Fix CVE-2024-45337: Update golang.org/x/crypto in statsd_exporter to >= v0.31.0 #1480

@turguns

Description

Fix CVE-2024-45337: Update golang.org/x/crypto in statsd_exporter to >= v0.31.0

Part of https://github.com/stackabletech/docker-images/issues/xxx


Problem

The stackable/statsd_exporter image embedded in the Superset product image contains a CRITICAL vulnerability:

| CVE | Library | Installed | Fixed | Severity |
|---|---|---|---|---|
| CVE-2024-45337 | golang.org/x/crypto | v0.27.0 | v0.31.0 | CRITICAL |

Description: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto/ssh. See: https://avd.aquasec.com/nvd/cve-2024-45337

This CVE is present in both:

  • oci.stackable.tech/sdp/superset:4.1.4-stackable26.3.0
  • oci.stackable.tech/sdp/superset:6.0.0-stackable26.3.0

The statsd_exporter binary is compiled with golang.org/x/crypto v0.27.0. The fix requires rebuilding the binary with golang.org/x/crypto >= v0.31.0.

Note: While statsd_exporter does not expose SSH functionality and the vulnerable PublicKeyCallback code path is not reachable at runtime, the vulnerability still triggers CRITICAL findings in standard security scanners (Trivy, Wiz, etc.), blocking internal compliance and image promotion pipelines.
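As an added example (not code from this issue or from the statsd_exporter project), the following Go snippet checks the rebuilt binary's embedded build info directly rather than trusting a scanner: it takes the `Deps` list that `debug/buildinfo.ReadFile` returns for a module-built binary and reports whether the linked golang.org/x/crypto is at or above v0.31.0, honouring `replace` directives and treating pseudo-versions as pre-releases. The function names and the sample pseudo-version are my own.

```go
// Added check: given the Deps list from a Go binary's embedded build info (as
// debug/buildinfo.ReadFile returns it), confirm the linked x/crypto is fixed.
package main

import (
	"fmt"
	"runtime/debug"
	"strings"
)

const CryptoModule = "golang.org/x/crypto"
const CryptoFixed = "v0.31.0" // fixed version for CVE-2024-45337

// parseSemver reads "vX.Y.Z[-pre][+meta]"; pre marks a pseudo-version, which sorts before its base release.
func parseSemver(v string) (n [3]int, pre, ok bool) {
	v, _, _ = strings.Cut(v, "+")
	cnt, err := fmt.Sscanf(v, "v%d.%d.%d", &n[0], &n[1], &n[2])
	return n, strings.Contains(v, "-"), err == nil && cnt == 3
}

// VersionAtLeast reports got >= want under semver ordering; a pre-release of
// X.Y.Z sorts below the X.Y.Z release. Unparseable input fails closed.
func VersionAtLeast(got, want string) bool {
	g, gpre, gok := parseSemver(got)
	w, wpre, wok := parseSemver(want)
	if !gok || !wok {
		return false
	}
	for i := range g {
		if g[i] != w[i] {
			return g[i] > w[i]
		}
	}
	return !gpre || wpre
}

// CryptoStatus returns the x/crypto version actually linked (honouring replace
// directives) and whether it is fixed; found=false means it is not linked at all.
func CryptoStatus(deps []*debug.Module) (version string, found, fixed bool) {
	for _, d := range deps {
		if d.Path != CryptoModule {
			continue
		}
		if d.Replace != nil {
			d = d.Replace // the replacement is what the linker actually used
		}
		return d.Version, true, VersionAtLeast(d.Version, CryptoFixed)
	}
	return "", false, false
}
```

Feed it `bi.Deps` from `buildinfo.ReadFile("<path to statsd_exporter>")` to verify the rebuild; a binary that does not link x/crypto at all also carries no CVE-2024-45337 finding.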


  • Add: statsd_exporter built with golang.org/x/crypto >= v0.31.0
  • Remove: statsd_exporter built with golang.org/x/crypto v0.27.0

Tip

Please add the scheduled-for/YY.M.X label, and add to the Stackable Engineering project.

Update tasks

  • Update boil-config.toml to reflect the agreed-upon versions in the spreadsheet (including the removal of old versions).
  • Create a new constraints file (see superset/README.md).
  • Create a file: superset/stackable/patches/x.y.z/.gitkeep, add patches if applicable.
  • Delete old constraint files and patch directories.
  • Update golang.org/x/crypto dependency in statsd_exporter to >= v0.31.0 and rebuild the binary.
  • Update other dependencies if applicable (e.g. python, auth_lib, cyclonedx-bom, etc.).
  • Check other operators (getting_started / kuttl / supported-versions) for usage of the versions. Add the PR(s) to the list below.
  • Ensure prerequisites are up to date (required-external-components.adoc).
  • Update the version in demos. Add the PR(s) to the list below.

Related Pull Requests

Tip

Delete any items that do not apply so that all applicable items can be checked.

  • Link to the docker-images PR (statsd_exporter rebuild with patched crypto)
  • Link to the operator PR (getting_started / kuttl / supported-versions)
  • Link to any other operator PRs (getting_started / kuttl)
  • Link to demo PR (raise against the main branch)
  • Link to the Release Notes PR in the documentation repo (if not a comment below)

Acceptance

Tip

This list should be completed by the assignee(s), once respective PRs have been merged. Once all items have been checked, the issue can be moved into Development: Done.

  • Can build image (either locally, or in CI)
  • Trivy scan of rebuilt image shows CVE-2024-45337 resolved (no CRITICAL findings for golang.org/x/crypto)
  • All kuttl tests pass (either locally, or in CI)
  • Release notes added to documentation and linked as a PR above
  • Release notes written in a comment below
  • Applicable release-note label added to this issue
<details> <summary>Testing instructions</summary>

```shell
# Verify the CVE is resolved after rebuild
trivy image oci.stackable.tech/sdp/superset:x.y.z-stackable0.0.0-dev | grep CVE-2024-45337
# Should return no results
```

Standard image build and test, where x.y.z is the new version added in this PR:

```shell
boil build superset=x.y.z --strip-architecture --load
kind load docker-image oci.stackable.tech/sdp/superset:x.y.z-stackable0.0.0-dev
```

Change directory into the superset-operator repository and update the product version in tests/test-definition.yaml, then run:

```shell
./scripts/run-tests --test-suite smoke-latest # or similar
```

</details>

Please consider updating this template if these instructions are wrong, or could be made clearer.
