
Contributor

@rsoaresd rsoaresd commented Sep 4, 2025

Description

Update dependencies

Tool/Library         Current Version   Updates to Version
k8s.io/*             v0.31.2           v0.32.2
controller-runtime   v0.19.7           v0.20.4
controller-tools     v0.16.5           v0.17.2

Related PRs

Issue ticket number and link

SANDBOX-1357

Summary by CodeRabbit

  • New Requirements

    • Minimum Go version raised to 1.23.x (1.23.12+).
  • Chores

    • Bumped Go toolchain and refreshed Kubernetes/OpenShift stacks and many dependencies.
    • Cleared previously ignored vulnerability entries so all findings will be surfaced.
    • Enabled an additional CI linter.
  • Documentation

    • Build instructions updated to reflect the new minimum Go version.


coderabbitai bot commented Sep 4, 2025

Walkthrough

Clears ignored vulnerabilities in .govulncheck.yaml, bumps the Go toolchain to 1.23 in go.mod and README.adoc, refreshes many dependencies (Kubernetes/OpenShift, golang.org/x/*, protobuf, zap, JSON tooling, kustomize/kyaml, etc.), and enables the copyloopvar linter.

Changes

Cohort / File(s)            Summary of Changes
Security config
  ./.govulncheck.yaml       Replaced a populated ignored-vulnerabilities list (entries: GO-2025-3563, GO-2025-3750, GO-2025-3751 with metadata) with an empty array [].
Documentation
  ./README.adoc             Updated minimum Go version in Build section from 1.22.x (1.22.12+) to 1.23.x (1.23.12+).
Toolchain & dependencies
  ./go.mod                  Bumped go to 1.23.0 and toolchain to go1.23.12; upgraded Kubernetes/OpenShift libs (k8s/* to v0.32.2, controller-runtime v0.20.4, openshift/* to newer commits), refreshed many golang.org/x/*, google.golang.org/protobuf, go.uber.org/zap, JSON/OpenAPI tooling, kustomize/kyaml and other indirects; several test/dev deps updated or changed.
Linters
  ./.golangci.yml           Added copyloopvar to linters.enable.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

Thump-thump, I hop through go.mod rows,
I clear old vulns where the cold wind blows.
1.23 carrots gleam in morning light,
Linters stretch and deps take flight.
Quiet whiskers, then onward I go—🥕

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name           Status      Explanation
Description Check    ✅ Passed   Check skipped - CodeRabbit's high-level summary is enabled.
Title Check          ✅ Passed   The title "SANDBOX-1357: update kube & openshift dependencies to 4.19" concisely and accurately summarizes the primary change (upgrading Kubernetes and OpenShift dependency lines to 4.19) and matches the go.mod changes and PR objectives, making it clear and actionable for reviewers.
Docstring Coverage   ✅ Passed   No functions found in the changes. Docstring coverage check skipped.



codecov bot commented Sep 4, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.62%. Comparing base (b410cd4) to head (f61e680).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #491   +/-   ##
=======================================
  Coverage   78.62%   78.62%           
=======================================
  Files          52       52           
  Lines        2638     2638           
=======================================
  Hits         2074     2074           
  Misses        502      502           
  Partials       62       62           

go.mod Outdated
sigs.k8s.io/yaml v1.4.0 // indirect
)

replace github.com/codeready-toolchain/api => github.com/rsoaresd/api v0.0.0-20250904111715-ce08642a4499
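Review bot: this replace points github.com/codeready-toolchain/api at a personal fork (rsoaresd/api) by pseudo-version, so every build of this commit fetches code from that fork instead of the upstream module, and the repository's ci-check-gomod job rejects it ("the above replacement(s) are not allowed in go.mod", as the later run shows). Drop the replace before merge and let the require line carry the upstream pseudo-version once the api change lands; for local work against an unmerged api branch, a go.work file kept out of the commit gives the same effect without touching go.mod.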
Contributor Author

temporary, will be deleted before merge

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 4

🧹 Nitpick comments (4)
.govulncheck.yaml (2)

1-1: Clearing ignores: confirm pipeline still passes and matches org policy.

Removing all ignores is great if the code is clean; otherwise scans may fail unexpectedly. Please run govulncheck in CI and adjust as needed.


1-1: Add trailing newline to satisfy linters.

YAMLlint flags “no new line at end of file”.

-ignored-vulnerabilities: []
+ignored-vulnerabilities: []
+
go.mod (2)

39-41: Consider aligning kubectl with k8s 0.32.x.

You’re on k8s libs v0.32.1 but kubectl v0.31.2 (and cli-runtime is 0.31.x indirect). To reduce dependency skew, try bumping both to 0.32.1 and run tests.

-    k8s.io/kubectl v0.31.2
+    k8s.io/kubectl v0.32.1

12-16: Tooling/codegen sanity.

Given the bumps to OpenAPI/JSON libs and OCP APIs, ensure codegen (controller-tools v0.17.x) in your repo or build images is also updated to match OCP 4.19/K8s 1.32.

Also applies to: 114-114, 117-118, 121-122

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between 769c1bb and 1517302.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (3)
  • .govulncheck.yaml (1 hunks)
  • README.adoc (1 hunks)
  • go.mod (4 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.govulncheck.yaml

[error] 1-1: no new line character at the end of file

(new-line-at-end-of-file)

🪛 OSV Scanner (2.1.0)
go.mod

[HIGH] 37-37: golang.org/x/oauth2 0.23.0: Unexpected memory consumption during token parsing in golang.org/x/oauth2

(GO-2025-3488)


[HIGH] 37-37: golang.org/x/oauth2 0.23.0: golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability

(GHSA-6v2p-p543-phr9)


[HIGH] 102-102: golang.org/x/crypto 0.32.0: Potential denial of service in golang.org/x/crypto

(GO-2025-3487)


[HIGH] 102-102: golang.org/x/crypto 0.32.0: golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange

(GHSA-hcg3-q754-cr77)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Verify Dependencies
  • GitHub Check: GolangCI Lint
  • GitHub Check: Test with Coverage
🔇 Additional comments (5)
README.adoc (1)

11-11: Go 1.23.x bump aligns with toolchain—LGTM.

Please verify CI/build images and devcontainers use Go toolchain 1.23.12 to avoid drift.

go.mod (4)

3-5: Go 1.23.0 + toolchain 1.23.12: good upgrade.

Matches controller-runtime v0.20’s minimum Go requirement.

Ensure CI images and builders use go1.23.12.


12-16: Pinning OpenShift release-4.19 commits: OK.

Comments help future maintainers; no action needed.


22-26: Version alignment looks correct.

controller-runtime v0.20.x targets k8s 1.32 and requires Go 1.23—this matches your k8s v0.32.1 bump. (github.com)


22-26: OCP target confirmation (informational).

OpenShift 4.19 tracks Kubernetes 1.32.x, so your v0.32.x k8s deps are on target. (issues.redhat.com)

Also applies to: 39-41

go.mod Outdated
Comment on lines 22 to 26
k8s.io/api v0.32.1
k8s.io/apimachinery v0.32.1
k8s.io/client-go v0.32.1
sigs.k8s.io/controller-runtime v0.20.4
)
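Review bot: the hunk moves k8s.io/api, apimachinery and client-go to v0.32.1 but leaves k8s.io/kubectl (and the indirect k8s.io/cli-runtime) at v0.31.2, so the k8s.io/* set now spans two minor lines; bump kubectl and cli-runtime in the same commit, since the k8s.io modules are released together and are only tested against each other at the same minor. The controller-runtime v0.20.4 pairing is right for a Kubernetes 1.32 stack; re-run `go mod tidy` after the bump so go.sum drops the v0.31.x entries.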

💡 Verification agent

🧩 Analysis chain

Quick checks script (optional).

Run to surface version skew and flagged vulns for the changed modules.

Also applies to: 39-41, 125-125, 37-37, 102-103


🏁 Script executed:

#!/bin/bash
set -euo pipefail
echo "go.mod summary:"
rg -nP '^(require|replace)\b|^\t(k8s\.io/|sigs\.k8s\.io/controller-runtime|golang\.org/x/(oauth2|crypto)|github\.com/codeready-toolchain/api|k8s\.io/kubectl)\b' go.mod -n -C0 || true
echo
echo "OSV checks:"
for mod in 'golang.org/x/oauth2@v0.23.0' 'golang.org/x/crypto@v0.32.0'; do
  name="${mod%@*}"; ver="${mod#*@}"
  echo "Checking $mod ..."
  curl -s "https://api.osv.dev/v1/query" -H 'content-type: application/json' \
    --data "{\"version\":\"$ver\",\"package\":{\"name\":\"$name\",\"ecosystem\":\"Go\"}}" | jq '[.vulns[]?.id] // []'
done

Length of output: 1881


Upgrade vulnerable dependencies and align Kubernetes module versions
Vulnerability scan flagged:

  • golang.org/x/oauth2@v0.23.0: GHSA-6v2p-p543-phr9, GO-2025-3488
  • golang.org/x/crypto@v0.32.0: GHSA-hcg3-q754-cr77, GO-2025-3487

Also, k8s.io/api, apimachinery, client-go, controller-runtime are at v0.32.1 while kubectl (v0.31.2) and cli-runtime (v0.31.2) remain at v0.31.x, introducing version skew.
Bump oauth2 and crypto to patched releases (e.g. oauth2 ≥ v0.24.0, crypto ≥ v0.34.0) and standardize all Kubernetes modules to v0.32.1.
🤖 Prompt for AI Agents
In go.mod around lines 22 to 26, the project uses vulnerable
golang.org/x/oauth2@v0.23.0 and golang.org/x/crypto@v0.32.0 and has Kubernetes
module version skew between some modules at v0.31.x and others at v0.32.1;
update the oauth2 module to at least v0.24.0 and crypto to at least v0.34.0 in
go.mod, and ensure all k8s modules (k8s.io/api, k8s.io/apimachinery,
k8s.io/client-go, sigs.k8s.io/controller-runtime, kubectl, cli-runtime, etc.)
are pinned to the same v0.32.1 version to remove skew, then run `go get` / `go
mod tidy` to resolve transitive deps and verify builds/tests.
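The skew, forbidden-replace and fixed-version checks the comments above describe can be run offline against a go.mod before pushing. The following is an added example written for this page, not code from the toolchain-common repository or its CI: it reads a constructed go.mod excerpt (placeholder pseudo-version for k8s.io/utils; the replace line is the one from this PR) with a deliberately minimal stdlib parser instead of golang.org/x/mod/modfile, and applies the three policies with the fix releases the review states (x/oauth2 v0.27.0 for GO-2025-3488, x/crypto v0.35.0 for GO-2025-3487). The rule that github.com/codeready-toolchain/api may not be replaced is taken from the ci-check-gomod failure later in the thread.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed go.mod (not the project's file) reproducing the states the review
// discusses; the k8s.io/utils pseudo-version is a placeholder.
const sampleGoMod = `require (
	golang.org/x/crypto v0.32.0 // indirect
	golang.org/x/oauth2 v0.23.0
	k8s.io/api v0.32.1
	k8s.io/cli-runtime v0.31.2 // indirect
	k8s.io/client-go v0.32.1
	k8s.io/kubectl v0.31.2
	k8s.io/utils v0.0.0-20241104000000-0123456789ab
)

replace github.com/codeready-toolchain/api => github.com/rsoaresd/api v0.0.0-20250904111715-ce08642a4499
`

// Module is one entry of a require directive.
type Module struct{ Path, Version string }

// ParseGoMod is a minimal, stdlib-only reader for require and replace directives in
// block or single-line form; the real grammar lives in golang.org/x/mod/modfile.
func ParseGoMod(src string) (reqs []Module, replaces map[string]string) {
	replaces = map[string]string{}
	block := "" // directive name while inside "( ... )"
	for _, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(strings.SplitN(raw, "//", 2)[0]) // drop "// indirect" etc.
		kind, entry := block, line
		if block == "" {
			kind, entry, _ = strings.Cut(line, " ")
		}
		switch {
		case line == "" || (kind != "require" && kind != "replace"): // go, module, toolchain: ignored
		case entry == "(":
			block = kind
		case line == ")":
			block = ""
		case kind == "require":
			if f := strings.Fields(entry); len(f) >= 2 {
				reqs = append(reqs, Module{f[0], f[1]})
			}
		default: // replace: "old [version] => new [version]"
			if old, target, ok := strings.Cut(entry, "=>"); ok && strings.TrimSpace(old) != "" {
				replaces[strings.Fields(old)[0]] = strings.TrimSpace(target)
			}
		}
	}
	return reqs, replaces
}

// CompareVersions orders vMAJOR.MINOR[.PATCH] tags (negative, zero or positive);
// a "-pre" or pseudo-version suffix is ignored and components are assumed < 1000.
func CompareVersions(a, b string) int {
	key := func(v string) (k int) {
		v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "-")
		parts := append(strings.SplitN(v, ".", 3), "0", "0") // pad "1.23" to three components
		for i := 0; i < 3; i++ {
			n, _ := strconv.Atoi(parts[i])
			k = k*1000 + n
		}
		return k
	}
	return key(a) - key(b)
}

// Findings returns one line per violation of the review's three policies: k8s.io/*
// release modules share one minor version (pseudo-versions are skipped), the
// codeready-toolchain/api module is never replaced, and each module named in fixed
// is at or above its advisory fix release.
func Findings(src string, fixed map[string]string) []string {
	reqs, replaces := ParseGoMod(src)
	out, minors := []string{}, map[string][]string{}
	for _, m := range reqs {
		if p := strings.SplitN(m.Version, ".", 3); strings.HasPrefix(m.Path, "k8s.io/") && !strings.Contains(m.Version, "-") && len(p) > 1 {
			minors[p[0]+"."+p[1]] = append(minors[p[0]+"."+p[1]], m.Path+" "+m.Version)
		}
		if want, ok := fixed[m.Path]; ok && CompareVersions(m.Version, want) < 0 {
			out = append(out, fmt.Sprintf("%s %s is below fixed release %s", m.Path, m.Version, want))
		}
	}
	if len(minors) > 1 {
		out = append(out, fmt.Sprintf("k8s.io version skew across %d minor lines: %v", len(minors), minors))
	}
	if target, ok := replaces["github.com/codeready-toolchain/api"]; ok {
		out = append(out, "forbidden replace: github.com/codeready-toolchain/api => "+target)
	}
	return out
}

func main() {
	fixed := map[string]string{"golang.org/x/oauth2": "v0.27.0", "golang.org/x/crypto": "v0.35.0"}
	for _, f := range Findings(sampleGoMod, fixed) {
		fmt.Println("FINDING:", f)
	}
}
```

On the sample this reports four findings (crypto and oauth2 below their fix releases, two k8s.io minor lines, the fork replace); an empty result is the pass condition, which makes it usable as a pre-push hook by reading the real go.mod with os.ReadFile and passing its contents to Findings. Pseudo-versions are left out of the skew check and compared only on their base tag, so a module pinned to a commit is never reported, which matches how the review treats k8s.io/utils.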

github.com/prometheus/client_golang v1.19.1
github.com/prometheus/client_model v0.6.1
golang.org/x/oauth2 v0.21.0
golang.org/x/oauth2 v0.23.0
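Review bot: v0.23.0 does not clear the finding on this line. OSV keeps reporting GO-2025-3488 / GHSA-6v2p-p543-phr9 ("Unexpected memory consumption during token parsing") against golang.org/x/oauth2 0.23.0 on every later push, including the review of f61e680, the head that was merged, and the review names v0.27.0 as the first fixed release, so go straight to v0.27.0 (`go get golang.org/x/oauth2@v0.27.0 && go mod tidy`). If the reason for deferring is that the vulnerable parsing path is not reachable from this module, say so in the PR: govulncheck is call-graph aware and, with the .govulncheck.yaml ignore list now empty, it will either confirm that in CI or fail the build.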

💡 Verification agent

🧩 Analysis chain

Security: bump golang.org/x/oauth2 to >= v0.27.0 (CVE-2025-22868).

v0.23.0 is vulnerable (GO-2025-3488 / GHSA-6v2p-p543-phr9). Fixed in v0.27.0. (pkg.go.dev, go.googlesource.com, osv.dev)

-    golang.org/x/oauth2 v0.23.0
+    golang.org/x/oauth2 v0.27.0

If compatibility concerns exist, I can propose a minimal-changes bump plan.


🏁 Script executed:

#!/bin/bash
grep -n "golang.org/x/oauth2" go.mod

Length of output: 68


Upgrade golang.org/x/oauth2 to v0.27.0 to remediate CVE-2025-22868

The project depends on v0.23.0, which is affected by GO-2025-3488 (CVE-2025-22868) and fixed in v0.27.0 – bump the module accordingly. (pkg.go.dev, advisories.gitlab.com)

- golang.org/x/oauth2 v0.23.0
+ golang.org/x/oauth2 v0.27.0
🤖 Prompt for AI Agents
In go.mod around line 37, the dependency golang.org/x/oauth2 is pinned to
v0.23.0 which is vulnerable (CVE-2025-22868); update it to v0.27.0 to remediate.
Edit the go.mod entry to reference v0.27.0 (or run: go get
golang.org/x/oauth2@v0.27.0), then run go mod tidy (and update/commit go.sum)
and run the project tests/build to ensure compatibility.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (3)
go.mod (3)

37-37: Vulnerability: bump golang.org/x/oauth2 (CVE/GO-2025-3488).

v0.23.0 is flagged; upgrade to the fixed line (e.g., v0.27.0).

Apply:

-	golang.org/x/oauth2 v0.23.0
+	golang.org/x/oauth2 v0.27.0

101-101: Vulnerability: bump golang.org/x/crypto (DoS).

v0.32.0 is flagged; upgrade to ≥ v0.35.0.

Apply:

-	golang.org/x/crypto v0.32.0 // indirect
+	golang.org/x/crypto v0.35.0 // indirect

124-124: Remove personal fork replace before merge.

replace github.com/codeready-toolchain/api => github.com/rsoaresd/api … breaks reproducible builds. Drop it, and if needed use go.work locally.

Apply:

-replace github.com/codeready-toolchain/api => github.com/rsoaresd/api v0.0.0-20250904111715-ce08642a4499
🧹 Nitpick comments (2)
go.mod (2)

12-15: Pin rationale for OpenShift pseudo-versions (release-4.19).

Pseudo-versions are commit-stable. If there are release tags for 4.19 in openshift/api and library-go, prefer those; otherwise, please confirm these commits are from the release-4.19 branch and link them in the PR description.


40-40: k8s.io/utils commit pin — double-check compatibility.

Pinned to a 2024-11 commit. Likely fine, but please confirm it’s known-good with k8s v0.32.1; prefer a tag if available.

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 1517302 and e52c2ff.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod (4 hunks)
🧰 Additional context used
🪛 OSV Scanner (2.1.0)
go.mod

[HIGH] 37-37: golang.org/x/oauth2 0.23.0: Unexpected memory consumption during token parsing in golang.org/x/oauth2

(GO-2025-3488)


[HIGH] 37-37: golang.org/x/oauth2 0.23.0: golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability

(GHSA-6v2p-p543-phr9)


[HIGH] 101-101: golang.org/x/crypto 0.32.0: Potential denial of service in golang.org/x/crypto

(GO-2025-3487)


[HIGH] 101-101: golang.org/x/crypto 0.32.0: golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange

(GHSA-hcg3-q754-cr77)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Verify Dependencies
  • GitHub Check: GolangCI Lint
  • GitHub Check: Test with Coverage
🔇 Additional comments (3)
go.mod (3)

3-5: Confirm Go 1.23 toolchain availability in CI/build images.

The go 1.23.0 directive and toolchain go1.23.12 look fine; just ensure CI and dev containers use ≥1.23.12 to avoid module resolution drift.


22-25: Kubernetes stack version alignment looks good.

All core k8s modules (api, apimachinery, client-go, kubectl, cli-runtime) and controller-runtime are aligned to v0.32.1/v0.20.4, eliminating version skew.

Also applies to: 39-39, 113-115


56-57: Misc dependency refreshes look fine.

These bumps (json-patch/jsonpath, go-openapi, pflag, zap, x/*, protobuf, kube-openapi, kustomize, structured-merge-diff) are consistent with the Kubernetes/controller-runtime upgrades.

Also applies to: 62-62, 64-64, 68-68, 96-96, 100-100, 102-102, 104-105, 107-109, 116-121

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
.golangci.yml (1)

33-33: copyloopvar enabled and CI version verified; consider enabling check-alias

go.mod uses Go 1.23.0 and workflows install golangci-lint v2.0.2 (verify-dependencies.yml) and v2.1.6 (linters.yml), both ≥ v1.57.0. .golangci.yml already enables copyloopvar.
Optional: under linters.settings.copyloopvar, add:

copyloopvar:
  check-alias: true
📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between e52c2ff and 7c569c8.

📒 Files selected for processing (1)
  • .golangci.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: GolangCI Lint
  • GitHub Check: Verify Dependencies

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (2)
go.mod (2)

124-124: Drop personal fork replace before merge.

Temporary replace to github.com/rsoaresd/api will break reproducible builds. Remove it prior to merging.

-replace github.com/codeready-toolchain/api => github.com/rsoaresd/api v0.0.0-20250904111715-ce08642a4499

37-37: Security: bump golang.org/x/oauth2 to a fixed release.

v0.23.0 is vulnerable (GO-2025-3488/GHSA-6v2p-p543-phr9). Upgrade to ≥ v0.27.0.

-	golang.org/x/oauth2 v0.23.0
+	golang.org/x/oauth2 v0.27.0

After editing, run:

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 7c569c8 and b44d23a.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod (4 hunks)
🧰 Additional context used
🪛 OSV Scanner (2.1.0)
go.mod

[HIGH] 37-37: golang.org/x/oauth2 0.23.0: Unexpected memory consumption during token parsing in golang.org/x/oauth2

(GO-2025-3488)


[HIGH] 37-37: golang.org/x/oauth2 0.23.0: golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability

(GHSA-6v2p-p543-phr9)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: GolangCI Lint
  • GitHub Check: Verify Dependencies
  • GitHub Check: Test with Coverage
🔇 Additional comments (4)
go.mod (4)

12-15: OpenShift 4.19 pins look good.

Pinned to release-4.19 pseudo-versions; consistent with the PR goal.


22-25: Kubernetes stack is aligned to 1.32 — nice.

api/apimachinery/client-go/kubectl/cli-runtime at v0.32.1 and controller-runtime at v0.20.4 are version-compatible.

Also applies to: 39-39, 113-115


100-107: x/crypto and protobuf versions are up-to-date.

golang.org/x/crypto v0.36.0 includes recent fixes; google.golang.org/protobuf v1.35.1 is current.

Also applies to: 109-109


5-5: Verify Go toolchain version availability
go1.23.12 is not listed on the official Go download index; ensure this exact patch is supported in your CI/build images or update to a known-available version.

module github.com/codeready-toolchain/toolchain-common

go 1.22.0
go 1.23.0
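Review bot: `go 1.23.0` is valid and should stay. Since Go 1.21 the go directive accepts a full major.minor.patch version (`go mod tidy` writes it that way, e.g. `go 1.21.0`), so the repeated suggestion to shorten it to `go 1.23` is unnecessary and the claim that it will error is wrong; `go 1.23.0` paired with `toolchain go1.23.12` is the standard form. What does need checking is that CI images either ship go1.23.12 or leave GOTOOLCHAIN at its default of `auto` so the toolchain line can be honoured.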

⚠️ Potential issue

Fix invalid go directive format.

go.mod only accepts major.minor (e.g., go 1.23). Using 1.23.0 will error.

-go 1.23.0
+go 1.23
🤖 Prompt for AI Agents
In go.mod around line 3, the go directive is incorrectly set to "go 1.23.0";
change it to the supported major.minor format "go 1.23" so the module file uses
a valid go directive and will not error during toolchain validation.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

♻️ Duplicate comments (3)
go.mod (3)

3-3: Fix invalid Go directive format (must be major.minor).

Change go 1.23.0 → go 1.23 to satisfy go mod validation.

Apply:

-go 1.23.0
+go 1.23

37-37: Bump vulnerable golang.org/x/oauth2 (CVE/GO advisories).

v0.23.0 is flagged; upgrade to a patched release (e.g., v0.27.0).

Apply:

-	golang.org/x/oauth2 v0.23.0
+	golang.org/x/oauth2 v0.27.0
#!/bin/bash
# Verify vuln status for current vs proposed
for ver in 0.23.0 0.27.0; do
  echo "oauth2@$ver -> vulns:"
  curl -s https://api.osv.dev/v1/query -H 'content-type: application/json' \
    --data "{\"version\":\"$ver\",\"package\":{\"name\":\"golang.org/x/oauth2\",\"ecosystem\":\"Go\"}}" | jq '[.vulns[]?.id] // []'
done

124-124: Do not merge with personal fork replace; it also breaks CI.

replace github.com/codeready-toolchain/api => github.com/rsoaresd/api ... violates org policy and causes the pipeline error. Drop before merge; rely on upstream tag/pseudo-version.

Apply:

-replace github.com/codeready-toolchain/api => github.com/rsoaresd/api v0.0.0-20250910155735-270447f471cd
#!/bin/bash
# Ensure no forbidden replaces remain
rg -nP '^\s*replace\s+github\.com/codeready-toolchain/api' go.mod && { echo "Found forbidden replace"; exit 1; } || echo "OK: no forbidden replace"
📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between b44d23a and aabf156.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod (4 hunks)
🧰 Additional context used
🪛 OSV Scanner (2.1.0)
go.mod

[HIGH] 37-37: golang.org/x/oauth2 0.23.0: Unexpected memory consumption during token parsing in golang.org/x/oauth2

(GO-2025-3488)


[HIGH] 37-37: golang.org/x/oauth2 0.23.0: golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability

(GHSA-6v2p-p543-phr9)

🪛 GitHub Actions: ci-check-gomod
go.mod

[error] 1-1: the above replacement(s) are not allowed in go.mod

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: GolangCI Lint
  • GitHub Check: Verify Dependencies
🔇 Additional comments (3)
go.mod (3)

5-5: Toolchain pin looks good.

toolchain go1.23.12 is valid and consistent with the Go 1.23 line.


12-15: OK to pin OpenShift to release-4.19 commits.

Pseudo-versions point to release-4.19; no action needed.


101-107: x/* bumps look good (crypto/net/sync/sys/term/text/time).

x/crypto v0.36.0 addresses prior advisories; others are current for Go 1.23.

@sonarqubecloud

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (2)
go.mod (2)

3-3: Fix invalid go directive: must be "go 1.23" (not 1.23.0).

Go only allows major.minor in go.mod. This will fail tooling.

-go 1.23.0
+go 1.23

37-37: Security: bump golang.org/x/oauth2 to a patched version (fixes GO-2025-3488).

v0.23.0 is flagged with HIGH severity issues. Upgrade to the first fixed release (≥ v0.27.0).

-	golang.org/x/oauth2 v0.23.0
+	golang.org/x/oauth2 v0.27.0
🧹 Nitpick comments (1)
go.mod (1)

12-15: Pinned to release-4.19 pseudo-versions: OK; consider tagging or annotating stability.

Using branch-head pseudo-versions is acceptable; if tags exist, prefer them for reproducibility. Otherwise, keep these SHAs and note in the PR description why branch heads are required.

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between aabf156 and f61e680.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod (3 hunks)
🧰 Additional context used
🪛 OSV Scanner (2.1.0)
go.mod

[HIGH] 37-37: golang.org/x/oauth2 0.23.0: Unexpected memory consumption during token parsing in golang.org/x/oauth2

(GO-2025-3488)


[HIGH] 37-37: golang.org/x/oauth2 0.23.0: golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability

(GHSA-6v2p-p543-phr9)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Verify Dependencies
  • GitHub Check: GolangCI Lint
  • GitHub Check: Test with Coverage
🔇 Additional comments (7)
go.mod (7)

39-40: kubectl 0.32.2 and k8s.io/utils pin: LGTM.


91-92: Test deps updated (ginkgo/gomega): LGTM.


102-109: golang.org/x/* refresh: crypto ≥ 0.35 achieved; others current enough.

Nice. Once oauth2 is bumped, the x/* set will be consistent.


115-122: K8s indirects aligned to 0.32.2; schema libs updated: LGTM.


22-25: Approve — k8s v0.32.2 + controller-runtime v0.20.4 alignment OK.
go.sum contains no leftover v0.32.1 (sanity check returned: "No 0.32.1 found in go.sum").


29-31: Upstream toolchain/api pseudo-version OK — no personal-fork replace remains.
Confirmed: go.mod references the upstream pseudo-version and contains no replace directive for github.com/codeready-toolchain/api (scan output: "No replace for api").


5-5: CI installs Go from go.mod in main workflows; verify the custom gomod-check action.

actions/setup-go@v6 is used with go-version-file: go.mod in .github/workflows/linters.yml, test-with-coverage.yml, and verify-dependencies.yml; govulncheck also forwards go-version-file: go.mod. .github/workflows/ci-check-gomod.yml uses codeready-toolchain/toolchain-cicd/gomod-check@master and does not run setup-go — ensure that action honors go.mod or explicitly installs Go 1.23.x.

@rsoaresd rsoaresd merged commit b503285 into codeready-toolchain:master Sep 16, 2025
13 checks passed
@coderabbitai coderabbitai bot mentioned this pull request Nov 3, 2025