vertica-kubernetes
Fix code scanning alert - CVE-2022-1996
Tracking issue for:
- [ ] https://github.com/vertica/vertica-kubernetes/security/code-scanning/2
The package is github.com/emicklei/go-restful. This is used indirectly:
```
$ go mod why -m github.com/emicklei/go-restful
# github.com/emicklei/go-restful
github.com/vertica/vertica-kubernetes/pkg/controllers/vdb
k8s.io/client-go/discovery
k8s.io/client-go/openapi
k8s.io/kube-openapi/pkg/handler3
k8s.io/kube-openapi/pkg/common
github.com/emicklei/go-restful
```
It comes from k8s.io/client-go. We are currently using v0.24.0 of client-go. We can only update this once the operator-sdk is updated though. Leaving this open until we move up the operator-sdk to a version that fixes this.
This vulnerability doesn't look like it could be exploited in the operator. The go-restful package is used to create a REST-style web service. It seems the vulnerability is specific to when you have set up a web service. However, we are only using this package indirectly to query the k8s control plane to get information about its version and build info. We aren't setting up a web service using this package. So, it doesn't apply.
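The triage above has two parts that are easy to script: resolving which version of the transitive module is actually selected, and recording the import chain that pulls it in. The following Go program is an added example, not code from this issue or from the vertica-kubernetes project. It reads the JSON stream that `go list -m -json all` prints, flags any `go-restful` module still below the fix boundary (assumed here from the CVE-2022-1996 advisory: v2 before 2.16.0 and v3 before 3.8.0), honours `replace` directives, and splits `go mod why -m` output into the chain of packages. The module list it runs on is constructed sample input, not the project's real dependency graph.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// Module holds the fields of `go list -m -json all` output that this check uses.
type Module struct {
	Path     string  `json:"Path"`
	Version  string  `json:"Version"`
	Indirect bool    `json:"Indirect"`
	Replace  *Module `json:"Replace,omitempty"`
}

// fixedVersions is the assumed fix boundary for CVE-2022-1996, taken from the
// go-restful advisory: v2 releases before 2.16.0 and v3 releases before 3.8.0.
var fixedVersions = map[string]string{
	"github.com/emicklei/go-restful":    "v2.16.0",
	"github.com/emicklei/go-restful/v3": "v3.8.0",
}

// Finding describes one module that is still below its fixed version.
type Finding struct {
	Path, Have, Fixed string
	Indirect          bool
}

// coreVersion turns "v2.9.5+incompatible" or "v3.8.0-rc1" into [2 9 5] / [3 8 0];
// build metadata and pre-release tags are dropped for this comparison.
func coreVersion(v string) [3]int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "+-"); i >= 0 {
		v = v[:i]
	}
	var out [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(p)
		out[i] = n
	}
	return out
}

// VersionLess reports whether module version a sorts before b (core numbers only).
func VersionLess(a, b string) bool {
	ca, cb := coreVersion(a), coreVersion(b)
	for i := 0; i < 3; i++ {
		if ca[i] != cb[i] {
			return ca[i] < cb[i]
		}
	}
	return false
}

// Triage reads a stream of JSON module records (the shape `go list -m -json all`
// prints) and returns every go-restful module whose selected version is below the fix.
func Triage(r io.Reader) ([]Finding, error) {
	dec := json.NewDecoder(r)
	var findings []Finding
	for {
		var m Module
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		fixed, ok := fixedVersions[m.Path]
		if !ok {
			continue
		}
		have := m.Version
		if m.Replace != nil && m.Replace.Version != "" { // a replace directive wins
			have = m.Replace.Version
		}
		if VersionLess(have, fixed) {
			findings = append(findings, Finding{Path: m.Path, Have: have, Fixed: fixed, Indirect: m.Indirect})
		}
	}
	return findings, nil
}

// ParseWhyChain splits `go mod why -m` output into the import chain, skipping the
// "# module" header and any "(main module does not need ...)" line.
func ParseWhyChain(out string) []string {
	var chain []string
	for _, line := range strings.Split(strings.TrimSpace(out), "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, "(") {
			continue
		}
		chain = append(chain, line)
	}
	return chain
}

// sampleModList is constructed sample input shaped like `go list -m -json all`;
// the versions are illustrative, not the project's real graph.
const sampleModList = `{"Path": "k8s.io/client-go", "Version": "v0.24.0"}
{"Path": "github.com/emicklei/go-restful", "Version": "v2.9.5+incompatible", "Indirect": true}
{"Path": "github.com/emicklei/go-restful/v3", "Version": "v3.8.0", "Indirect": true}`

func main() {
	findings, err := Triage(strings.NewReader(sampleModList))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s is below fixed %s (indirect=%v)\n", f.Path, f.Have, f.Fixed, f.Indirect)
	}
}
```

In a real repository you would pipe `go list -m -json all` into `Triage` instead of the embedded sample; the version check only tells you whether the selected module is patched, not whether the vulnerable code is reachable. For the reachability question raised in the comment above, `govulncheck ./...` from golang.org/x/vuln performs symbol-level call-graph analysis and reports a module-only match separately from a reachable call, which is the evidence to attach to an issue like this one.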
We upgraded the operator-sdk to v1.23.0, which changed the client-go to v0.24.2. The vulnerability is still an issue in that version. Waiting for the next operator-sdk release.
Fixed in #296 with upgrade to operator-sdk 1.25.2