
[Bug] Update go.mod to address Fixable CVEs in KubeRay Operator #1494

Closed
2 tasks done
jbusche opened this issue Oct 13, 2023 · 1 comment · Fixed by #1495
Assignees
Labels
bug Something isn't working

Comments

@jbusche
Contributor

jbusche commented Oct 13, 2023

Search before asking

  • I searched the issues and found no similar issues.

KubeRay Component

ray-operator

What happened + What you expected to happen

Using Twistlock I can see three fixable CVEs that are easily fixed by updating two go.mod items. I've created a branch where it works; I just need to create a PR in draft mode and make sure it passes all tests and that it runs properly on my server.

| severityCHML | cvss | riskFactors | cve | link | hasFix | status | packageType | packageName |
|---|---|---|---|---|---|---|---|---|
| M | 6.2 | DoS - Low, Has fix, Medium severity | PRISMA-2023-0056 | https://github.com/sirupsen/logrus/issues/1370 | Y | fixed in v1.9.3 | go | github.com/sirupsen/logrus |
| M | 0 | Has fix, Medium severity, Recent vulnerability | CVE-2023-39325 | https://nvd.nist.gov/vuln/detail/CVE-2023-39325 | Y | fixed in 0.17.0 | go | golang.org/x/net |
| M | 6.1 | Attack complexity: low, Attack vector: network, Has fix, Medium severity, Recent vulnerability | CVE-2023-3978 | https://nvd.nist.gov/vuln/detail/CVE-2023-3978 | Y | fixed in 0.13.0 | go | golang.org/x/net |

After updating go.mod to the suggested fixed versions, the three vulnerabilities above are gone when scanned with Twistlock.

Reproduction script

I built the ray-operator image manually with:

cd ray-operator
make docker-image

And then used Twistlock to scan the image and it reported the 3 items above.

Then I updated the go.mod items, ran go mod tidy, and rebuilt the image; the Twistlock scan no longer indicates those 3 items.

More testing needs to occur before I change my PR from draft mode.

Anything else

With newly built images as well as the existing public ray-operator images (0.6.0 and the last rc)

Are you willing to submit a PR?

  • Yes I am willing to submit a PR!
@jbusche jbusche added the bug Something isn't working label Oct 13, 2023
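The report above boils down to a check that is easy to script: does the module's go.mod pin each affected dependency at or above the version the scanner says fixes it? The following POSIX sh script is an added example, not code from the issue or from the KubeRay project; it embeds a constructed go.mod excerpt (not KubeRay's real file) and compares the pinned versions of github.com/sirupsen/logrus and golang.org/x/net against the fixed versions listed in the table (v1.9.3 and 0.17.0, the latter covering both x/net findings). Pass `"$(cat ray-operator/go.mod)"` as the third argument of `check_module` to run it against a real module.

```shell
#!/bin/sh
# Added example: verify go.mod pins against the "fixed in" versions from a scanner report.

# Constructed go.mod excerpt used as sample input (not the KubeRay operator's real go.mod).
SAMPLE_GOMOD='module github.com/example/ray-operator

go 1.20

require (
	github.com/sirupsen/logrus v1.9.0
	golang.org/x/net v0.12.0
	k8s.io/client-go v0.26.1
)
'

# ver_ge A B: exit 0 if dotted version A >= B. A leading "v" and any
# prerelease/build suffix (e.g. "-rc1") are stripped before comparing numerically.
ver_ge() {
  awk -v a="${1#v}" -v b="${2#v}" 'BEGIN {
    sub(/[-+].*/, "", a); sub(/[-+].*/, "", b)
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# module_version MODULE: read go.mod text on stdin, print the required version of
# MODULE (handles both the "require (...)" block form and single-line "require mod vX").
module_version() {
  awk -v mod="$1" '
    ($1 == mod && $2 ~ /^v[0-9]/)           { print $2; exit }
    ($1 == "require" && $2 == mod)           { print $3; exit }
  '
}

# check_module MODULE FIXED_VERSION GOMOD_TEXT
# exit 0: pinned version already >= fixed version
# exit 1: pinned version is below the fixed version (update needed)
# exit 2: module not required directly by this go.mod
check_module() {
  v=$(printf '%s\n' "$3" | module_version "$1")
  if [ -z "$v" ]; then
    echo "SKIP $1 (not a direct requirement)"
    return 2
  fi
  if ver_ge "$v" "$2"; then
    echo "OK   $1 $v (fixed in $2)"
    return 0
  fi
  echo "FIX  $1 $v -> needs >= $2"
  return 1
}

# Stand-alone run: the two modules from the Twistlock table, with their fixed versions.
for pair in "github.com/sirupsen/logrus v1.9.3" "golang.org/x/net v0.17.0"; do
  set -- $pair
  check_module "$1" "$2" "$SAMPLE_GOMOD" || true
done
```

Against the sample go.mod both modules come back as FIX, which mirrors the situation in the report; after the pins are raised and `go mod tidy` is run, both lines become OK. Note that this only inspects direct requirements; a vulnerable version pulled in transitively still shows up in `go list -m all` and in the scanner, so the image scan remains the authoritative check.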
@jbusche
Contributor Author

jbusche commented Oct 17, 2023

Created PR #1495 for this
