[Release-4.19] OCPBUGS-80485,OCPBUGS-80484: Update grpc to v1.75.1-sec.1 to fix CVE-2026-33186 #731

Open
MrSanketkumar wants to merge 1 commit into openshift:release-4.19 from MrSanketkumar:grpc-patch-cve-fix-4.19

Conversation


@MrSanketkumar MrSanketkumar commented May 20, 2026

Summary

Fixes CVE-2026-33186 by updating grpc to the patched version v1.75.1-sec.1 from the openshift-sustaining fork.

Changes

  • Main module: google.golang.org/grpc => github.com/openshift-sustaining/grpc-go v1.75.1-sec.1
  • openshift/default-catalog-consistency: google.golang.org/grpc => github.com/openshift-sustaining/grpc-go v1.75.1-sec.1
  • Updated vendor directories

Summary by CodeRabbit

  • Chores
    • Updated project dependencies to newer versions for improved performance and security.
    • Applied a targeted override for the gRPC implementation to enhance stability and address compatibility/security concerns.
    • Bumped several indirect libraries to maintain consistency and reduce exposure to known vulnerabilities.
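
The replace directive above is what keeps the patched fork in place; as an added example (not code from this PR or the repository it targets), here is a stdlib-only Go check that parses a go.mod and its vendor/modules.txt and fails when google.golang.org/grpc is not redirected to github.com/openshift-sustaining/grpc-go at v1.75.1-sec.1, so a later rebase or go mod tidy that drops the override is caught in CI rather than silently reintroducing the unpatched module. The go.mod and modules.txt texts are constructed samples, and example.com/operator is a placeholder module path.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed go.mod carrying the security override in block form.
const SampleGoMod = `module example.com/operator
require google.golang.org/grpc v1.75.1
replace (
	google.golang.org/grpc => github.com/openshift-sustaining/grpc-go v1.75.1-sec.1
)
`

// Constructed go.mod where the override survives only as a comment.
const StaleGoMod = `module example.com/operator
require google.golang.org/grpc v1.75.1
// replace google.golang.org/grpc => github.com/openshift-sustaining/grpc-go v1.75.1-sec.1
`

// Constructed vendor/modules.txt excerpt; go mod vendor records a replacement on the module header line.
const SampleModulesTxt = `# github.com/go-logr/logr v1.4.3
## explicit; go 1.18
# google.golang.org/grpc v1.75.1 => github.com/openshift-sustaining/grpc-go v1.75.1-sec.1
google.golang.org/grpc
`

// Replacement is one "old [ver] => new [ver]" mapping.
type Replacement struct{ Old, OldVersion, New, NewVersion string }

// parseArrow parses "old [ver] => new [ver]"; an absent version is left "".
func parseArrow(s string) (Replacement, bool) {
	lhs, rhs, found := strings.Cut(s, "=>")
	l, r := append(strings.Fields(lhs), ""), append(strings.Fields(rhs), "")
	if !found || l[0] == "" || r[0] == "" {
		return Replacement{}, false
	}
	return Replacement{Old: l[0], OldVersion: l[1], New: r[0], NewVersion: r[1]}, true
}

// ParseGoModReplaces returns the live replace directives in go.mod text (single-line or block form); comments are stripped first.
func ParseGoModReplaces(modText string) []Replacement {
	var out []Replacement
	inBlock := false
	for _, raw := range strings.Split(modText, "\n") {
		line := strings.TrimSpace(strings.SplitN(raw, "//", 2)[0])
		switch {
		case line == "":
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			if r, ok := parseArrow(line); ok {
				out = append(out, r)
			}
		case line == "replace (":
			inBlock = true
		case strings.HasPrefix(line, "replace "):
			if r, ok := parseArrow(line[len("replace "):]); ok {
				out = append(out, r)
			}
		}
	}
	return out
}

// ParseModulesTxtReplaces returns the replacements recorded in vendor/modules.txt.
func ParseModulesTxtReplaces(text string) []Replacement {
	var out []Replacement
	for _, line := range strings.Split(text, "\n") {
		if strings.HasPrefix(line, "# ") {
			if r, ok := parseArrow(line[2:]); ok {
				out = append(out, r)
			}
		}
	}
	return out
}

// CheckOverride verifies that old is redirected to wantNew at exactly wantVersion.
func CheckOverride(reps []Replacement, old, wantNew, wantVersion string) error {
	for _, r := range reps {
		if r.Old != old {
			continue
		}
		if r.New == wantNew && r.NewVersion == wantVersion {
			return nil
		}
		return fmt.Errorf("%s => %s %s, want %s %s", old, r.New, r.NewVersion, wantNew, wantVersion)
	}
	return fmt.Errorf("%s: no replace directive found", old)
}

func main() {
	const old, fork, ver = "google.golang.org/grpc", "github.com/openshift-sustaining/grpc-go", "v1.75.1-sec.1"
	fmt.Println("patched go.mod:", CheckOverride(ParseGoModReplaces(SampleGoMod), old, fork, ver))
	fmt.Println("stale go.mod:", CheckOverride(ParseGoModReplaces(StaleGoMod), old, fork, ver))
	fmt.Println("vendor/modules.txt:", CheckOverride(ParseModulesTxtReplaces(SampleModulesTxt), old, fork, ver))
}
```

In a CI step, feed the real files (os.ReadFile) to the two parsers; checking modules.txt as well catches a vendor directory that was not regenerated after the go.mod change.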

openshift-ci-robot added labels on May 20, 2026: jira/severity-important (Referenced Jira bug's severity is important for the branch this PR is targeting), jira/valid-reference (Indicates that this PR references a valid Jira ticket of any type), jira/invalid-bug (Indicates that a referenced Jira bug is invalid for the branch this PR is targeting).

coderabbitai Bot commented May 20, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 63ed3ff9-8cc3-48c5-b059-3d3d0033745e

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Walkthrough

The PR updates indirect Go module versions in the root and openshift/default-catalog-consistency go.mod files and adds a replace directive mapping google.golang.org/grpc to github.com/openshift-sustaining/grpc-go v1.75.1-sec.1.

Changes

Dependency Version Upgrades and gRPC Override

  • Core library and logging versions (go.mod, openshift/default-catalog-consistency/go.mod): github.com/go-logr/logr updated to v1.4.3 and github.com/go-jose/go-jose/v4 updated to v4.1.1 in root and submodule.
  • Standard library, expression evaluation, and observability platform (go.mod, openshift/default-catalog-consistency/go.mod): Root module upgraded golang.org/x/mod, golang.org/x/sync, golang.org/x/tools, and updated cel.dev/expr to v0.24.0; OpenTelemetry and google.golang.org/genproto entries bumped in root; submodule updated multiple golang.org/x/* and genproto entries.
  • gRPC security override replace directives (go.mod, openshift/default-catalog-consistency/go.mod): Both root and submodule add a replace directive mapping google.golang.org/grpc to github.com/openshift-sustaining/grpc-go v1.75.1-sec.1.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (2 errors, 2 warnings)

  • Stable And Deterministic Test Names: ❌ Error. Explanation: openshift/default-catalog-consistency/test/validate/suite_test.go line 54 uses fmt.Sprintf with dynamic 'name' variable in It() test title, violating stable and deterministic test name requirement. Resolution: Replace It(fmt.Sprintf("validates image: %s", name), ...) with a static description like It("validates images from catalog", ...) and move dynamic data to test body assertions.
  • Ote Binary Stdout Contract: ❌ Error. Explanation: PR adds fmt.Println() to stdout in suite_test.go line 47 within Ginkgo Describe() setup, violating OTE Binary Stdout Contract. Resolution: Replace fmt.Println with os.Stderr write or remove debug logging from suite-level code in openshift/default-catalog-consistency/test/validate/suite_test.go:47.
  • Test Structure And Quality: ⚠️ Warning. Explanation: The Ginkgo test file violates requirements: setup in Describe block instead of BeforeEach, missing timeouts on context, and assertion messages lacking meaningful failure descriptions. Resolution: Move setup code to BeforeEach, add context.WithTimeout() for image operations, and add meaningful failure messages to all Expect(err) assertions.
  • Ipv6 And Disconnected Network Test Compatibility: ⚠️ Warning. Explanation: New Ginkgo test requires external connectivity to pull images from registry.redhat.io without using internal mirrors or caches. This fails in IPv6-only disconnected environments. Resolution: Either add [Skipped:Disconnected] to test name, or modify test to work with internal registry mirrors for disconnected CI environments.
✅ Passed checks (8 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly specifies the primary change: updating grpc to v1.75.1-sec.1 to fix CVE-2026-33186, which aligns with the main objective and the dependency changes in both go.mod files.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Microshift Test Compatibility: ✅ Passed. The PR adds a Ginkgo test that validates catalog images but doesn't interact with any Kubernetes cluster or use MicroShift-incompatible APIs.
  • Single Node Openshift (Sno) Test Compatibility: ✅ Passed. New Ginkgo test added validates container images locally with no multi-node cluster assumptions, no pod scheduling, and no topology requirements; test is SNO-compatible.
  • Topology-Aware Scheduling Compatibility: ✅ Passed. PR only modifies go.mod dependency versions to fix CVE-2026-33186; no deployment manifests or controller code are changed, so this topology-aware check is not applicable.

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci-robot

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-80485, which is invalid:

  • release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
  • expected Jira Issue OCPBUGS-80485 to depend on a bug targeting a version in 4.20.0, 4.20.z and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

This pull request references Jira Issue OCPBUGS-80484, which is invalid:

  • release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
  • expected Jira Issue OCPBUGS-80484 to depend on a bug targeting a version in 4.20.0, 4.20.z and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary

Fixes CVE-2026-33186 by updating grpc-go to patched version v1.75.1-sec.1 from openshift-sustaining fork.

Changes

  • Main module: google.golang.org/grpc => github.com/openshift-sustaining/grpc-go v1.75.1-sec.1
  • openshift/default-catalog-consistency: google.golang.org/grpc => github.com/openshift-sustaining/grpc-go v1.75.1-sec.1
  • Updated vendor directories

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot requested review from ankitathomas and dtfranz May 20, 2026 04:36
@MrSanketkumar
Author

/jira refresh

@openshift-ci-robot

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-80485, which is invalid:

  • expected dependent Jira Issue OCPBUGS-80663 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is MODIFIED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

This pull request references Jira Issue OCPBUGS-80484, which is invalid:

  • expected dependent Jira Issue OCPBUGS-80662 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is MODIFIED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@MrSanketkumar
Author

@coderabbitai review


coderabbitai Bot commented May 20, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2


Inline comments:
In `@go.mod`:
  • Line 106: Update the pinned module version for github.com/go-jose/go-jose/v4 from v4.1.1 to v4.1.4 (or later) to remediate GHSA-78h2-9frx-2jm8; after changing the version entry for github.com/go-jose/go-jose/v4, run the Go tooling (e.g., go get github.com/go-jose/go-jose/v4@v4.1.4 and go mod tidy) to refresh go.mod and go.sum so the lockfile and transitive deps are updated.
  • Line 217: Update the vulnerable OpenTelemetry module versions in go.mod by bumping the module entries for go.opentelemetry.io/otel and go.opentelemetry.io/otel/sdk to patched releases; specifically change the go.opentelemetry.io/otel line to v1.41.0 or later and the go.opentelemetry.io/otel/sdk line to v1.40.0 or later, then run `go mod tidy`/`go get` to resolve and verify the updated dependency graph and ensure builds/tests pass; target the module names "go.opentelemetry.io/otel" and "go.opentelemetry.io/otel/sdk" when making the edits.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b071406e-f9ea-4a08-99a6-fdd7750fba3a

📥 Commits

Reviewing files that changed from the base of the PR and between 4b3ad17 and b848f37.

⛔ Files ignored due to path filters (236)
  • vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/clientconn.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/credentials/credentials.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/credentials/insecure/insecure.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/credentials/tls.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/dialoptions.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/health/grpc_health_v1/health.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/health/grpc_health_v1/health_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/credentials/credentials.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/envconfig/envconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/envconfig/xds.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/grpcsync/event.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/internal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/metadata/metadata.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/resolver/dns/dns_resolver.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/status/status.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/transport/client_stream.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/transport/controlbuf.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/transport/handler_server.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/transport/http2_client.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/transport/http2_server.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/transport/http_util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/transport/server_stream.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/transport/transport.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/mem/buffer_slice.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/picker_wrapper.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/resolver/map.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/resolver/resolver.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/resolver_wrapper.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/rpc_util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/server.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/stats/handlers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/stats/stats.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/stream.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/modules.txt is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (2)
  • go.mod
  • openshift/default-catalog-consistency/go.mod

Comment thread go.mod
github.com/go-git/go-git/v5 v5.13.1 // indirect
github.com/go-gorp/gorp/v3 v3.1.0 // indirect
github.com/go-jose/go-jose/v4 v4.0.5 // indirect
github.com/go-jose/go-jose/v4 v4.1.1 // indirect
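Review bot: the go-jose bump in this hunk (github.com/go-jose/go-jose/v4 from v4.0.5 to v4.1.1, `// indirect`) stops short of v4.1.4, which the OSV Scanner finding in this thread names as the first version fixed for GHSA-78h2-9frx-2jm8 (JWE decryption panic), so the hunk leaves a known issue in place. Raise the requirement to `github.com/go-jose/go-jose/v4 v4.1.4 // indirect`, and because this repository vendors its dependencies (the changed set includes vendor/github.com/go-jose/go-jose/v4/jwe.go and vendor/modules.txt), follow `go mod tidy` with `go mod vendor` so go.sum, the vendored sources and modules.txt move together; a build with -mod=vendor fails if go.mod and vendor/modules.txt disagree.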

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

What is the first patched version of github.com/go-jose/go-jose/v4 for GHSA-78h2-9frx-2jm8, and is v4.1.1 affected?

💡 Result:

The first patched version of github.com/go-jose/go-jose/v4 for GHSA-78h2-9frx-2jm8 is v4.1.4 [1]. Yes, v4.1.1 is affected (the advisory lists affected versions as < 4.1.4) [1].


Bump go-jose to v4.1.4 to address GHSA-78h2-9frx-2jm8.

Line 106 pins github.com/go-jose/go-jose/v4 to v4.1.1, which is vulnerable to GHSA-78h2-9frx-2jm8. Upgrade to v4.1.4 or later before merge.

🧰 Tools
🪛 OSV Scanner (2.3.8)

[HIGH] 106-106: github.com/go-jose/go-jose/v4 4.1.1: Go JOSE Panics in JWE decryption

(GHSA-78h2-9frx-2jm8)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 106, update the pinned module version for github.com/go-jose/go-jose/v4 from v4.1.1 to v4.1.4 (or later) to remediate GHSA-78h2-9frx-2jm8; after changing the version entry for github.com/go-jose/go-jose/v4, run the Go tooling (e.g., go get github.com/go-jose/go-jose/v4@v4.1.4 and go mod tidy) to refresh go.mod and go.sum so the lockfile and transitive deps are updated.

Comment thread go.mod
go.opentelemetry.io/auto/sdk v1.1.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 // indirect
go.opentelemetry.io/otel v1.34.0 // indirect
go.opentelemetry.io/otel v1.37.0 // indirect
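Review bot: the go.opentelemetry.io/otel bump in this hunk, from v1.34.0 to v1.37.0, moves the module into the range the OSV Scanner finding in this thread gives for GHSA-mh2q-q3fh-2475 (>= v1.36.0, <= v1.40.0), a range v1.34.0 was outside of, so for that advisory the hunk is a step backwards rather than a neutral indirect bump. If the newer version is forced by the grpc-go replacement's own requirements, say so in the PR description; in either case run govulncheck against this module to learn whether the baggage header extraction path is reachable, and prefer bumping to v1.41.0 (and go.opentelemetry.io/otel/sdk to v1.40.0, which the finding also calls out) followed by `go mod tidy` and `go mod vendor`.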

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

What are the first patched versions for:

  1. GHSA-mh2q-q3fh-2475 in go.opentelemetry.io/otel
  2. GHSA-9h8m-3fm2-qjrq and GHSA-hfvc-g4fc-pqhx (GO-2026-4394) in go.opentelemetry.io/otel/sdk?

Is version 1.37.0 affected?

💡 Result:

  1. GHSA-mh2q-q3fh-2475 (go.opentelemetry.io/otel): first patched version v1.41.0 for go.opentelemetry.io/otel (the advisory lists patched version v1.41.0) [1][2]. Affected versions: >= v1.36.0, <= v1.40.0 [1].
  2. GHSA-9h8m-3fm2-qjrq and GHSA-hfvc-g4fc-pqhx (GO-2026-4394) (go.opentelemetry.io/otel/sdk): first patched version v1.40.0 for go.opentelemetry.io/otel/sdk (the pkg.go.dev vuln entry shows affected versions are “from v1.21.0 before v1.40.0”) [3]. A downstream dependency update corroborates this: sdk@v1.36.0 is replaced with sdk@v1.40.0 to resolve GO-2026-4394 [4].

Is version 1.37.0 affected?

  • GHSA-mh2q-q3fh-2475: yes. The advisory states affected versions are >= v1.36.0 and <= v1.40.0, which includes 1.37.0 [1].
  • GO-2026-4394 (GHSA-9h8m-3fm2-qjrq / GHSA-hfvc-g4fc-pqhx): yes, because affected versions are “from v1.21.0 before v1.40.0”, which includes 1.37.0 [3].


Upgrade go.opentelemetry.io/otel and go.opentelemetry.io/otel/sdk to patched versions.

Lines 217 and 221 contain vulnerable versions that are affected by:

Upgrade to:

  • go.opentelemetry.io/otel → v1.41.0 or later
  • go.opentelemetry.io/otel/sdk → v1.40.0 or later

🧰 Tools
🪛 OSV Scanner (2.3.8)

[HIGH] 217-217: go.opentelemetry.io/otel 1.37.0: OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote dos amplification)

(GHSA-mh2q-q3fh-2475)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 217, update the vulnerable OpenTelemetry module versions in go.mod by bumping the module entries for go.opentelemetry.io/otel and go.opentelemetry.io/otel/sdk to patched releases; specifically change the go.opentelemetry.io/otel line to v1.41.0 or later and the go.opentelemetry.io/otel/sdk line to v1.40.0 or later, then run `go mod tidy`/`go get` to resolve and verify the updated dependency graph and ensure builds/tests pass; target the module names "go.opentelemetry.io/otel" and "go.opentelemetry.io/otel/sdk" when making the edits.

@MrSanketkumar MrSanketkumar changed the title [Release-4.19] OCPBUGS-80485,OCPBUGS-80484: Update grpc-go to v1.75.1-sec.1 to fix CVE-2026-33186 [Release-4.19] OCPBUGS-80485,OCPBUGS-80484: Update grpc to v1.75.1-sec.1 to fix CVE-2026-33186 May 20, 2026
@MrSanketkumar MrSanketkumar force-pushed the grpc-patch-cve-fix-4.19 branch from b848f37 to 360fbb9 May 20, 2026 04:56
@MrSanketkumar
Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented May 20, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@openshift-ci-robot

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-80485, which is invalid:

  • expected dependent Jira Issue OCPBUGS-80663 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is MODIFIED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

This pull request references Jira Issue OCPBUGS-80484, which is invalid:

  • expected dependent Jira Issue OCPBUGS-80662 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is MODIFIED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@openshift/default-catalog-consistency/go.mod`:
- Line 46: update the vulnerable dependency version in go.mod by bumping the module github.com/go-jose/go-jose/v4 from v4.1.1 to v4.1.4 (or later); edit the go.mod entry for github.com/go-jose/go-jose/v4 and then run `go get github.com/go-jose/go-jose/v4@v4.1.4` (or the chosen patched version) followed by `go mod tidy` to ensure go.sum is updated and the project builds cleanly.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b8fcfbc3-3574-4969-9ab5-13ec1ed0cd84

📥 Commits

Reviewing files that changed from the base of the PR and between b848f37 and 360fbb9.

⛔ Files ignored due to path filters (259)
  • vendor/golang.org/x/oauth2/internal/transport.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/oauth2/oauth2.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/oauth2/pkce.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/oauth2/token.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/oauth2/transport.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sync/errgroup/errgroup.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_linux_riscv64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_riscv64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/security_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/syscall_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/types_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/zsyscall_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/term/terminal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ast/inspector/inspector.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ast/inspector/typeof.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/packages/golist.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/packages/packages.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/types/typeutil/callee.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/analysisinternal/analysis.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/astutil/cursor/cursor.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/packagesinternal/packages.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/stdlib/deps.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/stdlib/manifest.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/stdlib/stdlib.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/genproto/googleapis/api/annotations/annotations.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/genproto/googleapis/api/annotations/client.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/genproto/googleapis/api/annotations/field_behavior.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/genproto/googleapis/api/annotations/field_info.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/genproto/googleapis/api/annotations/http.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/genproto/googleapis/api/annotations/resource.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/genproto/googleapis/api/annotations/routing.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/checked.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/eval.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/explain.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/syntax.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/value.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/genproto/googleapis/api/httpbody/httpbody.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/genproto/googleapis/api/launch_stage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/genproto/googleapis/rpc/errdetails/error_details.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/MAINTAINERS.md is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/balancer/balancer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/balancer/base/balancer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/balancer/endpointsharding/endpointsharding.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/clientconn.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/credentials/credentials.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/credentials/insecure/insecure.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/credentials/tls.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/dialoptions.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/health/grpc_health_v1/health.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/health/grpc_health_v1/health_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/credentials/credentials.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/envconfig/envconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/envconfig/xds.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/grpcsync/event.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/internal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/metadata/metadata.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/resolver/dns/dns_resolver.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/status/status.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/transport/client_stream.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/transport/controlbuf.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/transport/handler_server.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/transport/http2_client.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/transport/http2_server.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/transport/http_util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/transport/server_stream.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/internal/transport/transport.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/mem/buffer_slice.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/picker_wrapper.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/resolver/map.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/resolver/resolver.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/resolver_wrapper.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/rpc_util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/server.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/stats/handlers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/stats/stats.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/stream.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/grpc/version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/modules.txt is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (2)
  • go.mod
  • openshift/default-catalog-consistency/go.mod

github.com/go-git/go-git/v5 v5.16.0 // indirect
github.com/go-jose/go-jose/v4 v4.0.5 // indirect
github.com/go-logr/logr v1.4.2 // indirect
github.com/go-jose/go-jose/v4 v4.1.1 // indirect
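Review bot: the github.com/go-jose/go-jose/v4 pin at v4.1.1 in this go.mod excerpt is still below v4.1.4, which the query result in this comment reports as the first patched version for GHSA-78h2-9frx-2jm8, so this bump does not clear that advisory; move the pin to v4.1.4 or later, then run `go mod tidy` and `go mod vendor` so go.sum and vendor/modules.txt (which this PR already updates) stay consistent with the new requirement.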

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

What is the first patched version for GHSA-78h2-9frx-2jm8 in github.com/go-jose/go-jose/v4, and is v4.1.1 affected?

💡 Result:

First patched version for GHSA-78h2-9frx-2jm8 in github.com/go-jose/go-jose/v4 is v4.1.4, and v4.1.1 is affected (because the advisory states all versions < 4.1.4 are affected, and 4.1.4 is the first patched/fixed version). [1] Conclusion on v4.1.1: Yes, v4.1.1 is affected; it falls under the advisory’s affected range “< 4.1.4”, and the patched versions list starts at “4.1.4”. [1]

Citations:


Upgrade github.com/go-jose/go-jose/v4 to a patched version.

Line 46 pins github.com/go-jose/go-jose/v4 to v4.1.1, which is affected by GHSA-78h2-9frx-2jm8. Bump to v4.1.4 or later before merge.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@openshift/default-catalog-consistency/go.mod` at line 46, update the
vulnerable dependency version in go.mod by bumping the module
github.com/go-jose/go-jose/v4 from v4.1.1 to v4.1.4 (or later); edit the go.mod
entry for github.com/go-jose/go-jose/v4 and then run `go get
github.com/go-jose/go-jose/v4@v4.1.4` (or the chosen patched version) followed
by `go mod tidy` to ensure go.sum is updated and the project builds cleanly.
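The finding above asks for go-jose to move to v4.1.4, and the PR's main change is a replace directive that points google.golang.org/grpc at the openshift-sustaining fork. The following is an added example, not code from CodeRabbit, from this PR or from the project, of the check a reviewer can run over a go.mod before approving a dependency bump: it parses require and replace directives, applies the replacements, and reports every module whose effective version is below a first-patched-version table. The go.mod text, the policy table and the grpc require version are constructed for the example; the go-jose v4.1.1 pin, the v4.1.4 threshold and the grpc replace mirror the lines shown in this PR.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Requirement is a dependency as the build resolves it; Source is the module actually fetched (a fork under a replace).
type Requirement struct{ Source, Version string }

// ParseGoMod reads require and replace directives (single-line or block form) and maps each required path to what gets built.
func ParseGoMod(src string) map[string]Requirement {
	reqs, replaces := map[string]Requirement{}, map[string]Requirement{}
	section := "" // "require" or "replace" while inside a parenthesised block
	for _, raw := range strings.Split(src, "\n") {
		line, _, _ := strings.Cut(raw, "//") // drop "// indirect" and other comments
		line = strings.TrimSpace(line)
		if line == ")" || strings.HasSuffix(line, "(") { // block delimiters: "require (" ... ")"
			section = strings.TrimSpace(strings.TrimSuffix(strings.TrimSuffix(line, ")"), "("))
			continue
		}
		kind := section
		if kind == "" { // single-line directive: the keyword comes first
			kind, line, _ = strings.Cut(line, " ")
		}
		switch kind {
		case "require":
			if f := strings.Fields(line); len(f) == 2 {
				reqs[f[0]] = Requirement{Source: f[0], Version: f[1]}
			}
		case "replace": // "old [vOld] => new vNew"; a directory replace has no version and is skipped
			old, repl, _ := strings.Cut(line, "=>")
			if o, r := strings.Fields(old), strings.Fields(repl); len(o) > 0 && len(r) == 2 {
				replaces[o[0]] = Requirement{Source: r[0], Version: r[1]}
			}
		}
	}
	for path, r := range replaces { // applied last, so directive order in the file does not matter
		reqs[path] = r
	}
	return reqs
}

// splitVersion turns "v1.75.1-sec.1" into numbers {1,75,1} and pre-release "sec.1".
func splitVersion(v string) (n [3]int, pre string) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+") // build metadata never affects order
	v, pre, _ = strings.Cut(v, "-")
	for i, p := range strings.SplitN(v, ".", 3) {
		n[i], _ = strconv.Atoi(p)
	}
	return n, pre
}

// VersionLess reports whether a precedes b in module semver order: numbers first, and a
// pre-release such as v1.75.1-sec.1 sorts before its release v1.75.1.
func VersionLess(a, b string) bool {
	an, ap := splitVersion(a)
	bn, bp := splitVersion(b)
	for i := range an {
		if an[i] != bn[i] {
			return an[i] < bn[i]
		}
	}
	return ap != bp && (bp == "" || ap != "" && ap < bp)
}

// Finding is a module whose effective version is below its first patched version.
type Finding struct{ Module, Have, Want string }

// CheckMinimumVersions compares effective versions against a path -> first-patched table.
func CheckMinimumVersions(reqs map[string]Requirement, minVersions map[string]string) []Finding {
	var out []Finding
	for mod, want := range minVersions {
		if r, ok := reqs[mod]; ok && VersionLess(r.Version, want) {
			out = append(out, Finding{Module: mod, Have: r.Version, Want: want})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Module < out[j].Module })
	return out
}

// sampleGoMod is constructed for this example, not the PR's go.mod; its go-jose pin and grpc replace mirror lines shown in the PR.
const sampleGoMod = `module example.com/constructed-sample
require (
	github.com/go-jose/go-jose/v4 v4.1.1 // indirect
	google.golang.org/grpc v1.75.1
)
replace google.golang.org/grpc => github.com/openshift-sustaining/grpc-go v1.75.1-sec.1
`

var minPatched = map[string]string{"github.com/go-jose/go-jose/v4": "v4.1.4"} // constructed table; v4.1.4 is from the review finding

func main() {
	reqs := ParseGoMod(sampleGoMod)
	fmt.Printf("findings: %+v\ngrpc resolves to: %+v\n", CheckMinimumVersions(reqs, minPatched), reqs["google.golang.org/grpc"])
}
```

Run with `go run`: the findings list go-jose at v4.1.1 against the v4.1.4 threshold, while grpc resolves to the sustaining fork at v1.75.1-sec.1. One caveat the fork build raises: VersionLess orders v1.75.1-sec.1 before v1.75.1, so a table entry of plain v1.75.1 would flag the fork even though it carries the fix. Give forked builds their own table entry, or verify the replace target through Source and Version instead of a minimum version.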

@MrSanketkumar
Author

/retest

@MrSanketkumar
Author

/test verify-deps

@MrSanketkumar MrSanketkumar force-pushed the grpc-patch-cve-fix-4.19 branch from 360fbb9 to f163619 Compare May 20, 2026 05:56
@MrSanketkumar MrSanketkumar force-pushed the grpc-patch-cve-fix-4.19 branch from f163619 to 7d69a9b Compare May 20, 2026 06:04
@openshift-ci
Contributor

openshift-ci Bot commented May 20, 2026

@MrSanketkumar: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@MrSanketkumar
Author

/jira refresh

@openshift-ci-robot

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-80485, which is invalid:

  • expected dependent Jira Issue OCPBUGS-80663 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is MODIFIED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

This pull request references Jira Issue OCPBUGS-80484, which is invalid:

  • expected dependent Jira Issue OCPBUGS-80662 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is MODIFIED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@tmshort
Contributor

tmshort commented May 20, 2026

/lgtm
/approve
The main change is to use a sustaining version of grpc.

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 20, 2026
@openshift-ci
Contributor

openshift-ci Bot commented May 20, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: MrSanketkumar, tmshort

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 20, 2026
@MrSanketkumar
Author

/jira refresh

@openshift-ci-robot

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-80485, which is invalid:

  • expected dependent Jira Issue OCPBUGS-80663 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is ON_QA instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

This pull request references Jira Issue OCPBUGS-80484, which is invalid:

  • expected dependent Jira Issue OCPBUGS-80662 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is ON_QA instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@MrSanketkumar
Author

/jira refresh

@openshift-ci-robot

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-80485, which is invalid:

  • expected dependent Jira Issue OCPBUGS-80663 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is ON_QA instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

This pull request references Jira Issue OCPBUGS-80484, which is invalid:

  • expected dependent Jira Issue OCPBUGS-80662 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is ON_QA instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@tmshort
Contributor

tmshort commented May 21, 2026

/verified by tmshort

This is a dependency bump and all CI passed.

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label May 21, 2026
@openshift-ci-robot

@tmshort: This PR has been marked as verified by tmshort.

Details

In response to this:

/verified by tmshort

This is a dependency bump and all CI passed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@MrSanketkumar
Author

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels May 22, 2026
@openshift-ci-robot

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-80485, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.19.z) matches configured target version for branch (4.19.z)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note text is set and does not match the template
  • dependent bug Jira Issue OCPBUGS-80663 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-80663 targets the "4.20.z" version, which is one of the valid target versions: 4.20.0, 4.20.z
  • bug has dependents

No GitHub users were found matching the public email listed for the QA contact in Jira (ocp-sustaining-admins@redhat.com), skipping review request.

This pull request references Jira Issue OCPBUGS-80484, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.19.z) matches configured target version for branch (4.19.z)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note text is set and does not match the template
  • dependent bug Jira Issue OCPBUGS-80662 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-80662 targets the "4.20.z" version, which is one of the valid target versions: 4.20.0, 4.20.z
  • bug has dependents

No GitHub users were found matching the public email listed for the QA contact in Jira (ocp-sustaining-admins@redhat.com), skipping review request.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. verified Signifies that the PR passed pre-merge verification criteria

3 participants