fix: Fixing git-urls dependency using another fork of the repo

[BKirov]

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• The title of the PR conforms to the Toolchain Guide
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).
• My new feature complies with the feature status guidelines.
• I have added a brief description of why this PR is necessary and/or what this PR solves.
• Optional. My organization is added to USERS.md.
• Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

[crenshaw-dev]

Thanks, @BKirov! Can you fix the DCO check? Instructions are in the details link of the failed check.

[BKirov]

Fixed @crenshaw-dev

[jannfis]

I was wondering if we should use a replace rule to get rid of all the instances in github.com/whilp/git-urls across our dependencies.

[crenshaw-dev]

Yeah good idea, come to think of it @BKirov that's the only way to be sure we clear up your image scanners.

[BKirov]

fixed , can you please approve

[crenshaw-dev]

Hm. The vunlerable version is still showing up as an indirect dependency. Do you need two replaces?

github.com/whilp/git-urls v0.0.0-20191001220047-6db9661140c0 // indirect

[BKirov]

@crenshaw-dev @jannfis can you please approve

[crenshaw-dev]

Hm. The vunlerable version is still showing up as an indirect dependency. Do you need two replaces?

github.com/whilp/git-urls v0.0.0-20191001220047-6db9661140c0 // indirect

[BKirov]

@crenshaw-dev can you help with that ? where to put the second replace ? this line for the old github.com/whilp/git-urls v0.0.0-20191001220047-6db9661140c0 // indirect
was automatically created ....

[crenshaw-dev]

@BKirov I'm not super up on how go mod works, but I think you could just add it after the existing replace.

was automatically created

Yep, because it's a transient dependency. So we haven't quite eliminated the vulnerable code yet.

[BKirov]

So i am addint it like that ? @crenshaw-dev
// Avoid CVE-2023-46402
github.com/whilp/git-urls v1.0.0 => github.com/chainguard-dev/git-urls v1.0.2
github.com/whilp/git-urls v0.0.0-20191001220047-6db9661140c0 => github.com/chainguard-dev/git-urls v1.0.2

`bkirov@OT-MAC-C02GX0AZQ6LX argo-cd % go mod tidy

go: github.com/chainguard-dev/[email protected] used for two different module paths (github.com/chainguard-dev/git-urls and github.com/whilp/git-urls)`

[crenshaw-dev]

Suggested change

	github.com/whilp/git-urls v1.0.0 => github.com/chainguard-dev/git-urls v1.0.2
	github.com/whilp/git-urls => github.com/chainguard-dev/git-urls v1.0.2

Ah. That oughta do it.

[crenshaw-dev]

Don't commit the suggestion here though, do it locally and then run go mod tidy.

[BKirov]

@crenshaw-dev I am getting this locally and then here too :

go: github.com/chainguard-dev/[email protected] used for two different module paths (github.com/chainguard-dev/git-urls and github.com/whilp/git-urls)

[crenshaw-dev]

Trying fresh here: #17732

[crenshaw-dev]

Merged here: #17732

Thanks for your patience @BKirov, it turned out to be trickier than expected. :-)