Deleting a VulnerabilityReport in a cluster causes a wrong CRD to be send via the webhook (with verb delete)

[jamand]

What steps did you take and what happened:

I am observing the same issue as described in #2110, that is when using the Trivy webhook and operator.webhookSendDeletedReports set to true, I get a wrong (arbitrary CRD) sent as OperatorObject. Like in the other issue, the CRD that is sent is intact (and not changed in the time frame between deletion of the report I want to delete and the time the wrong CRD is sent via the Webhook).

1. I am running a local k3d cluster.
2. I installed the trivy-operator via Helm, I also installed trivy-server in a standalone installation (in the same cluster.
3. I added my own Go microservice to the cluster which exposes a POST webhook accessible by the Trivy Operator.
4. I delete an existing report from the cluster: e.g.
   kubectl delete vulnerabilityreports.aquasecurity.github.io statefulset-mysql-mysql
5. I check the logs of my webhook and see a delete call for another resource:
   msg="processing VulnerabilityReport" name=replicaset-defectdojo-django-859668bf47-uwsgi verb=delete
   The (wrongly sent) VulnerabilityReport resource replicaset-defectdojo-django-859668bf47-uwsgi still exists. After some time the VulnerabilityReport I deleted is recreated and sent to the webhook with the update verb.

What did you expect to happen:

I expect to get the CRD of the deleted report.

Environment:

• Trivy-Operator version (use trivy-operator version): 0.25.0 (with AppVersion 0.23.0)
• Kubernetes version (use kubectl version): v1.30.4+k3s1 (k3d) (with Client v1.31.0)
• OS (macOS 10.15, Windows 10, Ubuntu 19.10 etc): Mac Sonoma 14.7.1