OCPBUGS-84383: fix(deps): bump go-jose/v3 to v3.0.5 for JWE unwrap DoS

[marioferh]

Upgrade github.com/go-jose/go-jose/v3 from v3.0.3 to v3.0.5.

Earlier releases could panic when decrypting a crafted JWE whose alg is a key-wrapping algorithm (suffix KW, excluding GCM-KW variants) and encrypted_key is empty or too short. KeyUnwrap then tried to allocate a slice with invalid length, which could crash the process (denial of service). v3.0.5 rejects too-short ciphertext and returns an error instead.

Regenerated vendor with go mod vendor.

Made-with: Cursor

Summary by CodeRabbit

• Chores
  • Updated dependency versions.

[openshift-ci-robot]

@marioferh: This pull request references Jira Issue OCPBUGS-84383, which is invalid:

• expected the vulnerability to target either version "5.0." or "openshift-5.0.", but it targets "4.22.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Upgrade github.com/go-jose/go-jose/v3 from v3.0.3 to v3.0.5.

Earlier releases could panic when decrypting a crafted JWE whose alg is a key-wrapping algorithm (suffix KW, excluding GCM-KW variants) and encrypted_key is empty or too short. KeyUnwrap then tried to allocate a slice with invalid length, which could crash the process (denial of service). v3.0.5 rejects too-short ciphertext and returns an error instead.

Regenerated vendor with go mod vendor.

Made-with: Cursor

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 18dd8ffa-02a6-47a2-abda-1f54df9413e9

📥 Commits

Reviewing files that changed from the base of the PR and between d6c7dd4 and 0548768.

⛔ Files ignored due to path filters (7)

• go.sum is excluded by !**/*.sum
• vendor/github.com/go-jose/go-jose/v3/asymmetric.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-jose/go-jose/v3/cipher/key_wrap.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-jose/go-jose/v3/jwe.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-jose/go-jose/v3/jws.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-jose/go-jose/v3/symmetric.go is excluded by !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (1)

• go.mod

---

Walkthrough

Updates the github.com/go-jose/go-jose/v3 dependency from v3.0.3 to v3.0.5 in go.mod.

Changes

Cohort / File(s)	Summary
Dependency Update go.mod	Bumps go-jose/go-jose/v3 from v3.0.3 to v3.0.5.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically summarizes the main change: upgrading go-jose/v3 to v3.0.5 to fix a JWE unwrap denial-of-service vulnerability.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR updates go.mod dependency only; no test files changed, so Ginkgo test name check is not applicable and passes by default.
Test Structure And Quality	✅ Passed	Pull request only modifies dependencies and vendored files; no Ginkgo test code modifications.
Microshift Test Compatibility	✅ Passed	MicroShift Test Compatibility check is not applicable; this PR only updates go.mod dependencies without adding new e2e tests.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR only updates Go module dependencies in go.mod and go.sum files, bumping github.com/go-jose/go-jose/v3 from v3.0.3 to v3.0.5 to address a JWE unwrap denial of service vulnerability. No new Ginkgo e2e tests are added.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only updates go.mod and vendor directory for security fix; no changes to deployment manifests, operator code, or controllers.
Ote Binary Stdout Contract	✅ Passed	Pull request only updates go-jose/go-jose/v3 dependency from v3.0.3 to v3.0.5 with no changes to application source code or stdout behavior.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR is exclusively a dependency version update, bumping go-jose/v3 from v3.0.3 to v3.0.5. The custom check only applies when new Ginkgo e2e tests are added, which is not the case here.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.4)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[simonpasquier]

/lgtm
/verified by tests
/jira refresh

Note that the issue doesn't affect telemeter client which doesn't import github.com/go-jose/go-jose/v3 (only the server binary does).

[openshift-ci-robot]

@simonpasquier: This PR has been marked as verified by tests.

Details

In response to this:

/lgtm
/verified by tests
/jira refresh

Note that the issue doesn't affect telemeter client which doesn't import github.com/go-jose/go-jose/v3 (only the server binary does).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@simonpasquier: This pull request references Jira Issue OCPBUGS-84383, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

/lgtm
/verified by tests
/jira refresh

Note that the issue doesn't affect telemeter client which doesn't import github.com/go-jose/go-jose/v3 (only the server binary does).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD d6c7dd4 and 2 for PR HEAD 0548768 in total

[danielmellado]

Note that we should also backport this to the release-4.22 and 4.23 branches.

[danielmellado]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danielmellado, marioferh, simonpasquier

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [danielmellado,marioferh,simonpasquier]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[danielmellado]

/retest-required

[marioferh]

/test e2e-aws-upgrade

[simonpasquier]

/retest-required

[marioferh]

/test e2e-aws-upgrade

[marioferh]

/test e2e-aws-upgrade

[marioferh]

/retest-required

[openshift-ci]

@marioferh: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@marioferh: Jira Issue Verification Checks: Jira Issue OCPBUGS-84383
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-84383 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

Upgrade github.com/go-jose/go-jose/v3 from v3.0.3 to v3.0.5.

Earlier releases could panic when decrypting a crafted JWE whose alg is a key-wrapping algorithm (suffix KW, excluding GCM-KW variants) and encrypted_key is empty or too short. KeyUnwrap then tried to allocate a slice with invalid length, which could crash the process (denial of service). v3.0.5 rejects too-short ciphertext and returns an error instead.

Regenerated vendor with go mod vendor.

Made-with: Cursor

Summary by CodeRabbit

• Chores
• Updated dependency versions.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[simonpasquier]

/jira backport release-4.22

[openshift-ci-robot]

@simonpasquier: The following backport issues have been created:

• OCPBUGS-84937 for branch release-4.22

Queuing cherrypicks to the requested branches to be created after this PR merges:
/cherrypick release-4.22

Details

In response to this:

/jira backport release-4.22

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-cherrypick-robot]

@openshift-ci-robot: new pull request created: #598

Details

In response to this:

@simonpasquier: The following backport issues have been created:

• OCPBUGS-84937 for branch release-4.22

Queuing cherrypicks to the requested branches to be created after this PR merges:
/cherrypick release-4.22

In response to this:

/jira backport release-4.22

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.