kubectl-who-can
fix: GO-2024-2687 and GO-2023-1571
PROBLEM: the project includes some old package versions that come with vulnerabilities
SOLUTION: upgrade k8s.io/xxx packages to the minimum version that fixes the reported vulnerabilities
@cmontemuino ➜ /workspaces/kubectl-who-can (main) $ go mod tidy
go: downloading github.com/spf13/pflag v1.0.5
go: downloading k8s.io/cli-runtime v0.27.15
go: downloading k8s.io/client-go v0.27.15
go: downloading k8s.io/klog/v2 v2.90.1
go: downloading github.com/stretchr/testify v1.8.3
go: downloading github.com/spf13/cobra v1.6.0
go: downloading k8s.io/api v0.27.15
go: downloading k8s.io/apiextensions-apiserver v0.27.15
go: downloading k8s.io/apimachinery v0.27.15
go: downloading github.com/evanphx/json-patch v4.12.0+incompatible
go: downloading github.com/google/uuid v1.3.0
go: downloading k8s.io/utils v0.0.0-20230209194617-a36077c30491
go: downloading github.com/go-logr/logr v1.2.3
go: downloading github.com/davecgh/go-spew v1.1.1
go: downloading github.com/pmezard/go-difflib v1.0.0
go: downloading gopkg.in/yaml.v3 v3.0.1
go: downloading github.com/inconshreveable/mousetrap v1.0.1
go: downloading github.com/gogo/protobuf v1.3.2
go: downloading github.com/google/go-cmp v0.5.9
go: downloading github.com/google/gofuzz v1.1.0
go: downloading sigs.k8s.io/yaml v1.3.0
go: downloading github.com/golang/protobuf v1.5.4
go: downloading github.com/google/gnostic v0.5.7-v3refs
go: downloading google.golang.org/protobuf v1.33.0
go: downloading k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f
go: downloading github.com/imdario/mergo v0.3.6
go: downloading golang.org/x/term v0.18.0
go: downloading golang.org/x/net v0.23.0
go: downloading github.com/stretchr/objx v0.5.0
go: downloading sigs.k8s.io/structured-merge-diff/v4 v4.2.3
go: downloading github.com/pkg/errors v0.9.1
go: downloading sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd
go: downloading github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de
go: downloading golang.org/x/text v0.14.0
go: downloading gopkg.in/yaml.v2 v2.4.0
go: downloading sigs.k8s.io/kustomize/api v0.13.2
go: downloading sigs.k8s.io/kustomize/kyaml v0.14.1
go: downloading github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7
go: downloading github.com/peterbourgon/diskv v2.0.1+incompatible
go: downloading golang.org/x/oauth2 v0.7.0
go: downloading gopkg.in/inf.v0 v0.9.1
go: downloading golang.org/x/time v0.3.0
go: downloading golang.org/x/sys v0.18.0
go: downloading github.com/go-openapi/swag v0.22.3
go: downloading github.com/json-iterator/go v1.1.12
go: downloading github.com/go-openapi/jsonreference v0.20.1
go: downloading github.com/google/btree v1.0.1
go: downloading github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
go: downloading github.com/mailru/easyjson v0.7.7
go: downloading gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
go: downloading github.com/onsi/ginkgo/v2 v2.9.1
go: downloading github.com/onsi/gomega v1.27.4
go: downloading github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
go: downloading github.com/modern-go/reflect2 v1.0.2
go: downloading github.com/go-openapi/jsonpointer v0.19.6
go: downloading github.com/go-errors/errors v1.4.2
go: downloading github.com/sergi/go-diff v1.1.0
go: downloading google.golang.org/appengine v1.6.7
go: downloading github.com/emicklei/go-restful/v3 v3.9.0
go: downloading github.com/josharian/intern v1.0.0
go: downloading github.com/kr/pretty v0.3.0
go: downloading github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00
go: downloading github.com/xlab/treeprint v1.1.0
go: downloading github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
go: downloading github.com/kr/text v0.2.0
go: downloading github.com/rogpeppe/go-internal v1.12.0
go: downloading go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5
go: downloading github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0
go: downloading golang.org/x/tools v0.16.1
go: downloading github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1
go: downloading github.com/onsi/ginkgo v1.16.4
@cmontemuino ➜ /workspaces/kubectl-who-can (fix-vulnerabilities) $ make unit-tests
GO111MODULE=on go test -v -short -race -timeout 30s -coverprofile=coverage.txt -covermode=atomic ./...
github.com/aquasecurity/kubectl-who-can/cmd/kubectl-who-can coverage: 0.0% of statements
=== RUN TestIsAllowed
=== RUN TestIsAllowed/Should_return_true_when_SSAR's_allowed_property_is_true
=== RUN TestIsAllowed/Should_return_false_when_SSAR's_allowed_property_is_false
=== RUN TestIsAllowed/Should_return_error_when_API_request_fails
--- PASS: TestIsAllowed (0.00s)
--- PASS: TestIsAllowed/Should_return_true_when_SSAR's_allowed_property_is_true (0.00s)
--- PASS: TestIsAllowed/Should_return_false_when_SSAR's_allowed_property_is_false (0.00s)
--- PASS: TestIsAllowed/Should_return_error_when_API_request_fails (0.00s)
=== RUN TestActionFrom
=== RUN TestActionFrom/A
list_test.go:182: PASS: Namespace()
=== RUN TestActionFrom/B
list_test.go:182: PASS: Namespace()
=== RUN TestActionFrom/C
=== RUN TestActionFrom/D
=== RUN TestActionFrom/F
=== RUN TestActionFrom/G
--- PASS: TestActionFrom (0.00s)
--- PASS: TestActionFrom/A (0.00s)
--- PASS: TestActionFrom/B (0.00s)
--- PASS: TestActionFrom/C (0.00s)
--- PASS: TestActionFrom/D (0.00s)
--- PASS: TestActionFrom/F (0.00s)
--- PASS: TestActionFrom/G (0.00s)
=== RUN TestValidate
=== RUN TestValidate/Should_return_nil_when_namespace_is_valid
list_test.go:248: PASS: Validate(string)
=== RUN TestValidate/Should_return_error_when_namespace_does_not_exist
list_test.go:248: PASS: Validate(string)
=== RUN TestValidate/Should_return_error_when_--subresource_flag_is_used_with_non-resource_URL
--- PASS: TestValidate (0.00s)
--- PASS: TestValidate/Should_return_nil_when_namespace_is_valid (0.00s)
--- PASS: TestValidate/Should_return_error_when_namespace_does_not_exist (0.00s)
--- PASS: TestValidate/Should_return_error_when_--subresource_flag_is_used_with_non-resource_URL (0.00s)
=== RUN TestWhoCan_CheckAPIAccess
=== RUN TestWhoCan_CheckAPIAccess/A
list_test.go:355: PASS: IsAllowedTo(string,string,string)
list_test.go:355: PASS: IsAllowedTo(string,string,string)
list_test.go:355: PASS: IsAllowedTo(string,string,string)
list_test.go:355: PASS: IsAllowedTo(string,string,string)
list_test.go:355: PASS: IsAllowedTo(string,string,string)
=== RUN TestWhoCan_CheckAPIAccess/B
list_test.go:355: PASS: IsAllowedTo(string,string,string)
list_test.go:355: PASS: IsAllowedTo(string,string,string)
--- PASS: TestWhoCan_CheckAPIAccess (0.00s)
--- PASS: TestWhoCan_CheckAPIAccess/A (0.00s)
--- PASS: TestWhoCan_CheckAPIAccess/B (0.00s)
=== RUN TestWhoCan_GetRolesFor
list_test.go:417: PASS: MatchesRole(v1.Role,cmd.resolvedAction)
list_test.go:417: PASS: MatchesRole(v1.Role,cmd.resolvedAction)
--- PASS: TestWhoCan_GetRolesFor (0.00s)
=== RUN TestWhoCan_GetClusterRolesFor
list_test.go:476: PASS: MatchesClusterRole(v1.ClusterRole,cmd.resolvedAction)
list_test.go:476: PASS: MatchesClusterRole(v1.ClusterRole,cmd.resolvedAction)
--- PASS: TestWhoCan_GetClusterRolesFor (0.00s)
=== RUN TestWhoCan_GetRoleBindings
--- PASS: TestWhoCan_GetRoleBindings (0.00s)
=== RUN TestWhoCan_GetClusterRoleBindings
--- PASS: TestWhoCan_GetClusterRoleBindings (0.00s)
=== RUN TestNamespaceValidator_Validate
=== RUN TestNamespaceValidator_Validate/Should_return_error_when_getting_namespace_fails
=== RUN TestNamespaceValidator_Validate/Should_return_error_when_namespace_does_not_exist
=== RUN TestNamespaceValidator_Validate/Should_return_error_when_namespace_is_not_active
=== RUN TestNamespaceValidator_Validate/Should_return_nil_when_namespace_is_active
--- PASS: TestNamespaceValidator_Validate (0.00s)
--- PASS: TestNamespaceValidator_Validate/Should_return_error_when_getting_namespace_fails (0.00s)
--- PASS: TestNamespaceValidator_Validate/Should_return_error_when_namespace_does_not_exist (0.00s)
--- PASS: TestNamespaceValidator_Validate/Should_return_error_when_namespace_is_not_active (0.00s)
--- PASS: TestNamespaceValidator_Validate/Should_return_nil_when_namespace_is_active (0.00s)
=== RUN TestMatcher_MatchesRole
--- PASS: TestMatcher_MatchesRole (0.00s)
=== RUN TestMatcher_MatchesClusterRole
--- PASS: TestMatcher_MatchesClusterRole (0.00s)
=== RUN TestMatcher_matches
=== RUN TestMatcher_matches/A
=== RUN TestMatcher_matches/B
=== RUN TestMatcher_matches/C
=== RUN TestMatcher_matches/D
=== RUN TestMatcher_matches/E
=== RUN TestMatcher_matches/F
=== RUN TestMatcher_matches/G
=== RUN TestMatcher_matches/H
=== RUN TestMatcher_matches/I
=== RUN TestMatcher_matches/J
=== RUN TestMatcher_matches/K
=== RUN TestMatcher_matches/L
=== RUN TestMatcher_matches/Should_return_true_when_PolicyRule's_APIGroup_matches_resolved_resource's_group
=== RUN TestMatcher_matches/Should_return_true_when_PolicyRule's_APIGroup_matches_all_('')resource_groups
=== RUN TestMatcher_matches/Should_return_false_when_PolicyRule's_APIGroup_doesn't_match_resolved_resource's_Group
--- PASS: TestMatcher_matches (0.00s)
--- PASS: TestMatcher_matches/A (0.00s)
--- PASS: TestMatcher_matches/B (0.00s)
--- PASS: TestMatcher_matches/C (0.00s)
--- PASS: TestMatcher_matches/D (0.00s)
--- PASS: TestMatcher_matches/E (0.00s)
--- PASS: TestMatcher_matches/F (0.00s)
--- PASS: TestMatcher_matches/G (0.00s)
--- PASS: TestMatcher_matches/H (0.00s)
--- PASS: TestMatcher_matches/I (0.00s)
--- PASS: TestMatcher_matches/J (0.00s)
--- PASS: TestMatcher_matches/K (0.00s)
--- PASS: TestMatcher_matches/L (0.00s)
--- PASS: TestMatcher_matches/Should_return_true_when_PolicyRule's_APIGroup_matches_resolved_resource's_group (0.00s)
--- PASS: TestMatcher_matches/Should_return_true_when_PolicyRule's_APIGroup_matches_all('')_resource_groups (0.00s)
--- PASS: TestMatcher_matches/Should_return_false_when_PolicyRule's_APIGroup_doesn't_match_resolved_resource's_Group (0.00s)
=== RUN TestResourceResolver_Resolve
=== RUN TestResourceResolver_Resolve/A
resource_resolver_test.go:187: PASS: ResourceFor(schema.GroupVersionResource)
=== RUN TestResourceResolver_Resolve/B
resource_resolver_test.go:187: PASS: ResourceFor(schema.GroupVersionResource)
=== RUN TestResourceResolver_Resolve/C
resource_resolver_test.go:187: PASS: ResourceFor(schema.GroupVersionResource)
=== RUN TestResourceResolver_Resolve/D
resource_resolver_test.go:187: PASS: ResourceFor(schema.GroupVersionResource)
=== RUN TestResourceResolver_Resolve/E
resource_resolver_test.go:187: PASS: ResourceFor(schema.GroupVersionResource)
=== RUN TestResourceResolver_Resolve/F
resource_resolver_test.go:187: PASS: ResourceFor(schema.GroupVersionResource)
=== RUN TestResourceResolver_Resolve/G
resource_resolver_test.go:187: PASS: ResourceFor(schema.GroupVersionResource)
=== RUN TestResourceResolver_Resolve/H
resource_resolver_test.go:187: PASS: ResourceFor(schema.GroupVersionResource)
=== RUN TestResourceResolver_Resolve/I
=== RUN TestResourceResolver_Resolve/Should_resolve_psp
resource_resolver_test.go:187: PASS: ResourceFor(schema.GroupVersionResource)
=== RUN TestResourceResolver_Resolve/Should_return_error_when_psp_verb_is_not_supported
resource_resolver_test.go:187: PASS: ResourceFor(schema.GroupVersionResource)
--- PASS: TestResourceResolver_Resolve (0.00s)
--- PASS: TestResourceResolver_Resolve/A (0.00s)
--- PASS: TestResourceResolver_Resolve/B (0.00s)
--- PASS: TestResourceResolver_Resolve/C (0.00s)
--- PASS: TestResourceResolver_Resolve/D (0.00s)
--- PASS: TestResourceResolver_Resolve/E (0.00s)
--- PASS: TestResourceResolver_Resolve/F (0.00s)
--- PASS: TestResourceResolver_Resolve/G (0.00s)
--- PASS: TestResourceResolver_Resolve/H (0.00s)
--- PASS: TestResourceResolver_Resolve/I (0.00s)
--- PASS: TestResourceResolver_Resolve/Should_resolve_psp (0.00s)
--- PASS: TestResourceResolver_Resolve/Should_return_error_when_psp_verb_is_not_supported (0.00s)
=== RUN TestPrinter_PrintWarnings
=== RUN TestPrinter_PrintWarnings/A
=== RUN TestPrinter_PrintWarnings/B
=== RUN TestPrinter_PrintWarnings/C
--- PASS: TestPrinter_PrintWarnings (0.00s)
--- PASS: TestPrinter_PrintWarnings/A (0.00s)
--- PASS: TestPrinter_PrintWarnings/B (0.00s)
--- PASS: TestPrinter_PrintWarnings/C (0.00s)
=== RUN TestPrinter_PrintChecks
=== RUN TestPrinter_PrintChecks/A
=== RUN TestPrinter_PrintChecks/B
=== RUN TestPrinter_PrintChecks/C
=== RUN TestPrinter_PrintChecks/D
=== RUN TestPrinter_PrintChecks/E
--- PASS: TestPrinter_PrintChecks (0.00s)
--- PASS: TestPrinter_PrintChecks/A (0.00s)
--- PASS: TestPrinter_PrintChecks/B (0.00s)
--- PASS: TestPrinter_PrintChecks/C (0.00s)
--- PASS: TestPrinter_PrintChecks/D (0.00s)
--- PASS: TestPrinter_PrintChecks/E (0.00s)
=== RUN TestPrinter_ExportData
=== RUN TestPrinter_ExportData/A
=== RUN TestPrinter_ExportData/B
=== RUN TestPrinter_ExportData/C
=== RUN TestPrinter_ExportData/D
=== RUN TestPrinter_ExportData/E
=== RUN TestPrinter_ExportData/F
--- PASS: TestPrinter_ExportData (0.00s)
--- PASS: TestPrinter_ExportData/A (0.00s)
--- PASS: TestPrinter_ExportData/B (0.00s)
--- PASS: TestPrinter_ExportData/C (0.00s)
--- PASS: TestPrinter_ExportData/D (0.00s)
--- PASS: TestPrinter_ExportData/E (0.00s)
--- PASS: TestPrinter_ExportData/F (0.00s)
PASS
coverage: 75.5% of statements
ok github.com/aquasecurity/kubectl-who-can/pkg/cmd 1.177s coverage: 75.5% of statements
=== RUN TestIntegration
integration_test.go:36: Integration test
--- SKIP: TestIntegration (0.00s)
PASS
coverage: [no statements]
ok github.com/aquasecurity/kubectl-who-can/test 1.041s coverage: [no statements]
@cmontemuino ➜ /workspaces/kubectl-who-can (main) $ govulncheck ./...
No vulnerabilities found.
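A bump like this one is only safe until the next `go get` or merge drags a k8s.io module back below the fixed version, and govulncheck is usually not run on every change. As an added example (not code from the kubectl-who-can project or from this PR), here is a small Go check a CI job could run over go.mod to enforce a version floor per module. The go.mod excerpt is constructed, the module list in k8sFloors and the function names are this example's own assumptions, and v0.27.15 is the version the go mod tidy output above shows the k8s.io modules being moved to.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed go.mod excerpt (not the project's real file): k8s.io/api already
// meets the floor; apimachinery and cli-runtime are still below it.
const sampleGoMod = `require (
	k8s.io/api v0.27.15
	k8s.io/apimachinery v0.26.3
	k8s.io/cli-runtime v0.25.0 // indirect
)
require github.com/stretchr/testify v1.8.3
`

// Minimum versions keyed by exact module path. v0.27.15 is the version the PR
// moves the k8s.io/* modules to; which modules to list is this example's choice.
var k8sFloors = map[string]string{
	"k8s.io/api":          "v0.27.15",
	"k8s.io/apimachinery": "v0.27.15",
	"k8s.io/cli-runtime":  "v0.27.15",
}

// semverKey packs the numeric MAJOR.MINOR.PATCH of "vX.Y.Z[-pre][+build]" into
// one ordered integer (20 bits per component). Suffixes are dropped, so the
// pseudo-version v0.0.0-20230209194617-a36077c30491 keys the same as v0.0.0.
func semverKey(v string) (int64, error) {
	s, _, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	s, _, _ = strings.Cut(s, "+")
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return 0, fmt.Errorf("not a semver version: %q", v)
	}
	var key int64
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n >= 1<<20 {
			return 0, fmt.Errorf("bad component %q in %q", p, v)
		}
		key = key<<20 | int64(n)
	}
	return key, nil
}

// requirements maps module path -> version for both the single-line and the
// block form of require; trailing comments such as "// indirect" are ignored.
func requirements(goMod string) map[string]string {
	reqs := map[string]string{}
	inBlock := false
	for _, raw := range strings.Split(goMod, "\n") {
		line, _, _ := strings.Cut(raw, "//")
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case len(f) == 3 && f[0] == "require":
			reqs[f[1]] = f[2]
		case inBlock && len(f) == 2:
			reqs[f[0]] = f[1]
		}
	}
	return reqs
}

// BelowFloor returns module -> required version for every floored module whose
// version is older than its floor. A module absent from go.mod is not linked in
// at all, so it is not reported; an unparsable version is an error, not a pass.
func BelowFloor(goMod string, floors map[string]string) (map[string]string, error) {
	reqs := requirements(goMod)
	out := map[string]string{}
	for mod, floor := range floors {
		ver, ok := reqs[mod]
		if !ok {
			continue
		}
		have, err := semverKey(ver)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", mod, err)
		}
		want, err := semverKey(floor)
		if err != nil {
			return nil, fmt.Errorf("%s floor: %w", mod, err)
		}
		if have < want {
			out[mod] = ver
		}
	}
	return out, nil
}

func main() {
	findings, err := BelowFloor(sampleGoMod, k8sFloors)
	fmt.Println("below floor:", findings, "error:", err)
}
```

In a CI step the job should exit non-zero whenever the returned map is non-empty or an error comes back. Versions are compared numerically, which matters here because a plain string comparison would rank v0.27.9 above v0.27.15. Floors are keyed by exact module path on purpose: k8s.io/utils and k8s.io/klog/v2 do not follow the Kubernetes release train, so a single prefix-wide floor would flag them wrongly; give each its own entry if it needs one. This complements rather than replaces govulncheck, which reports reachable vulnerable symbols; the floor check is a cheap regression guard for the fix already made.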