Enhance documentation regarding trivy server and redis cache use in the server and client

[sastorsl]

Description

With regards to client, server and redis cache it would be good to enhance the documentation to explain better what is handled where.

I.e. the Java DB cache is now client side only, re #3560, and with many builds it is of assistanse to have a redis cache backend.

But it is not crystal clear what then is the benefit of having a trivy server in addition.

Link

• Client/Server: https://aquasecurity.github.io/trivy/v0.55/docs/references/modes/client-server/
• Cache / Redis: https://aquasecurity.github.io/trivy/v0.55/docs/configuration/cache/#redis
• Databases: https://aquasecurity.github.io/trivy/v0.55/docs/configuration/db/#vulnerability-database

Suggestions

Document use cases:

• Where trivy server helps
• With regards to various cache backends
• Document what is server side and client side
• Highlight that the Java DB is client side only perhaps also on the trivy server documentation.

[sastorsl]

I can help with the writing, but would need some insights from the team and other users.

[knqyf263]

• Where trivy server helps
  • To share:
    • the vulnerability database
    • the scan cache (analysis results)
• With regards to various cache backends
  • FS cache has a limitation.
  • Redis cache fits in that case.
• Document what is server side and client side
  • The overview is written here.
  • Trivy consists of two phases: analysis and detection, as described in the architecture diagram. The analysis phase is performed on the client side. The Java DB is used in this phase, and that's why it's done at the client end.

[sastorsl]

Perhaps a short enhancement note on both the client/server, redis and DB pages regarding the java DB. I see that the Java DB note mentions a little bit how the workload is distributed - https://aquasecurity.github.io/trivy/v0.55/docs/configuration/db/#java-index-database

[sastorsl]

https://aquasecurity.github.io/trivy/v0.55/docs/references/modes/client-server/ have a section on which scans runs server side, and which scans runs client side.

This could also be a good place to outline where a redis / external cache fits in with a client/server setup.

[sastorsl]

The trivy-java-db is not cached in the redis server either.
Ref #6177

[sastorsl]

trivy-db (vulnerability database) is downloaded to the local, file based, cache directory even with cache-backend redis://hostname:6379 defined, also for trivy server.

1. Start a redis server
2. Start trivy server
3. Observe that the local file system cache is filled
4. Observe that no keys have been added to redis

Redis:

rm -rf ~/tmp/redis &&
mkdir -p ~/tmp/redis &&
(docker stop trivy-backend ; docker rm trivy-backend) >/dev/null 2>&1 ;
docker run --publish 6379:6379 --name trivy-backend --detach redis:7-alpine

Trivy server:

rm -rf ~/tmp/trivy &&
mkdir -p ~/tmp/trivy &&
trivy server --listen 127.0.0.1:8080 --token foobar --cache-dir $HOME/tmp/trivy --cache-backend redis://localhost:6379 --cache-ttl 10m --debug

In another shell

# Observe that we have 500Mb + downloaded
ls -l ~/tmp/trivy/db
du -hs ~/tmp/trivy/db

# ...and no new keys in the redis backend
redis-cli keys "*"

[nasseredine]

Hello @sastorsl, there is something that I don't understand with the response from the example request from the client/server documentation page: https://trivy.dev/docs/latest/references/modes/client-server/#version.

Why does it return JavaDB and PolicyBundle while it is in server mode? Shouldn't it return only VulnerabilityDB as mentioned here:

trivy/pkg/rpc/server/listen_test.go

Line 220 in fa195b4

// Server mode excludes JavaDB and CheckBundle as they are managed on the client side

I find this line in the documentation a bit confusing.

Returns the version of the Trivy and all components (db, policy). Authentication is not required.

Isn't this only possible if the server and the client are running on the same machine as they would share the same cache directory?

From my understanding java db and checks bundle repositories are downloaded from the client side (and not served by the Trivy server). Is this correct?

[sastorsl]

Hi @nasseredine I am not sure of the answer. In addition I think your question is a bit outside the scope of the original posting so perhaps you could start a new discussion regarding your questions?

[nasseredine]

In my opinion my comment falls into the topic "Enhance documentation regarding trivy server [...]" of this discussion. Maybe I misunderstood and it is specific to the interaction between Trivy server and Redis cache? I can open a new discussion but it will mostly be a copy of my current comment.
What do you think if I open one with the title "Misleading Trivy server version endpoint example request for Trivy client/server mode documentation"?

[dhensche]

If running in server/client mode, is the in-memory cache used by default? If that is the case, I would assume the caches would all be empty/cold when a server is restarted. What would happen if we set the server to use a FS cache where the location is a persistent volume? would the client/server setup then lose its benefit because the FS based cache only allows single user access at a time?