
fix: allow reading from cache folders for any users #7395

Closed
wants to merge 2 commits into from

Conversation

afdesk
Contributor

@afdesk afdesk commented Aug 26, 2024

Description

A new cache folder is created without read access for other users.
This PR grants read permissions.

Reproduction Steps:

$ trivy server -d --cache-dir ~/Library/Caches/trivy/subpath

Before:

$ ls -l ~/Library/Caches/trivy
total 0
drwxr-xr-x  4 user  staff  128 27 Aug 00:25 db
drwx------  3 user  staff   96 26 Aug 14:02 fanal
drwxr-xr-x@ 4 user  staff  128 16 Aug 12:45 java-db
drwxr-xr-x@ 4 user  staff  128 19 Aug 19:47 policy
drwx------  4 user  staff  128 27 Aug 01:15 subpath

After:

$ ls -l ~/Library/Caches/trivy
total 0
drwxr-xr-x  4 user  staff  128 27 Aug 00:25 db
drwx------  3 user  staff   96 26 Aug 14:02 fanal
drwxr-xr-x@ 4 user  staff  128 16 Aug 12:45 java-db
drwxr-xr-x@ 4 user  staff  128 19 Aug 19:47 policy
drwxr--r--@ 4 user  staff  128 27 Aug 01:29 subpath

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).
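
Added example, written for this page and not taken from the PR or from Trivy's own code: a small Go pre-flight check that reports the facts the thread turns on for a cache directory, namely who owns it, which permission bits it carries, and whether the current process can actually create entries in it (the probe fails with "permission denied" in the same situation as the reproduction, a directory created by another user via sudo). It also shows the two modes from the "before" and "after" listings, 0700 and 0744. The report name, field names and the `.trivy-perm-probe` file name are assumptions chosen for the example. One caveat worth seeing in the output: on a directory the read bit alone (`r--`) lets other users list entry names but not enter the directory or open files in it, which is why the report tracks the other-execute bit separately.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// DirReport summarises the facts about a cache directory that decided the PR
// discussion: who owns it, whether other users can read it, and whether the
// current process can create entries inside it.
type DirReport struct {
	Perm         os.FileMode // permission bits only, e.g. 0o700
	OwnerUID     int
	OwnedByUs    bool
	GroupRead    bool
	OtherRead    bool
	OtherExec    bool // without this bit other users may list names but cannot enter
	WritableByUs bool
}

// InspectDir stats path and probes it the way Trivy hits it: by trying to
// create an entry. A "permission denied" here is what the reproduction shows
// when the directory was created by a different user (e.g. via sudo).
func InspectDir(path string) (DirReport, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return DirReport{}, err
	}
	if !fi.IsDir() {
		return DirReport{}, fmt.Errorf("%s is not a directory", path)
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return DirReport{}, fmt.Errorf("ownership information not available on this platform")
	}
	perm := fi.Mode().Perm()
	r := DirReport{
		Perm:      perm,
		OwnerUID:  int(st.Uid),
		OwnedByUs: int(st.Uid) == os.Geteuid(),
		GroupRead: perm&0o040 != 0,
		OtherRead: perm&0o004 != 0,
		OtherExec: perm&0o001 != 0,
	}
	// Constructed probe name (assumption for this example); removed right away.
	probe := filepath.Join(path, ".trivy-perm-probe")
	f, err := os.OpenFile(probe, os.O_CREATE|os.O_EXCL|os.O_WRONLY, 0o600)
	if err == nil {
		f.Close()
		os.Remove(probe)
		r.WritableByUs = true
	}
	return r, nil
}

// CreateCacheDir creates the directory with exactly the requested bits.
// os.MkdirAll filters the mode through the process umask, so a second Chmod
// is needed when the caller wants the bits applied literally.
func CreateCacheDir(path string, perm os.FileMode) error {
	if err := os.MkdirAll(path, perm); err != nil {
		return err
	}
	return os.Chmod(path, perm)
}

func main() {
	base, err := os.MkdirTemp("", "cache-perm-demo")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	defer os.RemoveAll(base)

	// The two modes from the PR's "before" (drwx------) and "after" (drwxr--r--) listings.
	for _, perm := range []os.FileMode{0o700, 0o744} {
		dir := filepath.Join(base, fmt.Sprintf("subpath-%o", uint32(perm)))
		if err := CreateCacheDir(dir, perm); err != nil {
			fmt.Println("error:", err)
			continue
		}
		r, err := InspectDir(dir)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-12s mode=%o ownedByUs=%t otherRead=%t otherExec=%t writableByUs=%t\n",
			filepath.Base(dir), uint32(r.Perm), r.OwnedByUs, r.OtherRead, r.OtherExec, r.WritableByUs)
	}
}
```

Run as the user that will run Trivy and point `InspectDir` at the `--cache-dir` path: `OwnedByUs=false` together with `WritableByUs=false` is exactly the sudo-created-directory case from the thread, and the fix is to chown or chmod the directory rather than to change Trivy's defaults, as the maintainers concluded.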

@afdesk afdesk marked this pull request as ready for review August 26, 2024 20:19
@afdesk afdesk requested a review from knqyf263 as a code owner August 26, 2024 20:19
@afdesk
Contributor Author

afdesk commented Aug 27, 2024

I've added read permission for all users, but the cache can contain sensitive data.
does it make sense?

@knqyf263 wdyt?

@knqyf263
Collaborator

knqyf263 commented Aug 29, 2024

I think users should be responsible for the permission. If needed, they can change permission of the cache dir at their own risk.

@afdesk
Contributor Author

afdesk commented Aug 30, 2024

> I think users should be responsible for the permission. If needed, they can change permission of the cache dir at their own risk.

sure. let's close this pr, right?

@knqyf263
Collaborator

Usually the user who creates the cache directory and the user who runs Trivy should be the same. Does this problem occur if the directory is created manually?

@afdesk
Contributor Author

afdesk commented Sep 2, 2024

> Usually the user who creates the cache directory and the user who runs Trivy should be the same. Does this problem occur if the directory is created manually?

no, I can create a subfolder and there is no problem with permissions if the modes allow creating files.

but if I create a new folder through sudo, the issue occurs as expected:

$ sudo mkdir subpath4

$ trivy i --cache-backend memory --cache-dir ~/Library/Caches/trivy/subpath4/ tomcat:9 
2024-09-02T08:34:38+06:00	INFO	[db] Need to update DB
2024-09-02T08:34:38+06:00	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-02T08:34:42+06:00	FATAL	Fatal error	init error: DB error: failed to download vulnerability DB: database download error: oci download error: download error: failed to download /var/folders/q0/ykp5nvjx0j5_t4llxyh5hcm40000gn/T/trivy121102855/db.tar.gz: mkdir ~/Library/Caches/trivy/subpath4/db: permission denied

@knqyf263
Collaborator

knqyf263 commented Sep 2, 2024

> but if I create a new folder through sudo, the issue occurs as expected:

Yes, that is what I meant. The error you shared shows "permission denied", and it's clear enough. Users should fix the problem themselves. What do you think?

@afdesk
Contributor Author

afdesk commented Sep 2, 2024

> > but if I create a new folder through sudo, the issue occurs as expected:
>
> Yes, that is what I meant. The error you shared shows "permission denied", and it's clear enough. Users should fix the problem themselves. What do you think?

I think you're right as usual. We shouldn't update default permissions for cache folders.
close this PR.

@afdesk afdesk closed this Sep 2, 2024
@afdesk afdesk deleted the fix/cache-folder-perms branch September 2, 2024 11:15
@knqyf263
Collaborator

knqyf263 commented Sep 2, 2024

This might be another problem from #7380, as it shows a different error.

DEBUG Failed to get DB metadata err="unable to open a file: open /var/cache/trivy/subpath/db/db/metadata.json: no such file or directory"

@afdesk
Contributor Author

afdesk commented Sep 2, 2024

> This might be another problem from #7380, as it shows a different error.
>
> DEBUG Failed to get DB metadata err="unable to open a file: open /var/cache/trivy/subpath/db/db/metadata.json: no such file or directory"

yes, I've re-opened the discussion and am retesting it with a systemd script
