--exit-code is overloaded

[chrisnovakovic]

Description

The documentation for the --exit-code option says

      --exit-code int              specify exit code when any security issues are found

but this value is also used when errors occur that are not related to security findings. The most common example I've encountered is when the databases fail to update (which is happening a lot lately - see #7668), but from pkg/plugin/plugin.go it looks like the same value is also used for plugin execution failures. This overloading makes it hard to distinguish between failures that might be resolved with a retry and failures that won't be.

It seems something like this has been considered before because there's also an --exit-code-eol option:

      --exit-on-eol int            exit with the specified code when the OS reaches end of service/life

so perhaps it's simply a case of adding a new option (--exit-on-db-error?).

Desired Behavior

At a minimum, different exit codes are used when encountering security issues and encountering other run-time failures, for example database update errors.

Actual Behavior

Trivy exits with exit code 1 (or whatever the value of --exit-code is set to) for several reasons.

Reproduction Steps

N/A

Target

Container Image

Scanner

Vulnerability

Output Format

None

Mode

Standalone

Debug Output

N/A

Operating System

Ubuntu 22.04

Version

Version: 0.57.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-09-10 06:14:13.623414582 +0000 UTC
  NextUpdate: 2024-09-10 12:14:13.623414211 +0000 UTC
  DownloadedAt: 2024-09-10 09:53:10.337499769 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-05-29 01:02:42.771482943 +0000 UTC
  NextUpdate: 2024-06-01 01:02:42.771482773 +0000 UTC
  DownloadedAt: 2024-05-29 14:40:04.998222314 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[itaysk]

I think it makes sense just reclassifying as a enhancement request not as bug

[knqyf263]

$ trivy image --exit-code 100 alpine:3.20
2024-11-14T19:42:40+02:00	INFO	[vulndb] Need to update DB
2024-11-14T19:42:40+02:00	INFO	[vulndb] Downloading vulnerability DB...
2024-11-14T19:42:40+02:00	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-11-14T19:42:42+02:00	ERROR	[vulndb] Failed to download artifact	repo="ghcr.io/aquasecurity/trivy-db:2" err="OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 143.14µs, allowed: 44000/minute\n\n"
2024-11-14T19:42:42+02:00	FATAL	Fatal error	init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source
$ echo $?
1

I don't see the behavior. Also, I confirmed the value is used only for security findings.

trivy/pkg/commands/operation/operation.go

Line 126 in bdfcc19

return &types.ExitError{Code: opts.ExitCode}