fix(deps): updated vulnerable dependencies

[rootxrishabh]

Purpose of PR?:
This PR updates all the vulnerable dependencies alerted by the OSSF scorecard.
Fixes #
#1532
Does this PR introduce a breaking change?
No
If the changes in this PR are manually verified, list down the scenarios covered::

Additional information for reviewer? :
Mention if this PR is part of any design or a continuation of previous PRs

Checklist:

• Bug fix. Fixes #
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update
• PR Title follows the convention of <type>(<scope>): <subject>
• Commit has unit tests
• Commit has integration tests

[DelusionalOptimist]

@rootxrishabh can you try by removing these k8s.io replace directives across KubeArmor's and other go.mod files? I think it should fix the current build failure. 🤔

KubeArmor/KubeArmor/go.mod

Lines 22 to 24 in 2142379

	k8s.io/api => k8s.io/api v0.26.4
	k8s.io/apimachinery => k8s.io/apimachinery v0.26.4
	k8s.io/client-go => k8s.io/client-go v0.26.4

[rootxrishabh]

@DelusionalOptimist I'll get it done.

[rootxrishabh]

@DelusionalOptimist There are some build errors, fixing them might require dependency updates. If yes, should we upgrade dependencies across Kubearmor?

[rootxrishabh]

Kubearmor Controller uses configurations such as MetricsBindAddress and port which were present in current package controller-runtime:0.14.x but have been removed in latest. Should we explore to reconfigure the controller or stick to old release?

[rootxrishabh]

libbpf-based vulnerabilities are still present as the patch is yet to be released across all releases.

[rootxrishabh]

Kubearmor Controller uses configurations such as MetricsBindAddress and port which were present in current package controller-runtime:0.14.x but have been removed in latest. Should we explore to reconfigure the controller or stick to old release?

Shifting to an older release makes sense as of now.

[rootxrishabh]

@nyrahul failing snyk tests require maintainers access, could you please take a look?

[DelusionalOptimist]

Kubearmor Controller uses configurations such as MetricsBindAddress and port which were present in current package controller-runtime:0.14.x but have been removed in latest. Should we explore to reconfigure the controller or stick to old release?

Shifting to an older release makes sense as of now.

Sure, we can handle these later as per need. 👍

[DelusionalOptimist]

All other updates look good. 👍

[DelusionalOptimist]

libbpf-based vulnerabilities are still present as the patch is yet to be released across all releases.

cc @daemon1024

[daemon1024]

I believe the libbpf vulnerability is due it existing as a submodule right?
I have created this issue to track that #1580
Even if the fix is released, it won't be a simple update for us.

[daemon1024]

https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-6130669

golang.org/x/[email protected] › golang.org/x/[email protected] 

Snyk failure cause

[rootxrishabh]

Upgraded to golang.org/x/[email protected] uses golang.org/x/crypto v0.18.0, still snyk fails. Am I missing something?

[rootxrishabh]

Upgraded to golang.org/x/[email protected] uses golang.org/x/crypto v0.18.0, still snyk fails. Am I missing something?

Solved!
Could you provide a bit more insight on security/snyk (nyrahul) ?

[Aryan-sharma11]

https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSE-6070736
Snyk failure cause

[rootxrishabh]

@Aryan-sharma11 I test all our go.mod files using snyk CLI. Other than golang.org/x/net/[email protected](low risk vuln, fix yet to implemented upstream) I can't find any vulnerability. Also, github.com/go-jose/go-jose is a transitive dependency to a package. Can we ignore this?