[main] Fix #6429

[blackpiglet]

Remove CVE-2021-3121 affected github.com/gogo/protobuf version from go.sum

Thank you for contributing to Velero!

Please add a summary of your change

Does your change fix a particular issue?

Fixes #6429

Please indicate you've done the following:

• Accepted the DCO. Commits without the DCO will delay acceptance.
• Created a changelog file or added /kind changelog-not-required as a comment on this pull request.
• Updated the corresponding documentation in site/content/docs/main.

[codecov-commenter]

Codecov Report

Merging #6453 (a382016) into main (84eca51) will increase coverage by 0.01%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main    #6453      +/-   ##
==========================================
+ Coverage   59.14%   59.15%   +0.01%     
==========================================
  Files         229      229              
  Lines       24184    24193       +9     
==========================================
+ Hits        14303    14311       +8     
- Misses       8880     8882       +2     
+ Partials     1001     1000       -1     

see 3 files with indirect coverage changes

[anshulahuja98]

Thank you for the fix!

[anshulahuja98]

LGTM

[sseago]

This seems to be a false positive. As of go 1.17, all direct and indirect dependencies are included in go.mod. go.sum lists every dependency of every package prior to package version resolution, so multiple versions can be listed. Only one version of a package will be built, though, and that version should be specified in go.mod:

$ grep gogo go.mod 
	github.com/gogo/protobuf v1.3.2 // indirect

Also, go list -m all will list all modules for the build list, again only the (fixed) version is included:

$ go list -m all|grep gogo
github.com/gogo/protobuf v1.3.2

I also confirmed this by running go mod vendor locally:

$ grep gogo vendor/modules.txt 
# github.com/gogo/protobuf v1.3.2
github.com/gogo/protobuf/proto
github.com/gogo/protobuf/sortkeys

Note that Dependabot has stopped using go.sum for vulnerability scanning as well: https://github.blog/changelog/2023-03-07-dependency-graph-removes-go-sum-support/

[sseago]

Also, if you check PR/issue history, we fixed this CVE a while back, which is why the currently-included package for the build is the fixed version. I'd rather avoid replace directives when they're unnecessary as then later if a package requires a newer version of this package, the replace becomes a forced downgrade, which could introduce unexpected behavior or bugs.

[sseago]

I'd recommend that we close this PR as unnecessary, but holding off on that until the reported issue is closed.