[Release-4.21]OCPBUGS-80840,OCPBUGS-80839: Bump google.golang.org/grpc to v1.79.3 by MrSanketkumar · Pull Request #713 · openshift/operator-framework-operator-controller

MrSanketkumar · 2026-05-05T12:15:37Z

Summary by CodeRabbit

Chores
- Updated project dependencies across the repository. Key updates include OpenTelemetry components, gRPC and protobuf stacks, CEL expression library, and various golang.org/x modules.
- Resulting impact: alignment with newer platform libraries, improved compatibility and stability, and refreshed indirect dependency versions.

openshift-ci-robot · 2026-05-05T12:15:44Z

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-80840, which is invalid:

release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
expected dependent Jira Issue OCPBUGS-83997 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is Closed (Duplicate) instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai · 2026-05-05T12:15:46Z

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 999d5606-8eb6-485a-845c-1e1e35be034b

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

🔍 Trigger review

Walkthrough

Dependency versions were bumped across multiple module files: core repo go.mod and two openshift submodule go.mod files. Updates include golang.org/x/* modules, cel.dev/expr, OpenTelemetry components (to v1.39.x family), and google.golang.org/grpc/genproto/protobuf revisions.

Changes

Dependency Updates

Layer / File(s)	Summary
Top-level module require/list `go.mod`	Updated indirect dependencies: `golang.org/x/sync` v0.18.0 → v0.19.0, `cel.dev/expr` v0.24.0 → v0.25.1, and a set of OpenTelemetry-related indirect modules moved toward v1.39.x; `google.golang.org/grpc` and related genproto/protobuf versions bumped.
Submodule manifests `openshift/default-catalog-consistency/go.mod`, `openshift/tests-extension/go.mod`	Applied matching/version-aligned bumps in submodule go.mod files: go-jose v4.1.1 → v4.1.3 (indirect), `golang.org/x/*` updates (crypto, net, oauth2, mod, sync, sys, term, text, tools), OpenTelemetry indirect upgrades, and grpc/protobuf/genproto version alignment.
Indirect/version lockstep details `go.mod`, `openshift/*/go.mod`	Multiple indirects adjusted to maintain compatibility: `golang.org/x/crypto` → v0.46.0, `golang.org/x/net` → v0.48.0, `google.golang.org/protobuf` → v1.36.10, genproto revisions updated, and other transitive lines changed to reflect new upstream revisions.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name	Status	Explanation	Resolution
Ote Binary Stdout Contract	❌ Error	fmt.Println in suite Describe() at openshift/default-catalog-consistency/test/validate/suite_test.go:34 violates OTE stdout contract. Runs during suite construction, corrupting JSON test listing.	Remove or redirect fmt.Println to stderr. Suite-level code must not write to stdout as it breaks OTE's JSON contract with openshift-tests.
Microshift Test Compatibility	⚠️ Warning	Ginkgo e2e tests use MicroShift-incompatible APIs: ClusterOperator in olmv1-incompatible.go; SetupProject() in olmv1_cc.go and olmv1_ce.go. None have MicroShift protections.	Add [apigroup:config.openshift.io] tag to ClusterOperator test. Replace SetupProject() with Namespaces. Or add [Skipped:MicroShift] if intentionally incompatible.

✅ Passed checks (10 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title references bumping google.golang.org/grpc to v1.79.3, which is covered in the change summary, but the PR makes much broader dependency updates across multiple modules including OpenTelemetry, CEL, golang.org/x packages, and others. The title is partially related but emphasizes only one aspect of a more comprehensive dependency update.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR is a dependency update with no test file modifications. Repository uses standard Go testing package, not Ginkgo. Check not applicable.
Test Structure And Quality	✅ Passed	Custom check "Test Structure and Quality" is designed to review Ginkgo test code. The PR adds test files, but all use standard Go testing package, not Ginkgo. Check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR only updates Go module dependencies in go.mod files. No new Ginkgo e2e tests are added or modified. The custom check for SNO compatibility is not applicable when no new tests are introduced.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only updates Go module dependencies (grpc, OpenTelemetry, golang.org/x packages). No deployment manifests, operator code, or scheduling constraints are modified.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	Check not applicable. PR adds e2e tests using standard Go testing.T patterns, not Ginkgo (It(), Describe(), etc.). Check applies only to new Ginkgo e2e tests.

