
chore(deps): bump kataras/iris to 12.2.0-beta7 to resolve vulns #550

Closed
wants to merge 6 commits into from

Conversation

mdtro
Member

@mdtro mdtro commented Jan 25, 2023

Bumps github.com/kataras/iris from v12.2.0-beta5 to v12.2.0-beta7 to resolve some transitive vulnerabilities.

Resolves:

The CHANGELOG for v12.2.0-beta7 can be found here.

@codecov

codecov bot commented Jan 25, 2023

Codecov Report

Base: 78.80% // Head: 76.55% // Decreases project coverage by -2.26% ⚠️

Coverage data is based on head (dc2252f) compared to base (0a44c63).
Patch has no changes to coverable lines.

❗ Current head dc2252f differs from pull request most recent head 8719c6f. Consider uploading reports for the commit 8719c6f to get more accurate results

Additional details and impacted files
@@            Coverage Diff             @@
##           master     #550      +/-   ##
==========================================
- Coverage   78.80%   76.55%   -2.26%     
==========================================
  Files          38       30       -8     
  Lines        3860     3387     -473     
==========================================
- Hits         3042     2593     -449     
+ Misses        714      697      -17     
+ Partials      104       97       -7     
Impacted Files Coverage Δ
internal/otel/baggage/baggage.go 44.05% <0.00%> (-53.50%) ⬇️
span_recorder.go 75.86% <0.00%> (-13.80%) ⬇️
interfaces.go 93.22% <0.00%> (-0.12%) ⬇️
otel/span_map.go
otel/internal/utils/sentryrequest.go
internal/testutils/asserts.go
otel/propagator.go
otel/span_processor.go
otel/internal/utils/spanattributes.go
otel/event_processor.go
... and 5 more



@tonyo
Member

tonyo commented Jan 25, 2023

Hey @mdtro , for additional context, could you link to the changelog, and/or vulnerability report please?

@mdtro
Member Author

mdtro commented Jan 25, 2023

Hey @mdtro , for additional context, could you link to the changelog, and/or vulnerability report please?

Done! Apologies for not including it to begin with. 🙂

Member

@tonyo tonyo left a comment


Thanks! 🏄

Member

@cleptric cleptric left a comment


Please keep in mind that we're forcing Sentry users to upgrade iris by merging this.
This is kinda against our philosophy, but we got a lot of complaints about the Go SDK triggering some false positives in weird security scanners.

@mdtro
Member Author

mdtro commented Jan 25, 2023

Please keep in mind that we're forcing Sentry users to upgrade iris by merging this. This is kinda against our philosophy, but we got a lot of complaints about the Go SDK triggering some false positives in weird security scanners.

@cleptric I understand the concern. We are only moving from beta5 to beta7, but that definitely moves a lot of the indirect dependencies forward quite a few versions.

I second the SDKs generating false positives in the various security scanners. I used three different ones and ended up with three different answers. 🙃

v12.2.0-beta7 was released just over 30 days ago, so we want to wait a bit longer for any bugs to surface -- I think that's reasonable.


@cleptric
Member

Let's bite the bullet 😄

@cleptric cleptric enabled auto-merge (squash) February 16, 2023 12:38
@mdtro
Member Author

mdtro commented Feb 17, 2023

Ooph, the checks aren't happy. I'll add this to my list to dig in on early next week.

@github-actions

This pull request has gone three weeks without activity. In another week, I will close it.

But! If you comment or otherwise update it, I will reset the clock, and if you label it Status: Backlog or Status: In Progress, I will leave it alone ... forever!


"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀

@cleptric
Member

Part of #595

@cleptric cleptric closed this Mar 20, 2023
@cleptric cleptric deleted the mdtro/iris-12.2.0-beta7 branch March 20, 2023 14:55