Update module github.com/prometheus/client_golang to v1.12.2

[kingdonb]

Suggested by Renovate and Snyk, there is a medium sev reported in prometheus/client_golang which we could upgrade:

Testing fluxcd/flux:1.25.2...

✗ Medium severity vulnerability found in github.com/prometheus/client_golang/prometheus/promhttp
  Description: Denial of Service (DoS)
  Info: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMPROMETHEUSCLIENTGOLANGPROMETHEUSPROMHTTP-2401819
  Introduced through: github.com/prometheus/client_golang/prometheus/promhttp@1.11.0
  From: github.com/prometheus/client_golang/prometheus/promhttp@1.11.0
  Fixed in: 1.11.1

This is just the one issue I noticed that we can do something about right away, I just decided to drop in and scope out potential changes for a next release since we are coming up on 30 days since the last one.

There are also critical reports from pcre2/pcre2 introduced by our base image (alpine:3.15.4), it's not clear when a new base image patch version will be released, so if we can mitigate this manually or just check for it in the resulting build, which I'm testing out now as I submit this.

Perhaps it will be updated out without a rev in the base image, but I think we don't run apk update in our build process if it's not, so we may have to either change that, or wait for a new revision, and I'm inclined to just wait.

Not exactly sure how they do things at Alpine HQ to be honest, but I'm sure they're on top of this, so maybe we want to delay a release until this all can be resolved out too, (I will look for it in the test build result):

Testing fluxcd/flux:1.25.2...

✗ Critical severity vulnerability found in pcre2/pcre2
  Description: Out-of-bounds Read
  Info: https://snyk.io/vuln/SNYK-ALPINE315-PCRE2-2869383
  Introduced through: pcre2/pcre2@10.39-r0, git/git@2.34.2-r0
  From: pcre2/pcre2@10.39-r0
  From: git/git@2.34.2-r0 > pcre2/pcre2@10.39-r0
  Image layer: Introduced by your base image (alpine:3.15.4)
  Fixed in: 10.40-r0

✗ Critical severity vulnerability found in pcre2/pcre2
  Description: Out-of-bounds Read
  Info: https://snyk.io/vuln/SNYK-ALPINE315-PCRE2-2869384
  Introduced through: pcre2/pcre2@10.39-r0, git/git@2.34.2-r0
  From: pcre2/pcre2@10.39-r0
  From: git/git@2.34.2-r0 > pcre2/pcre2@10.39-r0
  Image layer: Introduced by your base image (alpine:3.15.4)
  Fixed in: 10.40-r0

✗ Critical severity vulnerability found in openldap/libldap
  Description: SQL Injection
  Info: https://snyk.io/vuln/SNYK-ALPINE315-OPENLDAP-2863511
  Introduced through: openldap/libldap@2.6.0-r0, gnupg/gpg@2.2.31-r1
  From: openldap/libldap@2.6.0-r0
  From: gnupg/gpg@2.2.31-r1 > gnupg/gnupg@2.2.31-r1 > gnupg/gnupg-dirmngr@2.2.31-r1 > openldap/libldap@2.6.0-r0
  Image layer: 'apk add --no-cache openssh-client ca-certificates tini 'git>=2.24.2' 'gnutls>=3.6.7' 'glib>=2.62.5-r0' gnupg gawk socat'
  Fixed in: 2.6.2-r0

The last recorded issue from the scan, which I'll mention just for completeness, is another one which I'm not sure we can do anything about, since SOPS @ v4 must likely contain a breaking change else it would not have got a major increment, I don't know if we can adopt this upgrade or if we've already covered this in prior discussions.

(But I know the jwt-go vulnerability was mitigated in one of our most recent releases, thanks @pjbgf):

Testing fluxcd/flux:1.25.2...

✗ High severity vulnerability found in github.com/dgrijalva/jwt-go
  Description: Access Restriction Bypass
  Info: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515
  Introduced through: github.com/dgrijalva/jwt-go@3.2.0+incompatible
  From: github.com/dgrijalva/jwt-go@3.2.0+incompatible
  Fixed in: 4.0.0-preview1



Organization:      kingdonb
Package manager:   gomodules
Target file:       /usr/local/bin/sops
Project name:      go.mozilla.org/sops/v3
Docker image:      fluxcd/flux:1.25.2
Licenses:          enabled

I am not in any hurry to push the release button again, just testing. 👍

[kingdonb]

Looks like merging this and tagging the resulting build would take care of all those, minus the SOPS issue that I mentioned can't be mitigated without a breaking upgrade (and here is the clean scan output):

$ docker scan kingdonb/flux:renovate-githubcom-prometheus-clientgolang-1x-08cff926-wip

Testing kingdonb/flux:renovate-githubcom-prometheus-clientgolang-1x-08cff926-wip...

Organization:      kingdonb
Package manager:   apk
Project name:      docker-image|kingdonb/flux
Docker image:      kingdonb/flux:renovate-githubcom-prometheus-clientgolang-1x-08cff926-wip
Platform:          linux/amd64
Base image:        alpine:3.15.4
Licenses:          enabled

✔ Tested 68 dependencies for known issues, no vulnerable paths found.

According to our scan, you are currently using the most secure version of the selected base image

-------------------------------------------------------

Testing kingdonb/flux:renovate-githubcom-prometheus-clientgolang-1x-08cff926-wip...

Organization:      kingdonb
Package manager:   gomodules
Target file:       /usr/local/bin/fluxd
Project name:      github.com/fluxcd/flux
Docker image:      kingdonb/flux:renovate-githubcom-prometheus-clientgolang-1x-08cff926-wip
Licenses:          enabled

✔ Tested 469 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------

Testing kingdonb/flux:renovate-githubcom-prometheus-clientgolang-1x-08cff926-wip...

✗ High severity vulnerability found in github.com/dgrijalva/jwt-go
  Description: Access Restriction Bypass
  Info: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515
  Introduced through: github.com/dgrijalva/jwt-go@3.2.0+incompatible
  From: github.com/dgrijalva/jwt-go@3.2.0+incompatible
  Fixed in: 4.0.0-preview1



Organization:      kingdonb
Package manager:   gomodules
Target file:       /usr/local/bin/sops
Project name:      go.mozilla.org/sops/v3
Docker image:      kingdonb/flux:renovate-githubcom-prometheus-clientgolang-1x-08cff926-wip
Licenses:          enabled

Tested 167 dependencies for known issues, found 1 issue.


Tested 3 projects, 1 contained vulnerable paths.

[pjbgf]

@kingdonb nice one!

LGTM