/vulnscan/vulnerability"
 )

vulnscan/matcher/common/distro_matchers_test.go

@@ -4,8 +4,8 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/anchore/imgbom/imgbom/distro"
-	"github.com/anchore/imgbom/imgbom/pkg"
+	"github.com/anchore/syft/syft/distro"
+	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/vulnscan/internal"
 	"github.com/anchore/vulnscan/vulnscan/match"
 	"github.com/anchore/vulnscan/vulnscan/version"

vulnscan/matcher/common/language_matchers.go

@@ -6,7 +6,7 @@ import (
 
 	"github.com/anchore/vulnscan/vulnscan/version"
 
-	"github.com/anchore/imgbom/imgbom/pkg"
+	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/vulnscan/vulnscan/match"
 	"github.com/anchore/vulnscan/vulnscan/vulnerability"
 )

vulnscan/matcher/common/language_matchers_test.go

@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"testing"
 
-	"github.com/anchore/imgbom/imgbom/pkg"
+	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/vulnscan/internal"
 	"github.com/anchore/vulnscan/vulnscan/match"
 	"github.com/anchore/vulnscan/vulnscan/version"

vulnscan/matcher/controller.go

@@ -1,8 +1,8 @@
 package matcher
 
 import (
-	"github.com/anchore/imgbom/imgbom/distro"
-	"github.com/anchore/imgbom/imgbom/pkg"
+	"github.com/anchore/syft/syft/distro"
+	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/vulnscan/internal/log"
 	"github.com/anchore/vulnscan/vulnscan/match"
 	"github.com/anchore/vulnscan/vulnscan/matcher/bundler"

vulnscan/matcher/dpkg/matcher.go

@@ -3,8 +3,8 @@ package dpkg
 import (
 	"fmt"
 
-	"github.com/anchore/imgbom/imgbom/distro"
-	"github.com/anchore/imgbom/imgbom/pkg"
+	"github.com/anchore/syft/syft/distro"
+	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/vulnscan/vulnscan/match"
 	"github.com/anchore/vulnscan/vulnscan/matcher/common"
 	"github.com/anchore/vulnscan/vulnscan/vulnerability"

vulnscan/matcher/dpkg/matcher_mocks_test.go

@@ -3,8 +3,8 @@ package dpkg
 import (
 	"strings"
 
-	"github.com/anchore/imgbom/imgbom/distro"
-	"github.com/anchore/imgbom/imgbom/pkg"
+	"github.com/anchore/syft/syft/distro"
+	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/vulnscan/vulnscan/version"
 	"github.com/anchore/vulnscan/vulnscan/vulnerability"
 )

vulnscan/matcher/dpkg/matcher_test.go

@@ -3,8 +3,8 @@ package dpkg
 import (
 	"testing"
 
-	"github.com/anchore/imgbom/imgbom/distro"
-	"github.com/anchore/imgbom/imgbom/pkg"
+	"github.com/anchore/syft/syft/distro"
+	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/vulnscan/internal"
 	"github.com/anchore/vulnscan/vulnscan/match"
 )

vulnscan/matcher/java/matcher.go

@@ -1,8 +1,8 @@
 package java
 
 import (
-	"github.com/anchore/imgbom/imgbom/distro"
-	"github.com/anchore/imgbom/imgbom/pkg"
+	"github.com/anchore/syft/syft/distro"
+	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/vulnscan/vulnscan/match"
 	"github.com/anchore/vulnscan/vulnscan/matcher/common"
 	"github.com/anchore/vulnscan/vulnscan/vulnerability"

vulnscan/matcher/javascript/matcher.go

@@ -1,8 +1,8 @@
 package javascript
 
 import (
-	"github.com/anchore/imgbom/imgbom/distro"
-	"github.com/anchore/imgbom/imgbom/pkg"
+	"github.com/anchore/syft/syft/distro"
+	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/vulnscan/vulnscan/match"
 	"github.com/anchore/vulnscan/vulnscan/matcher/common"
 	"github.com/anchore/vulnscan/vulnscan/vulnerability"

vulnscan/matcher/matcher.go

@@ -1,8 +1,8 @@
 package matcher
 
 import (
-	"github.com/anchore/imgbom/imgbom/distro"
-	"github.com/anchore/imgbom/imgbom/pkg"
+	"github.com/anchore/syft/syft/distro"
+	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/vulnscan/vulnscan/match"
 	"github.com/anchore/vulnscan/vulnscan/vulnerability"
 )

vulnscan/matcher/python/matcher.go

@@ -1,8 +1,8 @@
 package python
 
 import (
-	"github.com/anchore/imgbom/imgbom/distro"
-	"github.com/anchore/imgbom/imgbom/pkg"
+	"github.com/anchore/syft/syft/distro"
+	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/vulnscan/vulnscan/match"
 	"github.com/anchore/vulnscan/vulnscan/matcher/common"
 	"github.com/anchore/vulnscan/vulnscan/vulnerability"

vulnscan/matcher/rpmdb/matcher.go

@@ -1,8 +1,8 @@
 package rpmdb
 
 import (
-	"github.com/anchore/imgbom/imgbom/distro"
-	"github.com/anchore/imgbom/imgbom/pkg"
+	"github.com/anchore/syft/syft/distro"
+	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/vulnscan/vulnscan/match"
 	"github.com/anchore/vulnscan/vulnscan/matcher/common"
 	"github.com/anchore/vulnscan/vulnscan/vulnerability"

vulnscan/presenter/json/presenter.go

@@ -4,7 +4,7 @@ import (
 	"encoding/json"
 	"io"
 
