
Update go-toolset version for CVEs #334


Merged
merged 1 commit into from
Oct 12, 2023

Conversation

anishasthana (Contributor)

jbusche (Collaborator) commented Oct 12, 2023

Hi @anishasthana and @tedhtchang
I built the image locally from this branch and see 43 fixable issues.
I then switched in the Dockerfile:

```dockerfile
FROM registry.access.redhat.com/ubi8/ubi-minimal:8.7
```
to
```dockerfile
FROM registry.access.redhat.com/ubi8/ubi-minimal:8.8
```

And this cleans up all the OS items and leaves just 8 Go items left from the /manager path:

C:0|H:1|M:7|L:0|T:8

| severity (C/H/M/L) | cvss | riskFactors | cve | link | hasFix | status | packageType | packageName | packageVersion |
|---|---|---|---|---|---|---|---|---|---|
| M | 5.4 | Has fix, Medium severity | PRISMA-2022-0270 | https://github.com/golang-jwt/jwt/issues/223 | Y | fixed in v4.4.3 | go | github.com/golang-jwt/jwt/v4 | v4.4.1 |
| M | 0 | Attack complexity: low, Attack vector: network, DoS - High, Has fix, Medium severity, Recent vulnerability | CVE-2023-39325 | https://nvd.nist.gov/vuln/detail/CVE-2023-39325 | Y | fixed in 0.17.0 | go | golang.org/x/net | v0.12.0 |
| M | 6.1 | Attack complexity: low, Attack vector: network, Has fix, Medium severity, Recent vulnerability | CVE-2023-3978 | https://nvd.nist.gov/vuln/detail/CVE-2023-3978 | Y | fixed in 0.13.0 | go | golang.org/x/net | v0.12.0 |
| M | 6.5 | Attack complexity: low, Attack vector: network, Has fix, Medium severity, Recent vulnerability | CVE-2023-29406 | https://nvd.nist.gov/vuln/detail/CVE-2023-29406 | Y | fixed in 1.20.6, 1.19.11 | app | go | 1.19.10 |
| M | 6.1 | Attack complexity: low, Attack vector: network, Has fix, Medium severity, Recent vulnerability | CVE-2023-39319 | https://nvd.nist.gov/vuln/detail/CVE-2023-39319 | Y | fixed in 1.21.1, 1.20.8 | app | go | 1.19.10 |
| H | 7.5 | Attack complexity: low, Attack vector: network, DoS - High, Has fix, High severity, Recent vulnerability | CVE-2023-39533 | https://nvd.nist.gov/vuln/detail/CVE-2023-39533 | Y | fixed in 1.20.7, 1.19.12 | app | go | 1.19.10 |
| M | 5.3 | Attack complexity: low, Attack vector: network, DoS - Low, Has fix, Medium severity, Recent vulnerability | CVE-2023-29409 | https://nvd.nist.gov/vuln/detail/CVE-2023-29409 | Y | fixed in 1.20.7, 1.19.12 | app | go | 1.19.10 |
| M | 6.1 | Attack complexity: low, Attack vector: network, Has fix, Medium severity, Recent vulnerability | CVE-2023-39318 | https://nvd.nist.gov/vuln/detail/CVE-2023-39318 | Y | fixed in 1.21.1, 1.20.8 | app | go | 1.19.10 |

If you look at the quay.io security scan for my two images, it shows the unmodified Dockerfile with 3 high and 18 fixable issues, whereas the ubi-minimal:8.8 one is clean (but the quay security scan doesn't catch the items in the /manager folder).

Signed-off-by: Anish Asthana <anishasthana1@gmail.com>
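The five `app / go` rows in the scan above carry a status of the form "fixed in 1.20.7, 1.19.12": the first patched release on each minor branch that still received a fix. Reading that field correctly is the whole question when choosing a go-toolset version, because a branch that is not listed never got the fix (1.19.12 clears CVE-2023-39533 but not CVE-2023-39318, which only shipped in 1.20.8 and 1.21.1). The program below is an added example, not code from this PR or from the project-codeflare repository: it parses those status strings, copied verbatim from the table, and reports which CVEs stay open on a candidate toolchain version. The branch rule it applies (same minor branch: compare patch level; newer than the newest listed fix: fixed; older or unlisted branch: still open) is an assumption about how the scanner's field should be interpreted, not something the scanner documents on this page.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// goVersion is a parsed Go toolchain version such as 1.19.10.
type goVersion struct{ major, minor, patch int }

// Finding is one "app / go" row of the scan table: the CVE and the
// first fixed release on each minor branch, sorted ascending.
type Finding struct {
	CVE     string
	FixedIn []goVersion
}

// parseGoVersion accepts "1.19.10", "go1.19.10" or "1.21" (patch 0).
func parseGoVersion(s string) (goVersion, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "go")
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return goVersion{}, fmt.Errorf("bad Go version %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return goVersion{}, fmt.Errorf("bad Go version %q", s)
		}
		n[i] = v
	}
	return goVersion{n[0], n[1], n[2]}, nil
}

func (a goVersion) less(b goVersion) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	return a.patch < b.patch
}

// NewFinding parses the scanner's status column ("fixed in 1.20.7, 1.19.12").
func NewFinding(cve, status string) (Finding, error) {
	status = strings.TrimPrefix(strings.TrimSpace(status), "fixed in")
	f := Finding{CVE: cve}
	for _, part := range strings.Split(status, ",") {
		v, err := parseGoVersion(part)
		if err != nil {
			return Finding{}, fmt.Errorf("%s: %w", cve, err)
		}
		f.FixedIn = append(f.FixedIn, v)
	}
	sort.Slice(f.FixedIn, func(i, j int) bool { return f.FixedIn[i].less(f.FixedIn[j]) })
	return f, nil
}

// IsFixed reports whether toolchain version v carries the fix for f
// (assumed rule: same minor branch compares patch; anything newer than the
// newest listed fix is fixed; an older or unlisted branch is still open).
func (f Finding) IsFixed(v string) (bool, error) {
	cur, err := parseGoVersion(v)
	if err != nil {
		return false, err
	}
	for _, fix := range f.FixedIn {
		if fix.major == cur.major && fix.minor == cur.minor {
			return cur.patch >= fix.patch, nil
		}
	}
	return f.FixedIn[len(f.FixedIn)-1].less(cur), nil
}

// Unfixed returns the CVEs still open on toolchain version v, in scan order.
func Unfixed(findings []Finding, v string) ([]string, error) {
	var open []string
	for _, f := range findings {
		ok, err := f.IsFixed(v)
		if err != nil {
			return nil, err
		}
		if !ok {
			open = append(open, f.CVE)
		}
	}
	return open, nil
}

// MustFindings holds the five app/go rows copied from the scan table above.
func MustFindings() []Finding {
	rows := [][2]string{
		{"CVE-2023-29406", "fixed in 1.20.6, 1.19.11"},
		{"CVE-2023-39319", "fixed in 1.21.1, 1.20.8"},
		{"CVE-2023-39533", "fixed in 1.20.7, 1.19.12"},
		{"CVE-2023-29409", "fixed in 1.20.7, 1.19.12"},
		{"CVE-2023-39318", "fixed in 1.21.1, 1.20.8"},
	}
	var out []Finding
	for _, r := range rows {
		f, err := NewFinding(r[0], r[1])
		if err != nil {
			panic(err)
		}
		out = append(out, f)
	}
	return out
}

func main() {
	findings := MustFindings()
	for _, v := range []string{"1.19.10", "1.19.12", "1.20.7", "1.20.8", "1.21.0"} {
		open, err := Unfixed(findings, v)
		if err != nil {
			panic(err)
		}
		fmt.Printf("go%-8s still open: %v\n", v, open)
	}
}
```

To feed it the version actually baked into the image rather than the Dockerfile's intent, read it off the binary with `go version -m /manager`, which also lists the module versions (golang.org/x/net, github.com/golang-jwt/jwt/v4) that the quay.io scan of the base image does not see.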
jbusche (Collaborator) left a comment

Looks good - thanks Anish! Big vulnerability improvement

openshift-ci bot commented Oct 12, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jbusche


jbusche (Collaborator) commented Oct 12, 2023

Ran it locally on my OC 4.13.4 cluster, looked good:

Appwrapper number is 20
....
All 20 appwrappers finished: 16:02:32
Total amount of time for 20 appwrappers is: 140 seconds

openshift-ci bot merged commit 79221d8 into project-codeflare:main Oct 12, 2023
anishasthana deleted the update_dockerfile branch October 13, 2023 00:07