OCPBUGS-85649: bump gRPC-Go package #16442

Open

jhadvig wants to merge 1 commit into openshift:main from jhadvig:OCPBUGS-83940

Conversation

@jhadvig (Member) commented May 14, 2026

Analysis / Root cause:

CVE-2026-33186 (OCPBUGS-83940) — gRPC-Go versions
prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2
:path pseudo-header. The gRPC-Go server accepts requests where :path omits the mandatory leading
slash, causing path-based authorization interceptors (including grpc/authz) to fail matching deny
rules.

The console backend uses gRPC-Go v1.72.2 as an indirect (transitive) dependency — it does not run a
gRPC server or use gRPC authorization interceptors, so the vulnerability is not exploitable in
practice. However, the dependency must be bumped to satisfy security scanners and compliance
requirements.

Solution description:

Bump google.golang.org/grpc from v1.72.2 to v1.79.3 via go get, go mod tidy, and go mod vendor.
This also pulls in minor transitive dependency updates:

  • cel.dev/expr v0.24.0 → v0.25.1
  • go.opentelemetry.io/auto/sdk v1.1.0 → v1.2.1
  • go.opentelemetry.io/otel v1.36.0 → v1.39.0
  • golang.org/x/oauth2 v0.30.0 → v0.34.0
  • google.golang.org/genproto/googleapis/api and /rpc updated
  • google.golang.org/protobuf v1.36.8 → v1.36.10

No Go source code changes — only go.mod, go.sum, and vendor/ are modified.

Screenshots / screen recording:

N/A — backend dependency bump, no UI changes.

Test setup:

No special setup required.

Test cases:

  • Backend builds successfully (./build-backend.sh)
  • All backend unit tests pass (./test-backend.sh)
  • CI passes

Browser conformance:

N/A — no frontend changes.

Additional info:

  • CVE: CVE-2026-33186
  • Jira: OCPBUGS-85649
  • Exploitability: None. The console does not import google.golang.org/grpc in any pkg/ or cmd/
    Go files. It is pulled in transitively by k8s.io/apiserver, helm.sh/helm/v3,
    operator-framework/*, and other upstream modules. The console runs a pure HTTP/HTTPS server — no gRPC
    server, no gRPC authorization interceptors.

Reviewers and assignees:

/assign @jon

Summary by CodeRabbit

  • Chores
    • Updated core project dependencies to latest compatible versions, including libraries for authentication, observability, and gRPC communication. These routine updates enhance security, improve stability and performance, and ensure alignment with current standards and best practices.

@openshift-ci-robot added the labels jira/severity-important (Referenced Jira bug's severity is important for the branch this PR is targeting) and jira/valid-reference (Indicates that this PR references a valid Jira ticket of any type) on May 14, 2026
@openshift-ci-robot (Contributor) commented

@jhadvig: This pull request references Jira Issue OCPBUGS-83940, which is invalid:

  • expected the vulnerability to target either version "5.0." or "openshift-5.0.", but it targets "4.22.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Analysis / Root cause:

CVE-2026-33186 (OCPBUGS-83940) — gRPC-Go versions
prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2
:path pseudo-header. The gRPC-Go server accepts requests where :path omits the mandatory leading
slash, causing path-based authorization interceptors (including grpc/authz) to fail matching deny
rules.

The console backend uses gRPC-Go v1.72.2 as an indirect (transitive) dependency — it does not run a
gRPC server or use gRPC authorization interceptors, so the vulnerability is not exploitable in
practice. However, the dependency must be bumped to satisfy security scanners and compliance
requirements.

Solution description:

Bump google.golang.org/grpc from v1.72.2 to v1.79.3 via go get, go mod tidy, and go mod vendor.
This also pulls in minor transitive dependency updates:

  • cel.dev/expr v0.24.0 → v0.25.1
  • go.opentelemetry.io/auto/sdk v1.1.0 → v1.2.1
  • go.opentelemetry.io/otel v1.36.0 → v1.39.0
  • golang.org/x/oauth2 v0.30.0 → v0.34.0
  • google.golang.org/genproto/googleapis/api and /rpc updated
  • google.golang.org/protobuf v1.36.8 → v1.36.10

No Go source code changes — only go.mod, go.sum, and vendor/ are modified.

Screenshots / screen recording:

N/A — backend dependency bump, no UI changes.

Test setup:

No special setup required.

Test cases:

  • Backend builds successfully (./build-backend.sh)
  • All backend unit tests pass (./test-backend.sh)
  • CI passes

Browser conformance:

N/A — no frontend changes.

Additional info:

  • CVE: CVE-2026-33186
  • Jira: OCPBUGS-83940
  • Exploitability: None. The console does not import google.golang.org/grpc in any pkg/ or cmd/
    Go files. It is pulled in transitively by k8s.io/apiserver, helm.sh/helm/v3,
    operator-framework/*, and other upstream modules. The console runs a pure HTTP/HTTPS server — no gRPC
    server, no gRPC authorization interceptors.

Reviewers and assignees:

/assign @spadgett

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
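The exploitability argument in the description quoted above rests on one checkable claim: no file under pkg/ or cmd/ imports google.golang.org/grpc directly, and the module is present only because vendored upstream modules import it. The following added Go program (not part of this PR or of the console) is one way to substantiate that claim mechanically. It parses only the import blocks of every .go file under a root, skipping vendor/ so that upstream copies do not count as first-party use, and reports the files that import the module or any package beneath it. The sample tree it scans is constructed inline and mirrors the layout described in the PR (first-party code under cmd/ and pkg/, a vendored apiserver package that imports grpc); the module path example.invalid/console is an assumption used only for the sample files.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"io/fs"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// directImporters walks root and returns every .go file (relative to root,
// slash-separated) whose import block names modulePath or a package beneath
// it. vendor/ is skipped on purpose: vendored upstream modules do import
// grpc, and counting them would not answer the question being asked, which
// is whether the project's own code does.
func directImporters(root, modulePath string) ([]string, error) {
	var hits []string
	fset := token.NewFileSet()
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.IsDir() {
			if d.Name() == "vendor" || d.Name() == "testdata" || d.Name() == "node_modules" {
				return filepath.SkipDir
			}
			return nil
		}
		if !strings.HasSuffix(p, ".go") {
			return nil
		}
		// ImportsOnly stops parsing after the import block, so the scan is
		// cheap even on a large tree.
		f, err := parser.ParseFile(fset, p, nil, parser.ImportsOnly)
		if err != nil {
			return err
		}
		for _, imp := range f.Imports {
			ip, err := strconv.Unquote(imp.Path.Value)
			if err != nil {
				return err
			}
			// Match the module itself or a subpackage, but not a module that
			// merely shares a prefix (e.g. google.golang.org/grpc-something).
			if ip == modulePath || strings.HasPrefix(ip, modulePath+"/") {
				rel, _ := filepath.Rel(root, p)
				hits = append(hits, filepath.ToSlash(rel))
				break
			}
		}
		return nil
	})
	return hits, err
}

// writeFile creates rel under root, making parent directories as needed.
func writeFile(root, rel, src string) error {
	p := filepath.Join(root, filepath.FromSlash(rel))
	if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
		return err
	}
	return os.WriteFile(p, []byte(src), 0o644)
}

// buildSampleTree lays out a constructed miniature of the layout described in
// the PR: first-party code under cmd/ and pkg/ that uses net/http and a
// Kubernetes library, and a vendored upstream package that imports grpc.
func buildSampleTree(root string) error {
	files := map[string]string{
		"cmd/bridge/main.go":   "package main\n\nimport (\n\t\"net/http\"\n\n\t\"example.invalid/console/pkg/server\"\n)\n\nfunc main() { http.ListenAndServe(\":9000\", server.Handler()) }\n",
		"pkg/server/server.go": "package server\n\nimport \"net/http\"\n\nfunc Handler() http.Handler { return http.NewServeMux() }\n",
		"pkg/proxy/egress.go":  "package proxy\n\nimport _ \"k8s.io/apiserver/pkg/server/egressselector\"\n",
		"vendor/k8s.io/apiserver/pkg/server/egressselector/egress_selector.go": "package egressselector\n\nimport _ \"google.golang.org/grpc\"\n",
	}
	for rel, src := range files {
		if err := writeFile(root, rel, src); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root, err := os.MkdirTemp("", "import-scan-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err := buildSampleTree(root); err != nil {
		panic(err)
	}
	hits, err := directImporters(root, "google.golang.org/grpc")
	if err != nil {
		panic(err)
	}
	fmt.Printf("first-party importers of google.golang.org/grpc: %d %v\n", len(hits), hits)
}
```

Run against the real repository root, an empty result confirms the "no direct import" sentence, but it does not by itself prove the vulnerable code is unreachable: transitively imported packages are still compiled into the binary. `go list -deps ./... | grep google.golang.org/grpc` shows what is actually linked, `go mod why -m google.golang.org/grpc` shows which dependency pulls it in, and govulncheck (golang.org/x/vuln) reports whether the affected symbols are reachable from the console's call graph, which is the distinction that scanners reading only go.mod cannot make.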

@openshift-ci-robot added the label jira/invalid-bug (Indicates that a referenced Jira bug is invalid for the branch this PR is targeting) on May 14, 2026
@openshift-ci bot requested review from rhamilto and spadgett on May 14, 2026 13:20
@openshift-ci bot added the label approved (Indicates a PR has been approved by an approver from all required OWNERS files) on May 14, 2026
@coderabbitai (Contributor, bot) commented May 14, 2026

📝 Walkthrough

Walkthrough

This pull request updates the go.mod file with multiple dependency version bumps across the Go backend stack. Key updates include OAuth2 authentication libraries (v0.34.0), OpenTelemetry instrumentation and tracing modules (v1.39.0), gRPC and protobuf libraries (v1.79.3 and v1.36.10 respectively), and CEL expression evaluation. These are predominantly patch and minor version increments, affecting observability, authentication, and RPC communication infrastructure used by the OpenShift Console backend.

🚥 Pre-merge checks: 11 passed, 1 failed

Failed checks (1 warning)

  • Title check (⚠️ Warning): Title references a gRPC bump but lists OCPBUGS-85649 while PR objectives show OCPBUGS-83940; title partially captures the main change (dependency updates) but is incomplete and contains a ticket number mismatch. Resolution: correct the ticket number to OCPBUGS-83940 and optionally include the CVE reference or mention indirect dependencies for clarity.

Passed checks (11 passed)

  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names (✅ Passed): Not applicable. This PR only modifies dependencies (go.mod/go.sum/vendor/). No test files or source code changed. Project uses testify/testing, not Ginkgo.
  • Test Structure And Quality (✅ Passed): This PR contains only Go dependency updates (go.mod, go.sum, vendor/). No Ginkgo tests are present in the codebase or modified in this PR. The custom check is not applicable to dependency-only PRs.
  • Microshift Test Compatibility (✅ Passed): Custom check not applicable. PR only updates Go module dependencies (go.mod/go.sum/vendor); no new Ginkgo e2e tests are added. MicroShift compatibility check applies only to new test code.
  • Single Node Openshift (SNO) Test Compatibility (✅ Passed): PR contains only Go module dependency updates (go.mod, go.sum, vendor/) with no new Ginkgo e2e tests. SNO compatibility check is not applicable.
  • Topology-Aware Scheduling Compatibility (✅ Passed): Pure dependency update (go.mod only). No deployment manifests, operator code, or controller changes. Custom check scoped to code changes; not applicable.
  • OTE Binary Stdout Contract (✅ Passed): PR contains only dependency updates with no source code changes. The OTE Binary Stdout Contract check evaluates process-level code patterns for stdout violations, which is not applicable here.
  • IPv6 And Disconnected Network Test Compatibility (✅ Passed): PR is a Go module dependency update only (gRPC v1.79.3). No new Ginkgo e2e tests added. Custom check for IPv6/disconnected network compatibility is not applicable.
  • Description check (✅ Passed): PR description comprehensively addresses all template sections with clear analysis, solution details, CVE context, and testing evidence.

@coderabbitai (Contributor, bot) left a review comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Around line 189-191: Update the OpenTelemetry module versions in go.mod for
go.opentelemetry.io/otel, go.opentelemetry.io/otel/metric, and
go.opentelemetry.io/otel/trace from v1.39.0 to v1.41.0 (or later) to remediate
GHSA-mh2q-q3fh-2475; after changing those module lines, run go mod tidy (and
optionally go test / go build) to refresh go.sum and ensure compatibility across
the three packages.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 27d0bf78-f2ab-4614-8964-42a3c51918ee

📥 Commits

Reviewing files that changed from the base of the PR and between 0390b3d and 5e6a918.

⛔ Files ignored due to path filters (155)
  • go.sum is excluded by !**/*.sum
  • vendor/cel.dev/expr/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/cel.dev/expr/MODULE.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/cel.dev/expr/checked.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/cel.dev/expr/eval.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/cel.dev/expr/explain.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/cel.dev/expr/syntax.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/cel.dev/expr/value.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/id.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/number.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/span.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/status.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/traces.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/value.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/span.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/auto/sdk/tracer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/.clomonitor.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/.codespellignore is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/.golangci.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/.lycheeignore is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/CODEOWNERS is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/Makefile is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/RELEASING.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/SECURITY-INSIGHTS.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/VERSIONING.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/encoder.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/filter.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/hash.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/internal/attribute.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/internal/xxhash/xxhash.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/iterator.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/key.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/kv.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/set.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/type_string.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/attribute/value.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/baggage/baggage.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/codes/codes.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/dependencies.Dockerfile is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/internal/global/internal_logging.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/internal/global/meter.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/internal/global/trace.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/metric.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/metric/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/metric/config.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/propagation/baggage.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/propagation/propagation.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/propagation/trace_context.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.37.0/MIGRATION.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.37.0/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.37.0/attribute_group.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.37.0/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.37.0/error_type.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.37.0/exception.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/semconv/v1.37.0/schema.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/auto.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/config.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/hex.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/internal/telemetry/attr.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/internal/telemetry/id.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/internal/telemetry/value.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/noop.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/noop/noop.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/span.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/trace.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/trace/tracestate.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/go.opentelemetry.io/otel/versions.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/oauth2/deviceauth.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/oauth2/oauth2.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/oauth2/pkce.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/oauth2/token.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/oauth2/transport.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/checked.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/eval.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/explain.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/syntax.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/value.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/MAINTAINERS.md is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/balancer/balancer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/balancer/endpointsharding/endpointsharding.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/balancer/pickfirst/internal/internal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/balancer/pickfirst/pickfirst.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/balancer/subconn.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/balancer_wrapper.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/clientconn.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/credentials/credentials.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/credentials/insecure/insecure.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/credentials/tls.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/dialoptions.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/encoding/encoding.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/encoding/internal/internal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/encoding/proto/proto.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/experimental/stats/metricregistry.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/experimental/stats/metrics.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/interceptor.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/balancer/weight/weight.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/buffer/unbounded.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/channelz/trace.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/credentials/credentials.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/envconfig/envconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/envconfig/xds.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/experimental.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/grpcsync/callback_serializer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/grpcsync/event.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/idle/idle.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/internal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/resolver/dns/dns_resolver.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/stats/metrics_recorder_list.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/stats/stats.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/status/status.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/transport/client_stream.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/transport/controlbuf.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/transport/flowcontrol.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/transport/handler_server.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/transport/http2_client.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/transport/http2_server.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/transport/http_util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/transport/server_stream.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/transport/transport.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/mem/buffer_pool.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/mem/buffer_slice.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/mem/buffers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/picker_wrapper.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/preloader.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/resolver/resolver.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/resolver_wrapper.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/rpc_util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/server.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/stats/handlers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/stats/stats.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/stream.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/editionssupport/editions.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/filedesc/desc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/filedesc/desc_init.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/filedesc/editions.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/version/version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/reflect/protodesc/desc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/reflect/protodesc/desc_init.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/reflect/protodesc/proto.go is excluded by !**/vendor/**, !vendor/**
  • vendor/modules.txt is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (1)
  • go.mod
📜 Review details
🧰 Additional context used
📓 Path-based instructions (2)
**/*

📄 CodeRabbit inference engine (STYLEGUIDE.md)

Use lowercase dash-separated names for all files (to avoid git issues with case-insensitive file systems)

Files:

  • go.mod
go.mod

📄 CodeRabbit inference engine (README.md)

go.mod: Pin backend dependencies to an exact semver, sha, or git tag with no caret (^) operator
When updating backend dependencies, commit dependency changes separately from code changes with two commits: first code changes, then vendor changes

Files:

  • go.mod
🪛 OSV Scanner (2.3.8)
go.mod

[HIGH] 189-189: go.opentelemetry.io/otel 1.39.0: OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote dos amplification)

(GHSA-mh2q-q3fh-2475)

🔀 Multi-repo context openshift/console-operator

openshift/console-operator findings

  • go.mod references indirect upgraded modules:

    • cel.dev/expr v0.24.0 // indirect — go.mod:31 [::openshift/console-operator::go.mod:31]
    • go.opentelemetry.io/auto/sdk v1.1.0 // indirect — go.mod:82 [::openshift/console-operator::go.mod:82]
    • go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 // indirect — go.mod:83 [::openshift/console-operator::go.mod:83]
    • go.opentelemetry.io/otel v1.36.0 // indirect — go.mod:85 [::openshift/console-operator::go.mod:85]
    • golang.org/x/oauth2 v0.30.0 // indirect — go.mod:98 [::openshift/console-operator::go.mod:98]
    • google.golang.org/grpc v1.72.2 // indirect — go.mod:106 [::openshift/console-operator::go.mod:106]
    • google.golang.org/protobuf v1.36.8 // indirect — go.mod:107 [::openshift/console-operator::go.mod:107]
  • go.sum contains entries for the older versions (pre-bump) of these modules (examples):

    • cel.dev/expr v0.24.0 — go.sum:1 [::openshift/console-operator::go.sum:1]
    • go.opentelemetry.io/auto/sdk v1.1.0 — go.sum:224 [::openshift/console-operator::go.sum:224]
    • go.opentelemetry.io/otel v1.36.0 — go.sum:230 [::openshift/console-operator::go.sum:230]
    • golang.org/x/oauth2 v0.30.0 — go.sum:273 [::openshift/console-operator::go.sum:273]
    • google.golang.org/grpc v1.72.2 — go.sum:311 [::openshift/console-operator::go.sum:311]
    • google.golang.org/protobuf v1.36.8 — go.sum:313 [::openshift/console-operator::go.sum:313]
  • Vendored code (vendor/) pulls in grpc usage across dependencies (shows consumers/transitive users):

    • sigs.k8s.io/apiserver-network-proxy konnectivity-client uses google.golang.org/grpc — vendor/sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/client/client.go:30 [::openshift/console-operator::vendor/sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/client/client.go:30]
    • Generated gRPC stubs reference grpc in multiple vendored pb files (example): vendor/sigs.k8s.io/apiserver-network-proxy/.../client_grpc.pb.go:26 [::openshift/console-operator::vendor/sigs.k8s.io/apiserver-network-proxy/konnectivity-client/proto/client/client_grpc.pb.go:26]
    • k8s.io kms API generated gRPC files reference grpc — vendor/k8s.io/kms/apis/v1beta1/api_grpc.pb.go:44 and vendor/k8s.io/kms/apis/v2/api_grpc.pb.go:44 [::openshift/console-operator::vendor/k8s.io/kms/apis/v1beta1/api_grpc.pb.go:44] [::openshift/console-operator::vendor/k8s.io/kms/apis/v2/api_grpc.pb.go:44]
    • k8s.io apiserver packages import grpc (eg. apiserver/pkg/server/egressselector/egress_selector.go:34) — vendor/k8s.io/apiserver/pkg/server/egressselector/egress_selector.go:34 [::openshift/console-operator::vendor/k8s.io/apiserver/pkg/server/egressselector/egress_selector.go:34]
    • etcd client imports grpc — vendor/go.etcd.io/etcd/client/v3/client.go:27 [::openshift/console-operator::vendor/go.etcd.io/etcd/client/v3/client.go:27]
    • grpc-related instrumentation and otel packages present in vendor (examples: vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc listed in vendor/modules.txt) — vendor/modules.txt:448-451 [::openshift/console-operator::vendor/modules.txt:448-451]

Quick interpretation (observed facts only): the repository currently vendors grpc and many transitive packages that import/use google.golang.org/grpc (k8s libs, etcd, apiserver-network-proxy, generated pb files, grpc-ecosystem libs, otel instrumentation). The PR updates the indirect google.golang.org/grpc (and related transitive modules) in go.mod/go.sum/vendor to a fixed newer version; no direct source-level grpc server code in console-operator root was detected in the search results.

🔇 Additional comments (1)
go.mod (1)

34-34: LGTM!

Also applies to: 50-50, 187-187, 204-207

Comment thread go.mod
Comment on lines +189 to +191
go.opentelemetry.io/otel v1.39.0 // indirect
go.opentelemetry.io/otel/metric v1.39.0 // indirect
go.opentelemetry.io/otel/trace v1.39.0 // indirect
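Review bot: the three go.opentelemetry.io/otel modules (otel, otel/metric, otel/trace) land at v1.39.0 here, which the OSV Scanner result in this same review flags as affected by GHSA-mh2q-q3fh-2475 (affected range 1.36.0 to <1.41.0). Since the three modules are versioned in lockstep, move all of them to v1.41.0 or later in this PR rather than in a follow-up, then re-run go mod tidy and go mod vendor so go.sum and vendor/modules.txt track the change; otherwise the bump replaces one scanner finding with another.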
@coderabbitai (bot) commented on the lines above

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Fetching GHSA details from OSV..."
curl -s https://api.osv.dev/v1/vulns/GHSA-mh2q-q3fh-2475 | jq '{
  id,
  summary,
  aliases,
  affected: [.affected[] | {
    module: .package.name,
    ecosystem: .package.ecosystem,
    ranges: .ranges
  }]
}'

echo
echo "Checking whether go.opentelemetry.io/otel@v1.39.0 is reported as affected..."
curl -s https://api.osv.dev/v1/query -H "Content-Type: application/json" \
  -d '{"package":{"name":"go.opentelemetry.io/otel","ecosystem":"Go"},"version":"1.39.0"}' \
  | jq '{vulns: [.vulns[]?.id]}'

Repository: openshift/console

Length of output: 2033


🏁 Script executed (no clone):

#!/bin/bash
set -euo pipefail

echo "Fetching GHSA-mh2q-q3fh-2475 details from OSV..."
curl -s https://api.osv.dev/v1/vulns/GHSA-mh2q-q3fh-2475 | jq '{
  id,
  summary,
  aliases,
  affected: [.affected[] | {
    module: .package.name,
    ecosystem: .package.ecosystem,
    ranges: .ranges
  }]
}'

echo
echo "Checking whether go.opentelemetry.io/otel@v1.39.0 is reported as affected..."
curl -s https://api.osv.dev/v1/query -H "Content-Type: application/json" \
  -d '{"package":{"name":"go.opentelemetry.io/otel","ecosystem":"Go"},"version":"1.39.0"}' \
  | jq '{vulns: [.vulns[]?.id]}'

Length of output: 746


🏁 Script executed:

#!/bin/bash
# Check the exact versions of otel-related packages in go.mod
grep -A 2 "go.opentelemetry.io/otel" go.mod | head -20

Repository: openshift/console

Length of output: 291


Upgrade OpenTelemetry packages to fix DoS vulnerability (GHSA-mh2q-q3fh-2475).

go.opentelemetry.io/otel v1.39.0 is affected by a remote DoS amplification vulnerability through multi-value baggage header extraction. Affected versions: 1.36.0 to <1.41.0. Upgrade otel, otel/metric, and otel/trace to v1.41.0 or later together.

🧰 Tools
🪛 OSV Scanner (2.3.8)

[HIGH] 189-189: go.opentelemetry.io/otel 1.39.0: OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote dos amplification)

(GHSA-mh2q-q3fh-2475)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 189 - 191, update the OpenTelemetry module versions in
go.mod for go.opentelemetry.io/otel, go.opentelemetry.io/otel/metric, and
go.opentelemetry.io/otel/trace from v1.39.0 to v1.41.0 (or later) to remediate
GHSA-mh2q-q3fh-2475; after changing those module lines, run go mod tidy (and
optionally go test / go build) to refresh go.sum and ensure compatibility across
the three packages.
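
As an added example, not part of this PR or of the CodeRabbit tooling, the Go program below performs offline the kind of check that the OSV scanner and the curl/jq scripts above run against go.mod: it parses require entries (including `// indirect` pins, where the console's grpc and otel requirements live) and compares each pinned version against a constructed advisory table holding the two ranges named in this thread (gRPC-Go fixed in v1.79.3; otel affected from v1.36.0 up to but excluding v1.41.0). The advisory table, its single-range simplification, the version ordering helper and the go.mod excerpt in main are assumptions made for the example, not OSV data or this repository's files.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)
// Constructed from the two findings on this PR, simplified to: affected iff introduced <= v < fixed.
var advisories = []struct{ id, module, introduced, fixed string }{
	{"CVE-2026-33186", "google.golang.org/grpc", "v0.0.0", "v1.79.3"},
	{"GHSA-mh2q-q3fh-2475", "go.opentelemetry.io/otel", "v1.36.0", "v1.41.0"},
}
// semver parses "vMAJOR.MINOR.PATCH[-suffix]" numerically (so v1.79.3 > v1.9.0); pseudo-version suffixes are dropped.
func semver(v string) (n [3]int) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "-")
	for i, p := range strings.SplitN(v, ".", 3) {
		n[i], _ = strconv.Atoi(p)
	}
	return n
}
// semverLess reports a < b, comparing major, then minor, then patch.
func semverLess(a, b string) bool {
	x, y := semver(a), semver(b)
	return x[0] < y[0] || x[0] == y[0] && (x[1] < y[1] || x[1] == y[1] && x[2] < y[2])
}
// requiredVersions maps module path -> pinned version from go.mod require entries (block or single-line form), keeping "// indirect" ones.
func requiredVersions(gomod string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop the "// indirect" comment before splitting fields
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) == 2 && strings.HasPrefix(f[1], "v") {
			out[f[0]] = f[1]
		}
	}
	return out
}
// Affected returns the ids of advisories whose range contains the version pinned in gomod.
func Affected(gomod string) []string {
	pins, hits := requiredVersions(gomod), []string{}
	for _, a := range advisories {
		if v, ok := pins[a.module]; ok && !semverLess(v, a.introduced) && semverLess(v, a.fixed) {
			hits = append(hits, a.id)
		}
	}
	return hits
}
func main() { // constructed go.mod excerpt mirroring this PR: grpc fixed, otel still inside the affected range
	fmt.Println(Affected("require (\n\tgoogle.golang.org/grpc v1.79.3 // indirect\n\tgo.opentelemetry.io/otel v1.39.0 // indirect\n)\n"))
}
```

Run against the repository's real go.mod, the same logic reproduces the review finding: the grpc bump clears CVE-2026-33186 while otel v1.39.0 stays inside the GHSA-mh2q-q3fh-2475 range.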

@jhadvig jhadvig changed the title OCPBUGS-83940: bump gRPC-Go package OCPBUGS-85649: bump gRPC-Go package May 14, 2026
@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels May 14, 2026
@openshift-ci-robot

@jhadvig: This pull request references Jira Issue OCPBUGS-85649, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Analysis / Root cause:

CVE-2026-33186 (OCPBUGS-83940) — gRPC-Go versions
prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2
:path pseudo-header. The gRPC-Go server accepts requests where :path omits the mandatory leading
slash, causing path-based authorization interceptors (including grpc/authz) to fail matching deny
rules.

The console backend uses gRPC-Go v1.72.2 as an indirect (transitive) dependency — it does not run a
gRPC server or use gRPC authorization interceptors, so the vulnerability is not exploitable in
practice. However, the dependency must be bumped to satisfy security scanners and compliance
requirements.

Solution description:

Bump google.golang.org/grpc from v1.72.2 to v1.79.3 via go get, go mod tidy, and go mod vendor.
This also pulls in minor transitive dependency updates:

  • cel.dev/expr v0.24.0 → v0.25.1
  • go.opentelemetry.io/auto/sdk v1.1.0 → v1.2.1
  • go.opentelemetry.io/otel v1.36.0 → v1.39.0
  • golang.org/x/oauth2 v0.30.0 → v0.34.0
  • google.golang.org/genproto/googleapis/api and /rpc updated
  • google.golang.org/protobuf v1.36.8 → v1.36.10

No Go source code changes — only go.mod, go.sum, and vendor/ are modified.

Screenshots / screen recording:

N/A — backend dependency bump, no UI changes.

Test setup:

No special setup required.

Test cases:

  • Backend builds successfully (./build-backend.sh)
  • All backend unit tests pass (./test-backend.sh)
  • CI passes

Browser conformance:

N/A — no frontend changes.

Additional info:

  • CVE: CVE-2026-33186
  • Jira: OCPBUGS-83940
  • Exploitability: None. The console does not import google.golang.org/grpc in any pkg/ or cmd/
    Go files. It is pulled in transitively by k8s.io/apiserver, helm.sh/helm/v3,
    operator-framework/*, and other upstream modules. The console runs a pure HTTP/HTTPS server — no gRPC
    server, no gRPC authorization interceptors.

Reviewers and assignees:

/assign @jon

Summary by CodeRabbit

  • Chores
  • Updated core project dependencies to latest compatible versions, including libraries for authentication, observability, and gRPC communication. These routine updates enhance security, improve stability and performance, and ensure alignment with current standards and best practices.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
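
The failure mode restated in the quoted description (a :path pseudo-header without the mandatory leading slash that never matches a path-keyed deny rule) is easiest to see side by side with the fail-closed form. This is an added Go illustration, not grpc-go's or grpc/authz's code: the deny rule, the service and method names, and the shape check in validatePath are constructed assumptions; what it shows is that pseudo-header validation has to run before policy evaluation and reject anything malformed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Illustrative only: a path-keyed deny rule of the kind the PR describes for grpc/authz (constructed name).
var denyRules = map[string]bool{"/console.v1.Admin/DeleteCluster": true}

// validatePath enforces what a gRPC server should require of the HTTP/2 :path pseudo-header
// before any policy is evaluated: non-empty, absolute (leading "/"), and of "/Service/Method" shape.
func validatePath(path string) error {
	switch {
	case path == "":
		return errors.New(":path is empty")
	case !strings.HasPrefix(path, "/"):
		return errors.New(":path is not absolute (missing leading slash)")
	case strings.Count(path, "/") != 2 || strings.HasSuffix(path, "/"):
		return errors.New(":path is not of the form /Service/Method")
	}
	return nil
}

// authorizeLax matches deny rules against the raw :path. A request carrying "console.v1.Admin/DeleteCluster"
// (no leading slash) never matches the rule and is allowed: the failure mode the advisory describes.
func authorizeLax(path string) bool {
	return !denyRules[path]
}

// authorizeStrict validates the pseudo-header first and fails closed, so a malformed path can never
// slip past a deny rule; only well-formed paths ever reach the rule lookup.
func authorizeStrict(path string) (bool, error) {
	if err := validatePath(path); err != nil {
		return false, err
	}
	return !denyRules[path], nil
}

func main() {
	for _, p := range []string{"/console.v1.Admin/DeleteCluster", "console.v1.Admin/DeleteCluster", ""} { // constructed requests
		ok, err := authorizeStrict(p)
		fmt.Printf("%-35q lax=%v strict=%v err=%v\n", p, authorizeLax(p), ok, err)
	}
}
```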

@openshift-ci-robot

@jhadvig: This pull request references Jira Issue OCPBUGS-85649, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Leo6Leo commented May 14, 2026

Verified locally against a live OCP 4.23.0 (main) nightly cluster with clusterbot:

  • go mod verify — all modules verified
  • ./build-backend.sh — builds cleanly
  • ./test-backend.sh — all tests pass (except pre-existing pkg/helm/actions env issue)
  • Bridge binary starts, binds to port 9000, serves static assets and health endpoint (HTTP 200), shuts down cleanly
  • Confirmed no direct google.golang.org/grpc imports in pkg/ or cmd/ — transitive dependency only

/lgtm
/verified by @Leo6Leo

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label May 14, 2026
@openshift-ci-robot

@Leo6Leo: This PR has been marked as verified by @Leo6Leo.


@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 14, 2026
openshift-ci Bot commented May 14, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jhadvig, Leo6Leo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot

/retest-required

Remaining retests: 0 against base HEAD fd28c3e and 2 for PR HEAD 5e6a918 in total

@openshift-merge-bot

/retest-required

Remaining retests: 0 against base HEAD 13eb35a and 1 for PR HEAD 5e6a918 in total

openshift-ci Bot commented May 15, 2026

@jhadvig: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Labels

  • approved: Indicates a PR has been approved by an approver from all required OWNERS files.
  • jira/severity-important: Referenced Jira bug's severity is important for the branch this PR is targeting.
  • jira/valid-bug: Indicates that a referenced Jira bug is valid for the branch this PR is targeting.
  • jira/valid-reference: Indicates that this PR references a valid Jira ticket of any type.
  • lgtm: Indicates that a PR is ready to be merged.
  • verified: Signifies that the PR passed pre-merge verification criteria.
