Update google.golang.org/genproto/googleapis/api digest to f0a9213#212
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
Hi @red-hat-konflux-kflux-prd-rh02[bot]. Thanks for your PR. I'm waiting for a openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
📝 WalkthroughSummary by CodeRabbit
Walkthrough
Estimated code review effort: 1 (Trivial) | ~3 minutes Suggested labels: dependencies, supply-chain, go.mod Suggested reviewers: module-maintainers 🚥 Pre-merge checks | ✅ 11✅ Passed checks (11 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
✨ Simplify code
Comment |
|
Closing — waiting for Go 1.26 bump (HYPERFLEET-1311). Renovate will recreate with proper go.sum after the bump. |
|
/ok-to-test |
Risk Score: 0 —
|
| Signal | Detail | Points |
|---|---|---|
| PR size | 52 lines | +0 |
| Sensitive paths | none | +0 |
Computed by hyperfleet-risk-scorer
68a4dcc to
3a37454
Compare
|
/retest |
Signed-off-by: red-hat-konflux-kflux-prd-rh02 <190377777+red-hat-konflux-kflux-prd-rh02[bot]@users.noreply.github.com>
3a37454 to
ebda401
Compare
ℹ️ Artifact update noticeFile name: go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@go.mod`:
- Line 128: Upgrade the indirect golang.org/x/crypto dependency in go.mod from
v0.51.0 to v0.52.0 or later and refresh go.sum so the module graph resolves to
the fixed release; keep the change scoped to the dependency entry and ensure any
related checksum updates are included.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Central YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: 9aa26284-7dae-4456-aff8-82343a9eac50
⛔ Files ignored due to path filters (1)
go.sumis excluded by!**/*.sum,!**/go.sum
📒 Files selected for processing (1)
go.mod
🔗 Linked repositories identified
CodeRabbit considers these linked repositories for cross-repo context during reviews:
openshift-hyperfleet/architecture(manual)openshift-hyperfleet/hyperfleet-api(manual) → reviewed against open PR#276konflux/mintmaker/main/google.golang.org-genproto-googleapis-api-digestinstead of the default branchopenshift-hyperfleet/hyperfleet-sentinel(manual)openshift-hyperfleet/hyperfleet-adapter(manual) → reviewed against open PR#214konflux/mintmaker/main/google.golang.org-genproto-googleapis-api-digestinstead of the default branchopenshift-hyperfleet/hyperfleet-broker(manual)
| go.yaml.in/yaml/v3 v3.0.4 // indirect | ||
| golang.org/x/crypto v0.49.0 // indirect | ||
| golang.org/x/net v0.52.0 // indirect | ||
| golang.org/x/crypto v0.51.0 // indirect |
There was a problem hiding this comment.
🔒 Security & Privacy | 🔴 Critical | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf 'go.mod excerpt:\n'
nl -ba go.mod | sed -n '118,136p'
printf '\nGo crypto references:\n'
rg -n 'golang.org/x/crypto|golang.org/x/term|golang.org/x/sys' go.mod go.sumRepository: openshift-hyperfleet/hyperfleet-sentinel
Length of output: 234
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "go.mod excerpt:"
awk 'NR>=118 && NR<=136 { printf "%4d %s\n", NR, $0 }' go.mod
echo
echo "go.sum references:"
rg -n 'golang.org/x/crypto|golang.org/x/term|golang.org/x/sys' go.sum go.mod || true
echo
echo "module graph entries for golang.org/x/crypto (if go is available):"
if command -v go >/dev/null 2>&1; then
go list -m all 2>/dev/null | rg '^golang.org/x/crypto(\s|$)' || true
else
echo "go command not available"
fiRepository: openshift-hyperfleet/hyperfleet-sentinel
Length of output: 3160
🌐 Web query:
golang.org/x/crypto v0.51.0 vulnerability GO-2026 ssh agent advisories
💡 Result:
The version golang.org/x/crypto v0.51.0 is affected by multiple security vulnerabilities related to the ssh/agent package, which were addressed in version v0.52.0 [1]. Key security advisories affecting v0.51.0 include: 1. Pathological Input Panic: A vulnerability (CVE-2026-46598 / GO-2026-5033) exists where specifically crafted wire bytes can cause a client panic when creating an ed25519.PrivateKey [2][3][4]. 2. Dropped Agent Constraints: A vulnerability (CVE-2026-39832 / GO-2026-5006) occurs where constraint extensions (such as destination restrictions) are silently stripped when forwarding keys to a remote agent, potentially allowing unauthorized use of the key [5][6]. 3. Unenforced Confirmation Constraints: A vulnerability (CVE-2026-39833 / GO-2026-5005) exists where the in-memory keyring accepted but failed to enforce the ConfirmBeforeUse constraint, allowing keys to sign without the expected confirmation prompt [7][8]. These issues were resolved in golang.org/x/crypto v0.52.0, released on May 22, 2026 [9][1]. Users are advised to upgrade to v0.52.0 or later to mitigate these risks [1].
Citations:
- 1: https://www.openwall.com/lists/oss-security/2026/05/22/6
- 2: https://deps.dev/advisory/osv/GO-2026-5033
- 3: x/crypto/ssh/agent: pathological inputs can lead to client panic golang/go#79596
- 4: https://nvd.nist.gov/vuln/detail/cve-2026-46598
- 5: https://osv.dev/vulnerability/GO-2026-5006
- 6: https://nvd.nist.gov/vuln/detail/cve-2026-39832
- 7: https://deps.dev/advisory/osv/GO-2026-5005
- 8: https://nvd.nist.gov/vuln/detail/cve-2026-39833
- 9: https://groups.google.com/g/golang-announce/c/a082jnz-LvI
Upgrade golang.org/x/crypto to v0.52.0 or later.
v0.51.0 is still in the module graph and is affected by CVE-2026-39833 / GO-2026-5005, CVE-2026-39832 / GO-2026-5006, and CVE-2026-46598 / GO-2026-5033. Refresh go.sum with the fixed release.
🧰 Tools
🪛 OSV Scanner (2.4.0)
[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent
(GO-2026-5005)
[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent
(GO-2026-5006)
[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh
(GO-2026-5013)
[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh
(GO-2026-5014)
[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh
(GO-2026-5015)
[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh
(GO-2026-5016)
[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh
(GO-2026-5017)
[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh
(GO-2026-5018)
[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh
(GO-2026-5019)
[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh
(GO-2026-5020)
[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts
(GO-2026-5021)
[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh
(GO-2026-5023)
[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent
(GO-2026-5033)
[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto vulnerable to invoking bypass of certificate restrictions
[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto vulnerable to auth bypass via unenforced @revoked status
[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto is vulnerable to invoking server panic during CheckHostKey/Authenticate flow
[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto: FIDO/U2F security key physical presence check can be bypassed
[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto: Invoking pathological inputs can lead to client panic
[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto doesn't drop invoking agent constraints when forwarding keys
[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto doesn't enforce invoking key constraints
[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto: Invoking byte arithmetic causes underflow and panic
[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto: Invoking memory leak when rejecting channels can lead to DoS
[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto vulnerable to infinite loop on large channel writes
[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto: Invoking client can cause server deadlock on unexpected responses
[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto: Invoking pathological RSA/DSA parameters may cause DoS
[CRITICAL] 128-128: golang.org/x/crypto 0.51.0: golang.org/x/crypto: Invoking VerifiedPublicKeyCallback permissions skip enforcement
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@go.mod` at line 128, Upgrade the indirect golang.org/x/crypto dependency in
go.mod from v0.51.0 to v0.52.0 or later and refresh go.sum so the module graph
resolves to the fixed release; keep the change scoped to the dependency entry
and ensure any related checksum updates are included.
Sources: Path instructions, Linters/SAST tools
|
@red-hat-konflux-kflux-prd-rh02[bot]: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
This PR contains the following updates:
9d38bb4→f0a9213Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
To execute skipped test pipelines write comment
/ok-to-test.Documentation
Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.