trivy clean -a deletes too much

[PenelopeFudd]

Description

For reasons, we're running trivy with --cache-dir /var/tmp, and it's working fine.
Today we tried trivy clean --cache-dir /var/tmp -a, and were surprised to find that /var/tmp was gone!

Desired Behavior

We expected trivy clean -a to be functionally identical to
trivy clean --checks-bundle --java-db --scan-cache --vex-repo --vuln-db
That is to say, there may be non-Trivy files or directories in the cache dir that should be left alone.

Actual Behavior

trivy clean --cache-dir $directory -a appears to be functionally equivalent to rm -rf $directory.

Reproduction Steps

1. `mkdir /var/tmp/testing`
2. `trivy clean --cache-dir /var/tmp/testing -a`
3. `ls -l /var/tmp/testing`
`ls: cannot access '/var/tmp/testing': No such file or directory`

Target

None

Scanner

None

Output Format

None

Mode

Standalone

Debug Output

# trivy clean --cache-dir /var/tmp/testing -a --debug
 
2024-10-04T14:41:11-07:00	DEBUG	No plugins loaded
2024-10-04T14:41:11-07:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2024-10-04T14:41:11-07:00	DEBUG	Cache dir	dir="/var/tmp/testing"
2024-10-04T14:41:11-07:00	DEBUG	Cache dir	dir="/var/tmp/testing"
2024-10-04T14:41:11-07:00	INFO	Removing all caches...

Operating System

Ubuntu 22.04

Version

Version: 0.56.1

Checklist

• Run trivy clean --all
• Read the troubleshooting

[PenelopeFudd]

I had to laugh when I saw the first checklist item. 😆

[PenelopeFudd]

Maybe create a target named database, to centralize downloading the databases? For instance, while trivy server has --download-db-only, it doesn't have --download-java-db-only, which we found on trivy image.

We stumbled across this bug while trying to set up a central server for downloading the databases and sharing among all of our hosts, so we don't end up downloading 300+ copies of the vulnerability and java dbs all at the same time. We figured that many people would consider that "antisocial behaviour". 😄

[PenelopeFudd]

BTW, https://aquasecurity.github.io/trivy/test/docs/configuration/db/#remove-dbs says to use trivy image --reset, but that gives:

2024-10-04T14:51:50-07:00	ERROR	"--reset" was removed. Use "trivy clean --all" instead.
2024-10-04T14:51:50-07:00	FATAL	Fatal error	flag error: db flag error: unable to parse flag: removed flag ("--reset")

[PenelopeFudd]

After clicking around a bit, I finally found a page that said "You're not viewing the latest version. Click here to go to latest.":

• https://aquasecurity.github.io/trivy/test/docs/target/rootfs/
  This page did not, until I removed the anchor from the end:
• https://aquasecurity.github.io/trivy/test/docs/configuration/db/#remove-dbs

[DmitriyLewen]

Hello @PenelopeFudd
As you correctly said - trivy clean -a deletes the trivy cache dir.
If you need to delete a specific database, you can use one (or more) flags for that (e.g. trivy clean --vuln-db) - https://aquasecurity.github.io/trivy/v0.56/docs/references/configuration/cli/trivy_clean/

[knqyf263]

Created #7703