fix: CVE-2023-7104(github.com/mattn/go-sqlite3)

[AjayJagan]

This PR is intended to fix CVE-2023-7104.

Description

It fixes the following CVE

• https://app.snyk.io/org/red-hat-openshift-data-science-rhods/project/570fd96f-09ad-488b-bb37-f822c34c973f#issue-SNYK-GOLANG-GITHUBCOMMATTNGOSQLITE3-6139875

How Has This Been Tested?

Tried to run the operator and everything works well.

Merge criteria:

• The commits are squashed in a cohesive manner and have meaningful messages.
• Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
• The developer has manually tested the changes and verified that the changes work

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[AjayJagan]

after looking at the libraries to update, it seems that this: github.com/operator-framework/operator-lifecycle-manager@v0.26.0(This is the latest version)
is one of the libraries which uses the above versions which has the cves.
So this pr is kind of a temporary fix.
Either we can use this or we can wait until they update their library.
let me know what you think @zdtsw @VaishnaviHire :)

[VaishnaviHire]

Updating to github.com/operator-framework/operator-lifecycle-manager@v0.26.0 introduces other critical issues in synk

[VaishnaviHire]

Need to run go mod tidy to update go.sum

[AjayJagan]

I have run the go mod tidy but the issue is that library is not present in our go.sum. Instead it is being used by one of the libraries we use and that is the reason why we see this 😅 .

[AjayJagan]

since it is a dependency of another library, I guess we cannot do much unless they update it. So I though we can temporarily fix it using the replace 😅 . But if this is not the right way to do so, we should ignore the cve until there is an update from the other library's side. Please let me know what you think

[VaishnaviHire]

Yes I agree, but we still would have some updates in go.sum..right? Given we are introducing additional packages

[AjayJagan]

I tried to a go mod tidy, and there is no update to go.sum. I have no idea why 😅

[zdtsw]

hum, when i used your go.mod from this PR , i have a lot cleaned up in go.sum

[AjayJagan]

🤔

[AjayJagan]

I tried again :( no updates for me. Am I missing something while doing go mod tidy

[VaishnaviHire]

@AjayJagan You can try cleaning up the cache once

 go ​clean -modcache

[AjayJagan]

done, still the same go.sum file 😅

[AjayJagan]

Updating to github.com/operator-framework/operator-lifecycle-manager@v0.26.0 introduces other critical issues in synk

@VaishnaviHire but we are already on v0.26.0 right? In the incubation branch itself?

[AjayJagan]

/retest-required

[AjayJagan]

/retest

[zdtsw]

/test opendatahub-operator-e2e

[AjayJagan]

looks like e2e fails, I will take a look

[zdtsw]

/retest

[AjayJagan]

@VaishnaviHire , I have used replaces on the grpc library. But looks like even after updating, it does not fix the sqllite version. So I updated grpc+sqllite libraries. I tested the operator manually and also ran e2e tests. Everything seems to work well. Please let me know if this is okay :)

[VaishnaviHire]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: VaishnaviHire

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [VaishnaviHire]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

New changes are detected. LGTM label has been removed.