Running the vulnxscan command twice in a row shows that there is some caching going on, because the second run returns almost immediately.

Rebooting causes the same vulnxscan command to run for a long time again.

I there a way to have finer grained control over this caching behaviour? Say to invalidate the cache after n days.

Any advice (or clarification of how caching is done) is appreciated.

From the top of my head, following caching behavior might impact:

• For grype scan, vulnxscan just invokes grype which caches its database locally, as explained here: https://github.com/anchore/grype#local-database-cache-directory. On Linux, the default grype cache location is $HOME/.cache/grype/.
• If your scan target is a nix out-path or derivation (not an SBOM), vulnxscan invokes vulnix which also caches its database locally by default under $HOME/.cache/vulnix.
• If your scan target is a nix out-path or derivation (not an SBOM), vulnxscan updates the local CPE cache if it's more than week old, by default under $HOME/.cache/sbomnix.

Does some of those caches get cleaned on reboot on your system?

Closing this old issue that was left hanging.
@lestephane: let me know if I didn't answer your question properly.