x/crypto: Update golang.org/x/text to 0.3.7

[ristomcgehee]

x/crypto is currently using version 0.3.6 of golang.org/x/text which has a denial of service vulnerability: https://osv.dev/vulnerability/GO-2021-0113.

I would like to request that x/crypto updates its modules to use version 0.3.7 or higher of golang.org/x/text. Alternatively, if you're confident that x/crypto does not call the vulnerable functions, go ahead and close this issue.

[mengzhuo]

cc @FiloSottile @rolandshoemaker

[hyangah]

FYI govulncheck result came clean. (-all -json -tests, and even with -imports)
cc @zpavlinovic

[matthewhartstonge]

For what it's worth, golang.org/x/text is being dragged in indirectly via golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2.

This is causing some deep scanning vuln checkers to fire - i.e. Synk as it's reading go.sum.

Updating x/crypto to the latest version of /x/net will resolve this. As of 2022-01-22 x/net was updated to use x/text@v0.3.7 via golang/net@4395403

[gopherbot]

Change https://go.dev/cl/387654 mentions this issue: go.mod: update golang.org/x/net to latest

[FiloSottile]

Vulnerability scanners that detect this as a vulnerability are firing false positives, and I wish we didn't set the example that it's ok to cause work and churn in all unaffected downstream users of a package with a vulnerability.

This is the fifth CL we get to fix a vulnerability that does not affect the modules the CLs are filed against.

https://go-review.googlesource.com/c/net/+/241127
https://go-review.googlesource.com/c/net/+/374374
https://go-review.googlesource.com/c/build/+/378934
https://go-review.googlesource.com/c/crypto/+/374278/2#message-d211e0864e678482daa7e5cd8f2497e12d816914
https://go-review.googlesource.com/c/crypto/+/387654/

This kind of busywork and noise is what discourages packages from reporting vulnerabilities to the database, and precisely what we set out to avoid with govulncheck.

/cc @golang/vulndb @golang/security

[matthewhartstonge]

@FiloSottile 💯!

Trust me, I was annoyed at Synk once I worked out was going on...