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

MrSanketkumar · 2026-05-05T12:16:08Z

/jira refresh

openshift-ci-robot · 2026-05-05T12:16:12Z

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-80840, which is invalid:

release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
expected dependent Jira Issue OCPBUGS-83997 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is Closed (Duplicate) instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

MrSanketkumar · 2026-05-05T12:16:14Z

@coderabbitai review

openshift-ci · 2026-05-05T12:16:18Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: MrSanketkumar
Once this PR has been reviewed and has the lgtm label, please assign perdasilva for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

DOWNSTREAM_OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai · 2026-05-05T12:16:19Z

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

openshift-ci-robot · 2026-05-05T12:19:11Z

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-80840, which is invalid:

expected dependent Jira Issue OCPBUGS-83997 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is Closed (Duplicate) instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

Summary by CodeRabbit

Chores

Updated project dependencies to latest versions.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 221: The go.mod currently pins a vulnerable opentelemetry SDK (module
go.opentelemetry.io/otel/sdk at v1.39.0); update that dependency to v1.43.0 or
later to remediate the HIGH advisories (GO-2026-4394 / GHSA-9h8m-3fm2-qjrq /
GHSA-hfvc-g4fc-pqhx) and then refresh the module graph (e.g., run go get
go.opentelemetry.io/otel/sdk@v1.43.0 or newer and run go mod tidy) so the
lockfile and transitive deps are updated.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: a96d5dda-89b6-4ec5-824f-cfe0aa972b2b

📥 Commits

Reviewing files that changed from the base of the PR and between d0f315f and 933c5ea.

⛔ Files ignored due to path filters (151)

go.sum is excluded by !**/*.sum
vendor/cel.dev/expr/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
vendor/cel.dev/expr/MODULE.bazel is excluded by !**/vendor/**, !vendor/**
vendor/cel.dev/expr/checked.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cel.dev/expr/eval.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cel.dev/expr/explain.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cel.dev/expr/syntax.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cel.dev/expr/value.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/id.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/number.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/span.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/status.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/traces.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/value.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/auto/sdk/span.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/auto/sdk/tracer.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/.codespellignore is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/.golangci.yml is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/.lycheeignore is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/Makefile is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/README.md is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/RELEASING.md is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/VERSIONING.md is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/attribute/encoder.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/attribute/set.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/attribute/type_string.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/baggage/baggage.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/dependencies.Dockerfile is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/internal/global/meter.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/metric.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/metric/config.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/propagation/trace_context.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/sdk/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/sdk/internal/env/env.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/sdk/internal/x/x.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/sdk/resource/builtin.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/sdk/resource/container.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/sdk/resource/env.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/sdk/resource/host_id.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/sdk/resource/host_id_bsd.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/sdk/resource/host_id_linux.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/sdk/resource/host_id_unsupported.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/sdk/resource/host_id_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/sdk/resource/os.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/sdk/resource/os_release_unix.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/sdk/resource/os_unix.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/sdk/resource/os_unsupported.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/sdk/resource/process.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/sdk/resource/resource.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/sdk/trace/batch_span_processor.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/sdk/trace/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/sdk/trace/id_generator.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/sdk/trace/provider.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/sdk/trace/sampling.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/sdk/trace/simple_span_processor.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/sdk/trace/snapshot.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/sdk/trace/span.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/sdk/trace/span_limits.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/sdk/trace/tracer.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/sdk/trace/version.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/sdk/version.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/semconv/v1.34.0/MIGRATION.md is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/semconv/v1.34.0/README.md is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/semconv/v1.34.0/attribute_group.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/semconv/v1.34.0/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/semconv/v1.34.0/error_type.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/semconv/v1.34.0/exception.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/semconv/v1.34.0/schema.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/semconv/v1.37.0/error_type.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/trace/config.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/trace/span.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/version.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/versions.yaml is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/transport.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/trace/events.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sync/errgroup/errgroup.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_arm64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_arm64.s is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_gc_arm64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_gccgo_arm64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_netbsd_arm64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/cpu/cpu_openbsd_arm64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/mkerrors.sh is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_386.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_arm.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_mips.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/ztypes_netbsd_arm.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/encoding/unicode/unicode.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/balancer/balancer.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/balancer/pickfirst/internal/internal.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/balancer/pickfirst/pickfirst.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/balancer/subconn.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/balancer_wrapper.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/clientconn.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/credentials/credentials.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/credentials/tls.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/encoding/encoding.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/encoding/gzip/gzip.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/experimental/stats/metricregistry.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/experimental/stats/metrics.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/health/grpc_health_v1/health.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/health/grpc_health_v1/health_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/interceptor.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/envconfig/envconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/envconfig/xds.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/experimental.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/idle/idle.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/internal.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/resolver/dns/dns_resolver.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/stats/metrics_recorder_list.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/transport/client_stream.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/transport/controlbuf.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/transport/flowcontrol.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/transport/handler_server.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/transport/http2_client.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/transport/http2_server.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/transport/http_util.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/transport/server_stream.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/transport/transport.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/mem/buffer_pool.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/mem/buffer_slice.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/mem/buffers.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/preloader.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/resolver/resolver.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/resolver_wrapper.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/rpc_util.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/server.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/stream.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/version.go is excluded by !**/vendor/**, !vendor/**
vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (1)

go.mod

coderabbitai · 2026-05-05T12:21:58Z

GHSA-9h8m-3fm2-qjrq

-	go.opentelemetry.io/otel/sdk v1.37.0 // indirect
-	go.opentelemetry.io/otel/trace v1.38.0 // indirect
+	go.opentelemetry.io/otel/metric v1.39.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.39.0 // indirect


