aquasecurity · knqyf263 · Sep 1, 2023 · Aug 31, 2023 · Aug 31, 2023
diff --git a/get.go b/get.go
@@ -102,13 +102,18 @@ func findArtifactDigest(digest name.Digest, opts getOptions) (name.Digest, error
 	return artifactDigest, nil
 }
 
-func findReferrerByDigest(index *v1.IndexManifest, opts getOptions) (v1.Descriptor, error) {
+func findReferrerByDigest(index v1.ImageIndex, opts getOptions) (v1.Descriptor, error) {
 	digest := opts.Digest
 	if !strings.HasPrefix(digest, "sha256:") {
 		digest = "sha256:" + digest
 	}
 
-	m, found := lo.Find(index.Manifests, func(item v1.Descriptor) bool {
+	indexManifest, err := index.IndexManifest()
+	if err != nil {
+		return v1.Descriptor{}, fmt.Errorf("error getting index manifest: %w", err)
+	}
+
+	m, found := lo.Find(indexManifest.Manifests, func(item v1.Descriptor) bool {
 		return strings.HasPrefix(item.Digest.String(), digest)
 	})
 	if !found {
@@ -117,14 +122,19 @@ func findReferrerByDigest(index *v1.IndexManifest, opts getOptions) (v1.Descript
 	return m, nil
 }
 
-func findLatestReferrerByType(index *v1.IndexManifest, opts getOptions) (v1.Descriptor, error) {
+func findLatestReferrerByType(imageIndex v1.ImageIndex, opts getOptions) (v1.Descriptor, error) {
 
 	artifactType, err := artifactTypeFromName(opts.Type)
 	if err != nil {
 		return v1.Descriptor{}, fmt.Errorf("error getting artifact type: %w", err)
 	}
 
-	filtered := lo.Filter(index.Manifests, func(item v1.Descriptor, index int) bool {
+	indexManifest, err := imageIndex.IndexManifest()
+	if err != nil {
+		return v1.Descriptor{}, fmt.Errorf("error getting index manifest: %w", err)
+	}
+
+	filtered := lo.Filter(indexManifest.Manifests, func(item v1.Descriptor, index int) bool {
 		return item.ArtifactType == artifactType.MediaType()
 	})
 

diff --git a/go.mod b/go.mod
@@ -1,85 +1,81 @@
 module github.com/aquasecurity/trivy-plugin-referrer
 
-go 1.20
+go 1.21.0
 
 require (
 	github.com/aquasecurity/table v1.8.0
-	github.com/aquasecurity/trivy v0.39.1
+	github.com/aquasecurity/trivy v0.44.1
 	github.com/fatih/color v1.15.0
-	github.com/google/go-containerregistry v0.14.0
+	github.com/google/go-containerregistry v0.16.1
 	github.com/owenrumney/go-sarif v1.1.1
 	github.com/samber/lo v1.38.1
-	github.com/spdx/tools-golang v0.3.1-0.20230104082527-d6f58551be3f
+	github.com/spdx/tools-golang v0.5.3
 	github.com/spf13/cobra v1.7.0
-	github.com/spf13/viper v1.15.0
+	github.com/spf13/viper v1.16.0
 	github.com/xlab/treeprint v1.2.0
 )
 
