Epic Goal

• Fix the current list of CVEs opened against Sandboxed Containers

Why is this important?

• As a security product, we want to be as clean as possible of CVEs and security issues
• As a company, Red Hat has a couple of SLAs standards to follow.  In a nutshell, moderate issues should be fixed within 90 days window and a couple of the issues opened are open for more than a year

Scenarios

1. https://issues.redhat.com/issues/?filter=12443934&jql=Labels%20%3D%20SecurityTracking%20and%20project%20in%20(OCPBUGS%2C%20PROJQUAY%2C%20ROX)%20and%20statusCategory%20!%3D%20Done%20and%20Duedate%20%3C%3D%20now()%20and%20level%20!%3D%20%22Embargoed%20Security%20Issue%22%20and%20project%20%3D%20OCPBUGS%20and%20project%20%3D%20OCPBUGS%20and%20component%20%3D%20sandboxed-containers%20order%20by%20due%20asc

Acceptance Criteria 

(The Epic is complete when...)

1. Current CVEs fixes are implemented and tested.

Additional context:

After a quick investigation, looks like most CVEs are dependencies of dependencies in go code.  ATM goproxy, opentelemetry, protobuff and a couple of other sub dependencies needs to be bumped. We can blindly bump them or bump the libraries that are using those things.

• Updating go.mod to either replace sub-dependencies ( using replace() ) or preferred to update the actual dependencies in the require list to avoid older sub-deps. eg: By using  go mod graph I can see who's pulling otelhttp@v0.20.0, neweer versions of that library should be using otelhttp 0.44