[release-4.15] OCPBUGS-79889: Bump google.golang.org/grpc to v1.79.3

[ocp-sustaining-admins]

This is an automated PR from the ARC system.

Go version used: go1.20.14

Patch applied: github.com/openshift-sustaining/[email protected]

Modules affected: .

The commands used to generate this PR were:

go mod edit -replace google.golang.org/grpc=github.com/openshift-sustaining/[email protected]
go mod tidy
go mod vendor

A member of the Red Hat Openshift Sustaining Team will review the PR and take appropriate action.

Summary by CodeRabbit

• Chores
  • Updated Go module dependencies to latest stable versions, including security and performance improvements for core libraries.

[openshift-ci-robot]

@ocp-sustaining-admins: This pull request references Jira Issue OCPBUGS-79889, which is invalid:

• expected the bug to be open, but it isn't
• expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is Closed (Not a Bug) instead
• release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
• expected Jira Issue OCPBUGS-79889 to depend on a bug targeting a version in 4.16.0, 4.16.z and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

This is an automated PR from the ARC system.

Go version used: go1.20.14

Patch applied: github.com/openshift-sustaining/[email protected]

Modules affected: .

The commands used to generate this PR were:

go mod edit -replace google.golang.org/grpc=github.com/openshift-sustaining/[email protected]
go mod tidy
go mod vendor

A member of the Red Hat Openshift Sustaining Team will review the PR and take appropriate action.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ocp-sustaining-admins
Once this PR has been reviewed and has the lgtm label, please assign adambkaplan for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @ocp-sustaining-admins. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

Walkthrough

Updates Go module dependencies in go.mod across logging, system utilities, protobuf, UUID generation, cryptographic and networking libraries, gRPC, and tools. Adds a replace directive to use an OpenShift-maintained gRPC fork for security patching.

Changes

Dependency Version Bumps and Fork Redirect

Layer / File(s)	Summary
Core library and utility version updates go.mod	Bumps github.com/go-logr/logr (v1.3.0 → v1.4.1), golang.org/x/sys (v0.17.0 → v0.21.0), github.com/golang/protobuf (v1.5.3 → v1.5.4), github.com/google/uuid (v1.4.0 → v1.6.0), golang.org/x/tools to v0.21.1-0.20240508182429-e35e4ccd0d2d, and google.golang.org/genproto/googleapis/rpc to a newer revision.
golang.org/x/ suite updates* go.mod	Bumps multiple golang.org/x/* indirect dependencies (crypto, mod, net, oauth2, sync, term, text, time) to newer versions aligned with x/sys and x/tools updates.
gRPC version bump and OpenShift fork redirect go.mod	Upgrades google.golang.org/grpc (v1.58.3 → v1.62.1) and adds a replace directive to use github.com/openshift-sustaining/grpc-go v1.64.1-sec.1 for security patching.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The PR title references bumping google.golang.org/grpc to v1.79.3, but the actual changes show the version was bumped to v1.62.1 with a replace directive to v1.64.1-sec.1, not v1.79.3.	Update the PR title to accurately reflect the actual version bump: google.golang.org/grpc to v1.62.1 with replace to v1.64.1-sec.1, or verify the intended version matches the implementation.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR only modifies go.mod/go.sum (dependency versions). No test code was changed. The custom check applies only to Ginkgo test naming, which is not applicable here.
Test Structure And Quality	✅ Passed	This PR contains no Ginkgo test code. The repository uses standard Go testing (testing.T) with testify/assert. The custom check for Ginkgo quality is not applicable.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. The PR only modifies go.mod/go.sum and vendor dependencies. The custom check condition (new tests with It(), Describe(), etc.) is not triggered.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR only modifies go.mod with dependency updates. It does not add any new Ginkgo e2e tests. The SNO compatibility check only applies when new tests are added, so it is not applicable here.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only updates go.mod dependencies. No deployment manifests, operator code, or controllers are modified. Topology-aware scheduling check is not applicable.
Ote Binary Stdout Contract	✅ Passed	PR introduces no new stdout writes in process-level code. Changes are dependency updates and a minor function call signature modification. No OTE Stdout Contract violations.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR does not add Ginkgo e2e tests—only Go unit tests and dependency updates. The check is not applicable.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[kunalmemane]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Around line 118-121: Update the vulnerable indirect module pins in go.mod for
golang.org/x/crypto and golang.org/x/oauth2 to patched releases: replace the
current versions for the symbols golang.org/x/crypto and golang.org/x/oauth2
with the latest security-patched tags, run go get <module>@<patched-version> and
go mod tidy to update go.sum, then run your test suite and static analyses; if
you cannot upgrade, add a documented suppression with reachability evidence and
justification referencing those exact module symbols.
- Line 127: The go.mod currently uses a replace directive pointing to
github.com/openshift-sustaining/grpc-go v1.64.1-sec.1 (a fork based on v1.64.1)
while the PR title claims v1.79.3; inspect the replace entry in go.mod and
verify whether that fork backports the CVE-2026-33186 fix from upstream
v1.79.3—if it does, update the PR title/description to state the actual forked
version and include proof (commit hash or changelog); if it does not, either
switch the dependency to upstream google.golang.org/grpc v1.79.3 or vendor a
proper patched fork that contains the fix, then update the go.mod
replace/directive and PR metadata accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: d98d2c9a-52cd-47e7-b38b-b2dd85296bc3

