NO-ISSUE: Bump google.golang.org/grpc v1.79.3 to fix CVE-2026-33186

[kunalmemane]

Bump google.golang.org/grpc v1.79.3 to fix CVE-2026-33186

Summary by CodeRabbit

• Chores
  • Updated indirect dependencies to the latest compatible versions.

[openshift-ci-robot]

@kunalmemane: This pull request explicitly references no jira issue.

Details

In response to this:

Bump google.golang.org/grpc v1.79.3 to fix CVE-2026-33186

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

This PR updates indirect dependencies in go.mod. The CEL expression library is bumped from v0.24.0 to v0.25.1. OpenTelemetry packages (otel, auto/sdk, and related modules) are upgraded alongside transitive dependencies in the golang.org/x/* and google.golang.org/* namespaces.

Changes

Dependency Version Updates

Layer / File(s)	Summary
CEL library upgrade go.mod	Indirect dependency cel.dev/expr bumped from v0.24.0 to v0.25.1.
OpenTelemetry and transitive ecosystem go.mod	go.opentelemetry.io packages (otel, auto/sdk, metric, sdk, trace) upgraded to v1.39.0 and v1.2.1; transitive golang.org/x/* modules (crypto, net, oauth2, sync, sys, term, text, tools) and google.golang.org/* modules (genproto, grpc, protobuf) updated to newer versions.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 10 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Microshift Test Compatibility	⚠️ Warning	New Ginkgo e2e tests use ClusterOperator API (config.openshift.io/v1) unavailable on MicroShift without protective labels.	Add [apigroup:config.openshift.io] tags to network_policy.go tests, or [Skipped:MicroShift] labels. Add guards for openshift-etcd and openshift-monitoring namespace assumptions.
Single Node Openshift (Sno) Test Compatibility	⚠️ Warning	New Ginkgo e2e tests lack SNO compatibility. testHeadlessStatefulServingCertSecretDeleteData uses 3 StatefulSet replicas. Network policy enforcement tests require cross-pod connectivity patterns.	Add [Skipped:SingleReplicaTopology] labels or SNO topology checks. testHeadlessStatefulServingCertSecretDeleteData and network policy enforcement tests need protection.

✅ Passed checks (10 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and specifically addresses the main change: bumping google.golang.org/grpc to fix a critical CVE vulnerability.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	No Ginkgo tests found in the codebase. The check is not applicable to this PR which only updates go.mod dependencies. Codebase uses standard Go testing package, not Ginkgo.
Test Structure And Quality	✅ Passed	The custom check reviews Ginkgo test code quality. This PR only updates go.mod, go.sum, and vendored dependencies—no Ginkgo test files are modified. The check is not applicable to this PR.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only modifies dependencies (go.mod, go.sum, vendor/). No deployment manifests, operator code, or scheduling constraints have been modified. Custom check not applicable.
Ote Binary Stdout Contract	✅ Passed	No OTE Binary Stdout Contract violations found. The service-ca-operator-tests-ext binary has no process-level stdout writes. klog.Fatal() in main() writes to stderr by default.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR does not add any new Ginkgo e2e tests. It only updates vendor dependencies (go.mod, go.sum, and vendored files). The IPv6 and disconnected network compatibility check is not applicable.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign gangwgr for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 84: The otel module versions in go.mod are pinned to vulnerable releases
(go.opentelemetry.io/otel v1.39.0 and related sdk/metric/trace indirect
entries); update the dependency versions to safe releases (upgrade
go.opentelemetry.io/otel to >= v1.41.0 and the otel/sdk modules to >= v1.43.0)
by editing go.mod to replace the listed versions and then run `go get`/`go mod
tidy` to fetch and lock the new versions so the vulnerable GHSA issues are
resolved.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c83224b8-8519-4c5f-84c3-031e03e6f798

📥 Commits

Reviewing files that changed from the base of the PR and between e7ccfa3 and e28ab5a.

