chore(cve): Fix CVE in the Keda autoscaler library (#7066)

* Upgrade keda from 2.7.1 to 2.12.0

* Update Keda to 2.13.0

* Upgrade Keda to 2.14.0

* Upgrade to Keda 2.15.0

* Upgrade to Keda 2.17.3

* Update transitive dep expr-lang/expr coming from Keda to fix CVE

* Add comment in go.mod for cve

* Bump k8s libs in executor to resolve go.mod after the changes in the operator

* Add replace for expr-lang/expr in go.mod in executor as well

* Update licenses for the operator. Remove additional license info for go-jose(from previous version of keda), now resolving properly

* Update executor licenses; entry for JohnCGriffin/overflow had to be manually copy-pasted into the license.txt

* Update tarball licenses in the operator and executor Dockerfiles

Author: vtaskow

executor/Dockerfile.executor

@@ -25,19 +25,15 @@ RUN CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -a -o executor cmd/executor/m
 RUN wget -O go-sql-driver-mysql.tar.gz https://github.com/go-sql-driver/mysql/archive/master.tar.gz
 RUN wget -O hashicorp-errwrap.tar.gz https://github.com/hashicorp/errwrap/archive/master.tar.gz
 RUN wget -O hashicorp-go-cleanhttp.tar.gz https://github.com/hashicorp/go-cleanhttp/archive/master.tar.gz
-RUN wget -O hashicorp-go-immutable-radix.tar.gz https://github.com/hashicorp/go-immutable-radix/archive/master.tar.gz
 RUN wget -O hashicorp-go-multierror.tar.gz https://github.com/hashicorp/go-multierror/archive/master.tar.gz
-RUN wget -O hashicorp-go-plugin.tar.gz https://github.com/hashicorp/go-plugin/archive/master.tar.gz
 RUN wget -O hashicorp-go-retryablehttp.tar.gz https://github.com/hashicorp/go-retryablehttp/archive/master.tar.gz
 RUN wget -O hashicorp-go-rootcerts.tar.gz https://github.com/hashicorp/go-rootcerts/archive/master.tar.gz
 RUN wget -O hashicorp-go-secure-stdlib.tar.gz https://github.com/hashicorp/go-secure-stdlib/archive/master.tar.gz
 RUN wget -O hashicorp-go-sockaddr.tar.gz https://github.com/hashicorp/go-sockaddr/archive/master.tar.gz
 RUN wget -O hashicorp-go-uuid.tar.gz https://github.com/hashicorp/go-uuid/archive/master.tar.gz
-RUN wget -O hashicorp-go-version.tar.gz https://github.com/hashicorp/go-version/archive/master.tar.gz
 RUN wget -O hashicorp-golang-lru.tar.gz https://github.com/hashicorp/golang-lru/archive/master.tar.gz
 RUN wget -O hashicorp-hcl.tar.gz https://github.com/hashicorp/hcl/archive/master.tar.gz
 RUN wget -O hashicorp-vault.tar.gz https://github.com/hashicorp/vault/archive/master.tar.gz
-RUN wget -O hashicorp-yamux.tar.gz https://github.com/hashicorp/yamux/archive/master.tar.gz
 
 # Copy OpenAPI folder and change the permissions
 # NOTE: We need to give `x` access to folders, so that users can list their

executor/go.mod

@@ -10,81 +10,82 @@ require (
 	github.com/golang/protobuf v1.5.4
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/mux v1.8.0
-	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0
-	github.com/onsi/gomega v1.36.2
+	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
+	github.com/onsi/gomega v1.37.0
 	github.com/opentracing/opentracing-go v1.2.0
 	github.com/pkg/errors v0.9.1
-	github.com/prometheus/client_golang v1.16.0
-	github.com/prometheus/common v0.44.0
+	github.com/prometheus/client_golang v1.21.1
+	github.com/prometheus/common v0.63.0
 	github.com/seldonio/seldon-core/operator v0.0.0-00010101000000-000000000000
 	github.com/tensorflow/tensorflow/tensorflow/go/core v0.0.0-00010101000000-000000000000
 	github.com/uber/jaeger-client-go v2.25.0+incompatible
-	go.uber.org/automaxprocs v1.4.0
+	go.uber.org/automaxprocs v1.6.0
 	go.uber.org/zap v1.27.0
-	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2
-	google.golang.org/grpc v1.56.3
+	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028
+	google.golang.org/grpc v1.71.1
 	gotest.tools v2.2.0+incompatible
-	k8s.io/api v0.28.4
-	sigs.k8s.io/controller-runtime v0.16.3
+	k8s.io/api v0.32.2
+	sigs.k8s.io/controller-runtime v0.19.7
 )
 
