### Describe the bug

The `grpc_health_probe` binary bundled in the official `opm` container image (`quay.io/operator-framework/opm:v1.55.0`) is built using an outdated version of `golang.org/x/crypto` — specifically v0.31.0, which is known to be vulnerable (e.g., CVE-2025-22869). However, the `go.mod` file in the v1.55.0 release references `golang.org/x/crypto v0.38.0`.

This mismatch suggests that the binary inside the image may not be built from the latest declared dependency — either due to outdated vendored code or inclusion of a precompiled binary.
### How to Reproduce

Run the following on any system with Docker:

```shell
docker run --rm --entrypoint "" quay.io/operator-framework/opm:v1.55.0 \
  strings /bin/grpc_health_probe | grep 'golang.org/x/crypto'
```
Output:

```
vendor/golang.org/x/crypto/hkdf
vendor/golang.org/x/crypto/sha3
vendor/golang.org/x/crypto/cryptobyte
vendor/golang.org/x/crypto/cryptobyte/asn1
vendor/golang.org/x/crypto/chacha20poly1305
dep golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
```

This confirms that `grpc_health_probe` inside the image is still compiled using v0.31.0, not the secure v0.38.0 version declared in `go.mod`.
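To turn the one-off `strings | grep` check above into a repeatable comparison, here is an added Python example (not part of this issue or of the opm project). It parses the `dep` lines that a Go binary's embedded build info yields (the same lines `go version -m <binary>` prints and that `strings` surfaces) and diffs them against the `require` entries of a `go.mod`, flagging any module whose built version differs from, or is older than, the declared one. Both the build-info text and the `go.mod` fragment are constructed samples embedded inline; the `example.com/opm` module path and the gRPC version are placeholders.

```python
"""Compare the module versions embedded in a Go binary's build info with the
versions a go.mod declares, to catch a binary built from stale dependencies.
Added example; the samples below are constructed, not taken from the image."""
import re

# Constructed sample of build-info text. Real `go version -m` output separates
# the fields with tabs; `strings` output may show spaces. Both are handled.
BUILDINFO_SAMPLE = """\
vendor/golang.org/x/crypto/hkdf
dep\tgolang.org/x/crypto\tv0.31.0\th1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
dep\tgoogle.golang.org/grpc\tv1.60.0\th1:PLACEHOLDERHASH=
"""

# Constructed go.mod fragment standing in for the release's declared deps
# (module path and gRPC version are placeholders; x/crypto v0.38.0 is as stated above).
GOMOD_SAMPLE = """\
module example.com/opm

go 1.22

require (
\tgolang.org/x/crypto v0.38.0
\tgoogle.golang.org/grpc v1.60.0 // indirect
)
"""

# `dep <module> <version> [<hash>]`, any whitespace between fields.
DEP_RE = re.compile(r"^\s*dep\s+(\S+)\s+(v\S+)")


def parse_buildinfo_deps(text):
    """Map module path -> version for every `dep` line in build-info text."""
    return {m.group(1): m.group(2) for m in map(DEP_RE.match, text.splitlines()) if m}


def parse_gomod_requires(text):
    """Map module path -> version for single-line and block-form `require` entries."""
    deps, in_block = {}, False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop "// indirect" style comments
        if not line:
            continue
        if line.startswith("require ("):
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        if line.startswith("require "):
            line = line[len("require "):]
        elif not in_block:
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[1].startswith("v"):
            deps[parts[0]] = parts[1]
    return deps


def version_key(version):
    """Numeric tuple for ordering; pseudo-version and +incompatible suffixes are ignored."""
    core = version.lstrip("v").split("+", 1)[0].split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))


def find_mismatches(binary_deps, declared_deps):
    """Return (module, built, declared, is_downgrade) for each declared module whose
    embedded version differs; modules absent from the binary are skipped."""
    out = []
    for mod, declared in declared_deps.items():
        built = binary_deps.get(mod)
        if built is None or built == declared:
            continue
        out.append((mod, built, declared, version_key(built) < version_key(declared)))
    return out


if __name__ == "__main__":
    for mod, built, declared, older in find_mismatches(
        parse_buildinfo_deps(BUILDINFO_SAMPLE), parse_gomod_requires(GOMOD_SAMPLE)
    ):
        tag = "OLDER THAN DECLARED" if older else "differs"
        print(f"{mod}: built {built}, go.mod declares {declared} ({tag})")
```

In practice, feed the script the output of `go version -m /bin/grpc_health_probe` taken from inside the image and the `go.mod` of the tagged release; a non-empty mismatch list with `is_downgrade` set is exactly the condition this issue describes, and it is a cheap gate to run in CI before an image is published.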
### Affecting:

- `golang.org/x/crypto` v0.31.0 is impacted by vulnerabilities including CVE-2025-22869
- It affects downstream users who rely on `opm` base images (e.g., for catalog publishing)
- A security scan flags this version even if the `go.mod` is correct