⛔ Files ignored due to path filters (239)

• go.sum is excluded by !**/*.sum
• vendor/cel.dev/expr/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
• vendor/cel.dev/expr/MODULE.bazel is excluded by !**/vendor/**, !vendor/**
• vendor/cel.dev/expr/checked.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/cel.dev/expr/eval.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/cel.dev/expr/explain.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/cel.dev/expr/syntax.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/cel.dev/expr/value.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/id.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/number.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/span.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/status.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/traces.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/value.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/auto/sdk/span.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/auto/sdk/tracer.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/.clomonitor.yml is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/.codespellignore is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/.golangci.yml is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/.lycheeignore is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/CODEOWNERS is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/LICENSE is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/Makefile is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/RELEASING.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/SECURITY-INSIGHTS.yml is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/VERSIONING.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/encoder.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/filter.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/hash.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/internal/attribute.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/internal/xxhash/xxhash.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/iterator.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/key.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/kv.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/set.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/type_string.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/value.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/baggage/baggage.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/codes/codes.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/dependencies.Dockerfile is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/internal/global/internal_logging.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/internal/global/meter.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/internal/global/trace.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/metric.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/metric/LICENSE is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/metric/config.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/propagation/baggage.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/propagation/propagation.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/propagation/trace_context.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/LICENSE is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/internal/x/features.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/internal/x/x.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/builtin.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/container.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/env.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/host_id.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/host_id_bsd.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/host_id_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/host_id_unsupported.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/host_id_windows.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/os.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/os_release_unix.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/os_unix.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/os_unsupported.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/process.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/resource.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/batch_span_processor.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/id_generator.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/env/env.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/batch_span_processor.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/simple_span_processor.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/tracer.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/provider.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/sampling.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/simple_span_processor.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/snapshot.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/span.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/span_limits.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/tracer.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/version.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/version.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/internal/http.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/MIGRATION.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/attribute_group.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/error_type.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/exception.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/otelconv/metric.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/schema.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/LICENSE is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/auto.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/config.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/hex.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/internal/telemetry/attr.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/internal/telemetry/id.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/internal/telemetry/value.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/noop.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/noop/noop.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/span.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/trace.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/tracestate.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/version.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/versions.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/transport.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/trace/events.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/oauth2/deviceauth.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/oauth2/oauth2.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/oauth2/pkce.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/oauth2/token.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/oauth2/transport.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/cpu/cpu.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/cpu/cpu_arm64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/cpu/cpu_arm64.s is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/cpu/cpu_gc_arm64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/cpu/cpu_gccgo_arm64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/cpu/cpu_netbsd_arm64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/cpu/cpu_openbsd_arm64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/mkerrors.sh is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_386.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_arm.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mips.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_netbsd_arm.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/encoding/japanese/eucjp.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/encoding/japanese/iso2022jp.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/encoding/japanese/shiftjis.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/encoding/korean/euckr.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/encoding/simplifiedchinese/gbk.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/encoding/simplifiedchinese/hzgb2312.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/encoding/traditionalchinese/big5.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/encoding/unicode/unicode.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/ast/inspector/cursor.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/genproto/googleapis/api/annotations/annotations.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/google.golang.org/genproto/googleapis/api/annotations/client.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/google.golang.org/genproto/googleapis/api/annotations/field_behavior.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/google.golang.org/genproto/googleapis/api/annotations/field_info.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/google.golang.org/genproto/googleapis/api/annotations/http.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/google.golang.org/genproto/googleapis/api/annotations/resource.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/google.golang.org/genproto/googleapis/api/annotations/routing.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/checked.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/eval.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/explain.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/syntax.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/value.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/google.golang.org/genproto/googleapis/api/httpbody/httpbody.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/google.golang.org/genproto/googleapis/api/launch_stage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/MAINTAINERS.md is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/balancer/balancer.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/balancer/endpointsharding/endpointsharding.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/balancer/pickfirst/internal/internal.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/balancer/pickfirst/pickfirst.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/balancer/subconn.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/balancer_wrapper.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/clientconn.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/credentials/credentials.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/credentials/insecure/insecure.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/credentials/tls.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/dialoptions.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/encoding/encoding.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/encoding/gzip/gzip.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/encoding/internal/internal.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/encoding/proto/proto.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/experimental/stats/metricregistry.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/experimental/stats/metrics.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/health/grpc_health_v1/health.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/health/grpc_health_v1/health_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/interceptor.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/balancer/weight/weight.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/buffer/unbounded.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/channelz/trace.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/credentials/credentials.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/envconfig/envconfig.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/envconfig/xds.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/experimental.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/grpcsync/callback_serializer.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/grpcsync/event.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/idle/idle.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/internal.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/resolver/dns/dns_resolver.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/stats/metrics_recorder_list.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/stats/stats.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/status/status.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/client_stream.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/controlbuf.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/flowcontrol.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/handler_server.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/http2_client.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/http2_server.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/http_util.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/server_stream.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/transport.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/mem/buffer_pool.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/mem/buffer_slice.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/mem/buffers.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/picker_wrapper.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/preloader.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/resolver/resolver.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/resolver_wrapper.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/rpc_util.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/server.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/stats/handlers.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/stats/stats.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/stream.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/version.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/internal/editionssupport/editions.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/internal/filedesc/desc.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/internal/filedesc/desc_init.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/internal/filedesc/editions.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/internal/version/version.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/reflect/protodesc/desc.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/reflect/protodesc/desc_init.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/reflect/protodesc/proto.go is excluded by !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (1)

• go.mod

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

go.opentelemetry.io/otel v1.39.0 GHSA-mh2q-q3fh-2475 vulnerability details

💡 Result:

GHSA-mh2q-q3fh-2475 (in go.opentelemetry.io/otel) is a denial-of-service risk caused by multi-value W3C Baggage header extraction allocating/parsing excessively. Affected versions - go.opentelemetry.io/otel/baggage: >= v1.36.0, <= v1.40.0 [1] What the vulnerability is - The advisory describes that multi-value baggage: header extraction parses each header field-value independently and then aggregates members across values. This allows an attacker to amplify CPU and allocations by sending many baggage: header lines, even if each individual value is within the 8192-byte per-value parse limit. [1] - The call site is propagation/baggage.go:58 (extractMultiBaggage), where attacker-controlled inbound HTTP request headers (many baggage field-values) flow through propagation.HeaderCarrier.Values("baggage") and then repeatedly call baggage.Parse plus member aggregation. [1] Impact - In a default net/http configuration (max header bytes 1mb), a single request with many baggage: header field-values can cause large per-request allocations and increased latency. [1] Expected vs actual behavior - Expected: multiple baggage header field-values should be semantically equivalent to a single comma-joined baggage value and should not multiply parsing/alloc work within the effective header byte budget. [1] - Actual: multiple baggage header field-values trigger repeated parsing and member aggregation, causing high per-request allocations and increased latency even when each individual value is within 8192 bytes. [1] Mitigations / Fix guidance (from the advisory) - The advisory recommends avoiding repeated parsing across multi-values by enforcing a global budget and/or normalizing multi-values into a single value before parsing (e.g., treat multi-values as a single comma-joined string and cap total parsed bytes; example given: 8192 bytes total). [1] Release context for “v1.39.0” - The advisory covers go.opentelemetry.io/otel/baggage versions up to and including v1.40.0 (so v1.39.0 is within the stated affected range). [1]

Citations:

• 1: GHSA-mh2q-q3fh-2475

---

🌐 Web query:

go.opentelemetry.io/otel/sdk v1.39.0 PATH hijacking vulnerability latest fix

💡 Result:

