
[release/1.7] silence govulncheck false positives#11679

Merged
AkihiroSuda merged 1 commit intocontainerd:release/1.7from
AkihiroSuda:dev-1.7
Apr 11, 2025

Conversation

AkihiroSuda (Member) commented Apr 10, 2025

`govulncheck -mode=binary` detected the following vulns, but `-mode=source` says "your code doesn't appear to call these vulnerabilities."

```
=== Symbol Results ===

Vulnerability #1: GO-2025-3503
    HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
  More info: https://pkg.go.dev/vuln/GO-2025-3503
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.33.0
    Fixed in: golang.org/x/net@v0.36.0
    Vulnerable symbols found:
      #1: httpproxy.config.useProxy
      #2: httpproxy.domainMatch.match
      #3: proxy.Dial
      #4: proxy.FromEnvironment
      #5: proxy.FromEnvironmentUsing
      Use '-show traces' to see the other 3 found symbols

Vulnerability #2: GO-2025-3488
    Unexpected memory consumption during token parsing in golang.org/x/oauth2
  More info: https://pkg.go.dev/vuln/GO-2025-3488
  Module: golang.org/x/oauth2
    Found in: golang.org/x/oauth2@v0.11.0
    Fixed in: golang.org/x/oauth2@v0.27.0
    Vulnerable symbols found:
      #1: jws.Verify

Vulnerability #3: GO-2025-3487
    Potential denial of service in golang.org/x/crypto
  More info: https://pkg.go.dev/vuln/GO-2025-3487
  Module: golang.org/x/crypto
    Found in: golang.org/x/crypto@v0.31.0
    Fixed in: golang.org/x/crypto@v0.35.0
    Vulnerable symbols found:
      #1: ssh.Client.Dial
      #2: ssh.Client.DialContext
      #3: ssh.Client.DialTCP
      #4: ssh.Client.Listen
      #5: ssh.Client.ListenTCP
      Use '-show traces' to see the other 48 found symbols

Your code is affected by 3 vulnerabilities from 3 modules.
This scan found no other vulnerabilities in packages you import or modules you
require.
Use '-show verbose' for more details.
```

NOTE: Go version requirement is now bumped up from 1.21 to 1.23

Fix #11668
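The disagreement described above is structural: `-mode=binary` reports every vulnerable symbol that the linker kept in the binary and does no reachability analysis, while `-mode=source` builds a call graph and only counts a vulnerability as affecting you when a vulnerable symbol is reachable from your code. A CI gate that wants to act on the second signal but still track the first needs to read the two scans at the finding level. The Go program below is an added example, not code from this PR or from containerd: it reads `govulncheck -json` output, keeps the most precise level seen per OSV ID (module, package or symbol), and reports only symbol-level hits as actionable. The two embedded JSON streams are constructed to look like binary-mode and source-mode output for GO-2025-3503 and GO-2025-3488; they are not real govulncheck runs. The field names follow the `finding`/`trace` records of govulncheck's JSON protocol, with `trace[0]` being the vulnerable symbol; treat that layout as an assumption to check against the govulncheck version you run.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

// Level is how precisely a finding locates a vulnerability. Only Symbol
// means the vulnerable function is present (binary mode) or reachable
// (source mode); Module and Package hits are the "silence" candidates.
type Level int

const (
	None Level = iota
	Module
	Package
	Symbol
)

func (l Level) String() string {
	return [...]string{"none", "module", "package", "symbol"}[l]
}

// frame and finding mirror the govulncheck -json "finding" record fields
// this triage needs (assumed layout: trace[0] is the vulnerable symbol).
type frame struct {
	Module   string `json:"module"`
	Version  string `json:"version,omitempty"`
	Package  string `json:"package,omitempty"`
	Function string `json:"function,omitempty"`
	Receiver string `json:"receiver,omitempty"`
}

type finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version,omitempty"`
	Trace        []frame `json:"trace"`
}

// message is one object of the JSON stream; other record kinds
// (config, progress, osv) are ignored by the decoder.
type message struct {
	Finding *finding `json:"finding,omitempty"`
}

// Result summarises one OSV ID across all of its findings.
type Result struct {
	OSV     string
	Level   Level
	Fixed   string
	Symbols []string // pkg.Receiver.Function, symbol-level findings only
}

func frameLevel(f frame) Level {
	switch {
	case f.Function != "":
		return Symbol
	case f.Package != "":
		return Package
	default:
		return Module
	}
}

// symbolName renders a frame the way govulncheck prints it, e.g.
// "httpproxy.config.useProxy".
func symbolName(f frame) string {
	pkg := f.Package[strings.LastIndex(f.Package, "/")+1:]
	if f.Receiver != "" {
		return pkg + "." + f.Receiver + "." + f.Function
	}
	return pkg + "." + f.Function
}

// Triage reads a govulncheck -json stream and returns one Result per OSV,
// sorted by ID, keeping the most precise level observed for each.
func Triage(r io.Reader) ([]Result, error) {
	byOSV := map[string]*Result{}
	dec := json.NewDecoder(r)
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		if m.Finding == nil || len(m.Finding.Trace) == 0 {
			continue
		}
		f := m.Finding
		res, ok := byOSV[f.OSV]
		if !ok {
			res = &Result{OSV: f.OSV, Fixed: f.FixedVersion}
			byOSV[f.OSV] = res
		}
		if lvl := frameLevel(f.Trace[0]); lvl > res.Level {
			res.Level = lvl
		}
		if frameLevel(f.Trace[0]) == Symbol {
			res.Symbols = append(res.Symbols, symbolName(f.Trace[0]))
		}
	}
	out := make([]Result, 0, len(byOSV))
	for _, r := range byOSV {
		out = append(out, *r)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].OSV < out[j].OSV })
	return out, nil
}

// Actionable returns the OSV IDs a CI gate should fail on: those with at
// least one symbol-level finding.
func Actionable(results []Result) []string {
	var ids []string
	for _, r := range results {
		if r.Level == Symbol {
			ids = append(ids, r.OSV)
		}
	}
	return ids
}

// Constructed sample streams shaped like govulncheck -json output; not real
// scan results. Only the OSV IDs and module versions match the PR's report.
const binaryModeJSON = `
{"config":{"scanner_name":"govulncheck","scan_mode":"binary"}}
{"finding":{"osv":"GO-2025-3503","fixed_version":"v0.36.0","trace":[{"module":"golang.org/x/net","version":"v0.33.0","package":"golang.org/x/net/http/httpproxy","function":"useProxy","receiver":"config"}]}}
{"finding":{"osv":"GO-2025-3488","fixed_version":"v0.27.0","trace":[{"module":"golang.org/x/oauth2","version":"v0.11.0","package":"golang.org/x/oauth2/jws","function":"Verify"}]}}
`

const sourceModeJSON = `
{"config":{"scanner_name":"govulncheck","scan_mode":"source"}}
{"finding":{"osv":"GO-2025-3503","fixed_version":"v0.36.0","trace":[{"module":"golang.org/x/net","version":"v0.33.0"}]}}
{"finding":{"osv":"GO-2025-3503","fixed_version":"v0.36.0","trace":[{"module":"golang.org/x/net","version":"v0.33.0","package":"golang.org/x/net/http/httpproxy"}]}}
{"finding":{"osv":"GO-2025-3488","fixed_version":"v0.27.0","trace":[{"module":"golang.org/x/oauth2","version":"v0.11.0"}]}}
`

func main() {
	for _, mode := range []struct{ name, in string }{{"binary", binaryModeJSON}, {"source", sourceModeJSON}} {
		results, err := Triage(strings.NewReader(mode.in))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s mode:\n", mode.name)
		for _, r := range results {
			fmt.Printf("  %s level=%s fixed=%s symbols=%v\n", r.OSV, r.Level, r.Fixed, r.Symbols)
		}
		fmt.Printf("  fail CI on: %v\n", Actionable(results))
	}
}
```

Fed the binary-mode stream, `Actionable` returns both IDs; fed the source-mode stream, where the findings stop at module or package level, it returns nothing, which is the "doesn't appear to call these vulnerabilities" case. Upgrading the modules, as this PR does, makes both scans clean and is the simpler answer whenever the upgrade is cheap; the triage above is for the cases where it is not.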

@dosubot dosubot bot added the labels `dependencies` (Pull requests that update a dependency file) and `go` (Pull requests that update Go code) Apr 10, 2025
@AkihiroSuda AkihiroSuda force-pushed the dev-1.7 branch 2 times, most recently from 0492741 to bd41d73 Compare April 10, 2025 16:44
module github.com/containerd/containerd

go 1.21
go 1.23.0
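Review bot: the `go` directive moves from 1.21 to 1.23.0 on a patch-release branch, which raises the minimum toolchain for everyone building release/1.7 from source and for downstream modules that require it; the commit message records the bump, but it should also be stated in the release notes, and the CI matrix should be checked for any job still on a pre-1.23 toolchain. A patch-level directive such as `go 1.23.0` also changes failure behaviour: a Go 1.21 or 1.22 toolchain will, under the default GOTOOLCHAIN=auto, try to download go1.23.0 rather than fail, which surprises hermetic and offline builders and is worth one more line in the notes.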
AkihiroSuda (Member Author) commented on this change:

( Caused by golang/net@5095d0c )

`govulncheck -mode=binary` detected the following vulns, but `-mode=source` says "your code doesn't appear to call these vulnerabilities."

```
=== Symbol Results ===

Vulnerability #1: GO-2025-3503
    HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
  More info: https://pkg.go.dev/vuln/GO-2025-3503
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.33.0
    Fixed in: golang.org/x/net@v0.36.0
    Vulnerable symbols found:
      #1: httpproxy.config.useProxy
      #2: httpproxy.domainMatch.match
      #3: proxy.Dial
      #4: proxy.FromEnvironment
      #5: proxy.FromEnvironmentUsing
      Use '-show traces' to see the other 3 found symbols

Vulnerability #2: GO-2025-3488
    Unexpected memory consumption during token parsing in golang.org/x/oauth2
  More info: https://pkg.go.dev/vuln/GO-2025-3488
  Module: golang.org/x/oauth2
    Found in: golang.org/x/oauth2@v0.11.0
    Fixed in: golang.org/x/oauth2@v0.27.0
    Vulnerable symbols found:
      #1: jws.Verify

Vulnerability #3: GO-2025-3487
    Potential denial of service in golang.org/x/crypto
  More info: https://pkg.go.dev/vuln/GO-2025-3487
  Module: golang.org/x/crypto
    Found in: golang.org/x/crypto@v0.31.0
    Fixed in: golang.org/x/crypto@v0.35.0
    Vulnerable symbols found:
      #1: ssh.Client.Dial
      #2: ssh.Client.DialContext
      #3: ssh.Client.DialTCP
      #4: ssh.Client.Listen
      #5: ssh.Client.ListenTCP
      Use '-show traces' to see the other 48 found symbols

Your code is affected by 3 vulnerabilities from 3 modules.
This scan found no other vulnerabilities in packages you import or modules you
require.
Use '-show verbose' for more details.
```

NOTE: Go version requirement is now bumped up from 1.21 to 1.23

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
AkihiroSuda (Member Author) commented Apr 11, 2025

CI failure seems irrelevant

```
• [FAILED] [0.291 seconds]
[k8s.io] Networking runtime should support networking [It] runtime should support port mapping with host port and container port [Conformance]
github.com/kubernetes-sigs/cri-tools/pkg/validate/networking.go:108

  Timeline >>
  STEP: create a PodSandbox with host port and container port mapping @ 04/11/25 00:25:16.316
  Apr 11 00:25:16.604: INFO: Unexpected error occurred: rpc error: code = Unknown desc = failed to setup network for sandbox "7079324a39612decedbe5ed6383c5d486312709f981c7a0b82f613d5feaeb8ad": plugin type="portmap" failed (add): unable to create chain CNI-HOSTPORT-SETMARK: running [/usr/sbin/ip6tables -t nat -C CNI-HOSTPORT-SETMARK -m comment --comment CNI portfwd masquerade mark -j MARK --set-xmark 0x2000/0x2000 --wait]: exit status 2: Warning: Extension MARK revision 0 not supported, missing kernel module?
  ip6tables v1.8.9 (nf_tables): unknown option "--set-xmark"
  Try `ip6tables -h' or 'ip6tables --help' for more information.

  [FAILED] in [It] - github.com/kubernetes-sigs/cri-tools/pkg/framework/util.go:219 @ 04/11/25 00:25:16.604
  STEP: stop PodSandbox @ 04/11/25 00:25:16.604
  STEP: delete PodSandbox @ 04/11/25 00:25:16.605
  << Timeline

  [FAILED] failed to create PodSandbox: rpc error: code = Unknown desc = failed to setup network for sandbox "7079324a39612decedbe5ed6383c5d486312709f981c7a0b82f613d5feaeb8ad": plugin type="portmap" failed (add): unable to create chain CNI-HOSTPORT-SETMARK: running [/usr/sbin/ip6tables -t nat -C CNI-HOSTPORT-SETMARK -m comment --comment CNI portfwd masquerade mark -j MARK --set-xmark 0x2000/0x2000 --wait]: exit status 2: Warning: Extension MARK revision 0 not supported, missing kernel module?
  ip6tables v1.8.9 (nf_tables): unknown option "--set-xmark"
  Try `ip6tables -h' or 'ip6tables --help' for more information.
```

https://github.com/containerd/containerd/actions/runs/14385903219/job/40363087812?pr=11679

Likely to be an issue of the kernel:

austinvazquez (Member) commented:

@akhilerm reported the issue actions/runner-images#11985 for the CI failure.

@AkihiroSuda AkihiroSuda merged commit 237e96a into containerd:release/1.7 Apr 11, 2025
56 of 57 checks passed

Labels

dependencies (Pull requests that update a dependency file), go (Pull requests that update Go code), size/XXL
