
Bump indirect dependencies required to add Trivy tool dependency #19821


Merged (1 commit), May 1, 2025

Conversation

ivanvc
Member

@ivanvc ivanvc commented Apr 29, 2025

Spun off from #19804 (comment).

Alternative to #19819, it only bumps indirect dependencies required to add Trivy as a tool dependency.

Part of #19363.

Please read https://github.com/etcd-io/etcd/blob/main/CONTRIBUTING.md#contribution-flow.

Required to add Trivy as a tool dependency.

Signed-off-by: Ivan Valdes <[email protected]>
@ivanvc ivanvc mentioned this pull request Apr 29, 2025
@ivanvc ivanvc changed the title from "Bump indirect dependencies" to "Bump indirect dependencies required to add Trivy tool dependency" Apr 29, 2025
@ivanvc
Member Author

ivanvc commented Apr 29, 2025

/retest

@ivanvc
Member Author

ivanvc commented Apr 29, 2025

/retest

@joshjms
Member

joshjms commented Apr 29, 2025

/retest


codecov bot commented Apr 29, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 68.77%. Comparing base (2876a4e) to head (4d698b3).
Report is 42 commits behind head on main.


see 27 files with indirect coverage changes

@@            Coverage Diff             @@
##             main   #19821      +/-   ##
==========================================
- Coverage   68.80%   68.77%   -0.03%     
==========================================
  Files         421      421              
  Lines       35863    35863              
==========================================
- Hits        24675    24665      -10     
- Misses       9758     9764       +6     
- Partials     1430     1434       +4     


@ivanvc ivanvc requested a review from ahrtr April 29, 2025 22:43
@ahrtr
Member

ahrtr commented Apr 30, 2025

Sorry, I still do not get the point. Usually we don't bump indirect dependencies; I am not sure why you raised this PR.

As mentioned in #19804 (comment), the image scan script only needs to add the dependency github.com/aquasecurity/trivy. I don't see how the indirect dependencies (bumped in this PR) are required by github.com/aquasecurity/trivy.

Please correct me if I missed anything.

@ivanvc
Member Author

ivanvc commented May 1, 2025

Hi @ahrtr,

If I want to add the Trivy dependency to be managed by our tools/mod module, I need to bump indirect dependencies, because we have a CI check to ensure that dependencies are consistent. I did try to add only Trivy to the module without bumping dependencies, and this is the Prow job failure: https://prow.k8s.io/view/gs/kubernetes-ci-logs/pr-logs/pull/etcd-io_etcd/19804/pull-etcd-verify/1916021285796712448

If we don't want to bump these dependencies, the only other option would be to set a fixed version for Trivy, and manually bump it. i.e.,

TRIVY_VERSION=v0.61.1
curl -sSfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ./bin "${TRIVY_VERSION}"

The only issue with this approach is that we may forget to update the Trivy version, and I'm unsure if fetching the vulnerability database may fail for an out-of-date version.
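The consistency check referred to above, as an added example that is not etcd's own verify script: a small Go checker that parses the require directives of two go.mod files and reports every module the two require at different versions, the kind of mismatch that adding trivy to tools/mod without bumping the shared indirect dependencies produces. The two go.mod fragments (a root module and its tools/mod) are constructed for the example, not etcd's real files.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Requires maps module path -> version for every require directive of a go.mod,
// single-line or block form; "// indirect" markers and comments are ignored.
func Requires(gomod string) map[string]string {
	out, inBlock := map[string]string{}, false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line, _, _ := strings.Cut(strings.TrimSpace(sc.Text()), "//") // drop comment
		line = strings.TrimSpace(line)
		if line == "require (" || (inBlock && line == ")") {
			inBlock = line == "require (" // enter or leave a require block
			continue
		}
		f := strings.Fields(line)
		single := !inBlock && len(f) == 3 && f[0] == "require" // single-line form
		if single {
			f = f[1:]
		}
		if (inBlock || single) && len(f) == 2 { // module, go, replace, ... are skipped
			out[f[0]] = f[1]
		}
	}
	return out
}

// Inconsistent maps each module both go.mod files require at different versions to {vA, vB}.
func Inconsistent(a, b string) map[string][2]string {
	ra, rb := Requires(a), Requires(b)
	diffs := map[string][2]string{}
	for path, va := range ra {
		if vb, ok := rb[path]; ok && vb != va {
			diffs[path] = [2]string{va, vb}
		}
	}
	return diffs
}

// Constructed go.mod fragments (not etcd's real files) for the root module and tools/mod:
// adding trivy pulled a newer x/sys into tools/mod only, so the two modules disagree.
const rootMod = "module example.com/root\n\nrequire (\n\tgolang.org/x/sys v0.30.0\n\tgolang.org/x/text v0.22.0 // indirect\n)\n"
const toolsMod = "module example.com/root/tools/mod\n\nrequire github.com/aquasecurity/trivy v0.61.1\n\nrequire (\n\tgolang.org/x/sys v0.31.0 // indirect\n\tgolang.org/x/text v0.22.0 // indirect\n)\n"

func main() {
	fmt.Println(Inconsistent(rootMod, toolsMod)) // map[golang.org/x/sys:[v0.30.0 v0.31.0]]
}
```

A non-empty result is what such a CI check fails on; bumping the shared indirect dependency in both modules to the same version empties it.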

@ahrtr
Member

ahrtr commented May 1, 2025

because we have a CI check to ensure that dependencies are consistent.

Got it, thx for the clarification.

@k8s-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ahrtr, ivanvc


@ahrtr ahrtr merged commit 15e8ec7 into etcd-io:main May 1, 2025
38 checks passed
@ivanvc ivanvc deleted the update-indirect-dependencies branch May 1, 2025 17:04