📥 Commits

Reviewing files that changed from the base of the PR and between 5c5fbe0 and e9df6d1.

⛔ Files ignored due to path filters (261)

• go.sum is excluded by !**/*.sum
• vendor/github.com/go-logr/logr/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-logr/logr/context.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-logr/logr/context_noslog.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-logr/logr/context_slog.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-logr/logr/logr.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-logr/logr/sloghandler.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-logr/logr/slogr.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-logr/logr/slogsink.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/golang/protobuf/jsonpb/decode.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/golang/protobuf/jsonpb/encode.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/golang/protobuf/jsonpb/json.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/golang/protobuf/ptypes/any.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/google/uuid/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/google/uuid/hash.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/google/uuid/time.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/google/uuid/uuid.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/google/uuid/version6.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/google/uuid/version7.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/crypto/chacha20/chacha_ppc64le.s is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/crypto/internal/poly1305/sum_ppc64le.s is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/crypto/ocsp/ocsp.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/crypto/sha3/hashes.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/crypto/sha3/hashes_generic.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/crypto/sha3/hashes_noasm.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/crypto/sha3/sha3.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/crypto/sha3/sha3_s390x.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/crypto/sha3/shake.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/crypto/sha3/shake_generic.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/crypto/sha3/shake_noasm.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/crypto/sha3/xor.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/crypto/sha3/xor_generic.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/crypto/sha3/xor_unaligned.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/crypto/ssh/client_auth.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/crypto/ssh/keys.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/crypto/ssh/server.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/mod/modfile/read.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/mod/modfile/rule.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http/httpguts/httplex.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/frame.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/http2.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/pipe.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/server.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/timer.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/transport.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/writesched_priority.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/proxy/per_host.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sync/errgroup/errgroup.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sync/semaphore/semaphore.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/cpu/cpu.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/cpu/cpu_arm64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/cpu/cpu_arm64.s is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/cpu/cpu_gc_arm64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/cpu/cpu_linux_arm64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/execabs/execabs.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/execabs/execabs_go118.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/execabs/execabs_go119.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/aliases.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/asm_zos_s390x.s is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/bpxsvc_zos.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/bpxsvc_zos.s is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/epoll_zos.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/fstatfs_zos.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/mkerrors.sh is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/mmap_nomremap.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/pagesize_unix.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/readdirent_getdirentries.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/sockcmsg_zos.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/symaddr_zos_s390x.s is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/syscall_darwin_libSystem.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/syscall_freebsd.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/syscall_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/syscall_zos_s390x.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/sysvshm_unix.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/sysvshm_unix_other.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_386.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_zos_s390x.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsymaddr_zos_s390x.s is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_zos_s390x.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_386.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_zos_s390x.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_386.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_amd64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_arm.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_arm64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_loong64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_mips.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_mips64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_mips64le.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_mipsle.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_ppc.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_ppc64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_ppc64le.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_riscv64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_s390x.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_sparc64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_zos_s390x.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/windows/aliases.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/windows/empty.s is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/windows/security_windows.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/windows/syscall_windows.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/windows/types_windows.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/windows/zsyscall_windows.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/time/rate/rate.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/gcexportdata/gcexportdata.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/internal/packagesdriver/sizes.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/packages/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/packages/external.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/packages/golist.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/packages/golist_overlay.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/packages/packages.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/types/objectpath/objectpath.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/aliases/aliases.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/aliases/aliases_go121.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/aliases/aliases_go122.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/event/keys/util.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/event/tag/tag.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/gcimporter/gcimporter.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/gcimporter/iexport.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/gcimporter/iimport.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/gcimporter/support_go117.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/gcimporter/support_go118.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/gcimporter/unified_no.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/gcimporter/unified_yes.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/gcimporter/ureader_no.