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

`What is the first fixed version of go.opentelemetry.io/otel/sdk for:

GO-2026-4394

GHSA-9h8m-3fm2-qjrq

GHSA-hfvc-g4fc-pqhx
Please include the affected version ranges and patched version ranges from official advisory sources.`

💡 Result:

GO-2026-4394 (GHSA-9h8m-3fm2-qjrq, CVE-2026-24051): First fixed version of go.opentelemetry.io/otel/sdk is v1.40.0. Affected range: Go >=1.21.0 before v1.40.0 [1][2][3]. Patched in v1.40.0 and later [3][4]. GHSA-hfvc-g4fc-pqhx: First fixed version of go.opentelemetry.io/otel/sdk is v1.43.0. Affected range: >= v1.15.0, <= v1.42.0 [5]. Patched in v1.43.0 and later [5][6]. Note: This is an incomplete fix for the prior vulnerability, affecting BSD/Solaris platforms [5]. No separate GO-ID found in pkg.go.dev searches.

Citations:

1: https://pkg.go.dev/vuln/GO-2026-4394

2: https://osv.dev/vulnerability/GO-2026-4394

3: GHSA-9h8m-3fm2-qjrq

4: https://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.40.0

5: GHSA-hfvc-g4fc-pqhx

6: googleapis/google-cloud-go@b4c40aa

Security blocker: go.opentelemetry.io/otel/sdk v1.39.0 has multiple HIGH advisories

Line 221 pins a vulnerable version (GO-2026-4394, GHSA-9h8m-3fm2-qjrq, GHSA-hfvc-g4fc-pqhx). Bump to v1.43.0 or later to address all reported vulnerabilities and refresh the module graph before merge.

🧰 Tools

🪛 OSV Scanner (2.3.6)

[HIGH] 221-221: go.opentelemetry.io/otel/sdk 1.39.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk

(GO-2026-4394)

[HIGH] 221-221: go.opentelemetry.io/otel/sdk 1.39.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking

(GHSA-9h8m-3fm2-qjrq)

[HIGH] 221-221: go.opentelemetry.io/otel/sdk 1.39.0: opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking

(GHSA-hfvc-g4fc-pqhx)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@go.mod` at line 221, The go.mod currently pins a vulnerable opentelemetry SDK (module go.opentelemetry.io/otel/sdk at v1.39.0); update that dependency to v1.43.0 or later to remediate the HIGH advisories (GO-2026-4394 / GHSA-9h8m-3fm2-qjrq / GHSA-hfvc-g4fc-pqhx) and then refresh the module graph (e.g., run go get go.opentelemetry.io/otel/sdk@v1.43.0 or newer and run go mod tidy) so the lockfile and transitive deps are updated.

MrSanketkumar · 2026-05-05T12:30:23Z

/retest-required

rissh · 2026-05-06T06:44:28Z

/retitle [Release-4.21]OCPBUGS-80840,OCPBUGS-80839: Bump google.golang.org/grpc to v1.79.3

openshift-ci-robot · 2026-05-06T06:44:39Z

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-80840, which is invalid:

expected dependent Jira Issue OCPBUGS-83997 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is Closed (Duplicate) instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

This pull request references Jira Issue OCPBUGS-80839, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target version (4.21.z) matches configured target version for branch (4.21.z)
bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)
release note text is set and does not match the template
dependent bug Jira Issue OCPBUGS-81194 is in the state Closed (Done), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
dependent Jira Issue OCPBUGS-81194 targets the "4.22.0" version, which is one of the valid target versions: 4.22.0
bug has dependents

No GitHub users were found matching the public email listed for the QA contact in Jira (ocp-sustaining-admins@redhat.com), skipping review request.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary by CodeRabbit

Chores

Updated project dependencies to latest versions.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

MrSanketkumar · 2026-05-06T08:05:38Z

@coderabbitai review

coderabbitai · 2026-05-06T08:05:45Z

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

openshift-ci-robot · 2026-05-06T08:15:09Z

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-80840, which is invalid:

expected dependent Jira Issue OCPBUGS-83997 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is Closed (Duplicate) instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

This pull request references Jira Issue OCPBUGS-80839, which is valid.

7 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target version (4.21.z) matches configured target version for branch (4.21.z)
bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
release note text is set and does not match the template
dependent bug Jira Issue OCPBUGS-81194 is in the state Closed (Done), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
dependent Jira Issue OCPBUGS-81194 targets the "4.22.0" version, which is one of the valid target versions: 4.22.0
bug has dependents

No GitHub users were found matching the public email listed for the QA contact in Jira (ocp-sustaining-admins@redhat.com), skipping review request.

