trivy-db can't be built with Go 1.14 #36

Closed
knqyf263 opened this issue Mar 31, 2020 · 3 comments
@knqyf263
Collaborator

You will see the following error when you build the database with Go 1.14.

$ make db-build
./trivy-db build  --cache-dir cache --update-interval 12h
2020/03/31 14:53:09 Updating vulnerability database...
2020/03/31 14:53:09 Updating alpine data...
2020/03/31 14:53:11 Saving Alpine DB
2020/03/31 14:53:38 Updating redhat data...
2020/03/31 14:53:42 Saving RedHat DB
2020/03/31 14:55:15 Updating php-security-advisories data...
2020/03/31 14:55:16 Updating debian-oval data...
2020/03/31 14:55:28 Saving Debian OVAL
2020/03/31 14:55:40 Updating ruby-advisory-db data...
2020/03/31 14:55:40 Updating nodejs-security-wg data...
2020/03/31 14:55:40 error in nodejs-security-wg update: failed to update node vulnerabilities: batch update failed: error in batch update: failed to walk node advisories: json: invalid number literal, trying to unmarshal "\"4.8 (Medium)\"" into Number
make: *** [db-build] Error 1

This is caused by this change.
golang/go#34272

nodejs-security-wg has both floats like 5.2 and strings like "4.8 (Medium)" in the same key. But "4.8 (Medium)" is an invalid number, and json.Number no longer accepts it after Go 1.14.

I think we have to implement our original type as suggested here.
https://go.googlesource.com/go/+/master/doc/go1.14.html?autodive=0%2F%2F%2F%2F%2F#602

@knqyf263 knqyf263 added the bug Something isn't working label Mar 31, 2020
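
One way to write the kind of custom type the opening comment proposes, as an added example that is neither trivy-db's code nor the fix merged in #38. `LenientScore`, `advisory`, `parseScore` and the `cvss_score` key are assumptions, and the sample document is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// LenientScore is a hypothetical type: it accepts 5.2 or "4.8 (Medium)".
type LenientScore float64

func (s *LenientScore) UnmarshalJSON(b []byte) error {
	text := string(b)
	if text == "null" {
		return nil // keep the zero value, as encoding/json does for null
	}
	if strings.HasPrefix(text, `"`) {
		// String form: decode the JSON string, then keep its first token.
		var raw string
		if err := json.Unmarshal(b, &raw); err != nil {
			return err
		}
		text, _, _ = strings.Cut(strings.TrimSpace(raw), " ")
	}
	f, err := strconv.ParseFloat(text, 64)
	// The range test also rejects NaN and Inf, which ParseFloat accepts.
	if err != nil || !(f >= 0 && f <= 10) {
		return fmt.Errorf("invalid score %s", b)
	}
	*s = LenientScore(f)
	return nil
}

// advisory holds only the field under discussion; the key name is assumed.
type advisory struct {
	Score LenientScore `json:"cvss_score"`
}

func parseScore(doc string) (float64, error) {
	var a advisory
	err := json.Unmarshal([]byte(doc), &a)
	return float64(a.Score), err
}

func main() {
	// Constructed sample document, not taken from the advisory feed.
	fmt.Println(parseScore(`{"cvss_score": "4.8 (Medium)"}`))
}
```

Because the feed is external input, the type fails closed: a string with no leading number, or a value outside the 0 to 10 CVSS range, is an error rather than a silent zero.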
@simar7
Member

simar7 commented Apr 1, 2020

Currently there are no tests for function

func (vs VulnSrc) walk(tx *bolt.Tx, root string) error {

Could you point me to the right place where I can find such advisories for node, in order to be able to write a unit test?

@knqyf263
Collaborator Author

knqyf263 commented Apr 1, 2020

I'm sorry, but I don't get your point. Do you want to know the repository which includes security advisories for node.js? Here it is.
https://github.com/aquasecurity/vuln-list

If you want to find the above data, you can use grep.

@simar7
Member

simar7 commented Apr 8, 2020

This is fixed now with this #38

@simar7 simar7 closed this as completed Apr 8, 2020