Address CVE-2022-21698

[pierreprinetti]

Upgrade the Prometheus client to v1.11.1.

This commit is the result of running:

go get github.com/prometheus/[email protected] \
	&& go mod tidy && go mod vendor

See GHSA-cg3q-j54f-5p7p

What this PR does / why we need it:
Upgrades github.com/prometheus/client_golang to v1.11.1, where the vulnerability has been fixed.

Which issue(s) this PR fixes:
Fixes #300

Special notes for your reviewer:
One handy way to check that the version of client_go used for compiling contains the security patch, is to run go mod vendor and check that the InstrumentRoundTripperCounter method contains a variadic options argument.

$ grep InstrumentRoundTripperCounter vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_client.go
// InstrumentRoundTripperCounter is a middleware that wraps the provided
func InstrumentRoundTripperCounter(counter *prometheus.CounterVec, next http.RoundTripper, opts ...Option) RoundTripperFunc {

/kind bug

Address CVE-2022-21698

[k8s-ci-robot]

Hi @pierreprinetti. Thanks for your PR.

I'm waiting for a kubernetes-csi member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[pierreprinetti]

/assign @msau42
as the bot suggests

[coveralls]

Pull Request Test Coverage Report for Build 2035349643

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage remained the same at 77.868%

---

Totals
Change from base Build 2032726918:	0.0%
Covered Lines:	577
Relevant Lines:	741

---

💛 - Coveralls

[andyzhangx]

/ok-to-test

[andyzhangx]

I am curious where is github.com/prometheus/client_golang lib used in this project? I could not find any code referencing prometheus/client_golang

[andyzhangx]

o, it's referenced by

csi-driver-nfs/vendor/k8s.io/component-base/metrics/legacyregistry/registry.go

Lines 22 to 23 in 0a08bf7

	"github.com/prometheus/client_golang/prometheus"
	"github.com/prometheus/client_golang/prometheus/promhttp"

[andyzhangx]

set indirect dependency is not ideal way in long term maintenance

[andyzhangx]

the vendor change only applies in k8s 1.24: kubernetes/kubernetes#108328

[pierreprinetti]

You are correct, it's indirect. The idea is to remove the explicit require once dependencies bump it themselves.
This patch has the advantage that it can be easily backported. Shall we merge, or wait for a k8s bump? I have no strong opinion.

[andyzhangx]

/lgtm
/approve
thanks, let's merge this PR first.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andyzhangx, pierreprinetti

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [andyzhangx]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment