Skip to content

Merge https://github.com/openshift/oadp-operator:oadp-dev (7e53a85) into oadp-dev #2114

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
oadp-rebasebot-app wants to merge 3 commits into
base: oadp-dev
Choose a base branch
from
Open

Merge https://github.com/openshift/oadp-operator:oadp-dev (7e53a85) into oadp-dev #2114

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
4563671
UPSTREAM: <drop>: Updating go modules
oadp-maintainers Apr 10, 2026
057192e
UPSTREAM: <drop>: update Velero CRDs @ oadp-dev
oadp-maintainers Apr 10, 2026
1b3d013
UPSTREAM: <drop>: make bundle update
oadp-maintainers Apr 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions bundle/manifests/oadp.openshift.io_dataprotectionapplications.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -655,6 +655,10 @@ spec:
type: string
cpuRequest:
type: string
ephemeralStorageLimit:
type: string
ephemeralStorageRequest:
type: string
memoryLimit:
type: string
memoryRequest:
Expand Down Expand Up @@ -757,6 +761,10 @@ spec:
type: string
cpuRequest:
type: string
ephemeralStorageLimit:
type: string
ephemeralStorageRequest:
type: string
memoryLimit:
type: string
memoryRequest:
Expand Down
4 changes: 1 addition & 3 deletions bundle/manifests/velero.io_backuprepositories.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,9 +69,7 @@ spec:
- ""
type: string
resticIdentifier:
description: |-
ResticIdentifier is the full restic-compatible string for identifying
this repository. This field is only used when RepositoryType is "restic".
description: Deprecated
type: string
volumeNamespace:
description: |-
Expand Down
8 changes: 8 additions & 0 deletions config/crd/bases/oadp.openshift.io_dataprotectionapplications.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -655,6 +655,10 @@ spec:
type: string
cpuRequest:
type: string
ephemeralStorageLimit:
type: string
ephemeralStorageRequest:
type: string
memoryLimit:
type: string
memoryRequest:
Expand Down Expand Up @@ -757,6 +761,10 @@ spec:
type: string
cpuRequest:
type: string
ephemeralStorageLimit:
type: string
ephemeralStorageRequest:
type: string
memoryLimit:
type: string
memoryRequest:
Expand Down
4 changes: 1 addition & 3 deletions config/crd/bases/velero.io_backuprepositories.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,9 +69,7 @@ spec:
- ""
type: string
resticIdentifier:
description: |-
ResticIdentifier is the full restic-compatible string for identifying
this repository. This field is only used when RepositoryType is "restic".
description: Deprecated
type: string
volumeNamespace:
description: |-
Expand Down
46 changes: 23 additions & 23 deletions go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@ require (
)

require (
cel.dev/expr v0.24.0 // indirect
cel.dev/expr v0.25.1 // indirect
cloud.google.com/go v0.121.6 // indirect
cloud.google.com/go/auth v0.17.0 // indirect
cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
Expand Down Expand Up @@ -78,13 +78,13 @@ require (
github.com/blang/semver/v4 v4.0.0 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/chmduquesne/rollinghash v4.0.0+incompatible // indirect
github.com/cncf/xds/go v0.0.0-20251022180443-0feb69152e9f // indirect
github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/dustin/go-humanize v1.0.1 // indirect
github.com/edsrzf/mmap-go v1.2.0 // indirect
github.com/emicklei/go-restful/v3 v3.11.0 // indirect
github.com/envoyproxy/go-control-plane/envoy v1.35.0 // indirect
github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
github.com/envoyproxy/go-control-plane/envoy v1.36.0 // indirect
github.com/envoyproxy/protoc-gen-validate v1.3.0 // indirect
github.com/evanphx/json-patch/v5 v5.9.11 // indirect
github.com/fatih/color v1.18.0 // indirect
github.com/felixge/httpsnoop v1.0.4 // indirect
Expand Down Expand Up @@ -165,32 +165,32 @@ require (
github.com/x448/float16 v0.8.4 // indirect
github.com/zeebo/blake3 v0.2.4 // indirect
go.opentelemetry.io/auto/sdk v1.2.1 // indirect
go.opentelemetry.io/contrib/detectors/gcp v1.38.0 // indirect
go.opentelemetry.io/contrib/detectors/gcp v1.39.0 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
go.opentelemetry.io/otel v1.38.0 // indirect
go.opentelemetry.io/otel/metric v1.38.0 // indirect
go.opentelemetry.io/otel/sdk v1.38.0 // indirect
go.opentelemetry.io/otel/sdk/metric v1.38.0 // indirect
go.opentelemetry.io/otel/trace v1.38.0 // indirect
go.opentelemetry.io/otel v1.42.0 // indirect
go.opentelemetry.io/otel/metric v1.42.0 // indirect
go.opentelemetry.io/otel/sdk v1.42.0 // indirect
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai bot Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Querying OSV for go.opentelemetry.io/otel/sdk@v1.42.0 ..."
curl -s https://api.osv.dev/v1/query \
  -H 'Content-Type: application/json' \
  -d '{"package":{"ecosystem":"Go","name":"go.opentelemetry.io/otel/sdk"},"version":"v1.42.0"}' \
  | jq -r '
    .vulns[]? as $v
    | "id=\($v.id) aliases=\(($v.aliases // [])|join(",")) summary=\($v.summary // "n/a")",
      ($v.affected[]?.ranges[]?.events[]? | select(has("fixed")) | "fixed=\(.fixed)")
  '

echo "Confirming pinned version in go.mod ..."
rg -n 'go\.opentelemetry\.io/otel/sdk v1\.42\.0' go.mod

Repository: openshift/oadp-operator

Length of output: 367

Fix HIGH security advisory in otel/sdk v1.42.0.

Line 173 pins go.opentelemetry.io/otel/sdk v1.42.0, which contains GHSA-hfvc-g4fc-pqhx (CVE-2026-39883)—a PATH hijacking vulnerability via unqualified BSD kenv command. Upgrade to v1.43.0 or later before merge.

🧰 Tools
🪛 OSV Scanner (2.3.5)

[HIGH] 173-173: go.opentelemetry.io/otel/sdk 1.42.0: opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking

(GHSA-hfvc-g4fc-pqhx)

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 173, The go.mod entry pins the vulnerable module
go.opentelemetry.io/otel/sdk at v1.42.0; update that module requirement to
v1.43.0 or later (replace the version string for go.opentelemetry.io/otel/sdk)
and then run the Go tooling (e.g., go get go.opentelemetry.io/otel/sdk@v1.43.0
&& go mod tidy) to refresh go.sum; finally run the test/build to ensure no
breakages.

go.opentelemetry.io/otel/sdk/metric v1.42.0 // indirect
go.opentelemetry.io/otel/trace v1.42.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.27.1 // indirect
go.yaml.in/yaml/v2 v2.4.3 // indirect
golang.org/x/crypto v0.45.0 // indirect
golang.org/x/net v0.47.0 // indirect
golang.org/x/oauth2 v0.33.0 // indirect
golang.org/x/sync v0.18.0 // indirect
golang.org/x/sys v0.38.0 // indirect
golang.org/x/term v0.37.0 // indirect
golang.org/x/text v0.31.0 // indirect
golang.org/x/crypto v0.49.0 // indirect
golang.org/x/net v0.52.0 // indirect
golang.org/x/oauth2 v0.35.0 // indirect
golang.org/x/sync v0.20.0 // indirect
golang.org/x/sys v0.42.0 // indirect
golang.org/x/term v0.41.0 // indirect
golang.org/x/text v0.35.0 // indirect
golang.org/x/time v0.14.0 // indirect
golang.org/x/tools v0.38.0 // indirect
golang.org/x/tools v0.42.0 // indirect
gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
google.golang.org/genproto v0.0.0-20250603155806-513f23925822 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20251103181224-f26f9409b101 // indirect
google.golang.org/grpc v1.77.0 // indirect
google.golang.org/protobuf v1.36.10 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20260209200024-4cfbd4190f57 // indirect
google.golang.org/grpc v1.79.3 // indirect
google.golang.org/protobuf v1.36.11 // indirect
gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
Expand All @@ -202,6 +202,6 @@ require (
sigs.k8s.io/yaml v1.4.0 // indirect
)

replace github.com/vmware-tanzu/velero => github.com/openshift/velero v0.10.2-0.20260219202759-5cf28471570d
replace github.com/vmware-tanzu/velero => github.com/openshift/velero v0.10.2-0.20260408223415-82b0e3ef4406

replace github.com/kopia/kopia => github.com/migtools/kopia v0.0.0-20260211121325-b68c22afd36d
Loading