
Fix: Update related kind labels and bump dependencies #754

Open

matthyx wants to merge 1 commit into main from backend-integration

Conversation

@matthyx (Contributor) commented Mar 18, 2026

Summary by CodeRabbit

  • Chores
    • Updated numerous third‑party dependencies across core Go libraries, observability, RPC, and container tooling to pick up performance, compatibility, and security improvements.
    • Refined metadata label handling and validation so resource metadata is more consistent (including normalized kind and cloud account identifiers) without changing public APIs.

@coderabbitai bot commented Mar 18, 2026

📝 Walkthrough

This PR updates multiple Go module dependencies in go.mod and changes label handling in the object cache: GetLabels now uses RelatedKindMetadataKey/RelatedNameMetadataKey, trims a leading "ECS" prefix from derived kind values, and switches validation from util.IsValidLabelValue to content.IsLabelValue.

Changes

Cohort: Dependency Updates
File(s): go.mod
Summary: Bumped many module versions (e.g., github.com/armosec/armoapi-go, github.com/kubescape/backend, github.com/kubescape/k8s-interface, github.com/kubescape/storage, golang.org/x/net, golang.org/x/sys, google.golang.org/grpc, OpenTelemetry and several indirects).

Cohort: Object cache label handling
File(s): pkg/objectcache/shared_container_data.go
Summary: Replaced KindMetadataKey/NameMetadataKey with RelatedKindMetadataKey/RelatedNameMetadataKey; trim "ECS" prefix from WLID-derived kind; switch label validation from validation.IsValidLabelValue/util.IsValidLabelValue to content.IsLabelValue; update cloud account key to CloudAccountIdentifierMetadataKey.

Cohort: Manifest / metadata lines
File(s): go.sum, go.mod (implicit)
Summary: Lines changed roughly +35/-35 reflecting dependency bumps and synced checksums.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes


Poem

🐰 I hopped through modules, nudged versions anew,
I renamed some labels and trimmed an "ECS" too.
Content checks now, no tumble or fall,
A tiny clean cache — a carrot for all! 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title accurately summarizes the two main changes in the PR: updating related kind labels (in shared_container_data.go) and bumping dependencies (in go.mod). It's concise and specific without being overly broad.


@coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Around line 403-414: The go.mod contains mismatched OpenTelemetry versions:
core modules (go.opentelemetry.io/otel, /trace, /metric, /sdk, etc.) are at
v1.42.0 while OTLP exporters
(go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp,
/otlpmetric/otlpmetrichttp, /otlptrace, /otlptrace/otlptracehttp) are still at
v1.38.0; update those exporter module versions to v1.42.0 to align with the core
modules (or alternatively downgrade the core modules to v1.38.0 if that is
required), ensuring go.mod entries for otlploghttp, otlpmetrichttp, otlptrace,
and otlptracehttp match the chosen version and then run go mod tidy to apply the
changes.

In `@pkg/objectcache/shared_container_data.go`:
- Around line 102-108: The code may produce empty normalized related labels
(e.g., labels[i] becomes "") after the switch on
helpersv1.RelatedKindMetadataKey / helpersv1.RelatedNameMetadataKey using
wlid.GetKindFromWlid or wlid.GetNameFromWlid; add a post-switch guard that
checks if labels[i] == "" and, if so, skip validation/processing for that entry
(same cleanup behavior as earlier) before calling content.IsLabelValue so you
don't emit incomplete metadata. Locate the switch block that assigns labels[i],
insert the empty-string check immediately after it, and return/continue/omit
that label from further validation/emit paths referenced by
content.IsLabelValue.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a456c779-5c9b-483d-92e9-e0297b8a5a79

📥 Commits

Reviewing files that changed from the base of the PR and between f673d45 and c0e73f7.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (2)
  • go.mod
  • pkg/objectcache/shared_container_data.go

Comment on lines +102 to 108
case helpersv1.RelatedKindMetadataKey:
labels[i] = strings.TrimPrefix(wlid.GetKindFromWlid(watchedContainer.Wlid), "ECS")
case helpersv1.RelatedNameMetadataKey:
labels[i] = wlid.GetNameFromWlid(watchedContainer.Wlid)
}
errs := validation.IsValidLabelValue(labels[i])
errs := content.IsLabelValue(labels[i])
if len(errs) != 0 {
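Review bot: strings.TrimPrefix on the RelatedKindMetadataKey case yields "" whenever the WLID kind is exactly "ECS", and the content.IsLabelValue call that follows cannot catch that, because an empty string is a syntactically valid Kubernetes label value; add `if labels[i] == "" { delete(labels, i); continue }` between the closing brace of the switch and the `errs :=` line so the cache never emits an empty related label. While here, confirm that content.IsLabelValue enforces the same label-value rules (63-character limit and allowed character set) as the validation.IsValidLabelValue call it replaces, so the swap does not loosen what reaches the API server.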

⚠️ Potential issue | 🟡 Minor

Guard against empty related labels after normalization.

Line 103 can normalize to an empty string, but empty-value cleanup currently happens earlier (Line 96). Add a post-switch empty check before validation to avoid emitting incomplete metadata.

💡 Suggested patch
 			switch i {
 			case helpersv1.RelatedKindMetadataKey:
 				labels[i] = strings.TrimPrefix(wlid.GetKindFromWlid(watchedContainer.Wlid), "ECS")
 			case helpersv1.RelatedNameMetadataKey:
 				labels[i] = wlid.GetNameFromWlid(watchedContainer.Wlid)
 			}
+			if labels[i] == "" {
+				delete(labels, i)
+				continue
+			}
 			errs := content.IsLabelValue(labels[i])
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/objectcache/shared_container_data.go` around lines 102 - 108, the code
may produce empty normalized related labels (e.g., labels[i] becomes "") after
the switch on helpersv1.RelatedKindMetadataKey /
helpersv1.RelatedNameMetadataKey using wlid.GetKindFromWlid or
wlid.GetNameFromWlid; add a post-switch guard that checks if labels[i] == ""
and, if so, skip validation/processing for that entry (same cleanup behavior as
earlier) before calling content.IsLabelValue so you don't emit incomplete
metadata. Locate the switch block that assigns labels[i], insert the
empty-string check immediately after it, and return/continue/omit that label
from further validation/emit paths referenced by content.IsLabelValue.
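As an added illustration of the guard this review asks for (example code, not code from node-agent): a simplified Go version of the related-label normalization, with the empty-string check placed between the switch and validation, and a Kubernetes-style label-value check standing in for content.IsLabelValue. The label keys and the WLID parser are assumptions, not the real helpersv1 and wlid packages.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Hypothetical label keys standing in for helpersv1.RelatedKindMetadataKey and
// helpersv1.RelatedNameMetadataKey (the real constants are not reproduced here).
const RelatedKindKey = "kubescape.io/workload-kind"
const RelatedNameKey = "kubescape.io/workload-name"
// Kubernetes label-value syntax: empty, or at most 63 chars of [A-Za-z0-9-_.]
// that begin and end with an alphanumeric character.
var labelValueRe = regexp.MustCompile(`^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$`)
func isLabelValue(v string) bool { return len(v) <= 63 && labelValueRe.MatchString(v) }
// kindAndNameFromWlid is a simplified stand-in (an assumption, not the wlid library)
// that splits the trailing "<kind>-<name>" segment of wlid://cluster-<c>/namespace-<ns>/<kind>-<name>.
func kindAndNameFromWlid(w string) (kind, name string) {
	kind, name, _ = strings.Cut(w[strings.LastIndex(w, "/")+1:], "-")
	return kind, name
}
// NormalizeRelatedLabels mirrors the reviewed switch: derive the related kind/name from
// the WLID, trim the "ECS" prefix, drop any entry that normalizes to "" (the missing
// guard), then validate what remains.
func NormalizeRelatedLabels(labels map[string]string, w string) error {
	kind, name := kindAndNameFromWlid(w)
	for key := range labels {
		switch key {
		case RelatedKindKey:
			labels[key] = strings.TrimPrefix(kind, "ECS")
		case RelatedNameKey:
			labels[key] = name
		}
		if labels[key] == "" { // "" is a valid label value, so validation alone would pass it
			delete(labels, key) // deleting during range is permitted in Go
			continue
		}
		if !isLabelValue(labels[key]) {
			return fmt.Errorf("label %q has invalid value %q", key, labels[key])
		}
	}
	return nil
}

func main() {
	labels := map[string]string{RelatedKindKey: "?", RelatedNameKey: "?", "app": "web"}
	err := NormalizeRelatedLabels(labels, "wlid://cluster-c/namespace-ns/ECS-svc") // constructed WLID
	fmt.Println(labels, err) // kind label dropped: map[app:web kubescape.io/workload-name:svc] <nil>
}
```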

@matthyx force-pushed the backend-integration branch from c0e73f7 to 4eab851 on March 18, 2026 19:42

@coderabbitai bot left a comment

♻️ Duplicate comments (1)
pkg/objectcache/shared_container_data.go (1)

102-108: ⚠️ Potential issue | 🟡 Minor

Add a post-normalization empty-value guard.

After Line 102-Line 105, a normalized related value can become empty (for example, kind "ECS" normalizes to ""), but empty cleanup currently happens only before the switch. Add a second empty check before Line 107 validation.

💡 Proposed patch
 			switch i {
 			case helpersv1.RelatedKindMetadataKey:
 				labels[i] = strings.TrimPrefix(wlid.GetKindFromWlid(watchedContainer.Wlid), "ECS")
 			case helpersv1.RelatedNameMetadataKey:
 				labels[i] = wlid.GetNameFromWlid(watchedContainer.Wlid)
 			}
+			if labels[i] == "" {
+				delete(labels, i)
+				continue
+			}
 			errs := content.IsLabelValue(labels[i])
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/objectcache/shared_container_data.go` around lines 102 - 108, after you
normalize the related value inside the switch (the cases using
wlid.GetKindFromWlid(watchedContainer.Wlid) and
wlid.GetNameFromWlid(watchedContainer.Wlid) that assign to labels[i]), add a
post-normalization guard that skips validation if labels[i] is now empty (e.g.,
if strings.TrimPrefix returned an empty string) before calling
content.IsLabelValue(labels[i]); in short, ensure labels[i] is checked for == ""
right after the switch and return/continue or skip adding errors so
content.IsLabelValue is not run on an empty normalized value.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@pkg/objectcache/shared_container_data.go`:
- Around line 102-108: After you normalize the related value inside the switch
(the cases using wlid.GetKindFromWlid(watchedContainer.Wlid) and
wlid.GetNameFromWlid(watchedContainer.Wlid) that assign to labels[i]), add a
post-normalization guard that skips validation if labels[i] is now empty (e.g.,
if strings.TrimPrefix returned an empty string) before calling
content.IsLabelValue(labels[i]); in short, ensure labels[i] is checked for == ""
right after the switch and return/continue or skip adding errors so
content.IsLabelValue is not run on an empty normalized value.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b4af0e9e-5088-4032-9e82-46cd79cc48ee

📥 Commits

Reviewing files that changed from the base of the PR and between c0e73f7 and 4eab851.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (2)
  • go.mod
  • pkg/objectcache/shared_container_data.go

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
@matthyx force-pushed the backend-integration branch from 4eab851 to 386e450 on March 19, 2026 20:53

@coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 58: Update the pinned dependency for google.golang.org/grpc from v1.79.2
to v1.79.3 (or newer) in go.mod to address GHSA-p77j-4mvh-x3m3, then refresh
module metadata by re-resolving modules (e.g., run the equivalent of go get to
the new version and run go mod tidy) so go.sum is updated; target the dependency
named google.golang.org/grpc and ensure no other code references a stricter
version constraint.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f03f7af7-9862-436e-9914-1cf08fc68a31

📥 Commits

Reviewing files that changed from the base of the PR and between 4eab851 and 386e450.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (2)
  • go.mod
  • pkg/objectcache/shared_container_data.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • pkg/objectcache/shared_container_data.go

golang.org/x/sys v0.42.0
gonum.org/v1/plot v0.14.0
google.golang.org/grpc v1.77.0
google.golang.org/grpc v1.79.2
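Review bot: this bump lands google.golang.org/grpc on v1.79.2, which the OSV Scanner finding on this PR flags for GHSA-p77j-4mvh-x3m3 (authorization bypass via a missing leading slash in :path), so the dependency update still ships a known-vulnerable release; move the requirement to v1.79.3 or newer, run go mod tidy so go.sum follows, and check that no indirect requirement still resolves to v1.79.2.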

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify whether google.golang.org/grpc@v1.79.2 is affected and identify fixed versions via OSV.
set -euo pipefail

payload='{
  "package": {"ecosystem": "Go", "name": "google.golang.org/grpc"},
  "version": "1.79.2"
}'

curl -sS https://api.osv.dev/v1/query -d "$payload" \
| jq '{
    affected: (.vulns // [] | map({id, summary, aliases, fixed: ([.affected[]?.ranges[]?.events[]?.fixed] | flatten | unique)}))
  }'

Repository: kubescape/node-agent

Length of output: 334


Upgrade vulnerable google.golang.org/grpc version before merge.

Line 58 pins google.golang.org/grpc v1.79.2, which contains GHSA-p77j-4mvh-x3m3 (authorization bypass via missing leading slash in :path). Upgrade to v1.79.3 or newer and re-tidy modules.

🧰 Tools
🪛 OSV Scanner (2.3.3)

[CRITICAL] 58-58: google.golang.org/grpc 1.79.2: gRPC-Go has an authorization bypass via missing leading slash in :path

(GHSA-p77j-4mvh-x3m3)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 58, update the pinned dependency for google.golang.org/grpc
from v1.79.2 to v1.79.3 (or newer) in go.mod to address GHSA-p77j-4mvh-x3m3,
then refresh module metadata by re-resolving modules (e.g., run the equivalent
of go get to the new version and run go mod tidy) so go.sum is updated; target
the dependency named google.golang.org/grpc and ensure no other code references
a stricter version constraint.