Details

In response to this:

Summary by CodeRabbit

Chores

Updated project dependencies across the repository. Key updates include OpenTelemetry components, gRPC and protobuf stacks, CEL expression library, and various golang.org/x modules.

Resulting impact: alignment with newer platform libraries, improved compatibility and stability, and refreshed indirect dependency versions.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai

Actionable comments posted: 1

♻️ Duplicate comments (1)

go.mod (1)

217-222: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Security blocker: OpenTelemetry core/sdk are pinned to vulnerable versions.

Lines 217–222 pin go.opentelemetry.io/otel* at v1.39.0, which is affected by high-severity advisories (including GHSA-mh2-q3fh-2475 for otel and GHSA-9h8m-3fm2-qjrq / GHSA-hfvc-g4fc-pqhx for otel/sdk). Please bump the OTel stack to a fixed floor (sdk >= v1.43.0; otel >= v1.41.0).

🔧 Suggested patch (aligned family)

-	go.opentelemetry.io/otel v1.39.0 // indirect
-	go.opentelemetry.io/otel/metric v1.39.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.39.0 // indirect
-	go.opentelemetry.io/otel/trace v1.39.0 // indirect
+	go.opentelemetry.io/otel v1.43.0 // indirect
+	go.opentelemetry.io/otel/metric v1.43.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.43.0 // indirect
+	go.opentelemetry.io/otel/trace v1.43.0 // indirect

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 217 - 222, Update the pinned OpenTelemetry modules in
go.mod to non-vulnerable releases: raise go.opentelemetry.io/otel to at least
v1.41.0 and go.opentelemetry.io/otel/sdk to at least v1.43.0 (and bump related
packages like go.opentelemetry.io/otel/metric, go.opentelemetry.io/otel/trace,
and go.opentelemetry.io/otel/exporters/otlp/otlptrace* to matching compatible
versions) by editing the version strings for those module entries and then run
your Go module update (e.g., go get) and tests to ensure compatibility; target
aligned family versions so otel, otel/sdk, otel/metric, otel/trace, and
otlptrace packages are mutually compatible.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@openshift/default-catalog-consistency/go.mod`:
- Line 46: The go.mod currently pins the vulnerable dependency
"github.com/go-jose/go-jose/v4 v4.1.3"; update that module to "v4.1.4" (or
newer) in go.mod, then run "go get github.com/go-jose/go-jose/v4@v4.1.4" (or the
desired newer version) and "go mod tidy" to refresh go.sum, and commit the
updated go.mod and go.sum so the CVE-2026-34986 denial-of-service fix is
applied.

---

Duplicate comments:
In `@go.mod`:
- Around line 217-222: Update the pinned OpenTelemetry modules in go.mod to
non-vulnerable releases: raise go.opentelemetry.io/otel to at least v1.41.0 and
go.opentelemetry.io/otel/sdk to at least v1.43.0 (and bump related packages like
go.opentelemetry.io/otel/metric, go.opentelemetry.io/otel/trace, and
go.opentelemetry.io/otel/exporters/otlp/otlptrace* to matching compatible
versions) by editing the version strings for those module entries and then run
your Go module update (e.g., go get) and tests to ensure compatibility; target
aligned family versions so otel, otel/sdk, otel/metric, otel/trace, and
otlptrace packages are mutually compatible.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c8cba45b-c1bd-43cf-8d54-cbb5438c6498

📥 Commits

Reviewing files that changed from the base of the PR and between 933c5ea and cf7df47.

⛔ Files ignored due to path filters (297)

