Nuke conda pkgs cache after install to eliminate cached JAR/binary CVEs

micromamba clean --all leaves extracted packages in /opt/conda/pkgs/
because installed files are hardlinked from there. Trivy scans the full
filesystem and flags CVEs in cached JARs (picard, fgbio, snpeff) and
binaries. Adding rm -rf /opt/conda/pkgs/* to install-conda-deps.sh
eliminates all cache copies in one place.

Removed per-file pkgs cache deletions from Dockerfiles since the script
now handles it centrally.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: dpark01

docker/Dockerfile.assemble

@@ -32,8 +32,7 @@ COPY docker/install-conda-deps.sh /tmp/
 # never use --dash mode; delete inline so it never appears in any layer.
 RUN /tmp/install-conda-deps.sh /tmp/requirements/baseimage.txt /tmp/requirements/core.txt /tmp/requirements/assemble.txt \
     --x86-only:/tmp/requirements/assemble-x86.txt && \
-    rm -f /opt/conda/libexec/mafft/dash_client && \
-    rm -f /opt/conda/pkgs/*/libexec/mafft/dash_client
+    rm -f /opt/conda/libexec/mafft/dash_client
 
 # Copy source code (includes assembly module)
 COPY src/ /opt/viral-ngs/source/src/

docker/Dockerfile.baseimage

@@ -63,10 +63,8 @@ COPY docker/install-conda-deps.sh /tmp/
 # Remove gcloud-crc32c — Go binary compiled with old Go stdlib (CVEs).
 # gcloud/gsutil use the conda environment Python, not the bundled one.
 RUN /tmp/install-conda-deps.sh /tmp/requirements/baseimage.txt && \
-    rm -rf /opt/conda/pkgs/google-cloud-sdk-*/share/google-cloud-sdk-*/platform/bundledpythonunix && \
     rm -rf /opt/conda/share/google-cloud-sdk-*/platform/bundledpythonunix && \
     rm -f /opt/conda/share/google-cloud-sdk-*/bin/gcloud-crc32c && \
-    rm -f /opt/conda/pkgs/google-cloud-sdk-*/share/google-cloud-sdk-*/bin/gcloud-crc32c && \
     rm -rf /tmp/requirements /tmp/install-conda-deps.sh
 
 # Install firecloud via pip instead of conda because the conda noarch

docker/Dockerfile.mega

@@ -31,8 +31,7 @@ RUN /tmp/install-conda-deps.sh /tmp/requirements/baseimage.txt /tmp/requirements
     --x86-only:/tmp/requirements/assemble-x86.txt \
     --x86-only:/tmp/requirements/classify-x86.txt \
     --x86-only:/tmp/requirements/phylo-x86.txt && \
-    rm -f /opt/conda/libexec/mafft/dash_client && \
-    rm -f /opt/conda/pkgs/*/libexec/mafft/dash_client
+    rm -f /opt/conda/libexec/mafft/dash_client
 
 # Copy source code (includes all modules)
 COPY src/ /opt/viral-ngs/source/src/

docker/Dockerfile.phylo

@@ -29,8 +29,7 @@ COPY docker/install-conda-deps.sh /tmp/
 # never use --dash mode; delete inline so it never appears in any layer.
 RUN /tmp/install-conda-deps.sh /tmp/requirements/baseimage.txt /tmp/requirements/core.txt /tmp/requirements/phylo.txt \
     --x86-only:/tmp/requirements/phylo-x86.txt && \
-    rm -f /opt/conda/libexec/mafft/dash_client && \
-    rm -f /opt/conda/pkgs/*/libexec/mafft/dash_client
+    rm -f /opt/conda/libexec/mafft/dash_client
 
 # Copy source code (includes phylo module)
 COPY src/ /opt/viral-ngs/source/src/

docker/install-conda-deps.sh

@@ -114,8 +114,12 @@ echo ""
 echo "Installed packages:"
 micromamba list
 
-# Clean up
+# Clean up: micromamba clean removes tarballs and index cache, but leaves
+# extracted packages in /opt/conda/pkgs/ for hardlink-installed files.
+# Trivy scans the full filesystem and flags CVEs in cached JARs/binaries,
+# so we nuke the entire pkgs cache to avoid false positives.
 micromamba clean -y --all
+rm -rf /opt/conda/pkgs/*
 
 echo ""
 echo "Done installing conda dependencies."