ci: fix golang security

[auspham]

Why I did it

Currently there is a golang vulnerability golang.org/x/net (GHSA-qxp5-gwg8-xv66) which flagged since the x/net is 0.33.0 instead of 0.36.0. This could be a transitive module.

To address this, we can build grpcurl from source instead.

Work item tracking

• Microsoft ADO (number only): 36979761

How I did it

How to verify it

Which release branch to backport (provide reason below if selected)

• 202305
• 202311
• 202405
• 202411
• 202505
• 202511

Tested branch (Please provide the tested image version)

Description for the changelog

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)

[mssonicbld]

/azp run Azure.sonic-buildimage

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[Copilot]

Pull request overview

Updates the docker-ptf container build to remediate a reported Go module vulnerability by forcing grpcurl to be built from source with a newer golang.org/x/net version, aligning the PTF image with current security scanning expectations.

Changes:

• Switch grpcurl installation from go install ...@v1.9.3 to a source build from the grpcurl repo tag.
• Explicitly upgrade/pin golang.org/x/net to v0.36.0 during the grpcurl build to address GHSA-qxp5-gwg8-xv66.

[yijingyan2]

/azpw ms_conflict