Merged
Changes from 7 commits
1 change: 1 addition & 0 deletions .golangci.yml
Expand Up @@ -30,6 +30,7 @@ linters:
- testifylint
- unparam
- zerologlint
- copyloopvar
disable:
- contextcheck
- noctx
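Review bot: enabling copyloopvar is only correct together with the go directive bump to 1.23 that this same PR makes in go.mod; the linter reports per-iteration copies such as `x := x` as redundant, which holds only for modules whose go directive is 1.22 or later. If the go.mod change is ever reverted on its own, this linter has to be disabled with it, or it will push people to delete copies that are still needed.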
20 changes: 1 addition & 19 deletions .govulncheck.yaml
@@ -1,19 +1 @@
ignored-vulnerabilities:
# Request smuggling due to acceptance of invalid chunked data in net/http
# Found in Found in: net/http/[email protected]
# Fixed in Fixed in: net/http/[email protected]
- id: GO-2025-3563
info: https://pkg.go.dev/vuln/GO-2025-3563
silence-until: 2025-10-02
# Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows in os in syscall
# Found in Found in: [email protected]
# Fixed in Fixed in: [email protected]
- id: GO-2025-3750
info: https://pkg.go.dev/vuln/GO-2025-3750
silence-until: 2025-10-02
# Sensitive headers not cleared on cross-origin redirect in net/http
# Found in Found in: net/[email protected]
# Fixed in Fixed in: net/[email protected]
- id: GO-2025-3751
info: https://pkg.go.dev/vuln/GO-2025-3751
silence-until: 2025-10-02
ignored-vulnerabilities: []
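Review bot: dropping the three silences is justified by the toolchain bump in go.mod: the removed comments give the fix versions as 1.23.8 (GO-2025-3563, GO-2025-3750) and 1.23.10 (GO-2025-3751), and go.mod now pins `toolchain go1.23.12`, which is past both. Worth confirming that the CI job running govulncheck actually resolves that toolchain rather than an older preinstalled Go (GOTOOLCHAIN=local would ignore the toolchain directive), otherwise the scan starts failing on the un-silenced IDs. The empty `ignored-vulnerabilities: []` is the right end state; any future entry should keep the `silence-until` key the removed ones had, since that expiry is what forces these to be revisited.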
2 changes: 1 addition & 1 deletion README.adoc
Expand Up @@ -8,7 +8,7 @@ This repo is for controllers, libs, scripts, make files, etc to be shared betwee

== Build

Requires Go version 1.22.x (1.22.12 or higher) - download for your development environment https://golang.org/dl/[here].
Requires Go version 1.23.x (1.23.12 or higher) - download for your development environment https://golang.org/dl/[here].

This repository uses https://github.com/golang/go/wiki/Modules[Go modules].

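Review bot: "1.23.12 or higher" matches the new `toolchain go1.23.12` line in go.mod, but the sentence still sends readers to download Go by hand; with the default GOTOOLCHAIN=auto the go command fetches go1.23.12 itself when the local toolchain is older, so the README could say that instead. Note also that the `go 1.23.0` directive in go.mod is what enforces the minimum, not this sentence, so the two need to be bumped together in future.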
76 changes: 37 additions & 39 deletions go.mod
@@ -1,28 +1,28 @@
module github.com/codeready-toolchain/toolchain-common

go 1.22.0
go 1.23.0

⚠️ Potential issue

Fix invalid go directive format.

go.mod only accepts major.minor (e.g., go 1.23). Using 1.23.0 will error.

-go 1.23.0
+go 1.23
🤖 Prompt for AI Agents
In go.mod around line 3, the go directive is incorrectly set to "go 1.23.0";
change it to the supported major.minor format "go 1.23" so the module file uses
a valid go directive and will not error during toolchain validation.


toolchain go1.22.12
toolchain go1.23.12

require (
github.com/go-logr/logr v1.4.2
github.com/golang-jwt/jwt/v5 v5.2.2
github.com/lestrrat-go/jwx v1.2.29
github.com/magiconair/properties v1.8.5
// using latest commit from 'github.com/openshift/api branch release-4.18'
github.com/openshift/api v0.0.0-20250410062700-d6c84c55a124
// using latest commit from 'github.com/openshift/library-go branch release-4.18'
github.com/openshift/library-go v0.0.0-20250403134058-7c43fdf96c62
// using latest commit from 'github.com/openshift/api branch release-4.19'
github.com/openshift/api v0.0.0-20250903165707-ce7baf0afbc4
// using latest commit from 'github.com/openshift/library-go branch release-4.19'
github.com/openshift/library-go v0.0.0-20250826065405-6d18d1191f49
github.com/pkg/errors v0.9.1
github.com/redhat-cop/operator-utils v1.3.8
github.com/stretchr/testify v1.10.0
gopkg.in/go-jose/go-jose.v2 v2.6.3
gopkg.in/h2non/gock.v1 v1.0.14
gotest.tools v2.2.0+incompatible
k8s.io/api v0.31.2
k8s.io/apimachinery v0.31.2
k8s.io/client-go v0.31.2
sigs.k8s.io/controller-runtime v0.19.7
k8s.io/api v0.32.1
k8s.io/apimachinery v0.32.1
k8s.io/client-go v0.32.1
sigs.k8s.io/controller-runtime v0.20.4
)

💡 Verification agent

🧩 Analysis chain

Quick checks script (optional).

Run to surface version skew and flagged vulns for the changed modules.

Also applies to: 39-41, 125-125, 37-37, 102-103


🏁 Script executed:

#!/bin/bash
set -euo pipefail
# Print the require/replace headers and the modules of interest from go.mod.
echo "go.mod summary:"
rg -nP '^(require|replace)\b|^\t(k8s\.io/|sigs\.k8s\.io/controller-runtime|golang\.org/x/(oauth2|crypto)|github\.com/codeready-toolchain/api|k8s\.io/kubectl)\b' go.mod -C0 || true
echo
# Query OSV for each module@version and list the matching advisory IDs.
echo "OSV checks:"
for mod in 'golang.org/x/[email protected]' 'golang.org/x/[email protected]'; do
  name="${mod%@*}"; ver="${mod#*@}"
  echo "Checking $mod ..."
  curl -s "https://api.osv.dev/v1/query" -H 'content-type: application/json' \
    --data "{\"version\":\"$ver\",\"package\":{\"name\":\"$name\",\"ecosystem\":\"Go\"}}" | jq '[.vulns[]?.id] // []'
done

Length of output: 1881


Upgrade vulnerable dependencies and align Kubernetes module versions
Vulnerability scan flagged:

  • golang.org/x/[email protected]: GHSA-6v2p-p543-phr9, GO-2025-3488
  • golang.org/x/[email protected]: GHSA-hcg3-q754-cr77, GO-2025-3487

  Also, k8s.io/api, apimachinery, client-go and controller-runtime are at v0.32.1 while kubectl (v0.31.2) and cli-runtime (v0.31.2) remain at v0.31.x, introducing version skew.
  Bump oauth2 and crypto to patched releases (e.g. oauth2 ≥ v0.24.0, crypto ≥ v0.34.0) and standardize all Kubernetes modules on v0.32.1.
🤖 Prompt for AI Agents
In go.mod around lines 22 to 26, the project uses vulnerable
golang.org/x/[email protected] and golang.org/x/[email protected] and has Kubernetes
module version skew between some modules at v0.31.x and others at v0.32.1;
update the oauth2 module to at least v0.24.0 and crypto to at least v0.34.0 in
go.mod, and ensure all k8s modules (k8s.io/api, k8s.io/apimachinery,
k8s.io/client-go, sigs.k8s.io/controller-runtime, kubectl, cli-runtime, etc.)
are pinned to the same v0.32.1 version to remove skew, then run `go get` / `go
mod tidy` to resolve transitive deps and verify builds/tests.


require (
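Review bot: the `go 1.23.0` directive is valid and the suggestion above to rewrite it as `go 1.23` should not be applied: since Go 1.21 the go directive accepts the full major.minor.patch form, and the line being replaced, `go 1.22.0`, already used it. Pairing `go 1.23.0` (minimum language version) with `toolchain go1.23.12` (the toolchain actually used to build) is the intended shape. On the dependency side, the skew reported by the verification comment above is not present in this diff: kubectl and cli-runtime are bumped to v0.32.1 in the later hunks and golang.org/x/crypto to v0.36.0, so the k8s.io/* v0.32.1 and controller-runtime v0.20.4 lines here are consistent. The openshift/api and library-go pseudo-versions move from release-4.18 to release-4.19, which is the branch pair that tracks Kubernetes 1.32; keep the two branch comments in step with the k8s.io versions on future bumps.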
Expand All @@ -34,10 +34,10 @@ require (
github.com/migueleliasweb/go-github-mock v0.0.18
github.com/prometheus/client_golang v1.19.1
github.com/prometheus/client_model v0.6.1
golang.org/x/oauth2 v0.21.0
golang.org/x/oauth2 v0.23.0

💡 Verification agent

🧩 Analysis chain

Security: bump golang.org/x/oauth2 to >= v0.27.0 (CVE-2025-22868).

v0.23.0 is vulnerable (GO-2025-3488 / GHSA-6v2p-p543-phr9). Fixed in v0.27.0. (pkg.go.dev, go.googlesource.com, osv.dev)

-    golang.org/x/oauth2 v0.23.0
+    golang.org/x/oauth2 v0.27.0

If compatibility concerns exist, I can propose a minimal-changes bump plan.


🏁 Script executed:

#!/bin/bash
grep -n "golang.org/x/oauth2" go.mod

Length of output: 68


Upgrade golang.org/x/oauth2 to v0.27.0 to remediate CVE-2025-22868

The project depends on v0.23.0, which is affected by GO-2025-3488 (CVE-2025-22868) and fixed in v0.27.0 – bump the module accordingly. (pkg.go.dev, advisories.gitlab.com)

- golang.org/x/oauth2 v0.23.0
+ golang.org/x/oauth2 v0.27.0
🧰 Tools
🪛 OSV Scanner (2.1.0)

[HIGH] 37-37: golang.org/x/oauth2 0.23.0: Unexpected memory consumption during token parsing in golang.org/x/oauth2 (GO-2025-3488)

[HIGH] 37-37: golang.org/x/oauth2 0.23.0: golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability (GHSA-6v2p-p543-phr9)
🤖 Prompt for AI Agents
In go.mod around line 37, the dependency golang.org/x/oauth2 is pinned to
v0.23.0 which is vulnerable (CVE-2025-22868); update it to v0.27.0 to remediate.
Edit the go.mod entry to reference v0.27.0 (or run: go get
golang.org/x/[email protected]), then run go mod tidy (and update/commit go.sum)
and run the project tests/build to ensure compatibility.

gopkg.in/yaml.v2 v2.4.0
k8s.io/kubectl v0.31.2
k8s.io/utils v0.0.0-20240921022957-49e7df575cb6
k8s.io/kubectl v0.32.1
k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738
)

require (
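Review bot: golang.org/x/oauth2 lands at v0.23.0 here, which is still below v0.27.0, the fix version the OSV comment above gives for GO-2025-3488 (CVE-2025-22868); since this PR also empties the govulncheck ignore list, a reachable use of the affected token-parsing path will now fail the scan instead of being silenced. Bumping to v0.27.0 in the same PR (`go get golang.org/x/[email protected]` followed by `go mod tidy`) keeps the dependency set and the scanner config consistent. The kubectl v0.32.1 and k8s.io/utils bumps in this hunk do line up with the k8s.io/* v0.32.1 versions above.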
Expand All @@ -53,19 +53,19 @@ require (
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
github.com/emicklei/go-restful/v3 v3.11.0 // indirect
github.com/evanphx/json-patch/v5 v5.9.0 // indirect
github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
github.com/evanphx/json-patch/v5 v5.9.11 // indirect
github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
github.com/fsnotify/fsnotify v1.7.0 // indirect
github.com/fxamacker/cbor/v2 v2.7.0 // indirect
github.com/go-errors/errors v1.4.2 // indirect
github.com/go-logr/zapr v1.3.0 // indirect
github.com/go-openapi/jsonpointer v0.19.6 // indirect
github.com/go-openapi/jsonpointer v0.21.0 // indirect
github.com/go-openapi/jsonreference v0.20.2 // indirect
github.com/go-openapi/swag v0.22.4 // indirect
github.com/go-openapi/swag v0.23.0 // indirect
github.com/goccy/go-json v0.10.2 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/golang/protobuf v1.5.4 // indirect
github.com/google/btree v1.1.3 // indirect
github.com/google/gnostic-models v0.6.8 // indirect
github.com/google/go-querystring v1.1.0 // indirect
github.com/google/gofuzz v1.2.0 // indirect
Expand All @@ -88,39 +88,37 @@ require (
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/onsi/ginkgo/v2 v2.20.1 // indirect
github.com/onsi/gomega v1.34.2 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/prometheus/common v0.55.0 // indirect
github.com/prometheus/procfs v0.15.1 // indirect
github.com/shopspring/decimal v1.2.0 // indirect
github.com/spf13/cast v1.3.1 // indirect
github.com/spf13/pflag v1.0.5 // indirect
github.com/spf13/pflag v1.0.6 // indirect
github.com/x448/float16 v0.8.4 // indirect
github.com/xlab/treeprint v1.2.0 // indirect
go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.26.0 // indirect
golang.org/x/crypto v0.31.0 // indirect
golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
golang.org/x/net v0.33.0 // indirect
golang.org/x/sync v0.10.0 // indirect
golang.org/x/sys v0.28.0 // indirect
golang.org/x/term v0.27.0 // indirect
golang.org/x/text v0.21.0 // indirect
golang.org/x/time v0.3.0 // indirect
go.uber.org/zap v1.27.0 // indirect
golang.org/x/crypto v0.36.0 // indirect
golang.org/x/net v0.38.0 // indirect
golang.org/x/sync v0.12.0 // indirect
golang.org/x/sys v0.31.0 // indirect
golang.org/x/term v0.30.0 // indirect
golang.org/x/text v0.23.0 // indirect
golang.org/x/time v0.7.0 // indirect
gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
google.golang.org/protobuf v1.34.2 // indirect
google.golang.org/protobuf v1.35.1 // indirect
gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/apiextensions-apiserver v0.31.2 // indirect
k8s.io/cli-runtime v0.31.2 // indirect
k8s.io/apiextensions-apiserver v0.32.1 // indirect
k8s.io/cli-runtime v0.32.1 // indirect
k8s.io/klog/v2 v2.130.1 // indirect
k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
sigs.k8s.io/kustomize/api v0.17.2 // indirect
sigs.k8s.io/kustomize/kyaml v0.17.1 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect
sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
sigs.k8s.io/kustomize/api v0.18.0 // indirect
sigs.k8s.io/kustomize/kyaml v0.18.1 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
sigs.k8s.io/yaml v1.4.0 // indirect
)

replace github.com/codeready-toolchain/api => github.com/rsoaresd/api v0.0.0-20250904111715-ce08642a4499
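Review bot: the new `replace github.com/codeready-toolchain/api => github.com/rsoaresd/api ...` line must not reach the merged module (the author says below that it is temporary). Two reasons beyond trust in a personal fork: it redirects a first-party dependency to an individual account, and replace directives in a library module are ignored by consumers, so anything that only builds against the fork will break in every repository that imports toolchain-common. The PR is marked merged while this diff view still shows the line, so confirm it was dropped from main; a CI check that fails on `replace` lines pointing outside the codeready-toolchain org would prevent a repeat.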
Contributor Author

temporary, will be deleted before merge
