fix: config outdated-api result filtered by k8s version

Signed-off-by: chenk <hen.keinan@gmail.com>

go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/NYTimes/gziphandler v1.1.1
 	github.com/alicebob/miniredis/v2 v2.23.0
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/defsec v0.82.9
+	github.com/aquasecurity/defsec v0.82.10-0.20230208203455-252f7b606d53
 	github.com/aquasecurity/go-dep-parser v0.0.0-20230130190635-5e31092b0621
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798

go.sum

@@ -178,8 +178,8 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
-github.com/aquasecurity/defsec v0.82.9 h1:bThdD+Mr/6ZYPDTX0f24GY9wF4hoVJ5KF/L0WnhjEwQ=
-github.com/aquasecurity/defsec v0.82.9/go.mod h1:f/acz2sBQzfTcnaPxSjVnkRhCQ9hUbC6qwQCaHQwrFc=
+github.com/aquasecurity/defsec v0.82.10-0.20230208203455-252f7b606d53 h1:wGkl+H6A0EMbx6yRORzxrah0jdBTI8IJhcZEStHA50U=
+github.com/aquasecurity/defsec v0.82.10-0.20230208203455-252f7b606d53/go.mod h1:f/acz2sBQzfTcnaPxSjVnkRhCQ9hUbC6qwQCaHQwrFc=
 github.com/aquasecurity/go-dep-parser v0.0.0-20230130190635-5e31092b0621 h1:y8e5XlnOJd2kdKOB2TDNM+84yHkkkIjVCxHhePxXy+4=
 github.com/aquasecurity/go-dep-parser v0.0.0-20230130190635-5e31092b0621/go.mod h1:E5p/rvZrFOz2Py3WtBopQjC1d7AqU54D2FqjjEFHEkk=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=

pkg/commands/artifact/io.go

@@ -0,0 +1,47 @@
+package artifact
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/aquasecurity/trivy/pkg/log"
+)
+
+const k8sDataFile = "k8s_data"
+const K8sRegoDataSubFolder = "k8sData"
+
+type K8s struct {
+	K8s Data `json:"k8s"`
+}
+
+type Data struct {
+	Version string `json:"version"`
+}
+
+func createTempK8sRegoDataFile(version string, regoDataFolder string) error {
+	k8sData := K8s{Data{Version: version}}
+	b, err := json.Marshal(&k8sData)
+	if err != nil {
+		return err
+	}
+	if _, err := os.Stat(regoDataFolder); errors.Is(err, os.ErrNotExist) {
+		err := os.Mkdir(regoDataFolder, os.ModePerm)
+		if err != nil {
+			return err
+		}
+	}
+	return os.WriteFile(filepath.Join(regoDataFolder, fmt.Sprintf("%s-*.json", k8sDataFile)), b, 0600)
+}
+
+func removeK8sDataFolder(filename string) {
+	if err := os.RemoveAll(filename); err != nil {
+		log.Logger.Errorf("failed to remove temp file %s: %s:", filename, err)
+	}
+}
+
+func getTempk8sRegoDataFolder() string {
+	return filepath.Join(os.TempDir(), K8sRegoDataSubFolder)
+}

pkg/commands/artifact/run.go

@@ -562,7 +562,13 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
 			log.Logger.Debug("Policies successfully loaded from disk")
 			disableEmbedded = true
 		}
-
+		if len(opts.MisconfOptions.K8sVersion) > 0 {
+			err := createTempK8sRegoDataFile(opts.MisconfOptions.K8sVersion, getTempk8sRegoDataFolder())
+			if err != nil {
+				return ScannerConfig{}, scanOptions, err
+			}
+			opts.DataPaths = append(opts.DataPaths, getTempk8sRegoDataFolder())
+		}
 		configScannerOptions = config.ScannerOption{
 			Trace:                   opts.Trace,
 			Namespaces:              append(opts.PolicyNamespaces, defaultPolicyNamespaces...),
@@ -639,12 +645,13 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
 
 func scan(ctx context.Context, opts flag.Options, initializeScanner InitializeScanner, cacheClient cache.Cache) (
 	types.Report, error) {
-
 	scannerConfig, scanOptions, err := initScannerConfig(opts, cacheClient)
 	if err != nil {
 		return types.Report{}, err
 	}
-
+	if len(opts.MisconfOptions.K8sVersion) > 0 {
+		defer removeK8sDataFolder(getTempk8sRegoDataFolder())
+	}
 	s, cleanup, err := initializeScanner(ctx, scannerConfig)
 	if err != nil {
 		return types.Report{}, xerrors.Errorf("unable to initialize a scanner: %w", err)

pkg/flag/misconf_flags.go

@@ -43,6 +43,12 @@ var (
 		Value:      []string{},
 		Usage:      "specify paths to override the Terraform tfvars files",
 	}
+	K8sVersionFlag = Flag{
+		Name:       "k8s-version",
+		ConfigName: "misconfiguration.k8s.version",
+		Value:      "",
+		Usage:      "specify k8s version to validate outdated api by it (example: 1.21.0)",
+	}
 )
 
 // MisconfFlagGroup composes common printer flag structs used for commands providing misconfinguration scanning.
@@ -55,6 +61,7 @@ type MisconfFlagGroup struct {
 	HelmFileValues   *Flag
 	HelmStringValues *Flag
 	TerraformTFVars  *Flag
+	K8sVersion       *Flag
 }
 
 type MisconfOptions struct {
@@ -66,6 +73,7 @@ type MisconfOptions struct {
 	HelmFileValues   []string
 	HelmStringValues []string
 	TerraformTFVars  []string
+	K8sVersion       string
 }
 
 func NewMisconfFlagGroup() *MisconfFlagGroup {
@@ -76,6 +84,7 @@ func NewMisconfFlagGroup() *MisconfFlagGroup {
 		HelmStringValues:   &HelmSetStringFlag,
 		HelmValueFiles:     &HelmValuesFileFlag,
 		TerraformTFVars:    &TfVarsFlag,
+		K8sVersion:         &K8sVersionFlag,
 	}
 }
 
@@ -91,6 +100,7 @@ func (f *MisconfFlagGroup) Flags() []*Flag {
 		f.HelmFileValues,
 		f.HelmStringValues,
 		f.TerraformTFVars,
+		f.K8sVersion,
 	}
 }
 
@@ -102,5 +112,6 @@ func (f *MisconfFlagGroup) ToOptions() (MisconfOptions, error) {
 		HelmFileValues:     getStringSlice(f.HelmFileValues),
 		HelmStringValues:   getStringSlice(f.HelmStringValues),
 		TerraformTFVars:    getStringSlice(f.TerraformTFVars),
+		K8sVersion:         getString(f.K8sVersion),
 	}, nil
 }