-replace github.com/spdx/tools-golang => github.com/spdx/tools-golang v0.3.0
-
 require (
-	github.com/CycloneDX/cyclonedx-go v0.7.1 // indirect
-	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
-	github.com/aquasecurity/go-dep-parser v0.0.0-20230413091456-df0396537e15 // indirect
-	github.com/aquasecurity/trivy-db v0.0.0-20230411140759-3c2ee2168575 // indirect
+	github.com/CycloneDX/cyclonedx-go v0.7.2-0.20230625092137-07e2f29defc3 // indirect
+	github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
+	github.com/aquasecurity/go-dep-parser v0.0.0-20230803125501-bd9cf68d8636 // indirect
+	github.com/aquasecurity/trivy-db v0.0.0-20230726112157-167ba4f2faeb // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/docker/cli v23.0.3+incompatible // indirect
-	github.com/docker/distribution v2.8.1+incompatible // indirect
-	github.com/docker/docker v23.0.3+incompatible // indirect
+	github.com/docker/cli v24.0.0+incompatible // indirect
+	github.com/docker/distribution v2.8.2+incompatible // indirect
+	github.com/docker/docker v24.0.0+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.7.0 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/google/licenseclassifier/v2 v2.0.0 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/in-toto/in-toto-golang v0.7.1 // indirect
+	github.com/in-toto/in-toto-golang v0.9.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/klauspost/compress v1.16.4 // indirect
+	github.com/klauspost/compress v1.16.5 // indirect
 	github.com/knqyf263/go-rpm-version v0.0.0-20220614171824-631e686d1075 // indirect
-	github.com/kr/pretty v0.3.1 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
-	github.com/masahiro331/go-xfs-filesystem v0.0.0-20230228020636-7a08aef44f20 // indirect
+	github.com/masahiro331/go-xfs-filesystem v0.0.0-20230608043311-a335f4599b70 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.18 // indirect
-	github.com/mattn/go-runewidth v0.0.14 // indirect
+	github.com/mattn/go-isatty v0.0.17 // indirect
+	github.com/mattn/go-runewidth v0.0.13 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.0-rc2.0.20221020182949-4df8887994e8 // indirect
-	github.com/owenrumney/go-sarif/v2 v2.1.3 // indirect
-	github.com/package-url/packageurl-go v0.1.1-0.20220428063043-89078438f170 // indirect
-	github.com/pelletier/go-toml/v2 v2.0.6 // indirect
+	github.com/opencontainers/image-spec v1.1.0-rc4 // indirect
+	github.com/package-url/packageurl-go v0.1.1 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.8 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/rivo/uniseg v0.4.4 // indirect
-	github.com/secure-systems-lab/go-securesystemslib v0.5.0 // indirect
-	github.com/sergi/go-diff v1.3.1 // indirect
+	github.com/rivo/uniseg v0.2.0 // indirect
+	github.com/secure-systems-lab/go-securesystemslib v0.7.0 // indirect
+	github.com/sergi/go-diff v1.2.0 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
-	github.com/sirupsen/logrus v1.9.0 // indirect
-	github.com/spf13/afero v1.9.3 // indirect
-	github.com/spf13/cast v1.5.0 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/spf13/afero v1.9.5 // indirect
+	github.com/spf13/cast v1.5.1 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/stretchr/objx v0.5.0 // indirect
-	github.com/stretchr/testify v1.8.2 // indirect
+	github.com/stretchr/testify v1.8.4 // indirect
 	github.com/subosito/gotenv v1.4.2 // indirect
 	github.com/vbatts/tar-split v0.11.3 // indirect
-	github.com/zclconf/go-cty v1.13.1 // indirect
+	github.com/zclconf/go-cty v1.10.0 // indirect
 	go.etcd.io/bbolt v1.3.7 // indirect
 	go.uber.org/atomic v1.10.0 // indirect
-	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/multierr v1.9.0 // indirect
 	go.uber.org/zap v1.24.0 // indirect
-	golang.org/x/crypto v0.8.0 // indirect
-	golang.org/x/exp v0.0.0-20230321023759-10a507213a29 // indirect
-	golang.org/x/sync v0.1.0 // indirect
-	golang.org/x/sys v0.7.0 // indirect
-	golang.org/x/term v0.7.0 // indirect
-	golang.org/x/text v0.9.0 // indirect
+	golang.org/x/crypto v0.11.0 // indirect
+	golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 // indirect
+	golang.org/x/sync v0.3.0 // indirect
+	golang.org/x/sys v0.10.0 // indirect
+	golang.org/x/term v0.10.0 // indirect
+	golang.org/x/text v0.11.0 // indirect
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect
+	k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5 // indirect
 )