go.sum is excluded by !**/*.sum
openshift/default-catalog-consistency/go.sum is excluded by !**/*.sum
openshift/default-catalog-consistency/vendor/github.com/go-jose/go-jose/v4/CHANGELOG.md is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/github.com/go-jose/go-jose/v4/README.md is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/github.com/go-jose/go-jose/v4/crypter.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/github.com/go-jose/go-jose/v4/jwk.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/github.com/go-jose/go-jose/v4/shared.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/github.com/go-jose/go-jose/v4/signing.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/github.com/go-jose/go-jose/v4/symmetric.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/github.com/go-jose/go-jose/v4/symmetric_legacy.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/crypto/openpgp/s2k/s2k.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/crypto/salsa20/salsa/hsalsa20.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/crypto/sha3/doc.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/crypto/sha3/hashes.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/crypto/sha3/hashes_noasm.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/crypto/sha3/keccakf.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/crypto/sha3/keccakf_amd64.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/crypto/sha3/keccakf_amd64.s is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/crypto/sha3/sha3.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/crypto/sha3/sha3_s390x.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/crypto/sha3/sha3_s390x.s is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/crypto/sha3/shake.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/crypto/sha3/shake_noasm.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/mod/semver/semver.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/net/context/context.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/net/html/escape.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/net/html/parse.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/net/html/render.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/net/http2/config.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/net/http2/config_go124.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/net/http2/config_pre_go124.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/net/http2/frame.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/net/http2/gotrack.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/net/http2/http2.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/net/http2/server.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/net/http2/timer.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/net/http2/transport.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/net/http2/writesched.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/net/http2/writesched_roundrobin.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/net/internal/httpcommon/request.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/net/trace/events.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/oauth2/deviceauth.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/oauth2/oauth2.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/oauth2/pkce.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/oauth2/token.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/oauth2/transport.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sync/errgroup/errgroup.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/cpu/cpu_arm64.s is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/plan9/pwd_go15_plan9.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/plan9/pwd_plan9.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/unix/affinity_linux.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/unix/fdset.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/unix/ifreq_linux.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/unix/mkall.sh is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/unix/mkerrors.sh is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/unix/syscall_linux.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/unix/syscall_netbsd.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/unix/syscall_solaris.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/unix/zerrors_linux.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/unix/zerrors_linux_386.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/unix/zsyscall_linux.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/unix/zsyscall_solaris_amd64.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/unix/ztypes_linux.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/unix/ztypes_netbsd_arm.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/windows/syscall_windows.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/windows/types_windows.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/sys/windows/zsyscall_windows.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/term/terminal.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/text/encoding/japanese/eucjp.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/text/encoding/japanese/iso2022jp.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/text/encoding/japanese/shiftjis.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/text/encoding/korean/euckr.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/text/encoding/simplifiedchinese/gbk.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/text/encoding/simplifiedchinese/hzgb2312.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/text/encoding/traditionalchinese/big5.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/text/encoding/unicode/unicode.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/text/unicode/bidi/core.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/tools/go/ast/inspector/cursor.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/tools/go/packages/golist.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/tools/go/packages/visit.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/tools/go/types/objectpath/objectpath.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/tools/go/types/typeutil/map.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/tools/internal/event/core/event.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/tools/internal/gcimporter/bimport.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/tools/internal/gcimporter/iexport.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/tools/internal/gcimporter/iimport.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/tools/internal/gcimporter/iimport_go122.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/tools/internal/stdlib/deps.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/tools/internal/stdlib/import.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/tools/internal/stdlib/manifest.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/tools/internal/typeparams/normalize.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/tools/internal/typesinternal/element.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/tools/internal/typesinternal/qualifier.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/tools/internal/typesinternal/types.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/tools/internal/typesinternal/varkind.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/tools/internal/typesinternal/zerovalue.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/golang.org/x/tools/internal/versions/features.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/CONTRIBUTING.md is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/balancer/balancer.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/balancer/pickfirst/internal/internal.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirst.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/balancer/subconn.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/balancer_wrapper.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go is excluded by !**/*.pb.go, !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/clientconn.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/credentials/credentials.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/credentials/tls.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/encoding/encoding.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/encoding/proto/proto.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/experimental/stats/metricregistry.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/experimental/stats/metrics.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/interceptor.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/internal/buffer/unbounded.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/internal/channelz/trace.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/internal/envconfig/xds.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/internal/experimental.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/internal/grpcsync/callback_serializer.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/internal/idle/idle.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/internal/internal.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/internal/resolver/dns/dns_resolver.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/internal/stats/metrics_recorder_list.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/internal/transport/client_stream.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/internal/transport/controlbuf.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/internal/transport/flowcontrol.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/internal/transport/handler_server.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/internal/transport/http2_client.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/internal/transport/http2_server.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/internal/transport/http_util.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/internal/transport/server_stream.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/internal/transport/transport.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/mem/buffer_pool.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/mem/buffer_slice.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/mem/buffers.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/preloader.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/resolver/resolver.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/resolver_wrapper.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/rpc_util.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/server.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/stream.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/grpc/version.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/protobuf/internal/editionssupport/editions.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/protobuf/internal/filedesc/desc.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/protobuf/internal/filedesc/desc_init.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/protobuf/internal/filedesc/editions.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/protobuf/internal/version/version.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/protobuf/reflect/protodesc/desc.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/protobuf/reflect/protodesc/desc_init.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/google.golang.org/protobuf/reflect/protodesc/proto.go is excluded by !**/vendor/**
