openshift / assisted-installer-agent

Apache License 2.0

OCPBUGS-42155: Libraries bump to mitigate CVE-2024-27289 #781

Closed. paul-maidment closed this 2 months ago

paul-maidment commented 2 months ago

The goal of this PR is to ensure that the github.com/jackc/pgx library is no longer on 4.16.0, which is vulnerable to CVE-2024-27289.

If we bump to a very recent version of pgx, we have new constraints placed on the text encoding that a connection may have.

Perhaps this warrants a bigger investigation in a separate issue, as it would be good to be able to upgrade to the latest and greatest postgres driver if possible.

I have created the following ticket https://issues.redhat.com/browse/MGMT-18949 to follow up on this at a later date (outside of the CVE process).

For now, we will use `replace` to bump pgx to a non-vulnerable version, 4.18.3.
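The mitigation above pins the dependency with a go.mod `replace` directive rather than changing the `require` line, so a naive grep of `require` would still report the old version. The script below is an added example (not part of this PR or the assisted-installer-agent repository) that reads a go.mod, resolves the effective `github.com/jackc/pgx/v4` version with `replace` taking precedence, and flags anything older than the patched release named in the PR (v4.18.3). The embedded go.mod is constructed for the example; the module path `github.com/jackc/pgx/v4` is the real import path of the v4 driver.

```shell
#!/bin/sh
# Added example: resolve the effective pgx v4 version from a go.mod,
# honouring a `replace` directive, and flag versions below the fix.
# Nothing here is project code; the go.mod text is constructed.

MODULE="github.com/jackc/pgx/v4"
FIXED="v4.18.3"   # patched release named in the PR

# Constructed sample: `require` still says v4.16.0, `replace` pins v4.18.3.
SAMPLE_GOMOD='module example.com/agent

go 1.21

require (
	github.com/jackc/pgx/v4 v4.16.0
	github.com/sirupsen/logrus v1.9.3 // indirect
)

replace github.com/jackc/pgx/v4 => github.com/jackc/pgx/v4 v4.18.3
'

# effective_version GOMOD_TEXT MODULE
# Prints the version Go will actually build against: a replace line
# ("replace old => new vX" or "old => new vX" inside a replace block)
# overrides the require line for the same module.
effective_version() {
  printf '%s\n' "$1" | awk -v mod="$2" '
    $1 == mod && $2 ~ /^v/                       { req = $2 }
    $1 == "replace" && $2 == mod && $3 == "=>" && NF >= 5 { rep = $5 }
    $1 == mod && $2 == "=>" && NF >= 4                    { rep = $4 }
    END { if (rep != "") print rep; else print req }'
}

# version_lt vA vB -> exit 0 when vA is strictly older than vB
# (numeric compare of MAJOR.MINOR.PATCH; prerelease suffixes are ignored).
version_lt() {
  awk -v a="${1#v}" -v b="${2#v}" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1 }'
}

# check_gomod GOMOD_TEXT -> exit 1 when the resolved pgx version is affected
check_gomod() {
  v=$(effective_version "$1" "$MODULE")
  if [ -z "$v" ]; then
    echo "OK: $MODULE is not required"
    return 0
  fi
  if version_lt "$v" "$FIXED"; then
    echo "AFFECTED: $MODULE resolves to $v (< $FIXED)"
    return 1
  fi
  echo "OK: $MODULE resolves to $v"
  return 0
}

check_gomod "$SAMPLE_GOMOD"
```

Run the script against a real checkout by replacing `SAMPLE_GOMOD` with `$(cat go.mod)`; `go list -m github.com/jackc/pgx/v4` gives the same answer when a Go toolchain is available, and `govulncheck ./...` goes further by checking whether the vulnerable code paths are actually reachable.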

openshift-ci-robot commented 2 months ago

@paul-maidment: This pull request references Jira Issue OCPBUGS-42155, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug:

* bug is open, matching expected state (open)
* bug target version (4.18.0) matches configured target version for branch (4.18.0)
* bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact: /cc @mhanss

The bug has been updated to refer to the pull request using the external bug tracker.

In response to [this](https://github.com/openshift/assisted-installer-agent/pull/781):

> The goal of this PR is to ensure that the github.com/jackc/pgx library is no longer on 4.16.0 which is vulnerable to CVE-2024-27289
>
> If we bump to a very recent version of pgx, we have new constraints placed on the text encoding that a connection may have.
>
> Perhaps this warrants a bigger investigation in a separate issue as it would be good to be able to upgrade to the latest and greatest postgres driver if possible.
>
> I have created the following ticket https://issues.redhat.com/browse/MGMT-18949 to follow up on this at a later date (outside of the CVE process)
>
> For now, we will use replace to bump the pgx to a non vulnerable version of 4.18.3

Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Fassisted-installer-agent). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.

codecov[bot] commented 2 months ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 59.54%. Comparing base (9bebe91) to head (f5722f0). Report is 1 commit behind head on master.

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##           master     #781      +/-   ##
==========================================
- Coverage   59.60%   59.54%   -0.06%
==========================================
  Files          74       74
  Lines        3755     3755
==========================================
- Hits         2238     2236       -2
- Misses       1356     1357       +1
- Partials      161      162       +1
```

[see 1 file with indirect coverage changes](https://app.codecov.io/gh/openshift/assisted-installer-agent/pull/781/indirect-changes?src=pr&el=tree-more&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=openshift)

paul-maidment commented 2 months ago

/test edge-e2e-ai-operator-ztp

openshift-ci[bot] commented 2 months ago

@paul-maidment: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository. I understand the commands that are listed [here](https://go.k8s.io/bot-commands).

openshift-ci[bot] commented 2 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danmanor, paul-maidment

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/openshift/assisted-installer-agent/blob/master/OWNERS)~~ [danmanor,paul-maidment]

Approvers can indicate their approval by writing `/approve` in a comment. Approvers can cancel approval by writing `/approve cancel` in a comment.

openshift-ci-robot commented 2 months ago

@paul-maidment: Jira Issue OCPBUGS-42155: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-42155 has been moved to the MODIFIED state.