-	"github.com/anchore/imgbom/imgbom/pkg"
+	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/vulnscan/vulnscan/result"
 )
 

vulnscan/presenter/json/presenter_test.go

@@ -6,7 +6,7 @@ import (
 	"testing"
 
 	"github.com/anchore/go-testutils"
-	"github.com/anchore/imgbom/imgbom/pkg"
+	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/vulnscan/vulnscan/match"
 	"github.com/anchore/vulnscan/vulnscan/result"
 	"github.com/anchore/vulnscan/vulnscan/vulnerability"

vulnscan/presenter/presenter.go

@@ -3,7 +3,7 @@ package presenter
 import (
 	"io"
 
-	"github.com/anchore/imgbom/imgbom/pkg"
+	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/vulnscan/vulnscan/presenter/json"
 	"github.com/anchore/vulnscan/vulnscan/result"
 )

vulnscan/result/result.go

@@ -1,7 +1,7 @@
 package result
 
 import (
-	"github.com/anchore/imgbom/imgbom/pkg"
+	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/vulnscan/vulnscan/match"
 )
 

vulnscan/version/format.go

@@ -3,7 +3,7 @@ package version
 import (
 	"strings"
 
-	"github.com/anchore/imgbom/imgbom/pkg"
+	"github.com/anchore/syft/syft/pkg"
 )
 
 const (

vulnscan/version/format_test.go

@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"testing"
 
-	"github.com/anchore/imgbom/imgbom/pkg"
+	"github.com/anchore/syft/syft/pkg"
 )
 
 func TestParseFormat(t *testing.T) {

vulnscan/version/version.go

@@ -4,7 +4,7 @@ import (
 	"fmt"
 
 	hashiVer "github.com/anchore/go-version"
-	"github.com/anchore/imgbom/imgbom/pkg"
+	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/vulnscan/vulnscan/cpe"
 	deb "github.com/knqyf263/go-deb-version"
 )

vulnscan/vulnerability/namespace.go

@@ -4,8 +4,8 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/anchore/imgbom/imgbom/distro"
-	"github.com/anchore/imgbom/imgbom/pkg"
+	"github.com/anchore/syft/syft/distro"
+	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/vulnscan/internal"
 )
 
@@ -39,6 +39,10 @@ func distroNamespace(d distro.Distro) string {
 	switch d.Type {
 	case distro.CentOS, distro.RedHat:
 		distroStr = "rhel"
+	case distro.AmazonLinux:
+		distroStr = "amzn"
+	case distro.OracleLinux:
+		distroStr = "ol"
 	default:
 		distroStr = d.Type.String()
 	}

vulnscan/vulnerability/namespace_test.go

@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"testing"
 
-	"github.com/anchore/imgbom/imgbom/distro"
+	"github.com/anchore/syft/syft/distro"
 )
 
 func TestDistroNamespace_AllDistros(t *testing.T) {
@@ -14,11 +14,36 @@ func TestDistroNamespace_AllDistros(t *testing.T) {
 		version  string
 		expected string
 	}{
+		{
+			dist:     distro.RedHat,
+			version:  "8",
+			expected: "rhel:8",
+		},
+		{
+			dist:     distro.AmazonLinux,
+			version:  "2",
+			expected: "amzn:2",
+		},
+		{
+			dist:     distro.OracleLinux,
+			version:  "6",
+			expected: "ol:6",
+		},
+		{
+			dist:     distro.Alpine,
+			version:  "1.3.1",
+			expected: "alpine:1.3.1",
+		},
 		{
 			dist:     distro.Debian,
 			version:  "8",
 			expected: "debian:8",
 		},
+		{
+			dist:     distro.Fedora,
+			version:  "31",
+			expected: "fedora:31",
+		},
 		{
 			dist:     distro.Busybox,
 			version:  "3.1.1",
@@ -34,11 +59,6 @@ func TestDistroNamespace_AllDistros(t *testing.T) {
 			version:  "18.04",
 			expected: "ubuntu:18.04",
 		},
-		{
-			dist:     distro.RedHat,
-			version:  "6",
-			expected: "rhel:6",
-		},
 	}
 
 	for _, test := range tests {

vulnscan/vulnerability/provider.go

@@ -1,8 +1,8 @@
 package vulnerability
 
 import (
-	"github.com/anchore/imgbom/imgbom/distro"
-	"github.com/anchore/imgbom/imgbom/pkg"
+	"github.com/anchore/syft/syft/distro"
+	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/vulnscan/vulnscan/cpe"
 )
 

vulnscan/vulnerability/store_provider.go

@@ -3,9 +3,9 @@ package vulnerability
 import (
 	"fmt"
 
-	"github.com/anchore/imgbom/imgbom/distro"
-	"github.com/anchore/imgbom/imgbom/pkg"
 	"github.com/anchore/siren-db/pkg/db"
+	"github.com/anchore/syft/syft/distro"
+	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/vulnscan/vulnscan/cpe"
 	"github.com/facebookincubator/nvdtools/wfn"
 )

vulnscan/vulnerability/store_provider_test.go

@@ -5,8 +5,8 @@ import (
 	"github.com/go-test/deep"
 	"testing"
 
-	"github.com/anchore/imgbom/imgbom/distro"
-	"github.com/anchore/imgbom/imgbom/pkg"
+	"github.com/anchore/syft/syft/distro"
+	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/vulnscan/vulnscan/version"
 )