Merged
78 changes: 39 additions & 39 deletions go.mod
Expand Up @@ -8,31 +8,31 @@ require (
github.com/golang-jwt/jwt/v5 v5.2.2
github.com/google/cel-go v0.26.0
github.com/google/go-cmp v0.7.0
github.com/onsi/ginkgo/v2 v2.21.0
github.com/onsi/ginkgo/v2 v2.27.2
github.com/openshift-eng/openshift-tests-extension v0.0.0-20251205182537-ff5553e56f33
github.com/openshift/api v0.0.0-20260304122341-cf5d8996109f
github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee
github.com/openshift/client-go v0.0.0-20260108185524-48f4ccfc4e13
github.com/openshift/library-go v0.0.0-20260213153706-03f1709971c5
github.com/openshift/client-go v0.0.0-20260302182750-20813ce71ca6
github.com/openshift/library-go v0.0.0-20260303171201-5d9eb6295ff6
github.com/openshift/multi-operator-manager v0.0.0-20241205181422-20aa3906b99d
github.com/spf13/cobra v1.9.1
github.com/spf13/pflag v1.0.6
github.com/spf13/cobra v1.10.0
github.com/spf13/pflag v1.0.9
github.com/stretchr/testify v1.11.1
go.etcd.io/etcd/client/v3 v3.6.4
go.etcd.io/etcd/client/v3 v3.6.5
golang.org/x/net v0.47.0
google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb
gopkg.in/yaml.v2 v2.4.0
k8s.io/api v0.34.1
k8s.io/apiextensions-apiserver v0.34.1
k8s.io/apimachinery v0.34.1
k8s.io/apiserver v0.34.1
k8s.io/cli-runtime v0.34.0
k8s.io/client-go v0.34.1
k8s.io/component-base v0.34.1
k8s.io/api v0.35.2
k8s.io/apiextensions-apiserver v0.35.2
k8s.io/apimachinery v0.35.2
k8s.io/apiserver v0.35.2
k8s.io/cli-runtime v0.35.2
k8s.io/client-go v0.35.2
k8s.io/component-base v0.35.2
k8s.io/klog/v2 v2.130.1
k8s.io/kube-aggregator v0.34.1
k8s.io/pod-security-admission v0.34.0
k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
k8s.io/kube-aggregator v0.35.2
k8s.io/pod-security-admission v0.35.2
k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96
)
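Review bot: the k8s.io/* requirements in this hunk all land on v0.35.2, including k8s.io/cli-runtime and k8s.io/pod-security-admission, which were previously off-series at v0.34.0 while the rest sat at v0.34.1, so the set is now consistent; the hunk starts at line 8, though, so the module's `go` and `toolchain` directives are not in the diff, and the PR should confirm they meet the minimum Go version required by k8s.io/* v0.35.2 and github.com/onsi/ginkgo/v2 v2.27.2. Also worth a sentence in the description: github.com/openshift/api moves to a 20260304 pseudo-version, newer than the client-go (20260302) and library-go (20260303) pins it ships beside, which is fine only if those two were generated against a compatible openshift/api revision.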

Expand All @@ -54,7 +54,7 @@ require (
github.com/felixge/httpsnoop v1.0.4 // indirect
github.com/fsnotify/fsnotify v1.9.0 // indirect
github.com/fxamacker/cbor/v2 v2.9.0 // indirect
github.com/go-logr/logr v1.4.2 // indirect
github.com/go-logr/logr v1.4.3 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-openapi/jsonpointer v0.21.0 // indirect
github.com/go-openapi/jsonreference v0.20.2 // indirect
Expand All @@ -64,7 +64,7 @@ require (
github.com/golang/protobuf v1.5.4 // indirect
github.com/google/btree v1.1.3 // indirect
github.com/google/gnostic-models v0.7.0 // indirect
github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db // indirect
github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect
github.com/google/uuid v1.6.0 // indirect
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 // indirect
Expand All @@ -77,55 +77,55 @@ require (
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/onsi/gomega v1.35.1 // indirect
github.com/onsi/gomega v1.38.2 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/pkg/profile v1.7.0 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/prometheus/client_golang v1.22.0 // indirect
github.com/prometheus/client_model v0.6.1 // indirect
github.com/prometheus/common v0.62.0 // indirect
github.com/prometheus/procfs v0.15.1 // indirect
github.com/prometheus/client_golang v1.23.2 // indirect
github.com/prometheus/client_model v0.6.2 // indirect
github.com/prometheus/common v0.66.1 // indirect
github.com/prometheus/procfs v0.16.1 // indirect
github.com/robfig/cron v1.2.0 // indirect
github.com/shopspring/decimal v1.3.1 // indirect
github.com/sirupsen/logrus v1.9.3 // indirect
github.com/stoewer/go-strcase v1.3.0 // indirect
github.com/x448/float16 v0.8.4 // indirect
go.etcd.io/etcd/api/v3 v3.6.4 // indirect
go.etcd.io/etcd/client/pkg/v3 v3.6.4 // indirect
go.etcd.io/etcd/api/v3 v3.6.5 // indirect
go.etcd.io/etcd/client/pkg/v3 v3.6.5 // indirect
go.opentelemetry.io/auto/sdk v1.1.0 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
go.opentelemetry.io/otel v1.35.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
go.opentelemetry.io/otel v1.36.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 // indirect
go.opentelemetry.io/otel/metric v1.35.0 // indirect
go.opentelemetry.io/otel/sdk v1.34.0 // indirect
go.opentelemetry.io/otel/trace v1.35.0 // indirect
go.opentelemetry.io/otel/metric v1.36.0 // indirect
go.opentelemetry.io/otel/sdk v1.36.0 // indirect
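Review bot: the go.opentelemetry.io pins in this part of the hunk are no longer a matched set: go.opentelemetry.io/otel, otel/metric and otel/sdk move to v1.36.0 and otelhttp to v0.61.0, while otelgrpc stays at v0.60.0 and both otlptrace exporters stay at v1.34.0. The core, SDK, exporter and contrib instrumentation modules are released in lockstep, and otel/sdk v1.36.0 is also the version the OSV scanner flags for GO-2026-4394, so bump the whole go.opentelemetry.io/otel* set together (otel/sdk to v1.40.0 or later), run `go mod tidy`, and confirm with `go list -m all | grep go.opentelemetry.io` that a single release series remains.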
@coderabbitai coderabbitai Bot Mar 17, 2026

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Confirm vulnerable otel sdk pin in go.mod =="
rg -n 'go\.opentelemetry\.io/otel/sdk\s+v' go.mod

echo
echo "== Show all otel module pins for alignment check =="
rg -n 'go\.opentelemetry\.io/(otel|otel/sdk|otel/trace|otel/metric|contrib/instrumentation/net/http/otelhttp)\s+v' go.mod

echo
echo "== Find direct imports of otel sdk in repository (non-vendor) =="
rg -n --type=go 'go\.opentelemetry\.io/otel/sdk' -g '!**/vendor/**'

Repository: openshift/cluster-authentication-operator

Length of output: 607


🌐 Web query:

go.opentelemetry.io/otel/sdk v1.36.0 vulnerability CVE RCE

💡 Result:

go.opentelemetry.io/otel/sdk v1.36.0 is vulnerable to CVE-2026-24051 (aliases GHSA-9h8m-3fm2-qjrq, GO-2026-4394) on macOS/Darwin due to PATH hijacking: the SDK’s resource detection (sdk/resource/host_id.go) executes ioreg via the search PATH instead of an absolute path, so an attacker who can modify PATH can get arbitrary code execution in the application’s context. This is generally local code execution (not remote over the network). [1][2][3]

Affected range: >= 1.21.0 and < 1.40.0 (so 1.36.0 is affected). [2][3]
Fix: upgrade to v1.40.0+. [1][2][3]

Sources:
[1] NVD CVE-2026-24051 https://nvd.nist.gov/vuln/detail/CVE-2026-24051
[2] OSV / GO-2026-4394 https://osv.dev/vulnerability/GO-2026-4394
[3] GitLab advisory for CVE-2026-24051 https://advisories.gitlab.com/pkg/golang/go.opentelemetry.io/otel/sdk/CVE-2026-24051/


🌐 Web query:

OpenTelemetry SDK security advisory 1.36.0

💡 Result:

OpenTelemetry Go SDK v1.36.0 is affected by CVE-2026-24051 / GHSA-9h8m-3fm2-qjrq (published Feb 2, 2026, updated Feb 27, 2026): on macOS/Darwin, the SDK’s resource detection runs the ioreg command using the system PATH, enabling local PATH hijacking that can lead to arbitrary code execution. Affected: >= 1.21.0, < 1.40.0 (so 1.36.0 is affected). Fix: upgrade to v1.40.0+. [1][2]

Sources
[1] GHSA-9h8m-3fm2-qjrq
[2] https://advisories.gitlab.com/pkg/golang/go.opentelemetry.io/otel/sdk/resource/CVE-2026-24051/


🏁 Script executed:

#!/bin/bash
# List the published go.opentelemetry.io/otel/sdk versions using the go command, if it is
# available in the sandbox. go list reports versions only; security status comes from
# govulncheck, not from this query.
go list -m -versions go.opentelemetry.io/otel/sdk 2>/dev/null || echo "Unable to query go modules in sandbox"

Repository: openshift/cluster-authentication-operator

Length of output: 122


Blocker: vulnerable go.opentelemetry.io/otel/sdk version must be upgraded

Line 101 pins go.opentelemetry.io/otel/sdk v1.36.0, which is affected by CVE-2026-24051 (GHSA-9h8m-3fm2-qjrq). On macOS/Darwin, the SDK's resource detection runs ioreg via the system PATH without an absolute path, allowing local PATH hijacking and arbitrary code execution. Upgrade to v1.40.0 or later and ensure all go.opentelemetry.io/otel* modules remain aligned.

🧰 Tools
🪛 OSV Scanner (2.3.3)

[HIGH] 101-101: go.opentelemetry.io/otel/sdk 1.36.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk

(GO-2026-4394)


[HIGH] 101-101: go.opentelemetry.io/otel/sdk 1.36.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking

(GHSA-9h8m-3fm2-qjrq)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 101, The go.mod pins a vulnerable module version
go.opentelemetry.io/otel/sdk v1.36.0 which is affected by CVE-2026-24051; update
the module requirement to v1.40.0 or later (e.g., replace
go.opentelemetry.io/otel/sdk v1.36.0 with v1.40.0+) and run go mod tidy to
update transitive dependencies, and then verify all go.opentelemetry.io/otel*
modules in go.mod are aligned to compatible versions (upgrade any mismatched
otel modules to the same minimum safe series) so the SDK uses the fixed release.

Contributor Author

For posterity, I investigated this further and had shared my findings with @liouk in Slack.

Here is a recap of my findings:

I took a closer look and it looks like this is a long dependency chain that we are only picking up because apiservers use the otel sdk for tracing.

AFAICT the cluster-authentication-operator doesn't actually end up using this dependency, and I suspect we are not actually subject to this vulnerability.
For reference, this is the go mod why chain:

go mod why go.opentelemetry.io/otel/sdk
# go.opentelemetry.io/otel/sdk
github.com/openshift/cluster-authentication-operator/pkg/cmd/operator
github.com/openshift/library-go/pkg/controller/controllercmd
github.com/openshift/library-go/pkg/config/serving
k8s.io/apiserver/pkg/server/options
go.opentelemetry.io/otel/sdk/resource
go.opentelemetry.io/otel/sdk

github.com/openshift/library-go/pkg/controller/controllercmd doesn't actually look to use github.com/openshift/library-go/pkg/config/serving directly, so this seems to be a very transitive dependency.
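The CodeRabbit finding (move otel/sdk out of the >= 1.21.0, < 1.40.0 range and keep the otel modules aligned) and the `go mod why` reply are really two separate questions: is the pinned version inside the advisory's range, and is the affected code reachable. The script below is an added example, not part of this PR or of the operator's own tooling; it answers the first question for any go.mod, offline. The affected range is taken from the advisory text quoted in the thread, the two go.mod files it checks are constructed samples rather than the repository's file, and it never touches the module cache or the network.

```shell
#!/bin/bash
# Added example (not from this PR): report whether a go.mod pins go.opentelemetry.io/otel/sdk
# inside the range the advisory quoted in the thread gives for CVE-2026-24051 / GO-2026-4394
# (>= 1.21.0, < 1.40.0). Only the pin is checked; reachability is govulncheck's job.
set -eu

OTEL_SDK_MODULE='go.opentelemetry.io/otel/sdk'
AFFECTED_MIN='1.21.0'   # first affected release, as quoted in the thread
FIXED_IN='1.40.0'       # first fixed release, as quoted in the thread

# Print the version go.mod pins for $OTEL_SDK_MODULE with the leading "v" stripped. Handles
# direct and "// indirect" requirements, inside a require block or as a one-line require.
# Prints nothing when the module is not required at all; replace directives are ignored.
otel_sdk_version() {
  awk -v mod="$OTEL_SDK_MODULE" '
    $1 == mod                    { v = $2 }
    $1 == "require" && $2 == mod { v = $3 }
    v != ""                      { sub(/^v/, "", v); print v; exit }
  ' "$1"
}

# Numeric comparison of two dotted versions; any pre-release or pseudo-version suffix
# after "-" or "+" is dropped first. Prints -1, 0 or 1 so it works in plain POSIX sh.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    sub(/[-+].*$/, "", a); sub(/[-+].*$/, "", b)
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi < yi) { print "-1"; exit }
      if (xi > yi) { print "1"; exit }
    }
    print "0"
  }'
}

# Exit 0 when go.mod pins otel/sdk inside [AFFECTED_MIN, FIXED_IN); exit 1 when the pin is
# outside that range or the module is not required at all.
otel_sdk_affected() {
  v=$(otel_sdk_version "$1")
  [ -n "$v" ] || return 1
  [ "$(vercmp "$v" "$AFFECTED_MIN")" -ge 0 ] && [ "$(vercmp "$v" "$FIXED_IN")" -lt 0 ]
}

# Write a constructed sample go.mod (not the repository's real file) that pins the given
# otel/sdk version alongside the otel core modules, mirroring the shape of the hunk above.
make_sample_gomod() {
  cat > "$1" <<EOF
module example.com/constructed/sample

go 1.24

require (
	go.opentelemetry.io/otel v1.36.0 // indirect
	go.opentelemetry.io/otel/sdk $2 // indirect
	go.opentelemetry.io/otel/trace v1.36.0 // indirect
)
EOF
}

# Dry run over two constructed files: the pin this PR merges and the first fixed release.
main() {
  tmp=$(mktemp -d)
  make_sample_gomod "$tmp/as-merged.mod" v1.36.0
  make_sample_gomod "$tmp/fixed.mod" v1.40.0
  for f in "$tmp/as-merged.mod" "$tmp/fixed.mod"; do
    if otel_sdk_affected "$f"; then
      echo "$f: $OTEL_SDK_MODULE v$(otel_sdk_version "$f") is in the affected range; bump to v$FIXED_IN or later and run 'go mod tidy'"
    else
      echo "$f: $OTEL_SDK_MODULE v$(otel_sdk_version "$f") is outside the affected range"
    fi
  done
  rm -rf "$tmp"
}

main
```

A range hit is necessary but not sufficient: `go mod why` only shows that a package is imported along some chain, and `govulncheck ./...` goes one step further by reporting a finding only when the vulnerable symbols are reachable in the call graph, so it is the tool that settles the reachability question the reply raises. Whatever that answer is, an indirect requirement is raised with `go get go.opentelemetry.io/otel/sdk@v1.40.0` followed by `go mod tidy`, keeping the other go.opentelemetry.io/otel* modules on the matching release series.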

Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!

go.opentelemetry.io/otel/trace v1.36.0 // indirect
go.opentelemetry.io/proto/otlp v1.5.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.27.0 // indirect
go.yaml.in/yaml/v2 v2.4.2 // indirect
go.yaml.in/yaml/v2 v2.4.3 // indirect
go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/crypto v0.45.0 // indirect
golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
golang.org/x/oauth2 v0.27.0 // indirect
golang.org/x/oauth2 v0.30.0 // indirect
golang.org/x/sync v0.18.0 // indirect
golang.org/x/sys v0.38.0 // indirect
golang.org/x/term v0.37.0 // indirect
golang.org/x/text v0.31.0 // indirect
golang.org/x/time v0.9.0 // indirect
golang.org/x/tools v0.38.0 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect
google.golang.org/grpc v1.72.1 // indirect
google.golang.org/protobuf v1.36.5 // indirect
gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a // indirect
google.golang.org/grpc v1.72.2 // indirect
google.golang.org/protobuf v1.36.8 // indirect
gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/kms v0.34.1 // indirect
k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
k8s.io/kms v0.35.2 // indirect
k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 // indirect
sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
sigs.k8s.io/randfill v1.0.0 // indirect
sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
sigs.k8s.io/yaml v1.6.0 // indirect
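Review bot: google.golang.org/genproto/googleapis/rpc moves to v0.0.0-20250528174236-200df99c418a while google.golang.org/genproto/googleapis/api, a direct requirement earlier in this go.mod, stays at v0.0.0-20250303144028-a0af3efb3deb; the two are submodules of one repository and are normally kept at the same pseudo-version, so either align googleapis/api to the same commit or state in the PR description why tidy pulled only rpc forward. The remaining bumps here (grpc v1.72.2, protobuf v1.36.8, json-patch.v4 v4.13.0, k8s.io/kms v0.35.2, kube-openapi, sigs.k8s.io/json) are consistent with the k8s.io v0.35.2 move.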