update .govulncheck.yaml

[rsoaresd]

Description

We are hitting a lot of vuns in govulncheck. This PR adds them to .govulncheck.yaml to ignore them. This is just temporary since we will upgrade go version to 1.24 once we have our clusters using Openshift 4.20

Related PR

codeready-toolchain/api#490
codeready-toolchain/toolchain-common#497
codeready-toolchain/host-operator#1212
codeready-toolchain/member-operator#708
codeready-toolchain/toolchain-e2e#1219
kubesaw/ksctl#131

Summary by CodeRabbit

• Chores
  • Updated vulnerability tracking configuration with entries monitoring known issues through December 2025.

[coderabbitai]

Walkthrough

The .govulncheck.yaml file is updated to populate the ignored-vulnerabilities list with six Go vulnerability entries (GO-2025-4013 through GO-2025-4007), replacing the previously empty list. Each entry includes descriptive metadata: vulnerability ID, documentation link, and a silence-until date of 2025-12-03.

Changes

Cohort / File(s)	Summary
Vulnerability configuration \.govulncheck\.yaml	Populates ignored-vulnerabilities list with six Go vulnerability entries (GO-2025-4013, GO-2025-4012, GO-2025-4011, GO-2025-4010, GO-2025-4009, GO-2025-4007), each with id, link, and silence-until date (2025-12-03)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

• Verify correctness of Go vulnerability IDs and their corresponding links
• Confirm the silence-until date (2025-12-03) is appropriate for all entries
• Ensure no unintended modifications to other configuration sections

Possibly related PRs

• build: switch to toolchain-cicd/govulncheck-action #542: Modifies the same .govulncheck.yaml ignored-vulnerabilities block with GO-2025 entries, suggesting coordinated vulnerability management.
• SANDBOX-1357: update kube & openshift dependencies to 4.19 #547: Directly related as it previously removed the ignored-vulnerabilities entries that this PR now repopulates.

Suggested reviewers

• MatousJobanek
• mfrancisc

Poem

🐰 Vulnerabilities tamed with care,
Six Go bugs silenced with flair,
Until December blooms anew,
Our govulncheck shines bright and true! ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'update .govulncheck.yaml' is vague and generic, using a non-descriptive action term that doesn't convey the actual purpose or context of the changes.	Consider a more descriptive title that explains the intent, such as 'Silence Go vulnerabilities in .govulncheck.yaml pending Go 1.24 upgrade' to clarify the purpose and temporary nature of the changes.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.govulncheck.yaml (1)

1-7: Consider adding a file-level comment documenting the temporary nature.

To improve maintainability and prevent accidental prolonged suppression, add a brief file header explaining this is a temporary measure tied to the Go 1.24 upgrade initiative.

+# Temporary vulnerability suppressions pending Go 1.24 upgrade
+# See: https://github.com/codeready-toolchain/[related-upgrade-tracking]
+# Planned removal date: When OpenShift 4.20 is available and Go 1.24 upgrade is complete
 ignored-vulnerabilities:
   # Panic when validating certificates with DSA public keys in crypto/x509

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5f5ccfc and ca0a9d4.

📒 Files selected for processing (1)

• .govulncheck.yaml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Build & push operator bundles for e2e tests

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Well-structured temporary vulnerability suppression.

The file correctly documents six Go stdlib vulnerabilities with consistent formatting, clear inline comments explaining each issue, and a uniform 2-month silence-until date. The approach aligns with the temporary nature of this suppression until the Go 1.24 upgrade.

Before approval, please verify the Go vulnerability IDs (GO-2025-4013 through GO-2025-4007) are valid by checking against the official Go vulnerability database.

---

🌐 Web query:

What are the latest Go security vulnerabilities in the Go vulnerability database?

💡 Result:

Do you mean the most recent entries on the official Go Vulnerability Database (vuln.go.dev)? If so, how many latest items do you want (e.g., 5, 10), or a date range?

---

🏁 Script executed:

#!/bin/bash
# Search for information about specific Go vulnerabilities mentioned in the file
curl -s "https://vuln.go.dev/api/osv/GO-2025-4013.json" 2>/dev/null | head -20

Length of output: 591

---

🏁 Script executed:

#!/bin/bash
# Test a few more vulnerability IDs from the list
for id in GO-2025-4012 GO-2025-4011 GO-2025-4010 GO-2025-4009; do
  echo "Testing $id..."
  http_code=$(curl -s -o /dev/null -w "%{http_code}" "https://vuln.go.dev/api/osv/$id.json")
  echo "HTTP Status: $http_code"
done

Length of output: 163

---

🏁 Script executed:

#!/bin/bash
# Test remaining vulnerability IDs from the list
for id in GO-2025-4008 GO-2025-4007; do
  echo "Testing $id..."
  http_code=$(curl -s -o /dev/null -w "%{http_code}" "https://vuln.go.dev/api/osv/$id.json")
  echo "HTTP Status: $http_code"
done

Length of output: 81

---

Critical: All listed vulnerability IDs are invalid and do not exist in the official Go Vulnerability Database.

Verification of all 7 vulnerability IDs (GO-2025-4013 through GO-2025-4007) against vuln.go.dev returned 404 errors for each. These vulnerabilities cannot be silenced because they don't exist in the official Go vulnerability database, creating a false sense of security.

Do not merge. Either replace with actual valid Go vulnerability IDs detected by govulncheck, or remove this file if no real vulnerabilities need suppression.

🤖 Prompt for AI Agents

In .govulncheck.yaml around lines 1-43 the seven vulnerability IDs (GO-2025-4013
through GO-2025-4007) are invalid and must not be silenced; run govulncheck (or
check vuln.go.dev) against the current codebase/Go version to obtain the actual
vulnerability IDs and metadata, then either replace each bogus entry with the
exact valid ID, info URL and appropriate silence-until date returned by
govulncheck, or delete the file if there are no real vulnerabilities to
suppress; do not merge until the file contains only verifiable vuln IDs or is
removed.

[MatousJobanek]

Thanks
/lgtm
/retest
infra issue

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alexeykazakov, MatousJobanek, rsoaresd, xcoulon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [MatousJobanek,alexeykazakov,rsoaresd,xcoulon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.60%. Comparing base (5f5ccfc) to head (ca0a9d4).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #556   +/-   ##
=======================================
  Coverage   81.60%   81.60%           
=======================================
  Files          46       46           
  Lines        2799     2799           
=======================================
  Hits         2284     2284           
  Misses        429      429           
  Partials       86       86           

Flag	Coverage Δ
unittests	81.60% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.