
Handle CVE-2022-27191 #725

Merged
merged 1 commit into from
Apr 22, 2022

Conversation

smuda
Contributor

@smuda smuda commented Apr 21, 2022

Description

Running trivy reveals CVE-2022-27191 in golang.org/x/crypto

LIBRARY VULNERABILITY ID SEVERITY INSTALLED VERSION FIXED VERSION TITLE
golang.org/x/crypto CVE-2022-27191 HIGH v0.0.0-20201002170205-7f63de1d35b0 0.0.0-20220315160706-3147a52a75dd golang: crash in a golang.org/x/crypto/ssh server -->avd.aquasec.com/nvd/cve-2022-27191

That indirect dependency is coming from a number of dependencies:

% go mod graph | grep v0.0.0-20201002170205-7f63de1d35b0
k8s.io/client-go@v0.20.2 golang.org/x/crypto@v0.0.0-20201002170205-7f63de1d35b0
github.com/Azure/go-autorest/autorest/adal@v0.9.5 golang.org/x/crypto@v0.0.0-20201002170205-7f63de1d35b0
golang.org/x/crypto@v0.0.0-20201002170205-7f63de1d35b0 golang.org/x/net@v0.0.0-20190404232315-eb5bcb51f2a3
golang.org/x/crypto@v0.0.0-20201002170205-7f63de1d35b0 golang.org/x/sys@v0.0.0-20190412213103-97732733099d
k8s.io/client-go@v0.20.1 golang.org/x/crypto@v0.0.0-20201002170205-7f63de1d35b0
k8s.io/apiserver@v0.20.1 golang.org/x/crypto@v0.0.0-20201002170205-7f63de1d35b0

If we don't want to update all dependencies, a simple replace directive will handle the CVE.

Relevant issues/tickets

The issue was detected in PR #724

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

  • This change requires a documentation update
  • I have added tests that prove my fix is effective or that my feature works
  • I have added a test case that will be used to verify my changes
  • Verified independently on a cluster by reviewer

Verification steps

$ docker build --no-cache -t grafana-operator:cve .
$ trivy image --vuln-type os,library --severity CRITICAL,HIGH --no-progress grafana-operator:cve
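As an added example (not code from this PR or from grafana-operator), a small Go program that parses the `go mod graph` output quoted above, lists which modules pull in the vulnerable golang.org/x/crypto pseudo-version, and renders the go.mod replace directive the description refers to. The graph lines are the ones from the description, embedded as a constant; the fixed version is the one trivy reported, with the `v` prefix go.mod requires.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample: the `go mod graph | grep ...` lines from the PR description.
const sampleGraph = `k8s.io/client-go@v0.20.2 golang.org/x/crypto@v0.0.0-20201002170205-7f63de1d35b0
github.com/Azure/go-autorest/autorest/adal@v0.9.5 golang.org/x/crypto@v0.0.0-20201002170205-7f63de1d35b0
golang.org/x/crypto@v0.0.0-20201002170205-7f63de1d35b0 golang.org/x/net@v0.0.0-20190404232315-eb5bcb51f2a3
golang.org/x/crypto@v0.0.0-20201002170205-7f63de1d35b0 golang.org/x/sys@v0.0.0-20190412213103-97732733099d
k8s.io/client-go@v0.20.1 golang.org/x/crypto@v0.0.0-20201002170205-7f63de1d35b0
k8s.io/apiserver@v0.20.1 golang.org/x/crypto@v0.0.0-20201002170205-7f63de1d35b0`

// Requirers returns the sorted, de-duplicated set of "module@version" entries
// that require modulePath at exactly the given version. Each `go mod graph`
// line is "requirer required"; lines where the module appears on the left
// (its own dependencies) are ignored.
func Requirers(graph, modulePath, version string) []string {
	want := modulePath + "@" + version
	seen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(graph))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 2 && fields[1] == want {
			seen[fields[0]] = true
		}
	}
	out := make([]string, 0, len(seen))
	for k := range seen {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// ReplaceDirective renders the go.mod line that pins modulePath to
// fixedVersion for every requirer, without bumping the requirers themselves.
func ReplaceDirective(modulePath, fixedVersion string) string {
	return fmt.Sprintf("replace %s => %s %s", modulePath, modulePath, fixedVersion)
}

func main() {
	const mod, bad, fixed = "golang.org/x/crypto", "v0.0.0-20201002170205-7f63de1d35b0", "v0.0.0-20220315160706-3147a52a75dd"
	for _, r := range Requirers(sampleGraph, mod, bad) {
		fmt.Println("pulls in vulnerable version:", r)
	}
	fmt.Println(ReplaceDirective(mod, fixed)) // add this line to go.mod, then run `go mod tidy`
}
```

After adding the directive and running `go mod tidy`, rebuild the image and re-run the trivy command from the verification steps to confirm the finding is gone.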

@NissesSenap
Collaborator

Thanks a lot for this, I saw the error yesterday but I didn't have time to actually think about what the problem was.

@smuda I was going to rebase your branch but I don't think you have given maintainers the right to update your branches, so you have to do it yourself.
Ping me when it's done and I will merge the PR.

@smuda
Contributor Author

smuda commented Apr 22, 2022

@NissesSenap Rebased and tests pass.

And I'll look into giving maintainers rights, I didn't know I could/should do something like that... :-)

@NissesSenap NissesSenap merged commit e02ef8c into grafana:master Apr 22, 2022
@smuda smuda deleted the bugfix/CVE-2022-27191 branch April 22, 2022 06:38
@NissesSenap
Collaborator

@smuda if I remember correctly it's when you create the PR. You will get a question asking if you want to allow maintainers to update things. We will then be able to jump in and update the branch of the fork to help with things like this.

@NissesSenap
Collaborator

@smuda I looked at your PR again: it seems you have forked the repo under another organization. And I guess from a security point of view GitHub doesn't allow maintainers to update another organization's branches. But if you ran the fork from your user and not the organization's, then it would be possible.

It's not a big issue from our side, but good for you to know, especially since we enforce the latest commit to be in the PR, so from time to time you might have to go in and update your PRs.
