chore(module): fix CVEs (#1039)

* chore(module): fix CVEs

- Update golang.org/x/crypto to v0.38.0, mitigate CVE-2024-45337,CVE-2025-22869
- Update golang.org/x/net to v0.40.0, mitigate CVE-2025-22870, CVE-2025-22872
- Update github.com/go-jose/go-jose/v3@v3.0.4, mitigate CVE-2025-27144
- Update Go 1.23, mitigate CVE-2024-45336, CVE-2024-45341, CVE-2025-22866, CVE-2025-22871
- Use Go 1.23 for virtualization-artifact, dvcr-importer, dvcr-updater, kube-api-rewriter, pre-delete-hook, CDI images, for helper C programs and dvcr.
- Cleanup virtualization_images.yaml, only ALT_P11 remains.

---------

Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>

Author: diafour

.github/workflows/dev_module_build.yml

@@ -25,6 +25,7 @@ env:
   GOLANGCI_LINT_VERSION: "1.64.8"
   SOURCE_REPO: "${{secrets.SOURCE_REPO}}"
   SOURCE_REPO_GIT: "${{secrets.SOURCE_REPO_GIT}}"
+  TRIVY_DISABLE_VEX_NOTICE: "true"
 
 on:
   workflow_dispatch:

base-images/virtualization_images.yml

@@ -1,13 +1,5 @@
 # REGISTRY_PATH is a special key which is concatenated with other base images
 REGISTRY_PATH: "docker.io/"
 
-# Virtualization images
-BASE_DEBIAN_BOOKWORM_SLIM: "debian:bookworm-slim@sha256:e9ac68ffde903b241342267a51cd74c5417414af652cb2e380c6ddcf522589bc"
-BASE_CONTAINER_REGISTRY: "registry:2.8.3@sha256:ac0192b549007e22998eb74e8d8488dcfe70f1489520c3b144a6047ac5efbe90"
-BASE_GOLANG_22_BOOKWORM: "golang:1.22.8-bookworm@sha256:9e7db50b9858e9cd804043200f1e6acd5a11111151ce886951c9fe3523002cea"
-BASE_GOLANG_23_BOOKWORM: "golang:1.23.6-bookworm@sha256:441f59f8a2104b99320e1f5aaf59a81baabbc36c81f4e792d5715ef09dd29355"
-
-BASE_ALT_P10: "alt:p10@sha256:4fab03b8d23eb16147397b0bc41a5025ba59f4e834f7fb4b933ac5206431d740"
 # Digest for image created at 2024-09-20.
 BASE_ALT_P11: "alt:p11@sha256:39f03d3bca1a92dc36835c28c2ba2f22ec15257e950b3930e0a3f034466e8dfb"
-BASE_ALPINE: "alpine:3.17.10@sha256:3451da08fc6ef554a100da3e2df5ac6d598c82f2a774d5f6ed465c3d80cd163a"

images/base-alt-p10/werf.inc.yaml

@@ -12,7 +12,7 @@ imageSpec:
 ---
 image: {{ $.ImageName }}-cbuilder
 final: false
-fromImage: BASE_DEBIAN_BOOKWORM_SLIM
+fromImage: builder/golang-bookworm-1.23
 git:
   - add: /images/{{ $.ImageName }}/static_binaries
     to: /
@@ -22,12 +22,10 @@ git:
 shell:
   beforeInstall:
   {{- include "debian packages proxy" . | nindent 2 }}
-  - |
-    apt-get install --yes \
-      gcc musl-dev musl-tools
+  - apt-get install --yes musl-dev musl-tools
   {{- include "debian packages clean" . | nindent 2 }}
   install:
-  - |    
+  - |
     echo "Building simple app that prints hello cdi"
     mkdir -p /bins
     musl-gcc -static -Os -o /bins/hello_bounder hello_bounder.c

images/bounder/werf.inc.yaml

@@ -1,11 +1,11 @@
 ---
 {{- $version := "1.60.3" }}
-{{- $goVersion := "1.22.7" }}
 {{- $gitRepoUrl := "kubevirt/containerized-data-importer.git" }}
 
+---
 image: {{ $.ImageName }}
 final: false
-fromImage: BASE_GOLANG_22_BOOKWORM
+fromImage: builder/golang-bookworm-1.23
 mount:
   - fromPath: ~/go-pkg-cache
     to: /go/pkg
@@ -32,35 +32,46 @@ shell:
   install:
   - |
     mkdir -p ~/.ssh && echo "StrictHostKeyChecking accept-new" > ~/.ssh/config
-    
-    git clone --depth 1 $(cat /run/secrets/SOURCE_REPO)/{{ $gitRepoUrl }} --branch v{{ $version }} /containerized-data-importer
-  
-    cd /containerized-data-importer
 
-    echo Download Go modules.
-    go get golang.org/x/crypto@v0.31.0
-    go mod download
-  
-    go mod tidy
-    go mod vendor
+    echo "Git clone CDI repository..."
+    git config --global --add advice.detachedHead false
+    git clone --depth 1 --branch v{{ $version }} $(cat /run/secrets/SOURCE_REPO)/{{ $gitRepoUrl }} /containerized-data-importer
 
   - |
+    cd /containerized-data-importer
     for p in /patches/*.patch ; do
       echo -n "Apply ${p} ... "
       git apply  --ignore-space-change --ignore-whitespace ${p} && echo OK || (echo FAIL ; exit 1)
     done
 
+  - |
+    echo Download Go modules.
+    go mod download
+
+    echo Update modules to mitigate CVEs...
+
+    # CVE-2024-45337,CVE-2025-22869
+    go get golang.org/x/crypto@v0.38.0
+    # CVE-2025-22870, CVE-2025-22872
+    go get golang.org/x/net@v0.40.0
+
+    # CVE-2025-27144
+    go get github.com/go-jose/go-jose/v3@v3.0.4
+
+    go mod tidy
+    go mod vendor
+
   setup:
   - mkdir /cdi-binaries
   - cd /containerized-data-importer
 
-  - export GO111MODULE=on
   - export GOOS=linux
-  - export CGO_ENABLED=0
   - export GOARCH=amd64
+  - export CGO_ENABLED=0
+  - export X_FLAGS="-X kubevirt.io/containerized-data-importer/pkg/version.gitVersion=v{{ $version }}-patched"
 
   - echo ============== Build cdi-apiserver ===========
-  - go build -ldflags="-s -w" -o /cdi-binaries/cdi-apiserver ./cmd/cdi-apiserver
+  - go build -ldflags="-s -w $X_FLAGS" -o /cdi-binaries/cdi-apiserver ./cmd/cdi-apiserver
 
   - echo ============== Build cdi-cloner ===========
   - go build -ldflags="-s -w" -o /cdi-binaries/cdi-cloner ./cmd/cdi-cloner
@@ -83,15 +94,13 @@ shell:
   - echo ============== Build cdi-operator  ===========
   - go build -ldflags="-s -w" -o /cdi-binaries/cdi-operator ./cmd/cdi-operator
 
-  - strip /cdi-binaries/*
-  - chmod +x /cdi-binaries/*
   - chown -R 64535:64535 /cdi-binaries/*
   - ls -la /cdi-binaries
 
 ---
 image: {{ $.ImageName }}-cbuilder
 final: false
-fromImage: BASE_DEBIAN_BOOKWORM_SLIM
+fromImage: builder/golang-bookworm-1.23
 git:
   - add: /images/{{ $.ImageName }}/static_binaries
     to: /
@@ -100,9 +109,9 @@ git:
         - '*.c'
 shell:
   install:
-  {{- include "debian packages proxy" . | nindent 2 }}  
+  {{- include "debian packages proxy" . | nindent 2 }}
   - |
-    apt-get install --yes gcc musl-dev musl-tools
+    apt-get install --yes musl-dev musl-tools
   {{- include "debian packages clean" . | nindent 2 }}
   - |
     echo "Building simple app that prints hello cdi"

images/cdi-artifact/werf.inc.yaml

@@ -51,7 +51,7 @@ shell:
 ---
 image: {{ $.ImageName }}-gobuild
 final: false
-fromImage: BASE_GOLANG_22_BOOKWORM
+fromImage: builder/golang-bookworm-1.23
 git:
   - add: /images/{{ $.ImageName }}/cloner-startup
     to: /app
@@ -60,7 +60,7 @@ git:
         - '**/*'
 shell:
   install:
-    - |
-      mkdir -p /cdi-binaries
-      cd /app
-      go build -ldflags="-s -w" -o /cdi-binaries/cloner-startup ./cmd/cloner-startup
+  - |
+    mkdir -p /cdi-binaries
+    cd /app
+    go build -ldflags="-s -w" -o /cdi-binaries/cloner-startup ./cmd/cloner-startup

images/cdi-cloner/werf.inc.yaml

@@ -1,32 +1,30 @@
 module github.com/deckhouse/virtualization-controller/dvcr-importers
 
