contrib/*: update dependencies to avoid vulnerabilities

[jefflinse]

Our organization's code scanning has revealed a handful of High and Medium level code vulnerabilities in Go package dependencies for dd-trace-go. These should be easily resolvable by upgrading to newer versions of the respective packages.

Version of dd-trace-go

v1.52.0

Describe what happened:

Vulnerabilities:

• github.com/emicklei/go-restful: Authorization Bypass Through User-Controlled Key
  • Current Version: v2.16.0+incompatible
  • Fixed In Version: v3.8.0
• github.com/emicklei/go-restful: Authorization Bypass
  • Current Version: v2.16.0+incompatible
  • Fixed In Version: v3.8.0
• github.com/mattn/go-sqlite3: Denial of Service (DoS)
  • Current Version: v1.14.14
  • Fixed In Version: v1.14.15
• github.com/gofiber/fiber Origin Validation Error
  • Current Version: v2.24.0
  • Fixed In Version: v2.43.0

Additional environment details (Version of Go, Operating System, etc.):

go 1.20.6

[mudideng]

We're using dd-trace-go version v1.53.0 in our org and also have the following critical vulnerabilities:

• CVE-2020-16251 github.com/hashicorp/vault/api
• CVE-2022-40083 github.com/labstack/echo
• CVE-2022-1996 github.com/emicklei/go-restful
• CVE-2020-10661 github.com/hashicorp/vault/api

Golang version 1.20.

[knusbaum]

👋 Hello and thanks for the report.

Please see our Security Policy for info on how we handle vulnerabilities in dependencies.

Currently there are no reported vulnerabilities for our module run with go1.19.12, go1.20.7 or go1.21.0.
If you think there is a false negative, please report the specific vulnerability in our source.

I will also note that you can update these dependencies to more recent versions in your project using go get -u [module] which should satisfy your dependency scanners.