
fix/appsre-11869: Bump golang pkg version to resolve CVE-2024-45337 #314


Open. Wants to merge 5 commits into base: master.

Conversation

@RH-tj RH-tj commented Apr 28, 2025

context:
https://redhat-internal.slack.com/archives/CCRND57FW/p1745846542422719
https://nvd.nist.gov/vuln/detail/CVE-2024-45337
https://github.com/openshift/oauth-proxy/blob/master/go.mod#L19

testing/validation:

  • tried to follow build/test info in README but there are dead links there
  • successfully ran go test . on my local machine and got no errors:
02:14:27 tcarvalh@tcarvalh-thinkpadp1gen5 oauth-proxy ±|fix/APPSRE-11869|→ go test .
ok      github.com/openshift/oauth-proxy        0.334s

openshift-ci-robot commented Apr 28, 2025

@RH-tj: This pull request references appsre-11869 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Apr 28, 2025
@openshift-ci openshift-ci bot requested review from ibihim and liouk April 28, 2025 18:22
openshift-ci bot commented Apr 28, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: RH-tj
Once this PR has been reviewed and has the lgtm label, please assign ibihim for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Apr 28, 2025
openshift-ci bot commented Apr 28, 2025

Hi @RH-tj. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

RH-tj commented Apr 29, 2025

ran a proper local test with instructions from @ibihim:

12:18:05 tcarvalh@tcarvalh-thinkpadp1gen5 oauth-proxy ±|fix/APPSRE-11869|→ docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock -v $(pwd):/go/src/github.com/openshift/api --workdir=/go/src/github.com/openshift/api registry.ci.openshift.org/openshift/release:rhel-9-release-golang-1.23-openshift-4.19 make update
Unable to find image 'registry.ci.openshift.org/openshift/release:rhel-9-release-golang-1.23-openshift-4.19' locally
rhel-9-release-golang-1.23-openshift-4.19: Pulling from openshift/release
5e09f8650bc2: Pull complete 
a4ec02f5fa45: Pull complete 
083ba189da1d: Pull complete 
d0b8e51240c5: Pull complete 
Digest: sha256:7ec1310c7a0e71db5bc44abdd6618028f9b509e8cc340ace7ef5fdfbd3757b4d
Status: Downloaded newer image for registry.ci.openshift.org/openshift/release:rhel-9-release-golang-1.23-openshift-4.19
Running `gofmt -s -l -w` on 43 file(s).
01:48:31 tcarvalh@tcarvalh-thinkpadp1gen5 oauth-proxy ±|fix/APPSRE-11869|→ go test .
ok  	github.com/openshift/oauth-proxy	(cached)

RH-tj commented May 5, 2025

per instructions: https://redhat-internal.slack.com/archives/CB48XQ4KZ/p1746173791399829?thread_ts=1745867615.197179&cid=CB48XQ4KZ

10:11:39 tcarvalh@tcarvalh-thinkpadp1gen5 oauth-proxy ±|fix/APPSRE-11869|→ make update
Running `gofmt -s -l -w` on 43 file(s).
10:11:41 tcarvalh@tcarvalh-thinkpadp1gen5 oauth-proxy ±|fix/APPSRE-11869|→ go mod vendor
go: downloading github.com/openshift/client-go v0.0.0-20230503144108-75015d2347cb
go: downloading github.com/bitly/go-simplejson v0.5.1-0.20170206154632-da1a8928f709
go: downloading github.com/openshift/library-go v0.0.0-20230724150037-c515269de16e
go: downloading github.com/stretchr/testify v1.8.1
go: downloading golang.org/x/net v0.17.0
go: downloading k8s.io/apimachinery v0.27.4
go: downloading k8s.io/api v0.27.4
go: downloading k8s.io/apiserver v0.27.4
go: downloading github.com/openshift/api v0.0.0-20230613151523-ba04973d3ed1
go: downloading github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869
go: downloading k8s.io/client-go v0.27.4
go: downloading k8s.io/utils v0.0.0-20230406110748-d93618cff8a2
go: downloading github.com/google/uuid v1.3.0
go: downloading github.com/18F/hmacauth v0.0.0-20151013130326-9232a6386b73
go: downloading github.com/BurntSushi/toml v0.3.1
go: downloading github.com/fsnotify/fsnotify v1.6.0
go: downloading github.com/openshift/build-machinery-go v0.0.0-20220913142420-e25cf57ea46d
go: downloading github.com/mreiferson/go-options v1.0.0
go: downloading github.com/yhat/wsutil v0.0.0-20170731153501-1d66fa95c997
go: downloading github.com/kr/pretty v0.3.0
go: downloading github.com/gogo/protobuf v1.3.2
go: downloading github.com/google/gofuzz v1.2.0
go: downloading k8s.io/klog/v2 v2.90.1
go: downloading k8s.io/component-base v0.27.4
go: downloading k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f
go: downloading github.com/spf13/pflag v1.0.5
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.10.0
go: downloading go.opentelemetry.io/otel/sdk v1.10.0
go: downloading go.opentelemetry.io/otel v1.10.0
go: downloading golang.org/x/sys v0.13.0
go: downloading google.golang.org/grpc v1.51.0
go: downloading gopkg.in/natefinch/lumberjack.v2 v2.0.0
go: downloading github.com/imdario/mergo v0.3.7
go: downloading golang.org/x/term v0.13.0
go: downloading github.com/davecgh/go-spew v1.1.1
go: downloading github.com/pmezard/go-difflib v1.0.0
go: downloading gopkg.in/yaml.v3 v3.0.1
go: downloading sigs.k8s.io/structured-merge-diff/v4 v4.2.3
go: downloading gopkg.in/inf.v0 v0.9.1
go: downloading golang.org/x/sync v0.1.0
go: downloading golang.org/x/time v0.0.0-20220210224613-90d013bbcef8
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.10.0
go: downloading github.com/kr/text v0.2.0
go: downloading github.com/rogpeppe/go-internal v1.11.0
go: downloading sigs.k8s.io/yaml v1.3.0
go: downloading github.com/evanphx/json-patch v4.12.0+incompatible
go: downloading github.com/google/cel-go v0.12.6
go: downloading sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.2
go: downloading k8s.io/kms v0.27.4
go: downloading github.com/coreos/go-systemd/v22 v22.4.0
go: downloading github.com/emicklei/go-restful/v3 v3.9.0
go: downloading go.opentelemetry.io/otel/trace v1.10.0
go: downloading github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
go: downloading go.etcd.io/etcd/client/pkg/v3 v3.5.7
go: downloading go.etcd.io/etcd/client/v3 v3.5.7
go: downloading go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.35.0
go: downloading go.uber.org/zap v1.19.0
go: downloading github.com/google/go-cmp v0.5.9
go: downloading golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5
go: downloading github.com/golang/protobuf v1.5.3
go: downloading github.com/google/gnostic v0.5.7-v3refs
go: downloading github.com/go-logr/logr v1.2.3
go: downloading github.com/blang/semver/v4 v4.0.0
go: downloading github.com/prometheus/client_golang v1.14.0
go: downloading github.com/prometheus/client_model v0.3.0
go: downloading github.com/prometheus/procfs v0.8.0
go: downloading github.com/spf13/cobra v1.6.1
go: downloading go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.35.1
go: downloading golang.org/x/text v0.13.0
go: downloading sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd
go: downloading github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
go: downloading go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.10.0
go: downloading go.opentelemetry.io/proto/otlp v0.19.0
go: downloading google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21
go: downloading github.com/go-openapi/jsonreference v0.20.1
go: downloading github.com/go-openapi/swag v0.22.3
go: downloading google.golang.org/protobuf v1.33.0
go: downloading github.com/pkg/errors v0.9.1
go: downloading go.etcd.io/etcd/api/v3 v3.5.7
go: downloading github.com/NYTimes/gziphandler v1.1.1
go: downloading github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
go: downloading gopkg.in/yaml.v2 v2.4.0
go: downloading github.com/json-iterator/go v1.1.12
go: downloading github.com/stoewer/go-strcase v1.2.0
go: downloading github.com/felixge/httpsnoop v1.0.3
go: downloading go.opentelemetry.io/otel/metric v0.31.0
go: downloading github.com/prometheus/common v0.37.0
go: downloading github.com/beorn7/perks v1.0.1
go: downloading github.com/cespare/xxhash/v2 v2.1.2
go: downloading github.com/inconshreveable/mousetrap v1.0.1
go: downloading go.uber.org/atomic v1.7.0
go: downloading go.uber.org/multierr v1.6.0
go: downloading github.com/cenkalti/backoff/v4 v4.1.3
go: downloading github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a
go: downloading github.com/mitchellh/mapstructure v1.4.1
go: downloading github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0
go: downloading github.com/antlr/antlr4/runtime/Go/antlr v1.4.10
go: downloading github.com/mailru/easyjson v0.7.7
go: downloading github.com/go-openapi/jsonpointer v0.19.6
go: downloading github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
go: downloading github.com/modern-go/reflect2 v1.0.2
go: downloading github.com/go-logr/stdr v1.2.2
go: downloading google.golang.org/appengine v1.6.7
go: downloading github.com/coreos/go-semver v0.3.0
go: downloading github.com/matttproud/golang_protobuf_extensions v1.0.2
go: downloading github.com/josharian/intern v1.0.0
go: github.com/openshift/oauth-proxy imports
        golang.org/x/crypto/bcrypt: missing go.sum entry for module providing package golang.org/x/crypto/bcrypt (imported by github.com/openshift/oauth-proxy); to add:
        go get github.com/openshift/oauth-proxy
go: github.com/openshift/oauth-proxy/providers/openshift imports
        k8s.io/apiserver/pkg/server/options imports
        k8s.io/apiserver/pkg/server imports
        golang.org/x/crypto/cryptobyte: missing go.sum entry for module providing package golang.org/x/crypto/cryptobyte (imported by k8s.io/apiserver/pkg/server); to add:
        go get k8s.io/apiserver/pkg/[email protected]
go: github.com/openshift/oauth-proxy/providers/openshift imports
        k8s.io/apiserver/pkg/server/options imports
        k8s.io/apiserver/pkg/server/options/encryptionconfig imports
        k8s.io/apiserver/pkg/storage/value/encrypt/secretbox imports
        golang.org/x/crypto/nacl/secretbox: missing go.sum entry for module providing package golang.org/x/crypto/nacl/secretbox (imported by k8s.io/apiserver/pkg/storage/value/encrypt/secretbox); to add:
        go get k8s.io/apiserver/pkg/storage/value/encrypt/[email protected]
10:11:52 tcarvalh@tcarvalh-thinkpadp1gen5 oauth-proxy ±|fix/APPSRE-11869|→ go get github.com/openshift/oauth-proxy && go get k8s.io/apiserver/pkg/[email protected] && go get k8s.io/apiserver/pkg/storage/value/encrypt/[email protected]
go: downloading golang.org/x/crypto v0.37.0
go: downloading golang.org/x/net v0.21.0
go: downloading golang.org/x/sys v0.32.0
go: downloading golang.org/x/term v0.31.0
go: downloading golang.org/x/sync v0.13.0
go: downloading golang.org/x/text v0.24.0
go: upgraded go 1.20 => 1.23.0
go: added toolchain go1.23.8
go: upgraded golang.org/x/net v0.17.0 => v0.21.0
go: upgraded golang.org/x/sync v0.1.0 => v0.13.0
go: upgraded golang.org/x/sys v0.13.0 => v0.32.0
go: upgraded golang.org/x/term v0.13.0 => v0.31.0
go: upgraded golang.org/x/text v0.13.0 => v0.24.0
10:13:11 tcarvalh@tcarvalh-thinkpadp1gen5 oauth-proxy ±|fix/APPSRE-11869 ✗|→ go mod vendor
10:13:39 tcarvalh@tcarvalh-thinkpadp1gen5 oauth-proxy ±|fix/APPSRE-11869 ✗|→ git status

@@ -1,4 +1,4 @@
build_root_image:
name: release
namespace: openshift
tag: rhel-9-release-golang-1.21-openshift-4.16
tag: rhel-9-release-golang-1.23-openshift-4.19
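Review bot: the new build-root tag `rhel-9-release-golang-1.23-openshift-4.19` has to stay in step with the `go` directive in go.mod, which the `go get` run logged earlier in this thread raised from 1.20 to 1.23.0 (`go: upgraded go 1.20 => 1.23.0`, `go: added toolchain go1.23.8`); if one moves without the other, CI compiles with a different Go than the module declares. The replaced `tag:` line is the last line of the file, so make sure it ends with a newline: the review comment below reports the end-of-line marker as not set.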
@ibihim ibihim May 6, 2025

EOL isn't set properly, indicated by the red (➖)

RH-tj (Author)

Not sure I understand, I changed the line as instructed, so it shows a line removed (red) and a line added (green).

ibihim commented May 6, 2025

You would need to adjust the commits:

  1. go.mod: bump crypto pkg version to resolve CVE-2024-45337
  2. drop the manual change to vendor
  3. .ci-operator.yml: update image
  4. make update
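
A worked check for the sequence above (bump the module version in go.mod, then regenerate vendor/ with `go mod vendor` instead of editing it by hand) and for the `go mod vendor` failure logged earlier in the thread. This is an added example, not code from the PR or from the oauth-proxy project: it reads a module's version from go.mod and from vendor/modules.txt, flags a disagreement between the two (the state Go reports as inconsistent vendoring when vendor/modules.txt is hand-edited rather than regenerated), and checks that the version meets a minimum. The fixture files are constructed, the function names are mine, and the minimum v0.31.0 for golang.org/x/crypto is the upstream fix version for CVE-2024-45337, which this page does not state.

```shell
#!/bin/sh
# Added example (not the project's code): verify that go.mod and
# vendor/modules.txt agree on a module's version, and that the version
# is at or above a minimum fixed version.

# Print the version go.mod ($1) requires for module $2; empty if absent.
# Handles both single-line "require mod vX" and "require ( ... )" blocks.
gomod_version() {
  awk -v mod="$2" '
    $1 == "require" && $2 == mod { print $3; exit }
    inblock && $1 == mod        { print $2; exit }
    $1 == "require" && $2 == "(" { inblock = 1 }
    $1 == ")"                   { inblock = 0 }
  ' "$1"
}

# Print the version vendor/modules.txt ($1) records for module $2.
# Module lines look like "# golang.org/x/crypto v0.37.0".
vendor_version() {
  awk -v mod="$2" '$1 == "#" && $2 == mod { print $3; exit }' "$1"
}

# Return 0 when version $1 is at least $2 (leading "v" stripped, sort -V order).
version_at_least() {
  have="${1#v}"; want="${2#v}"
  lowest=$(printf '%s\n%s\n' "$have" "$want" | sort -V | head -n1)
  [ "$lowest" = "$want" ]
}

# check_module GO_MOD MODULES_TXT MODULE MIN_VERSION
# Exit status: 0 consistent and fixed, 1 go.mod/vendor mismatch, 2 below minimum.
check_module() {
  gm=$(gomod_version "$1" "$3")
  vm=$(vendor_version "$2" "$3")
  if [ -z "$gm" ] || [ "$gm" != "$vm" ]; then
    echo "MISMATCH $3: go.mod=$gm vendor/modules.txt=$vm (run 'go mod vendor')" >&2
    return 1
  fi
  if ! version_at_least "$gm" "$4"; then
    echo "BELOW MINIMUM $3: $gm < $4" >&2
    return 2
  fi
  echo "OK $3 $gm"
}

# Constructed fixture (not the project's real files): go.mod was bumped to
# x/crypto v0.37.0, but vendor/modules.txt still carries a stale, made-up v0.17.0.
make_fixtures() {
  dir=$(mktemp -d)
  cat > "$dir/go.mod" <<'EOF'
module github.com/openshift/oauth-proxy

go 1.23.0

require (
    golang.org/x/crypto v0.37.0
    golang.org/x/net v0.21.0
)
EOF
  mkdir -p "$dir/vendor"
  cat > "$dir/vendor/modules.txt" <<'EOF'
# golang.org/x/crypto v0.17.0
## explicit; go 1.20
golang.org/x/crypto/bcrypt
# golang.org/x/net v0.21.0
## explicit; go 1.18
golang.org/x/net/http2
EOF
  echo "$dir"
}

# Stand-alone demo: the stale vendor entry is reported, the consistent one passes.
demo() {
  dir=$(make_fixtures)
  rc=0; check_module "$dir/go.mod" "$dir/vendor/modules.txt" golang.org/x/crypto v0.31.0 || rc=$?
  echo "golang.org/x/crypto -> exit $rc"
  rc=0; check_module "$dir/go.mod" "$dir/vendor/modules.txt" golang.org/x/net v0.21.0 || rc=$?
  echo "golang.org/x/net -> exit $rc"
  rm -rf "$dir"
}
demo
```

Against a real checkout the call is `check_module go.mod vendor/modules.txt golang.org/x/crypto v0.31.0`; a mismatch is the signal that vendor/ was edited by hand and `go mod vendor` has to be re-run after the go.mod change. `go mod verify` and `govulncheck ./...` stay the authoritative checks; this script only makes the go.mod/vendor agreement visible in review.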

ibihim commented May 6, 2025

/ok-to-test

@openshift-ci openshift-ci bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 6, 2025
RH-tj commented May 6, 2025

You would need to adjust the commits:

  1. go.mod: bump crypto pkg version to resolve CVE-2024-45337
  2. drop the manual change to vendor
  3. .ci-operator.yml: update image
  4. make update

Regarding #2 "drop the manual change to vendor" do you mean revert the changes I made to vendor/modules.txt or drop (aka remove/delete) the entire file?

RH-tj commented May 7, 2025

/retest

RH-tj commented May 8, 2025

/retest

openshift-ci bot commented May 8, 2025

@RH-tj: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/images 0e47341 link true /test images
ci/prow/e2e-component 0e47341 link true /test e2e-component
ci/prow/okd-scos-e2e-aws-ovn 0e47341 link false /test okd-scos-e2e-aws-ovn
ci/prow/e2e-aws 0e47341 link true /test e2e-aws

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Labels
jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. ok-to-test Indicates a non-member PR verified by an org member that is safe to test.