openshift/default-catalog-consistency/vendor/modules.txt is excluded by !**/vendor/**
openshift/tests-extension/go.sum is excluded by !**/*.sum
openshift/tests-extension/vendor/cel.dev/expr/BUILD.bazel is excluded by !**/vendor/**
openshift/tests-extension/vendor/cel.dev/expr/MODULE.bazel is excluded by !**/vendor/**
openshift/tests-extension/vendor/cel.dev/expr/checked.pb.go is excluded by !**/*.pb.go, !**/vendor/**
openshift/tests-extension/vendor/cel.dev/expr/eval.pb.go is excluded by !**/*.pb.go, !**/vendor/**
openshift/tests-extension/vendor/cel.dev/expr/explain.pb.go is excluded by !**/*.pb.go, !**/vendor/**
openshift/tests-extension/vendor/cel.dev/expr/syntax.pb.go is excluded by !**/*.pb.go, !**/vendor/**
openshift/tests-extension/vendor/cel.dev/expr/value.pb.go is excluded by !**/*.pb.go, !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/id.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/number.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/span.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/status.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/traces.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/value.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/auto/sdk/span.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/auto/sdk/tracer.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/.codespellignore is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/.golangci.yml is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/.lycheeignore is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/CHANGELOG.md is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/CODEOWNERS is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/CONTRIBUTING.md is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/LICENSE is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/Makefile is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/README.md is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/RELEASING.md is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/SECURITY-INSIGHTS.yml is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/VERSIONING.md is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/attribute/encoder.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/attribute/filter.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/attribute/hash.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/attribute/internal/attribute.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/attribute/internal/xxhash/xxhash.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/attribute/iterator.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/attribute/key.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/attribute/kv.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/attribute/set.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/attribute/type_string.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/attribute/value.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/baggage/baggage.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/codes/codes.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/dependencies.Dockerfile is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/internal/global/internal_logging.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/internal/global/meter.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/internal/global/trace.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/metric.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/metric/LICENSE is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/metric/config.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/propagation/baggage.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/propagation/propagation.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/propagation/trace_context.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/LICENSE is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/internal/x/features.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/internal/x/x.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/resource/builtin.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/resource/container.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/resource/env.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/resource/host_id.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/resource/host_id_bsd.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/resource/host_id_linux.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/resource/host_id_unsupported.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/resource/host_id_windows.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/resource/os.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/resource/os_release_unix.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/resource/os_unix.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/resource/os_unsupported.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/resource/process.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/resource/resource.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/trace/batch_span_processor.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/trace/doc.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/trace/id_generator.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/trace/internal/env/env.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/batch_span_processor.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/doc.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/simple_span_processor.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/tracer.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/trace/provider.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/trace/sampling.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/trace/simple_span_processor.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/trace/snapshot.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/trace/span.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/trace/span_limits.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/trace/tracer.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/trace/version.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/sdk/version.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/MIGRATION.md is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/README.md is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/attribute_group.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/doc.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/exception.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/schema.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/semconv/v1.37.0/MIGRATION.md is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/semconv/v1.37.0/README.md is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/semconv/v1.37.0/attribute_group.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/semconv/v1.37.0/doc.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/semconv/v1.37.0/error_type.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/semconv/v1.37.0/exception.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/semconv/v1.37.0/otelconv/metric.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/semconv/v1.37.0/schema.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/trace/LICENSE is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/trace/auto.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/trace/config.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/trace/hex.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/attr.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/id.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/value.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/trace/noop.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/trace/noop/noop.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/trace/span.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/trace/trace.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/trace/tracestate.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/version.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/go.opentelemetry.io/otel/versions.yaml is excluded by !**/vendor/**
openshift/tests-extension/vendor/golang.org/x/crypto/chacha20/chacha_arm64.s is excluded by !**/vendor/**
openshift/tests-extension/vendor/golang.org/x/crypto/curve25519/curve25519.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/golang.org/x/crypto/ssh/cipher.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/golang.org/x/crypto/ssh/client_auth.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/golang.org/x/crypto/ssh/common.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/golang.org/x/crypto/ssh/doc.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/golang.org/x/crypto/ssh/handshake.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/golang.org/x/crypto/ssh/kex.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/golang.org/x/crypto/ssh/keys.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/golang.org/x/crypto/ssh/mac.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/golang.org/x/crypto/ssh/messages.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/golang.org/x/crypto/ssh/server.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/golang.org/x/crypto/ssh/ssh_gss.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/golang.org/x/crypto/ssh/streamlocal.go is excluded by !**/vendor/**
openshift/tests-extension/vendor/golang.org/x/crypto/ssh/tcpip.go is excluded by !**/vendor/**

