
Update Go to 1.16 (from official repository), Update Go modules, Update mongo-db-tools #47

Merged
merged 4 commits into from Apr 16, 2021

Conversation

@padyx padyx commented Apr 14, 2021

The intention of this MR is to update the image to use newer dependencies to resolve several vulnerabilities in the components contained therein.

  • Change the Build of the backman binary to get the Go installation from the official Go Project repositories (1.16.3) instead from the Ubuntu 20.04 package manager (which currently provides only 1.13.8).
  • Update all Go packages and remove the vendor directory.
    • This resolves several vulnerabilities for the backman binary caused by old packages -- even though it won't resolve it for the whole image.
    • Please check the latter carefully, I tried it, and tests still worked - but I have no clue if there is any side effect of it which I didn't think about.
  • Update mongodb tools to the newest patch version
    • Sadly, this doesn't resolve vulnerabilities, since apparently the tools aren't updated to the newest Go mongoDB driver (1.4.3), but are still at a vulnerable 1.4.2.

This MR would update several things at once; I'm open to discussion here to split or squash this, if desired.

@padyx padyx marked this pull request as ready for review April 14, 2021 10:58
@JamesClonk
Member

@padyx Could you please undo the vendor directory deletion? I have it committed for 100% offline reproducible builds in all my projects. (Storing text files in git is cheap, getting stuck because dependencies changed/disappeared/are offline is not)
From a preliminary look the rest should be fine, I'll have a closer look over the weekend. 👍️

I don't quite understand the vulnerability report on the Go MongoDB drivers, as I'm not using or having them included anywhere at all. Are they just part of mongodb-tools by default and get dragged into the image by them, even though I don't need/use those?


padyx commented Apr 16, 2021

Thanks for the feedback @JamesClonk.
Sure, I had wondered why that directory was present 😀 I've replaced that commit with one that syncs the vendor directory (go mod vendor) with the changes to go.mod.

Regarding the Go mongoDB drivers: Yes, they are bundled in the mongodb executables (mongoimport, for example) which are provided by the "mongodb-database-tools" package (installed as a dependency of "mongodb-org-tools"). I added my detailed analysis steps below.

padyx@myhost:~$ go version -m mongoimport
mongoimport: go1.15.8
        path    command-line-arguments
        mod     github.com/mongodb/mongo-tools  (devel)
        dep     github.com/aws/aws-sdk-go       v1.34.28
<OMITTED>
        dep     go.mongodb.org/mongo-driver     v1.4.2  <<<<<
<OMITTED>
vcap@d30deeaa1645:~/app$ which mongoimport
/usr/bin/mongoimport

vcap@d30deeaa1645:~/app$ dpkg -S /usr/bin/mongoimport
mongodb-database-tools: /usr/bin/mongoimport

vcap@d30deeaa1645:~/app$ dpkg -s mongodb-database-tools
Package: mongodb-database-tools
Status: install ok installed
Priority: optional
Section: database
Maintainer: MongoDB Connectors Team <database-tools-packaging@mongodb.com>
Architecture: amd64
Version: 100.3.1
Replaces: mongodb-database-tools (<= 100.3.1), mongodb-org-tools (<= 4.3.2), mongodb-org-tools-unstable (<= 4.3.2), mongodb-enterprise-tools (<= 4.3.2), mongodb-enterprise-tools-unstable (<= 4.3.2)
Provides: mongodb-database-tools
Depends: libc6, libgssapi-krb5-2, libkrb5-3, libk5crypto3, libcomerr2, libkrb5support0, libkeyutils1
Breaks: mongodb-org-tools (<= 4.3.2), mongodb-org-tools-unstable (<= 4.3.2), mongodb-enterprise-tools (<= 4.3.2), mongodb-enterprise-tools-unstable (<= 4.3.2)
Conflicts: mongodb-database-tools
Description: <OMITTED>

vcap@d30deeaa1645:~/app$ dpkg -s mongodb-org-tools
Package: mongodb-org-tools
Status: install ok installed
Priority: optional
Section: database
Installed-Size: 8
Maintainer: MongoDB Packaging <packaging@mongodb.com>
Architecture: amd64
Source: mongodb-org
Version: 4.4.5
Depends: mongodb-database-tools, mongodb-org-database-tools-extra
<OMITTED>

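The check above (run `go version -m` on a binary, read the embedded module list, spot the driver version) can be turned into a small policy check. The following Go program is an added example, not code from this PR or from the backman or mongo-tools projects: it parses `go version -m` output of the shape pasted above and reports every module whose version is below a floor you define. The sample input is the `mongoimport` lines quoted in the comment (the `<OMITTED>` lines are left out); the `MinVersions` map, the type and function names, and the simple numeric semver comparison are my own assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Sample `go version -m mongoimport` output, copied from the lines quoted in
// the PR comment above (dependencies the author omitted are not included).
const sampleGoVersionM = `mongoimport: go1.15.8
        path    command-line-arguments
        mod     github.com/mongodb/mongo-tools  (devel)
        dep     github.com/aws/aws-sdk-go       v1.34.28
        dep     go.mongodb.org/mongo-driver     v1.4.2
`

// Module is one "mod" or "dep" entry from the embedded build info.
type Module struct {
	Path    string
	Version string
}

// ParseGoVersionM extracts the module entries from `go version -m` output.
// Lines are "<kind> <path> <version> [<hash>]"; anything else is skipped.
func ParseGoVersionM(out string) []Module {
	var mods []Module
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 3 {
			continue
		}
		switch fields[0] {
		case "dep", "mod":
			mods = append(mods, Module{Path: fields[1], Version: fields[2]})
		}
	}
	return mods
}

// splitVersion turns "vMAJOR.MINOR.PATCH[-pre][+build]" into three ints.
// Non-numeric versions such as "(devel)" become 0.0.0.
func splitVersion(v string) [3]int {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(p)
		out[i] = n
	}
	return out
}

// compareSemver returns -1, 0 or 1 comparing a to b numerically
// (assumption: pre-release ordering is ignored, which is enough for floors).
func compareSemver(a, b string) int {
	pa, pb := splitVersion(a), splitVersion(b)
	for i := 0; i < 3; i++ {
		if pa[i] < pb[i] {
			return -1
		}
		if pa[i] > pb[i] {
			return 1
		}
	}
	return 0
}

// MinVersions is the policy: module path -> lowest acceptable version.
// The mongo-driver floor is the version named in the PR discussion (1.4.3).
var MinVersions = map[string]string{
	"go.mongodb.org/mongo-driver": "v1.4.3",
}

// FindOutdated returns the modules whose version is below the policy floor.
func FindOutdated(mods []Module, policy map[string]string) []Module {
	var bad []Module
	for _, m := range mods {
		if floor, ok := policy[m.Path]; ok && compareSemver(m.Version, floor) < 0 {
			bad = append(bad, m)
		}
	}
	return bad
}

func main() {
	mods := ParseGoVersionM(sampleGoVersionM)
	for _, m := range FindOutdated(mods, MinVersions) {
		fmt.Printf("%s %s is below required %s\n", m.Path, m.Version, MinVersions[m.Path])
	}
}
```

In practice you would feed it the real output (`go version -m /usr/bin/mongoimport`) instead of the embedded sample, and keep the floor map in sync with the driver versions your vulnerability scanner flags; the same parser also works for the project's own `backman` binary, which is the point of building it with a current Go toolchain and refreshed modules.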
@JamesClonk JamesClonk merged commit 7d575d1 into swisscom:master Apr 16, 2021
@JamesClonk
Member

Looks good. 👍️
I'll build a new release with the merged updates asap. Cheers!