-go 1.22.7
+go 1.23.0
+
+toolchain go1.23.9
 
 require (
 	github.com/containers/image/v5 v5.32.0
+	github.com/deckhouse/virtualization/api v0.0.0-20241220154636-ce1f73499998
 	github.com/distribution/reference v0.6.0
 	github.com/docker/cli v27.1.1+incompatible
 	github.com/golang/snappy v0.0.4
 	github.com/google/go-containerregistry v0.20.0
 	github.com/google/uuid v1.6.0
 	github.com/hashicorp/go-multierror v1.1.1
+	github.com/manifoldco/promptui v0.9.0
 	github.com/openshift/library-go v0.0.0-20240621150525-4bb4238aef81
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.19.0
 	github.com/prometheus/client_model v0.6.0
-	golang.org/x/net v0.26.0 // indirect
-	golang.org/x/sync v0.10.0
+	github.com/spf13/cobra v1.8.1
+	golang.org/x/sync v0.14.0
 	k8s.io/klog/v2 v2.120.1
 	kubevirt.io/containerized-data-importer v0.0.0-00010101000000-000000000000
 	kubevirt.io/containerized-data-importer-api v1.60.3
 )
 
-require (
-	github.com/deckhouse/virtualization/api v0.0.0-20241220154636-ce1f73499998
-	github.com/manifoldco/promptui v0.9.0
-	github.com/spf13/cobra v1.8.1
-)
-
 require (
 	cloud.google.com/go v0.112.0 // indirect
 	cloud.google.com/go/compute/metadata v0.3.0 // indirect
@@ -108,12 +106,13 @@ require (
 	go.opentelemetry.io/otel v1.24.0 // indirect
 	go.opentelemetry.io/otel/metric v1.24.0 // indirect
 	go.opentelemetry.io/otel/trace v1.24.0 // indirect
-	golang.org/x/crypto v0.31.0 // indirect
+	golang.org/x/crypto v0.38.0 // indirect
 	golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 // indirect
+	golang.org/x/net v0.26.0 // indirect
 	golang.org/x/oauth2 v0.21.0 // indirect
-	golang.org/x/sys v0.28.0 // indirect
-	golang.org/x/term v0.27.0 // indirect
-	golang.org/x/text v0.21.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/term v0.32.0 // indirect
+	golang.org/x/text v0.25.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
 	google.golang.org/api v0.155.0 // indirect
 	google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80 // indirect
@@ -143,11 +142,15 @@ require (
 replace (
 	github.com/aws/aws-sdk-go => github.com/aws/aws-sdk-go v1.34.0
 	github.com/chzyer/logex => github.com/chzyer/logex v1.2.1
+	github.com/go-jose/go-jose/v3 => github.com/go-jose/go-jose/v3 v3.0.4
 	github.com/openshift/api => github.com/openshift/api v0.0.0-20230406152840-ce21e3fe5da2
 	github.com/openshift/client-go => github.com/openshift/client-go v0.0.0-20230324103026-3f1513df25e0
 	github.com/openshift/library-go => github.com/mhenriks/library-go v0.0.0-20230310153733-63d38b55bd5a
 	github.com/operator-framework/operator-lifecycle-manager => github.com/operator-framework/operator-lifecycle-manager v0.0.0-20190128024246-5eb7ae5bdb7a
 
+	golang.org/x/crypto => golang.org/x/crypto v0.38.0 // CVE-2024-45337,CVE-2025-22869
+	golang.org/x/net => golang.org/x/net v0.40.0 // CVE-2025-22870, CVE-2025-22872
+
 	k8s.io/api => k8s.io/api v0.30.2
 	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.30.2
 	k8s.io/apimachinery => k8s.io/apimachinery v0.30.2