fix/appsre-11869: Bump golang pkg version to resolve CVE-2024-45337 #314

Closed
wants to merge 5 commits into from

Conversation

@RH-tj RH-tj commented Apr 28, 2025

context:
https://redhat-internal.slack.com/archives/CCRND57FW/p1745846542422719
https://nvd.nist.gov/vuln/detail/CVE-2024-45337
https://github.com/openshift/oauth-proxy/blob/master/go.mod#L19

testing/validation:

  • tried to follow build/test info in README but there are dead links there
  • successfully ran go test . on my local machine and got no errors:
02:14:27 tcarvalh@tcarvalh-thinkpadp1gen5 oauth-proxy ±|fix/APPSRE-11869|→ go test .
ok      github.com/openshift/oauth-proxy        0.334s

openshift-ci-robot commented Apr 28, 2025

@RH-tj: This pull request references appsre-11869 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Apr 28, 2025
@openshift-ci openshift-ci bot requested review from ibihim and liouk April 28, 2025 18:22
openshift-ci bot commented Apr 28, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: RH-tj
Once this PR has been reviewed and has the lgtm label, please assign ibihim for approval. For more information see the Code Review Process.

@openshift-ci openshift-ci bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Apr 28, 2025
openshift-ci bot commented Apr 28, 2025

Hi @RH-tj. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

RH-tj commented Apr 29, 2025

ran a proper local test with instructions from @ibihim:

12:18:05 tcarvalh@tcarvalh-thinkpadp1gen5 oauth-proxy ±|fix/APPSRE-11869|→ docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock -v $(pwd):/go/src/github.com/openshift/api --workdir=/go/src/github.com/openshift/api registry.ci.openshift.org/openshift/release:rhel-9-release-golang-1.23-openshift-4.19 make update
Unable to find image 'registry.ci.openshift.org/openshift/release:rhel-9-release-golang-1.23-openshift-4.19' locally
rhel-9-release-golang-1.23-openshift-4.19: Pulling from openshift/release
5e09f8650bc2: Pull complete 
a4ec02f5fa45: Pull complete 
083ba189da1d: Pull complete 
d0b8e51240c5: Pull complete 
Digest: sha256:7ec1310c7a0e71db5bc44abdd6618028f9b509e8cc340ace7ef5fdfbd3757b4d
Status: Downloaded newer image for registry.ci.openshift.org/openshift/release:rhel-9-release-golang-1.23-openshift-4.19
Running `gofmt -s -l -w` on 43 file(s).
01:48:31 tcarvalh@tcarvalh-thinkpadp1gen5 oauth-proxy ±|fix/APPSRE-11869|→ go test .
ok  	github.com/openshift/oauth-proxy	(cached)

RH-tj commented May 5, 2025

per instructions: https://redhat-internal.slack.com/archives/CB48XQ4KZ/p1746173791399829?thread_ts=1745867615.197179&cid=CB48XQ4KZ

10:11:39 tcarvalh@tcarvalh-thinkpadp1gen5 oauth-proxy ±|fix/APPSRE-11869|→ make update
Running `gofmt -s -l -w` on 43 file(s).
10:11:41 tcarvalh@tcarvalh-thinkpadp1gen5 oauth-proxy ±|fix/APPSRE-11869|→ go mod vendor
go: downloading github.com/openshift/client-go v0.0.0-20230503144108-75015d2347cb
go: downloading github.com/bitly/go-simplejson v0.5.1-0.20170206154632-da1a8928f709
go: downloading github.com/openshift/library-go v0.0.0-20230724150037-c515269de16e
go: downloading github.com/stretchr/testify v1.8.1
go: downloading golang.org/x/net v0.17.0
go: downloading k8s.io/apimachinery v0.27.4
go: downloading k8s.io/api v0.27.4
go: downloading k8s.io/apiserver v0.27.4
go: downloading github.com/openshift/api v0.0.0-20230613151523-ba04973d3ed1
go: downloading github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869
go: downloading k8s.io/client-go v0.27.4
go: downloading k8s.io/utils v0.0.0-20230406110748-d93618cff8a2
go: downloading github.com/google/uuid v1.3.0
go: downloading github.com/18F/hmacauth v0.0.0-20151013130326-9232a6386b73
go: downloading github.com/BurntSushi/toml v0.3.1
go: downloading github.com/fsnotify/fsnotify v1.6.0
go: downloading github.com/openshift/build-machinery-go v0.0.0-20220913142420-e25cf57ea46d
go: downloading github.com/mreiferson/go-options v1.0.0
go: downloading github.com/yhat/wsutil v0.0.0-20170731153501-1d66fa95c997
go: downloading github.com/kr/pretty v0.3.0
go: downloading github.com/gogo/protobuf v1.3.2
go: downloading github.com/google/gofuzz v1.2.0
go: downloading k8s.io/klog/v2 v2.90.1
go: downloading k8s.io/component-base v0.27.4
go: downloading k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f
go: downloading github.com/spf13/pflag v1.0.5
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.10.0
go: downloading go.opentelemetry.io/otel/sdk v1.10.0
go: downloading go.opentelemetry.io/otel v1.10.0
go: downloading golang.org/x/sys v0.13.0
go: downloading google.golang.org/grpc v1.51.0
go: downloading gopkg.in/natefinch/lumberjack.v2 v2.0.0
go: downloading github.com/imdario/mergo v0.3.7
go: downloading golang.org/x/term v0.13.0
go: downloading github.com/davecgh/go-spew v1.1.1
go: downloading github.com/pmezard/go-difflib v1.0.0
go: downloading gopkg.in/yaml.v3 v3.0.1
go: downloading sigs.k8s.io/structured-merge-diff/v4 v4.2.3
go: downloading gopkg.in/inf.v0 v0.9.1
go: downloading golang.org/x/sync v0.1.0
go: downloading golang.org/x/time v0.0.0-20220210224613-90d013bbcef8
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.10.0
go: downloading github.com/kr/text v0.2.0
go: downloading github.com/rogpeppe/go-internal v1.11.0
go: downloading sigs.k8s.io/yaml v1.3.0
go: downloading github.com/evanphx/json-patch v4.12.0+incompatible
go: downloading github.com/google/cel-go v0.12.6
go: downloading sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.2
go: downloading k8s.io/kms v0.27.4
go: downloading github.com/coreos/go-systemd/v22 v22.4.0
go: downloading github.com/emicklei/go-restful/v3 v3.9.0
go: downloading go.opentelemetry.io/otel/trace v1.10.0
go: downloading github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
go: downloading go.etcd.io/etcd/client/pkg/v3 v3.5.7
go: downloading go.etcd.io/etcd/client/v3 v3.5.7
go: downloading go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.35.0
go: downloading go.uber.org/zap v1.19.0
go: downloading github.com/google/go-cmp v0.5.9
go: downloading golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5
go: downloading github.com/golang/protobuf v1.5.3
go: downloading github.com/google/gnostic v0.5.7-v3refs
go: downloading github.com/go-logr/logr v1.2.3
go: downloading github.com/blang/semver/v4 v4.0.0
go: downloading github.com/prometheus/client_golang v1.14.0
go: downloading github.com/prometheus/client_model v0.3.0
go: downloading github.com/prometheus/procfs v0.8.0
go: downloading github.com/spf13/cobra v1.6.1
go: downloading go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.35.1
go: downloading golang.org/x/text v0.13.0
go: downloading sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd
go: downloading github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
go: downloading go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.10.0
go: downloading go.opentelemetry.io/proto/otlp v0.19.0
go: downloading google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21
go: downloading github.com/go-openapi/jsonreference v0.20.1
go: downloading github.com/go-openapi/swag v0.22.3
go: downloading google.golang.org/protobuf v1.33.0
go: downloading github.com/pkg/errors v0.9.1
go: downloading go.etcd.io/etcd/api/v3 v3.5.7
go: downloading github.com/NYTimes/gziphandler v1.1.1
go: downloading github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
go: downloading gopkg.in/yaml.v2 v2.4.0
go: downloading github.com/json-iterator/go v1.1.12
go: downloading github.com/stoewer/go-strcase v1.2.0
go: downloading github.com/felixge/httpsnoop v1.0.3
go: downloading go.opentelemetry.io/otel/metric v0.31.0
go: downloading github.com/prometheus/common v0.37.0
go: downloading github.com/beorn7/perks v1.0.1
go: downloading github.com/cespare/xxhash/v2 v2.1.2
go: downloading github.com/inconshreveable/mousetrap v1.0.1
go: downloading go.uber.org/atomic v1.7.0
go: downloading go.uber.org/multierr v1.6.0
go: downloading github.com/cenkalti/backoff/v4 v4.1.3
go: downloading github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a
go: downloading github.com/mitchellh/mapstructure v1.4.1
go: downloading github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0
go: downloading github.com/antlr/antlr4/runtime/Go/antlr v1.4.10
go: downloading github.com/mailru/easyjson v0.7.7
go: downloading github.com/go-openapi/jsonpointer v0.19.6
go: downloading github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
go: downloading github.com/modern-go/reflect2 v1.0.2
go: downloading github.com/go-logr/stdr v1.2.2
go: downloading google.golang.org/appengine v1.6.7
go: downloading github.com/coreos/go-semver v0.3.0
go: downloading github.com/matttproud/golang_protobuf_extensions v1.0.2
go: downloading github.com/josharian/intern v1.0.0
go: github.com/openshift/oauth-proxy imports
        golang.org/x/crypto/bcrypt: missing go.sum entry for module providing package golang.org/x/crypto/bcrypt (imported by github.com/openshift/oauth-proxy); to add:
        go get github.com/openshift/oauth-proxy
go: github.com/openshift/oauth-proxy/providers/openshift imports
        k8s.io/apiserver/pkg/server/options imports
        k8s.io/apiserver/pkg/server imports
        golang.org/x/crypto/cryptobyte: missing go.sum entry for module providing package golang.org/x/crypto/cryptobyte (imported by k8s.io/apiserver/pkg/server); to add:
        go get k8s.io/apiserver/pkg/[email protected]
go: github.com/openshift/oauth-proxy/providers/openshift imports
        k8s.io/apiserver/pkg/server/options imports
        k8s.io/apiserver/pkg/server/options/encryptionconfig imports
        k8s.io/apiserver/pkg/storage/value/encrypt/secretbox imports
        golang.org/x/crypto/nacl/secretbox: missing go.sum entry for module providing package golang.org/x/crypto/nacl/secretbox (imported by k8s.io/apiserver/pkg/storage/value/encrypt/secretbox); to add:
        go get k8s.io/apiserver/pkg/storage/value/encrypt/[email protected]
10:11:52 tcarvalh@tcarvalh-thinkpadp1gen5 oauth-proxy ±|fix/APPSRE-11869|→ go get github.com/openshift/oauth-proxy && go get k8s.io/apiserver/pkg/[email protected] && go get k8s.io/apiserver/pkg/storage/value/encrypt/[email protected]
go: downloading golang.org/x/crypto v0.37.0
go: downloading golang.org/x/net v0.21.0
go: downloading golang.org/x/sys v0.32.0
go: downloading golang.org/x/term v0.31.0
go: downloading golang.org/x/sync v0.13.0
go: downloading golang.org/x/text v0.24.0
go: upgraded go 1.20 => 1.23.0
go: added toolchain go1.23.8
go: upgraded golang.org/x/net v0.17.0 => v0.21.0
go: upgraded golang.org/x/sync v0.1.0 => v0.13.0
go: upgraded golang.org/x/sys v0.13.0 => v0.32.0
go: upgraded golang.org/x/term v0.13.0 => v0.31.0
go: upgraded golang.org/x/text v0.13.0 => v0.24.0
10:13:11 tcarvalh@tcarvalh-thinkpadp1gen5 oauth-proxy ±|fix/APPSRE-11869 ✗|→ go mod vendor
10:13:39 tcarvalh@tcarvalh-thinkpadp1gen5 oauth-proxy ±|fix/APPSRE-11869 ✗|→ git status

@@ -1,4 +1,4 @@
build_root_image:
name: release
namespace: openshift
tag: rhel-9-release-golang-1.21-openshift-4.16
tag: rhel-9-release-golang-1.23-openshift-4.19
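Review bot: the new tag: line appears to have been written without a trailing newline (the red ➖ no-newline marker ibihim points at in the comment below), which turns a one-line image bump into a diff that also touches end-of-file; end `tag: rhel-9-release-golang-1.23-openshift-4.19` with a newline before pushing so the hunk shows only the tag change. The jump from golang-1.21 to golang-1.23 is required rather than cosmetic: the go get run above rewrote go.mod to `go 1.23.0` with `toolchain go1.23.8` when it pulled golang.org/x/crypto v0.37.0, so the rhel-9-release-golang-1.21-openshift-4.16 build root could no longer compile the module. Check that any other place the builder image is pinned in the repo (Dockerfile build stages, Makefile variables) moves to the same tag, otherwise CI and the released image build with different Go versions.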
@ibihim ibihim May 6, 2025

EOL isn't set properly, indicated by the red (➖)

RH-tj (Author)

Not sure I understand, I changed the line as instructed, so it shows a line removed (red) and a line added (green).

ibihim commented May 6, 2025

You would need to adjust the commits:

  1. go.mod: bump crypto pkg version to resolve CVE-2024-45337
  2. drop the manual change to vendor
  3. .ci-operator.yml: update image
  4. make update
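The four steps above (bump go.mod, drop the hand-edited vendor change, update the CI image, run make update) and the `go mod vendor` failure in the May 5 comment ("missing go.sum entry for module providing package golang.org/x/crypto/bcrypt") both come down to keeping go.mod, go.sum and vendor/modules.txt in agreement after a dependency bump. The program below is an added example, not code from the oauth-proxy repository or from either commenter: it parses go.mod, go.sum and vendor/modules.txt text, checks that golang.org/x/crypto is pinned at or above v0.31.0 (the release the Go vulnerability database lists as fixing CVE-2024-45337), and reports which file is out of step. The sample file contents are constructed for the example: the "before" pin, the module lists and the go.sum hashes are invented; only v0.37.0, go 1.23.0 and toolchain go1.23.8 are taken from the go get output on this page.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// First golang.org/x/crypto release that fixes CVE-2024-45337 (Go vuln DB GO-2024-3321).
const cryptoMod, cryptoFixed = "golang.org/x/crypto", "v0.31.0"

// ModuleVersion returns the version the require directives of a go.mod text pin for mod
// (single-line or block form); replace/exclude directives and comments are ignored.
func ModuleVersion(goMod, mod string) (string, bool) {
	block := "" // directive block we are inside, e.g. "require"
	for _, line := range strings.Split(goMod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop "// indirect" and other comments
		f := strings.Fields(line)
		switch {
		case block == "" && len(f) == 2 && f[1] == "(": // "require (" opens a block
			block = f[0]
			continue
		case block != "" && len(f) == 1 && f[0] == ")":
			block = ""
			continue
		}
		directive, args := block, f // block form: "path version"
		if block == "" && len(f) >= 3 { // single-line form: "require path version"
			directive, args = f[0], f[1:]
		}
		if directive == "require" && len(args) >= 2 && args[0] == mod {
			return args[1], true
		}
	}
	return "", false
}

// VendoredVersion reads the "# module/path vX.Y.Z" module headers of vendor/modules.txt.
func VendoredVersion(modulesTxt, mod string) (string, bool) {
	for _, line := range strings.Split(modulesTxt, "\n") {
		if f := strings.Fields(line); len(f) >= 3 && f[0] == "#" && f[1] == mod {
			return f[2], true
		}
	}
	return "", false
}

// GoSumHasModule reports whether go.sum lists both hashes "go mod vendor" needs for
// mod@version: the module zip line and the "<version>/go.mod" line.
func GoSumHasModule(goSum, mod, version string) bool {
	return strings.Contains(goSum, mod+" "+version+" h1:") &&
		strings.Contains(goSum, mod+" "+version+"/go.mod h1:")
}

// semverLess reports whether a < b on the numeric MAJOR.MINOR.PATCH part; pre-release and
// pseudo-version suffixes (v0.0.0-20230503144108-...) are dropped, so those sort low.
func semverLess(a, b string) bool {
	num := func(v string) (out [3]int) {
		v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "-")
		v, _, _ = strings.Cut(v, "+")
		for i, p := range strings.SplitN(v, ".", 3) {
			out[i], _ = strconv.Atoi(p)
		}
		return out
	}
	pa, pb := num(a), num(b)
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// CheckCryptoFix fails if go.mod still pins a version affected by CVE-2024-45337, or if
// go.sum or vendor/modules.txt is out of step with go.mod (the two failures seen in this PR).
func CheckCryptoFix(goMod, goSum, modulesTxt string) error {
	want, ok := ModuleVersion(goMod, cryptoMod)
	if !ok || semverLess(want, cryptoFixed) {
		return fmt.Errorf("go.mod does not pin %s at or above %s (found %q): still affected by CVE-2024-45337", cryptoMod, cryptoFixed, want)
	}
	if !GoSumHasModule(goSum, cryptoMod, want) {
		return fmt.Errorf("go.sum lacks entries for %s %s: run go mod tidy", cryptoMod, want)
	}
	if got, ok := VendoredVersion(modulesTxt, cryptoMod); !ok || got != want {
		return fmt.Errorf("vendor/modules.txt has %s %q but go.mod wants %s: run go mod vendor", cryptoMod, got, want)
	}
	return nil
}

// Constructed samples, not the real oauth-proxy files: the "before" pin, module lists and
// go.sum hashes are invented; only v0.37.0, go 1.23.0 and go1.23.8 come from the PR's go get output.
const (
	goModBefore = "module github.com/openshift/oauth-proxy\n\ngo 1.20\n\nrequire (\n\tgolang.org/x/crypto v0.17.0\n\tgolang.org/x/net v0.17.0 // indirect\n)\n"
	goModAfter  = "module github.com/openshift/oauth-proxy\n\ngo 1.23.0\n\ntoolchain go1.23.8\n\nrequire (\n\tgolang.org/x/crypto v0.37.0\n\tgolang.org/x/net v0.21.0 // indirect\n)\n"
	goSumAfter  = "golang.org/x/crypto v0.37.0 h1:placeholder=\ngolang.org/x/crypto v0.37.0/go.mod h1:placeholder=\n"
	vendorAfter = "# golang.org/x/crypto v0.37.0\n## explicit; go 1.23.0\ngolang.org/x/crypto/bcrypt\n"
)

func main() {
	fmt.Println("before:", CheckCryptoFix(goModBefore, goSumAfter, vendorAfter))
	fmt.Println("after: ", CheckCryptoFix(goModAfter, goSumAfter, vendorAfter))
}
```

Against a real checkout, feed the three files through os.ReadFile; the go-native equivalents in CI are `go mod verify` plus `git diff --exit-code go.mod go.sum vendor` after `go mod vendor`, and `govulncheck ./...` to confirm that GO-2024-3321 no longer matches the module graph.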

ibihim commented May 6, 2025

/ok-to-test

@openshift-ci openshift-ci bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 6, 2025
RH-tj commented May 6, 2025

You would need to adjust the commits:

  1. go.mod: bump crypto pkg version to resolve CVE-2024-45337
  2. drop the manual change to vendor
  3. .ci-operator.yml: update image
  4. make update

Regarding #2 "drop the manual change to vendor" do you mean revert the changes I made to vendor/modules.txt or drop (aka remove/delete) the entire file?

RH-tj commented May 7, 2025

/retest

RH-tj commented May 8, 2025

/retest

openshift-ci bot commented May 8, 2025

@RH-tj: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/images 0e47341 link true /test images
ci/prow/e2e-component 0e47341 link true /test e2e-component
ci/prow/okd-scos-e2e-aws-ovn 0e47341 link false /test okd-scos-e2e-aws-ovn
ci/prow/e2e-aws 0e47341 link true /test e2e-aws


RH-tj commented Jun 4, 2025

@ibihim Can we work together on moving this forward? At your convenience of course

ibihim commented Jul 3, 2025

/close

fixed with #324

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 3, 2025
@openshift-merge-robot

PR needs rebase.

openshift-ci bot commented Jul 3, 2025

@ibihim: Closed this PR.

@openshift-ci openshift-ci bot closed this Jul 3, 2025
Labels
jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. ok-to-test Indicates a non-member PR verified by an org member that is safe to test.
4 participants