The go.opentelemetry.io/otel/sdk v1.39.0 is vulnerable to a PATH hijacking vulnerability (CVE-2026-24051, GHSA-9h8m-3fm2-qjrq), allowing arbitrary code execution on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the 'ioreg' command without an absolute path, enabling local attackers to hijack via PATH modification.[1][2][3] This was fixed in commit d45961b ("WithHostID detector... to use full path for ioreg command on Darwin (macOS)"), included in v1.40.0 released on 2026-02-02.[1][3][4][5] Upgrade to v1.40.0 or later (latest is v1.43.0 as of 2026-04).[6][4][7] A follow-up issue (CVE-2026-39883) affected BSD/Solaris in v1.40.0-v1.42.0 due to unpatched 'kenv' command; upgrade beyond v1.42.0 for full protection.[8]

Citations:

• 1: https://scout.docker.com/vulnerabilities/id/CVE-2026-24051?n=sdk&ns=go.opentelemetry.io%2Fotel&s=github&t=golang&vr=%3E%3D1.21.0%2C%3C1.40.0
• 2: GHSA-9h8m-3fm2-qjrq
• 3: GHSA-9h8m-3fm2-qjrq
• 4: https://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.40.0
• 5: https://vulert.com/vuln-db/opentelemetry-go-sdk-vulnerable-to-arbitrary-code-execution-via-path-hijacking-in-go-opentelemetry-i-
• 6: https://github.com/open-telemetry/opentelemetry-go
• 7: open-telemetry/opentelemetry-go@v1.37.0...v1.43.0
• 8: https://scout.docker.com/vulnerabilities/id/CVE-2026-39883?n=sdk&ns=go.opentelemetry.io%2Fotel&s=github&t=golang&vr=%3E%3D1.15.0%2C%3C%3D1.42.0

---

🏁 Script executed:

#!/bin/bash
# Check for latest secure versions and advisories for OpenTelemetry packages
echo "=== Checking go.opentelemetry.io/otel ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 5, ecosystem: GO, package: "go.opentelemetry.io/otel") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
        identifiers {
          type
          value
        }
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

echo ""
echo "=== Checking go.opentelemetry.io/otel/sdk ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 5, ecosystem: GO, package: "go.opentelemetry.io/otel/sdk") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
        identifiers {
          type
          value
        }
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: openshift/service-ca-operator

Length of output: 1366

---

🏁 Script executed:

cat -n go.mod | sed -n '80,92p'

Repository: openshift/service-ca-operator

Length of output: 926

---

Critical: OpenTelemetry packages updated to vulnerable versions.

go.opentelemetry.io/otel v1.39.0, metric v1.39.0, sdk v1.39.0, and trace v1.39.0 contain HIGH severity vulnerabilities:

• go.opentelemetry.io/otel: Remote DOS amplification via multi-value baggage header (GHSA-mh2q-q3fh-2475) — patched in v1.41.0
• go.opentelemetry.io/otel/sdk: PATH hijacking vulnerabilities enabling arbitrary code execution (GHSA-9h8m-3fm2-qjrq, GHSA-hfvc-g4fc-pqhx) — patched in v1.40.0 and v1.43.0 respectively

Upgrade to v1.41.0+ for otel and v1.43.0+ for sdk to resolve all vulnerabilities.

🧰 Tools

🪛 OSV Scanner (2.3.8)

[HIGH] 84-84: go.opentelemetry.io/otel 1.39.0: OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote dos amplification)

(GHSA-mh2q-q3fh-2475)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 84, The otel module versions in go.mod are pinned to
vulnerable releases (go.opentelemetry.io/otel v1.39.0 and related
sdk/metric/trace indirect entries); update the dependency versions to safe
releases (upgrade go.opentelemetry.io/otel to >= v1.41.0 and the otel/sdk
modules to >= v1.43.0) by editing go.mod to replace the listed versions and then
run `go get`/`go mod tidy` to fetch and lock the new versions so the vulnerable
GHSA issues are resolved.

[openshift-ci]

@kunalmemane: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws	e28ab5a	link	true	/test e2e-aws

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.