Upgrade github.com/crewjam/saml dep to v0.4.6 to resolve CVE-2020-26160

[jlourenc]

The aim of this PR is to resolve CVE-2020-26160 present in github.com/dgrijalva/jwt-go and imported in go-baseapp via github.com/crewjam/saml v0.4.5.

The CVE is fixed in github.com/crewjam/saml thanks to crewjam/saml#383, which has been released as part of v0.4.6.

However, this version also includes breaking changes which need fixing, the relevant ones being:

• Fix AuthN Request signing for HTTP-Redirect binding crewjam/saml#339
• artifact binding crewjam/saml#397

[palantirtech]

Thanks for your interest in palantir/go-baseapp, @jlourenc! Before we can accept your pull request, you need to sign our contributor license agreement - just visit https://cla.palantir.com/ and follow the instructions. Once you sign, I'll automatically update this pull request.

[bluekeyes]

This looks good to me, thank you for the update!

[jlourenc]

Thank you @bluekeyes for your quick action!

It'd be great to release a new version of the library so that palantir/go-githubapp's dependency can be upgraded too.

[bluekeyes]

Sure thing, I just tagged v0.3.1. While probably still a good idea to upgrade go-githubapp, it only depends on this module via the example package, which doesn't use the auth/saml package from here.

[jlourenc]

Thanks, that's great news.

Security bots like Dependabot or Renovatebot generally look at the dependency graph without much consideration whether the vulnerable code path and/or package is indeed used.

With that in mind, I think it'd be great for the community to release a v0.10.1 version of palantir/go-githubapp to move off the vulnerable version of crewjam/saml.

[asvoboda]

@jlourenc I tagged v0.10.1.