Update to golang.org/x/net@v0.33 to fix CVE-2024-45337(CRITICAL) a…

[brecode]

What type of PR is this?

/kind cleanup

What this PR does / why we need it:

Trivy scans alerted on cluster-autoscaler:v1.30.3 on following CVEs

CVE-2024-45337
CVE-2024-45338

This PR addresses the above CVEs on autoscaler release-1.30 codebase

for subdir in cluster-autoscaler/apis cluster-autoscaler/cloudprovider/azure/test cluster-autoscaler; do
  pushd $subdir
  go get golang.org/x/net@v0.33
  go mod tidy
  popd
done

Does this PR introduce a user-facing change?

NONE

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: brecode / name: Nikos (4d4ba6c)

[k8s-ci-robot]

Welcome @brecode!

It looks like this is your first PR to kubernetes/autoscaler 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/autoscaler has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @brecode. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[voelzmo]

Hey @brecode thanks for offering a fix for the CVE! I see that you're PRing to a CA release branch, so any change that doesn't involve the CA component should probably not be in here.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: brecode
Once this PR has been reviewed and has the lgtm label, please assign towca for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• cluster-autoscaler/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[brecode]

@voelzmo thanks for the feedback, updated PR with changes related to cluster-autoscaler only

[x13n]

PR title mentions golang.org/x/oauth2@v0.27, but go.mod contents don't actually change this package version - only other packages.

[x13n]

Also, CA tends to stay in sync with k/k dependencies. I see oauth2 v0.10.0 is also used there: https://github.com/kubernetes/kubernetes/blob/v1.30.11/go.mod#L79 Would you mind addressing this CVE in upstream Kubernetes repository? The dependency will then be imported to Cluster Autoscaler during next update.

[brecode]

PR title mentions golang.org/x/oauth2@v0.27, but go.mod contents don't actually change this package version - only other packages.

Wrong copy paste. Title fixed. Command used is on description:
go get golang.org/x/net@v0.33

The above covers the x/crypto CVE too

Also, CA tends to stay in sync with k/k dependencies. I see oauth2 v0.10.0 is also used there: https://github.com/kubernetes/kubernetes/blob/v1.30.11/go.mod#L79 Would you mind addressing this CVE in upstream Kubernetes repository? The dependency will then be imported to Cluster Autoscaler during next update.

I can certainly open a PR on kubernetes repo for v1.30.11. I see cluster autoscaler is using 1.30.5
https://github.com/kubernetes/autoscaler/blob/cc795019c6b6cb985769ae57d1acf479c3910546/cluster-autoscaler/go.mod#L54C3-L54C27

Is that going to be upgraded to 1.30.xx (latest) on next release for cluster-autoscaler ?

Thanks

[x13n]

Yes, it already was: #7922

For k/k repo, 1.30.11 tag already exists, but CVE fix can be included in time before 1.30.12 comes out (this month I think?)

[brecode]

Opened a PR here: kubernetes/kubernetes#130832.

In the meantime is there any other reason not to merge this or you want this update to be brought in from k8s 1.30.12?
Either way it's a direct import on autoscaler

[BenTheElder]

Autoscaler isn't running an SSH server is it??

I would recommend using a symbol aware scanner.