deprecatedAPI scanning in K8s cluster not working as expected

[jkleinlercher]

Description

I applied a cronjob described in https://github.com/suxess-it/deprecated-k8s-api-testcase/blob/main/cronjob-deprecated.yaml and when scanning the yaml with "trivy conf cronjob-deprecated.yaml" it correctly says

apiVersion 'batch/v1beta1' and kind 'CronJob' has been deprecated on: 'v1.21' and planned for removal on:'v1.25'

However, after applying the manifest to the K8s cluster and run "trivy kubernetes --report all -n dep-apis-test all" I don't get any deprecatedAPI misconfiguration.

Desired Behavior

trivy should show "apiVersion 'batch/v1beta1' and kind 'CronJob' has been deprecated on: 'v1.21' and planned for removal on:'v1.25'" alert while scanning the cluster.

Actual Behavior

trivy doesn't recognize the deprecated API.

Reproduction Steps

1. create or use a K8s cluster with version 1.24
2. scan the yaml in https://github.com/suxess-it/deprecated-k8s-api-testcase/blob/main/cronjob-deprecated.yaml with "trivy conf cronjob-deprecated.yaml" and you will see the deprecated API alert.
3. apply the manifest with "kubectl apply -f cronjob-deprecated.yaml -n <your-ns>"
4. scan cluster with "trivy kubernetes --report all -n <your-ns> all" --> you wont't see the deprecated API alert

Target

Kubernetes

Scanner

Misconfiguration

Output Format

None

Mode

Client/Server

Debug Output

trivy kubernetes --report all -n dep-apis-test all --debug
2023-07-05T16:52:28.880+0200    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-07-05T16:52:30.309+0200    DEBUG   cache dir:  /home/johannes/.cache/trivy
2023-07-05T16:52:30.309+0200    DEBUG   DB update was skipped because the local DB is the latest
2023-07-05T16:52:30.309+0200    DEBUG   DB Schema: 2, UpdatedAt: 2023-07-05 12:11:04.500000989 +0000 UTC, NextUpdate: 2023-07-05 18:11:04.500000289 +0000 UTC

Operating System

ubuntu

Version

trivy --version
Version: 0.43.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-07-05 12:11:04.500000989 +0000 UTC
  NextUpdate: 2023-07-05 18:11:04.500000289 +0000 UTC
  DownloadedAt: 2023-07-05 12:46:24.380787155 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-07-03 00:53:46.661061023 +0000 UTC
  NextUpdate: 2023-07-06 00:53:46.661060523 +0000 UTC
  DownloadedAt: 2023-07-03 13:04:33.70268622 +0000 UTC
Policy Bundle:
  Digest: sha256:30ca89c908eac67d337f8b393262de10ccc2b4f486e7b47bf7828167ad6840b5
  DownloadedAt: 2023-07-05 07:02:24.202668804 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[chen-keinan]

@jkleinlercher have you used the k8s version flag :
--k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0)

[jkleinlercher]

unfortunately this doesn't work either .. also with specifying the k8s version it doesn't detect the deprecation

[AnaisUrlichs]

Hi @jkleinlercher -- thank you for pointing out the inconsistency between the docs and the tutorial -- I will update the tutorial

[jkleinlercher]

Hey @AnaisUrlichs could it be that you meant #4768 ?

[AnaisUrlichs]

Yes Sorry Wrong thread hahah

[chen-keinan]

@jkleinlercher I have created an issue #4784 for investigation