📒 Files selected for processing (3)

go.mod
openshift/default-catalog-consistency/go.mod
openshift/tests-extension/go.mod

coderabbitai · 2026-05-06T08:18:37Z

GHSA-78h2-9frx-2jm8

 	github.com/go-git/go-billy/v5 v5.6.2 // indirect
 	github.com/go-git/go-git/v5 v5.16.2 // indirect
-	github.com/go-jose/go-jose/v4 v4.1.1 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.3 // indirect


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

find . -name "go.mod" -path "*openshift/default-catalog-consistency*" -type f

Repository: openshift/operator-framework-operator-controller

Length of output: 139

🌐 Web query:

GHSA-78h2-9frx-2jm8 go-jose vulnerability

💡 Result:

GHSA-78h2-9frx-2jm8 is a go-jose (go-jose/go-jose) vulnerability titled “Panic in JWE decryption”, with CVE-2026-34986. It can be triggered during JSON Web Encryption (JWE) decryption, where go-jose may panic (leading to denial of service) if the JWE header’s alg indicates a key wrapping algorithm (ending in “KW”, except the GCMKW variants) and the JWE encrypted_key field is empty. [1] Affected / fixed versions (per the upstream advisory): - github.com/go-jose/go-jose/v3: affected < 3.0.5; fixed in 3.0.5. [1] - github.com/go-jose/go-jose/v4: affected < 4.1.4; fixed in 4.1.4. [1] Reachability / exploitation details (from the advisory): - The panic occurs when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length derived from the (empty) encrypted_key. [1] - The code path is reachable by parsing a JWE (ParseEncrypted / ParseEncryptedJSON / ParseEncryptedCompact) followed by Decrypt on the resulting object. [1] - A mitigation/workaround is that if the application passes a keyAlgorithms list to the parse functions that does not include key wrapping algorithms (alg values ending in “KW”), then parsing will fail and the application is unaffected. [1] - If you accept JWE Compact Serialization, you can prevalidate that the encrypted_key field (the data between the first and second “.” in the compact form) is non-empty. [1] Practical guidance: 1) Upgrade go-jose to at least the patched versions (v3 >= 3.0.5 or v4 >= 4.1.4). [1] 2) If you can’t upgrade immediately, ensure your accepted key algorithm set excludes *KW algorithms, or add input validation to reject JWE objects with an empty encrypted_key when using key wrapping algs. [1] Additional note from a vendor scan writeup: a product may detect CVE-2026-34986 transitively via a vulnerable go-jose version, but mark the component “not affected” if the vulnerable code path is not reachable in that product’s runtime context. [2]

Citations:

1: GHSA-78h2-9frx-2jm8

2: https://knowledge.broadcom.com/external/article/435970/cve202634986-ghsa78h29frx2jm8-detected.html

🌐 Web query:

CVE-2026-34986 go-jose

💡 Result:

CVE-2026-34986 is a denial-of-service (panic) vulnerability in the go-jose library’s JWE decryption path. Specifically, in go-jose versions prior to 4.1.4 (v4) and prior to 3.0.5 (v3), decrypting a JWE object can panic when: (1) the JWE header alg indicates a key wrapping algorithm (ends with KW, with exceptions A128GCMKW/A192GCMKW/A256GCMKW), and (2) the JWE encrypted_key field is empty [1][2]. Impact / what happens - The panic occurs because cipher.KeyUnwrap() (in go-jose’s key_wrap.go) attempts to allocate a slice using a zero or negative length derived from the length of encrypted_key [1][2]. - This panic can crash the process, i.e., an attacker may cause a denial of service by sending a crafted JWE object [1][2]. Reachability details - The vulnerable code path is reachable by parsing a JWE (via ParseEncrypted(), ParseEncryptedJSON(), or ParseEncryptedCompact()), followed by calling Decrypt() on the resulting object [1][2]. - If the application configures the parser with a list of accepted key algorithms that does not include any key wrapping algorithms, parsing will fail and the application is unaffected [1][2]. - It can also be triggered by directly calling cipher.KeyUnwrap() with ciphertext shorter than 16 bytes, though this is described as less common [1][2]. Fixed versions / remediation - Upgrade go-jose v4 to 4.1.4 or later, and upgrade go-jose v3 to 3.0.5 or later to fix the JWE decryption panic [1][3][4]. - go-jose’s 4.1.4 release notes explicitly state it “Fixes Panic in JWE decryption” and reference the GHSA advisory for this issue [3]. If you tell me which go-jose major version your application uses (v3 vs v4) and the versions you currently run, I can map that to the exact “affected/unaffected” status and suggest the minimal upgrade target.

Citations:

1: https://nvd.nist.gov/vuln/detail/CVE-2026-34986

2: GHSA-78h2-9frx-2jm8

3: https://github.com/go-jose/go-jose/releases/tag/v4.1.4

4: https://osv.dev/vulnerability/GHSA-78h2-9frx-2jm8

🏁 Script executed:

cat -n ./openshift/default-catalog-consistency/go.mod | sed -n '40,52p'

Repository: openshift/operator-framework-operator-controller

Length of output: 856

Security blocker: github.com/go-jose/go-jose/v4 v4.1.3 is vulnerable to GHSA-78h2-9frx-2jm8.

Line 46 pins a version affected by CVE-2026-34986, a denial-of-service vulnerability in JWE decryption that can cause a panic when parsing a JWE with an empty encrypted_key field and a key wrapping algorithm. Bump to v4.1.4 or newer to fix.

