[TRB-43095] PRISMA-2022-0227 issue in go-restful/v3

[tian-ma]

Intent

Issue PRISMA-2022-0227 reported by TwistLock scan

Background

github.com/emicklei/go-restful/v3 module prior to v3.10.0 is vulnerable to Authentication Bypass by Primary Weakness. There is an inconsistency in how go-restful parses URL paths. This inconsistency could lead to several security check bypass in a complex system. \ \ Fix: fixed in v3.10.0 \ \ Image: icr.io/cpopen/turbonomic/kubeturbo:8.9.4-SNAPSHOT \ \ Details: https://github.com/emicklei/go-restful/issues/497

Testing

Check updated whitesource scanner report. TwistLock scan report twistlock-scan-results-20230705-162317-565579000-UTC-06160807.results.csv

Manual testing

• build image using the changes

docker buildx build --platform=linux/amd64 --tag docker-na.artifactory.swg-devops.com/hyc-turbo-internal-team-docker-local/turbonomic/tamer/badkubeturbo:8.9.5-TM -f build/Dockerfile.multi-archs --build-arg VERSION=8.9.5-TM --push .

• deploy it to ROSA cluster using helm, test and check pod log for errors.

  image:
  #repository: icr.io/cpopen/turbonomic/kubeturbo
  repository:  docker-na.artifactory.swg-devops.com/hyc-turbo-internal-team-docker-local/turbonomic/tamer/badkubeturbo
  tag: 8.9.5-TM
  pullPolicy: Always

Checklist

These are the items that must be done by the developer and by reviewers before the change is ready to merge. Please strikeout any items that are not applicable, but don't delete them

• [ ] Developer Checks
  • [X] Full build with unit tests and fmt and vet checks
  • [ ] Unit tests added / updated
  • [X] No unlicensed images, no third-party code (such as from StackOverflow)
  • [ ] Integration tests added / updated
  • [X] Manual testing done (and described)
  • [ ] Product sweep run and passed
  • [ ] Developer wiki updated (and linked to this description)
• [ ] Reviewer Checks
  • [ ] Merge request description clear and understandable
  • [ ] Developer checklist items complete
  • [ ] Functional code review (how is the code written)
  • [ ] Architectural review (does the code try to do the right thing, in the right way)
  • [ ] Defensive coding (incoming data checked / sanitized, exceptions logged, clear error messages)
  • [ ] No unlicensed images, no third-party code (such as from StackOverflow)
  • [ ] Security review checklist complete.

Audience

@ading1977 @irfanurrehman