 require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/codahale/hdrhistogram v0.0.0-00010101000000-000000000000 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
-	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
-	github.com/fsnotify/fsnotify v1.6.0 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/emicklei/go-restful/v3 v3.12.1 // indirect
+	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
+	github.com/expr-lang/expr v1.17.2 // indirect
+	github.com/fsnotify/fsnotify v1.9.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
-	github.com/go-openapi/jsonreference v0.20.2 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/imdario/mergo v0.3.12 // indirect
+	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/josharian/intern v1.0.1-0.20211109044230-42b52b674af5 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/kedacore/keda/v2 v2.7.1 // indirect
+	github.com/kedacore/keda/v2 v2.17.3 // indirect
 	github.com/lightstep/tracecontext.go v0.0.0-20181129014701-1757c391b1ac // indirect
-	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
+	github.com/mailru/easyjson v0.9.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/prometheus/client_model v0.4.0 // indirect
-	github.com/prometheus/procfs v0.10.1 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/uber/jaeger-lib v2.2.0+incompatible // indirect
-	go.opencensus.io v0.23.0 // indirect
-	go.uber.org/atomic v1.10.0 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	go.opencensus.io v0.24.0 // indirect
+	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e // indirect
+	golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac // indirect
 	golang.org/x/net v0.44.0 // indirect
-	golang.org/x/oauth2 v0.27.0 // indirect
+	golang.org/x/oauth2 v0.29.0 // indirect
 	golang.org/x/sys v0.36.0 // indirect
 	golang.org/x/term v0.35.0 // indirect
 	golang.org/x/text v0.29.0 // indirect
-	golang.org/x/time v0.9.0 // indirect
+	golang.org/x/time v0.11.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4 // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.28.3 // indirect
+	k8s.io/apiextensions-apiserver v0.32.2 // indirect
 	k8s.io/apimachinery v0.34.1 // indirect
 	k8s.io/client-go v12.0.0+incompatible // indirect
-	k8s.io/component-base v0.28.3 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
 	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect
-	knative.dev/pkg v0.0.0-20220502225657-4fced0164c9a // indirect
+	knative.dev/pkg v0.0.0-20250326102644-9f3e60a9244c // indirect
 	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
@@ -93,11 +94,28 @@ require (
 
 replace (
 	github.com/codahale/hdrhistogram => github.com/HdrHistogram/hdrhistogram-go v1.1.2
+	// Resolves https://access.redhat.com/security/cve/CVE-2025-68156
+	github.com/expr-lang/expr v1.17.2 => github.com/expr-lang/expr v1.17.7
+
+	github.com/prometheus/client_golang => github.com/prometheus/client_golang v1.19.1
+	github.com/prometheus/client_model => github.com/prometheus/client_model v0.6.1
+	github.com/prometheus/common => github.com/prometheus/common v0.55.0
+	github.com/prometheus/prometheus => github.com/prometheus/prometheus v0.54.0
 	github.com/seldonio/seldon-core/operator => ./_operator
 	github.com/tensorflow/tensorflow/tensorflow/go/core => ./proto/tensorflow/core
-	k8s.io/apimachinery => k8s.io/apimachinery v0.29.0-alpha.3
-	k8s.io/client-go => k8s.io/client-go v0.28.4
-	k8s.io/kube-openapi => k8s.io/kube-openapi v0.0.0-20250628140032-d90c4fd18f59
+
+	gopkg.in/yaml.v3 => go.yaml.in/yaml/v3 v3.0.1
+
+	k8s.io/api => k8s.io/api v0.31.7
+	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.31.7
+	k8s.io/apimachinery => k8s.io/apimachinery v0.31.7
+	k8s.io/apiserver => k8s.io/apiserver v0.31.7
+	k8s.io/client-go => k8s.io/client-go v0.31.7
+	k8s.io/code-generator => k8s.io/code-generator v0.31.7
+	k8s.io/component-base => k8s.io/component-base v0.31.7
+	k8s.io/gengo/v2 => k8s.io/gengo/v2 v2.0.0-20240228010128-51d4e06bde70
+	k8s.io/kube-openapi => k8s.io/kube-openapi v0.0.0-20250701173324-9bd5c66d9911
+	k8s.io/metrics => k8s.io/metrics v0.31.7
 )
 
 exclude github.com/go-logr/logr v1.0.0