🔧 Suggested patch

- github.com/go-jose/go-jose/v4 v4.1.3 // indirect + github.com/go-jose/go-jose/v4 v4.1.4 // indirect

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

github.com/go-jose/go-jose/v4 v4.1.3 // indirect

github.com/go-jose/go-jose/v4 v4.1.4 // indirect

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@openshift/default-catalog-consistency/go.mod` at line 46, The go.mod currently pins the vulnerable dependency "github.com/go-jose/go-jose/v4 v4.1.3"; update that module to "v4.1.4" (or newer) in go.mod, then run "go get github.com/go-jose/go-jose/v4@v4.1.4" (or the desired newer version) and "go mod tidy" to refresh go.sum, and commit the updated go.mod and go.sum so the CVE-2026-34986 denial-of-service fix is applied.

MrSanketkumar · 2026-05-06T09:38:59Z

/retest-required

openshift-ci · 2026-05-06T09:47:25Z

@MrSanketkumar: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-gcp-ovn-upgrade	`94e6dcb`	link	true	`/test e2e-gcp-ovn-upgrade`
ci/prow/images	`94e6dcb`	link	true	`/test images`
ci/prow/openshift-e2e-aws	`94e6dcb`	link	true	`/test openshift-e2e-aws`
ci/prow/okd-scos-images	`94e6dcb`	link	true	`/test okd-scos-images`
ci/prow/e2e-aws-techpreview-olmv1-ext	`94e6dcb`	link	true	`/test e2e-aws-techpreview-olmv1-ext`
ci/prow/default-catalog-consistency	`94e6dcb`	link	true	`/test default-catalog-consistency`
ci/prow/verify	`94e6dcb`	link	true	`/test verify`
ci/prow/verify-deps	`94e6dcb`	link	true	`/test verify-deps`
ci/prow/unit	`94e6dcb`	link	true	`/test unit`
ci/prow/e2e-aws-olmv1-ext	`94e6dcb`	link	true	`/test e2e-aws-olmv1-ext`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-ci Bot requested review from grokspawn and rashmigottipati May 5, 2026 12:16

MrSanketkumar force-pushed the CVE-2026-33186-4.21 branch from 933c5ea to 1a5dca5 Compare May 5, 2026 12:21

coderabbitai Bot reviewed May 5, 2026

View reviewed changes

openshift-ci Bot changed the title ~~[Release-4.21]OCPBUGS-80840: Bump google.golang.org/grpc to v1.79.3~~ [Release-4.21]OCPBUGS-80840,OCPBUGS-80839: Bump google.golang.org/grpc to v1.79.3 May 6, 2026

MrSanketkumar force-pushed the CVE-2026-33186-4.21 branch from 1a5dca5 to cf7df47 Compare May 6, 2026 08:05

coderabbitai Bot reviewed May 6, 2026

View reviewed changes

UPSTREAM: <carry>:Bump google.golang.org/grpc to v1.79.3

94e6dcb

MrSanketkumar force-pushed the CVE-2026-33186-4.21 branch from cf7df47 to 94e6dcb Compare May 6, 2026 08:25

	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
	github.com/go-jose/go-jose/v4 v4.1.4 // indirect

Conversation

MrSanketkumar commented May 5, 2026 • edited by coderabbitai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by CodeRabbit

Uh oh!

openshift-ci-robot commented May 5, 2026

Uh oh!

coderabbitai Bot commented May 5, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Review skipped

Walkthrough

Changes

Estimated code review effort

Pre-merge checks failed

❌ Failed checks (1 error, 1 warning)

Uh oh!

MrSanketkumar commented May 5, 2026

Uh oh!

openshift-ci-robot commented May 5, 2026

Uh oh!

MrSanketkumar commented May 5, 2026

Uh oh!

openshift-ci Bot commented May 5, 2026

Uh oh!

coderabbitai Bot commented May 5, 2026

Uh oh!

openshift-ci-robot commented May 5, 2026

Summary by CodeRabbit

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai Bot May 5, 2026

Choose a reason for hiding this comment

Uh oh!

MrSanketkumar commented May 5, 2026

Uh oh!

rissh commented May 6, 2026

Uh oh!

openshift-ci-robot commented May 6, 2026

Summary by CodeRabbit

Uh oh!

MrSanketkumar commented May 6, 2026

Uh oh!

coderabbitai Bot commented May 6, 2026

Uh oh!

openshift-ci-robot commented May 6, 2026

Summary by CodeRabbit

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai Bot May 6, 2026

Choose a reason for hiding this comment

Uh oh!

MrSanketkumar commented May 6, 2026

Uh oh!

openshift-ci Bot commented May 6, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

MrSanketkumar commented May 5, 2026 •

edited by coderabbitai Bot

Loading

coderabbitai Bot commented May 5, 2026 •

edited

Loading