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/gcimporter/ureader_yes.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/gocommand/invoke.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/gocommand/vendor.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/packagesinternal/packages.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/pkgbits/decoder.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/stdlib/manifest.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/stdlib/stdlib.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/tokeninternal/tokeninternal.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typeparams/common.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typeparams/coretype.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typeparams/enabled_go117.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typeparams/enabled_go118.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typeparams/normalize.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typeparams/termlist.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typeparams/typeparams_go117.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typeparams/typeparams_go118.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typeparams/typeterm.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typesinternal/errorcode.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typesinternal/objectpath.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typesinternal/recv.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typesinternal/toonew.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typesinternal/types.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typesinternal/types_118.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/versions/features.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/versions/gover.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/versions/toolchain.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/versions/toolchain_go119.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/versions/toolchain_go120.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/versions/toolchain_go121.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/versions/types.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/versions/types_go121.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/versions/types_go122.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/versions/versions.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/MAINTAINERS.md is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/Makefile is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/attributes/attributes.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/balancer/balancer.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/balancer_conn_wrappers.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/balancer_wrapper.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/clientconn.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/codegen.sh is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/codes/codes.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/credentials/credentials.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/credentials/tls.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/dialoptions.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/encoding/encoding.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/encoding/proto/proto.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/backoff/backoff.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/config.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/binarylog/method_logger.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/binarylog/sink.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/buffer/unbounded.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/channelz/channel.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/channelz/channelmap.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/channelz/funcs.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/channelz/id.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/channelz/logging.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/channelz/server.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/channelz/socket.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/channelz/subchannel.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/channelz/syscall_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/channelz/syscall_nonlinux.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/channelz/trace.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/channelz/types.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/envconfig/envconfig.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/envconfig/xds.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/experimental.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/grpcrand/grpcrand.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/grpcrand/grpcrand_go1.21.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/grpcsync/callback_serializer.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/grpcutil/compressor.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/idle/idle.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/internal.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/pretty/pretty.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/resolver/dns/dns_resolver.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/resolver/dns/internal/internal.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/resolver/unix/unix.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/status/status.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/tcp_keepalive_others.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/tcp_keepalive_unix.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/tcp_keepalive_windows.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/controlbuf.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/handler_server.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/http2_client.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/http2_server.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/http_util.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/proxy.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/transport/transport.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/internal/xds_handshake_cluster.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/metadata/metadata.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/peer/peer.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/picker_wrapper.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/pickfirst.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/regenerate.sh is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/resolver/dns/dns_resolver.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/resolver/map.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/resolver/resolver.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/resolver_conn_wrapper.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/resolver_wrapper.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/rpc_util.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/server.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/service_config.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/stats/stats.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/stream.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/stream_interfaces.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/tap/tap.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/trace.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/trace_notrace.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/trace_withtrace.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/version.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/grpc/vet.sh is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/protoadapt/convert.go is excluded by !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (1)

• go.mod

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify currently pinned versions in go.mod and query OSV for known vulns.

set -euo pipefail

echo "Pinned versions:"
rg -n '^\s*golang\.org/x/crypto\s+|^\s*golang\.org/x/oauth2\s+' go.mod

echo
echo "OSV query: golang.org/x/[email protected]"
curl -s https://api.osv.dev/v1/query -H 'Content-Type: application/json' \
  -d '{"package":{"ecosystem":"Go","name":"golang.org/x/crypto"},"version":"v0.24.0"}' | jq '.vulns[]?.id'

echo
echo "OSV query: golang.org/x/[email protected]"
curl -s https://api.osv.dev/v1/query -H 'Content-Type: application/json' \
  -d '{"package":{"ecosystem":"Go","name":"golang.org/x/oauth2"},"version":"v0.18.0"}' | jq '.vulns[]?.id'

Repository: openshift/builder

Length of output: 448

---

Bump vulnerable dependencies to patched versions before merge.

