Backport of [NET-8601] security: upgrade vault/api to remove go-jose.v2 into release/1.15.x

[hc-github-team-consul-core]

Backport

This PR is auto-generated from #20910 to be assessed for backporting due to the inclusion of the label backport/1.15.

🚨

Warning automatic cherry-pick of commits failed. If the first commit failed,
you will see a blank no-op commit below. If at least one commit succeeded, you
will see the cherry-picked commits up to, not including, the commit where
the merge conflict occurred.

The person who merged in the original PR is:
@zalimeni
This person should manually cherry-pick the original PR into a new backport PR,
and close this one when the manual backport PR is merged in.

merge conflict error: POST https://api.github.com/repos/hashicorp/consul/merges: 409 Merge conflict []

The below text is copied from the body of the original PR.

---

This dependency has an open vulnerability (GO-2024-2631 AKA CVE-2024-28180), and is no longer needed by the latest vault/api. This is a follow-up to the upgrade of go-jose/v3 in this repository to make all our dependencies consolidate on v3.

Also remove the recently added security scan triage block for GO-2024-2631, which was added due to incorrect reports that go-jose/v3@3.0.3 was impacted; in reality, is was this indirect client dependency (not impacted by CVE) that the scanner was flagging. A bug report has been filed to address the incorrect reporting.

This PR will fail some backports due to go.mod/go.sum conflicts, but opening w/ labels to ensure we don't forget. I'll fix up the backports that fail.

Description

• Upgrade vault/api to latest
• Remove triage block for go-jose from scanner config

Testing & Reproduction steps

CI including Security Scan continue to pass.

Links

Follow-up to #20901

PR Checklist

• updated test coverage
• external facing docs updated
• appropriate backport labels added
• not a security concern

---

Overview of commits

• 1c8e398

[github-team-consul-core-pr-approver]

Auto approved Consul Bot automated PR

[hashicorp-cla-app]

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes

---

temp seems not to be a GitHub user.
You need a GitHub account to be able to sign the CLA.
If you have already a GitHub account, please add the email address used for this commit to your account.

_{Have you signed the CLA already but the status is still pending? Recheck it.}