--download-db-only doesn't work with the latest version of Trivy

[asprouse5]

Description

Running

trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only

Results in FATAL unknown flag: --download-db-only.

I have a Dockerfile that installs trivy and downloads the database file:

FROM alpine

RUN apk add --update --no-cache curl
RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -x -s -- -b /usr/local/bin

RUN export TRIVY_TEMP_DIR=$(mktemp -d)
RUN trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only  # <--- stops here

# more stuff that doesn't run yet

It does seem that it works if I run each command on its own on a basic alpine image, which is odd.

Desired Behavior

The command to successfully pull down the database file

Actual Behavior

Failed with unknown flag: --download-db-only

Reproduction Steps

1. Run `docker build -t trivy:local .` with the above Dockerfile
2. See the error returned by the docker command

Target

Container Image

Scanner

Vulnerability

Output Format

None

Mode

Standalone

Debug Output

$ trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only --debug
Error: unknown flag: --download-db-only
Usage:
  trivy [global flags] command [flags] target
  trivy [command]

Examples:
  # Scan a container image
  $ trivy image python:3.4-alpine

  # Scan a container image from a tar archive
  $ trivy image --input ruby-3.1.tar

  # Scan local filesystem
  $ trivy fs .

  # Run in server mode
  $ trivy server

Scanning Commands
  aws         [EXPERIMENTAL] Scan AWS account
  config      Scan config files for misconfigurations
  filesystem  Scan local filesystem
  image       Scan a container image
  kubernetes  [EXPERIMENTAL] Scan kubernetes cluster
  repository  Scan a repository
  rootfs      Scan rootfs
  sbom        Scan SBOM for vulnerabilities
  vm          [EXPERIMENTAL] Scan a virtual machine image

Management Commands
  module      Manage modules
  plugin      Manage plugins

Utility Commands
  completion  Generate the autocompletion script for the specified shell
  convert     Convert Trivy JSON report into a different format
  help        Help about any command
  server      Server mode
  version     Print the version

Flags:
      --cache-dir string          cache directory (default "/Users/adrianasprouse/Library/Caches/trivy")
  -c, --config string             config path (default "trivy.yaml")
  -d, --debug                     debug mode
  -f, --format string             version format (json)
      --generate-default-config   write the default config to trivy-default.yaml
  -h, --help                      help for trivy
      --insecure                  allow insecure server connections
  -q, --quiet                     suppress progress bar and log output
      --timeout duration          timeout (default 5m0s)
  -v, --version                   show version

Use "trivy [command] --help" for more information about a command.

2024-02-28T14:06:34.499-0500    FATAL   unknown flag: --download-db-only

Operating System

Alpine 3.19.1

Version

$ trivy --version
Version: 0.49.1

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

Hello @asprouse5
Thanks for your report.

$TRIVY_TEMP_DIR env is empty.
So Trivy takes image as cache dir:
Take a look this example:

FROM alpine

RUN apk add --update --no-cache curl
RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -x -s -- -b /usr/local/bin

RUN export TRIVY_TEMP_DIR=$(mktemp -d)
RUN trivy --cache-dir $TRIVY_TEMP_DIR image image --download-db-only

➜  6228 docker build -t 6228 .                 
[+] Building 0.0s (9/9) FINISHED                                                docker:desktop-linux
 => [internal] load build definition from Dockerfile                                            0.0s
 => => transferring dockerfile: 367B                                                            0.0s
 => [internal] load .dockerignore                                                               0.0s
 => => transferring context: 2B                                                                 0.0s
 => [internal] load metadata for docker.io/library/alpine:latest                                0.0s
 => [1/5] FROM docker.io/library/alpine                                                         0.0s
 => CACHED [2/5] RUN apk add --update --no-cache curl                                           0.0s
 => CACHED [3/5] RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contr  0.0s
 => CACHED [4/5] RUN export TRIVY_TEMP_DIR=$(mktemp -d)                                         0.0s
 => CACHED [5/5] RUN trivy --cache-dir $TRIVY_TEMP_DIR image image --download-db-only           0.0s
 => exporting to image                                                                          0.0s
 => => exporting layers                                                                         0.0s
 => => writing image sha256:2445af64341d203c8680ded287997ea00d8be16533a0d3810c501d3563499f1a    0.0s
 => => naming to docker.io/library/6228                                                         0.0s

What's Next?
  View summary of image vulnerabilities and recommendations → docker scout quickview
➜  6228 docker run -it --rm 6228 ls -hl ./image
total 8K     
drwxr-xr-x    2 root     root        4.0K Feb 29 06:22 db
drwx------    2 root     root        4.0K Feb 29 06:22 fanal

Regards, Dmitriy