Lines 118 and 121 pin versions with known security advisories:

• golang.org/x/crypto v0.24.0 has 9 known vulnerabilities (GHSA-f6x5-jh6r-wrfv, GHSA-hcg3-q754-cr77, GHSA-j5w8-q4qc-rx2x, GHSA-v778-237x-gjrc, and others)
• golang.org/x/oauth2 v0.18.0 has 2 known vulnerabilities (GHSA-6v2p-p543-phr9, GO-2025-3488)

Update to patched releases or document a justified suppression with reachability evidence.

🧰 Tools

🪛 OSV Scanner (2.3.8)

[CRITICAL] 118-118: golang.org/x/crypto 0.24.0: Misuse of connection.serverAuthenticate may cause authorization bypass in golang.org/x/crypto

(GO-2024-3321)

---

[CRITICAL] 118-118: golang.org/x/crypto 0.24.0: Potential denial of service in golang.org/x/crypto

(GO-2025-3487)

---

[CRITICAL] 118-118: golang.org/x/crypto 0.24.0: Potential denial of service in golang.org/x/crypto/ssh/agent

(GO-2025-4116)

---

[CRITICAL] 118-118: golang.org/x/crypto 0.24.0: Unbounded memory consumption in golang.org/x/crypto/ssh

(GO-2025-4134)

---

[CRITICAL] 118-118: golang.org/x/crypto 0.24.0: Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent

(GO-2025-4135)

---

[CRITICAL] 118-118: golang.org/x/crypto 0.24.0: golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read

(GHSA-f6x5-jh6r-wrfv)

---

[CRITICAL] 118-118: golang.org/x/crypto 0.24.0: golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange

(GHSA-hcg3-q754-cr77)

---

[CRITICAL] 118-118: golang.org/x/crypto 0.24.0: golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption

(GHSA-j5w8-q4qc-rx2x)

---

[CRITICAL] 118-118: golang.org/x/crypto 0.24.0: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto

(GHSA-v778-237x-gjrc)

---

[HIGH] 121-121: golang.org/x/oauth2 0.18.0: Unexpected memory consumption during token parsing in golang.org/x/oauth2

(GO-2025-3488)

---

[HIGH] 121-121: golang.org/x/oauth2 0.18.0: golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability

(GHSA-6v2p-p543-phr9)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 118 - 121, Update the vulnerable indirect module pins in
go.mod for golang.org/x/crypto and golang.org/x/oauth2 to patched releases:
replace the current versions for the symbols golang.org/x/crypto and
golang.org/x/oauth2 with the latest security-patched tags, run go get
<module>@<patched-version> and go mod tidy to update go.sum, then run your test
suite and static analyses; if you cannot upgrade, add a documented suppression
with reachability evidence and justification referencing those exact module
symbols.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Show grpc require+replace entries proving effective dependency mapping.
set -euo pipefail
rg -n 'google\.golang\.org/grpc|openshift-sustaining/grpc-go' go.mod

Repository: openshift/builder

Length of output: 201

---

🌐 Web query:

Does github.com/openshift-sustaining/grpc-go tag v1.64.1-sec.1 include the fix for CVE-2026-33186, and what upstream grpc-go base version does it map to?

💡 Result:

No definitive evidence was found that the tag github.com/openshift-sustaining/grpc-go v1.64.1-sec.1 includes the specific fix for CVE-2026-33186, nor what upstream google.golang.org/grpc version that tag maps to. What the sources do show: CVE-2026-33186 is fixed in google.golang.org/grpc v1.79.3 [1][2]. Multiple OpenShift Sustaining changes that remediate the CVE do so by bumping google.golang.org/grpc to v1.79.3 [3][4]. However, none of the retrieved sources contains information mapping the specific OpenShift Sustaining fork/tag v1.64.1-sec.1 to an upstream grpc-go base version, or confirms that that particular tag contains the CVE-2026-33186 patch.

Citations:

• 1: https://www.suse.com/security/cve/CVE-2026-33186.html
• 2: https://nvd.nist.gov/vuln/detail/CVE-2026-33186
• 3: OCPBUGS-80847,OCPBUGS-80848,OCPBUGS-80849: Bump google.golang.org/grpc to v1.79.3 for CVE-2026-33186[Release-4.21] operator-framework-olm#1289
• 4: OCPBUGS-81554: CVE-2026-33186 - bump google.golang.org/grpc to v1.79.3 cluster-monitoring-operator#2872

---

🏁 Script executed:

# Check if there's any documentation or reference in the repository about this fork
rg -n 'v1\.64\.1-sec|openshift-sustaining|CVE-2026-33186' --type-list | head -5
rg -n 'v1\.64\.1-sec|openshift-sustaining|CVE-2026-33186' -i

Repository: openshift/builder

Length of output: 1022

---

🌐 Web query:

What is the github.com/openshift-sustaining/grpc-go v1.64.1-sec.1 fork and what upstream gRPC version does it patch?

💡 Result:

The repository github.com/openshift-sustaining/grpc-go (example tag v1.64.1-sec.1) is an OpenShift Sustaining-Team fork of the upstream gRPC Go implementation, used to carry security/patch changes while OpenShift is not yet ready to move to the corresponding upstream gRPC release train. However, in the sources I found, I could not locate a definitive upstream-version mapping specifically for tag v1.64.1-sec.1. What I can say with source-backed evidence: - OpenShift has used the openshift-sustaining/grpc-go fork in place of google.golang.org/grpc for CVE-related fixes (example PRs) [1]. - OpenShift PRs that reference “openshift-sustaining/grpc-go … sec” show the fork is used to avoid bumping to a newer upstream version immediately (example: “Replace google.golang.org/grpc with github.com/openshift-sustaining/grpc-go … to avoid go version bump and fix CVE-2026-33186”) [1]. But the specific question you asked—“what upstream gRPC version does v1.64.1-sec.1 patch?”—requires a direct statement from the fork (tag release notes/README/changelog) or from a PR that explicitly states the upstream base version. The sources I retrieved did not include such a statement for v1.64.1-sec.1. If you want, I can do another targeted search specifically for the tag/release notes for v1.64.1-sec.1 inside openshift-sustaining/grpc-go, or look for an OpenShift PR that mentions exactly “v1.64.1-sec.1” and names the upstream base version.

Citations:

• 1: OCPBUGS-80434: Replace google.golang.org/grpc with github.com/openshift-sustaining/grpc-go v1.75.1-sec.1 to avoid go version bump and fix CVE-2026-33186 csi-driver-nfs#178

---

🌐 Web query:

OpenShift sustaining grpc-go v1.64.1-sec.1 CVE-2026-33186 security patch details

💡 Result:

CVE-2026-33186 is a critical authorization bypass vulnerability (CVSS 9.1) in google.golang.org/grpc versions prior to 1.79.3, caused by improper validation of the HTTP/2:path pseudo-header lacking a leading slash (e.g., "Service/Method" instead of "/Service/Method"). This allows bypassing path-based authorization interceptors like grpc/authz when deny rules use canonical paths and a fallback allow exists[1][2]. The official fix rejects non-slash paths with codes.Unimplemented[1].

Citations:

• 1: https://nvd.nist.gov/vuln/detail/CVE-2026-33186
• 2: security: CVE-2026-33186 — google.golang.org/grpc Authorization Bypass (CVSS 9.1 Critical) DataDog/datadog-agent#48151

---

Version mismatch: PR title claims v1.79.3, but go.mod deploys v1.64.1-sec.1 fork.

The replace directive (line 240) points to github.com/openshift-sustaining/grpc-go v1.64.1-sec.1, a patched fork apparently based on upstream v1.64.1 (not v1.79.3 where CVE-2026-33186 is officially fixed). Confirm that this fork includes the intended security fix and update PR metadata to reflect the actual shipped version lineage.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 127, The go.mod currently uses a replace directive pointing
to github.com/openshift-sustaining/grpc-go v1.64.1-sec.1 (a fork based on
v1.64.1) while the PR title claims v1.79.3; inspect the replace entry in go.mod
and verify whether that fork backports the CVE-2026-33186 fix from upstream
v1.79.3—if it does, update the PR title/description to state the actual forked
version and include proof (commit hash or changelog); if it does not, either
switch the dependency to upstream google.golang.org/grpc v1.79.3 or vendor a
proper patched fork that contains the fix, then update the go.mod
replace/directive and PR metadata accordingly.