
[release-4.12] OCPBUGS-79754: Bump google.golang.org/grpc to v1.79.3 #533

Open

ocp-sustaining-admins wants to merge 1 commit into openshift:release-4.12 from openshift-sustaining:release-4.12_CVE-2026-33186

Conversation

ocp-sustaining-admins commented May 6, 2026

This is an automated PR from the ARC system.

Go version used: go1.19.13

Patch applied: github.com/openshift-sustaining/[email protected]

Modules affected: .

The commands used to generate this PR were:

go mod edit -replace google.golang.org/grpc=github.com/openshift-sustaining/[email protected]
go mod tidy
go mod vendor

A member of the Red Hat Openshift Sustaining Team will review the PR and take appropriate action.

Summary by CodeRabbit

  • Chores
    • Updated Go module dependencies to newer versions, including security updates for gRPC and other core libraries.

@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. labels May 6, 2026
openshift-ci-robot (Contributor) commented:

@ocp-sustaining-admins: This pull request references Jira Issue OCPBUGS-79754, which is invalid:

  • expected the bug to be open, but it isn't
  • expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is Closed (Not a Bug) instead
  • release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
  • expected Jira Issue OCPBUGS-79754 to depend on a bug targeting a version in 4.13.0, 4.13.z and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label May 6, 2026
coderabbitai Bot commented May 6, 2026

Walkthrough

This PR updates multiple indirect dependencies in go.mod across logging, system utilities, hashing, protobuf tooling, compression, Prometheus, testing, and Go standard library extensions. Additionally, a replace directive pins google.golang.org/grpc to an OpenShift-sustaining fork at version v1.64.1-sec.1.

Changes

Dependency Refresh

  • Layer: Dependency version updates and replace directive
    File(s): go.mod
    Summary: Multiple indirect dependencies updated: github.com/go-logr/logr (v1.2.3 → v1.4.1), golang.org/x/sys (v0.13.0 → v0.21.0), github.com/cespare/xxhash/v2 (v2.1.2 → v2.2.0), github.com/chzyer/readline (v0.0.0-... → v1.5.0), protobuf/utility modules, compression, Prometheus/test utilities, and numerous golang.org/x/* and google.golang.org/* libraries. New indirect dependency google.golang.org/genproto/googleapis/rpc added. Replace directive added for google.golang.org/grpc pointing to github.com/openshift-sustaining/grpc-go v1.64.1-sec.1.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

  • Ote Binary Stdout Contract ❌ Error
    Explanation: cmd/main.go contains 4 fmt.Print/Printf/Println calls to stdout in main(), violating the OTE Binary Stdout Contract. These unredirected writes break CI JSON test listing.
    Resolution: Redirect stdout to stderr: replace the fmt.Print calls with fmt.Fprint(os.Stderr, ...) on lines 35, 54, 61, 113, or configure klog.SetOutput(os.Stderr).

✅ Passed checks (11 passed)

  • Description Check ✅ Passed: Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check ✅ Passed: The pull request title clearly identifies the main change, bumping google.golang.org/grpc, and addresses a specific issue (OCPBUGS-79754), which aligns with the changeset's primary objective of updating the grpc dependency via a replace directive.
  • Docstring Coverage ✅ Passed: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check ✅ Passed: Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check ✅ Passed: Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names ✅ Passed: Not applicable. PR only updates go.mod/go.sum and vendored code. All tests use standard Go testing, not Ginkgo. No Ginkgo test declarations found.
  • Test Structure And Quality ✅ Passed: Not applicable: PR contains only standard Go tests, not Ginkgo tests. Ginkgo is not in dependencies.
  • Microshift Test Compatibility ✅ Passed: No Ginkgo e2e tests were added in this PR. The PR only modifies go.mod/go.sum dependency versions. The MicroShift Test Compatibility check is not applicable.
  • Single Node Openshift (Sno) Test Compatibility ✅ Passed: PR does not add any Ginkgo e2e tests. Only unit tests using the standard Go testing package. The SNO check applies only to new Ginkgo e2e tests, so it is not applicable.
  • Topology-Aware Scheduling Compatibility ✅ Passed: PR modifies only go.mod dependencies and go.sum. No deployment manifests, operator code, or controller scheduling constraints are added or modified. Check is not applicable.
  • Ipv6 And Disconnected Network Test Compatibility ✅ Passed: This PR only modifies go.mod with dependency updates and replace directives. No new Ginkgo e2e tests (It(), Describe(), Context(), etc.) are added. The custom check is not applicable.

@openshift-ci openshift-ci Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label May 6, 2026
openshift-ci Bot (Contributor) commented May 6, 2026

Hi @ocp-sustaining-admins. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci Bot requested review from moebasim and sayan-biswas May 6, 2026 17:38
openshift-ci Bot (Contributor) commented May 6, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ocp-sustaining-admins
Once this PR has been reviewed and has the lgtm label, please assign sayan-biswas for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

kunalmemane (Member) commented:

@coderabbitai review

coderabbitai Bot commented May 14, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai Bot left a comment

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
go.mod (1)

206-206: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Remove or justify the golang.org/x/net version pinning.

Line 206 pins golang.org/x/net to v0.17.0 via a replace directive, overriding the v0.26.0 update on line 162. Verification confirms v0.17.0 contains multiple unpatched security vulnerabilities (XSS, IPv6 proxy bypass, header limit bypass, and others) that are fixed in v0.26.0 and later versions. Without a documented reason for this downgrade, the replace directive introduces known security risks. Either remove it or add a comment explaining the necessity.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 206, The replace directive pinning golang.org/x/net to
v0.17.0 must be removed or justified: either delete the "golang.org/x/net =>
golang.org/x/net v0.17.0" replace entry so the module can use the newer v0.26.0+
release, or add a clear comment immediately adjacent to that replace explaining
exactly why v0.17.0 is required (including any compatibility constraints, CVE
mitigation tradeoffs, and a plan/timestamp for revisiting), and add a security
reviewer approval note; search for the replace string "golang.org/x/net =>
golang.org/x/net v0.17.0" to locate the entry to update.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 163: Update the golang.org/x/oauth2 module from v0.18.0 to a safe
upstream release (>= v0.27.0, ideally v0.36.0) in go.mod and then run the Go
module commands to fetch and tidy dependencies (e.g., go get
golang.org/x/[email protected] && go mod tidy) so the project builds with the
patched library; ensure any code importing oauth2 (import path
"golang.org/x/oauth2") is compatible and run unit tests to validate no
breakages.
- Line 137: Update the logrus dependency from v1.9.0 to v1.9.4 to address the
DoS vulnerabilities: edit the go.mod entry for github.com/sirupsen/logrus and
set the version to v1.9.4, then run go get github.com/sirupsen/[email protected] (or
go get ./... if you prefer) and go mod tidy to refresh go.sum; finally run your
test suite or build to ensure no import or API breakages in code using
logrus.Entry or Entry.Writer().
- Line 236: The PR title and the go.mod replace directive disagree: the title
says gRPC v1.79.3 but go.mod contains the replace of google.golang.org/grpc to
github.com/openshift-sustaining/grpc-go v1.64.1-sec.1; decide which is correct
and either (A) update the PR title/description to reflect that the intended bump
is to the OpenShift sustaining fork v1.64.1-sec.1, or (B) change the replace
directive to point to the actual v1.79.3 module you intended (or remove the
replace if not needed). Locate the replace line in go.mod (the line with
"replace google.golang.org/grpc => github.com/openshift-sustaining/grpc-go
v1.64.1-sec.1") and make the version/title consistent.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 378f3823-5a39-42ed-a44e-ff08ed64a2f0

📥 Commits

Reviewing files that changed from the base of the PR and between e355452 and 6a77625.

⛔ Files ignored due to path filters (299)
  • vendor/golang.org/x/sys/unix/asm_bsd_arm64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/asm_bsd_ppc64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/asm_bsd_riscv64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/asm_linux_386.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/asm_linux_amd64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/asm_linux_arm.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/asm_linux_arm64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/asm_linux_loong64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/asm_linux_mips64x.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/asm_linux_mipsx.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/asm_linux_ppc64x.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/asm_linux_riscv64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/asm_linux_s390x.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/asm_openbsd_mips64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/asm_solaris_amd64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/asm_zos_s390x.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/bpxsvc_zos.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/bpxsvc_zos.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/cap_freebsd.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/constants.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/dev_aix_ppc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/dev_aix_ppc64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/dev_zos.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/dirent.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/endian_big.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/endian_little.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/env_unix.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/epoll_zos.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/fcntl.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/fcntl_linux_32bit.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/fdset.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/fstatfs_zos.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/gccgo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/gccgo_c.c is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/gccgo_linux_amd64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ifreq_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ioctl_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ioctl_signed.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ioctl_unsigned.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ioctl_zos.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/mkerrors.sh is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/mmap_nomremap.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/mremap.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/pagesize_unix.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/pledge_openbsd.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ptrace_darwin.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ptrace_ios.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/race.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/race0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/readdirent_getdents.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/readdirent_getdirentries.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/sockcmsg_unix.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/sockcmsg_unix_other.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/sockcmsg_zos.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/symaddr_zos_s390x.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_aix.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_aix_ppc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_aix_ppc64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_bsd.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_darwin_amd64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_darwin_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_darwin_libSystem.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_dragonfly_amd64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_freebsd.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_freebsd_386.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_freebsd_amd64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_freebsd_arm.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_freebsd_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_freebsd_riscv64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_hurd.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_hurd_386.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_illumos.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_linux_386.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_linux_alarm.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_linux_amd64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_linux_amd64_gc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_linux_arm.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_linux_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_linux_gc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_linux_gc_386.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_linux_gc_arm.go is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod
github.com/rivo/uniseg v0.2.0 // indirect
github.com/russross/blackfriday v1.6.0 // indirect
github.com/seccomp/libseccomp-golang v0.10.0 // indirect
github.com/sirupsen/logrus v1.9.0 // indirect
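Review bot: these four go.mod lines are unchanged context and `github.com/sirupsen/logrus v1.9.0` is marked `// indirect`, so the pin flagged in this thread is pre-existing rather than introduced by this PR; if it is to be bumped here, the bump needs `go get github.com/sirupsen/[email protected]` followed by `go mod tidy` and `go mod vendor`, because the repository carries a vendor/ tree (see the excluded vendor/ files listed above) and `go build` rejects a vendor/modules.txt that no longer matches go.mod.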

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check what is using logrus and if we can upgrade
echo "=== Direct dependencies requiring logrus ==="
rg "github.com/sirupsen/logrus" go.mod -A 1 -B 1

# Check for latest logrus version and security advisories
curl -s https://pypi.org/pypi/logrus/json 2>/dev/null || echo "Not a Python package"
curl -s https://proxy.golang.org/github.com/sirupsen/logrus/@v/list | tail -5

Repository: openshift/builder

Length of output: 14947


🌐 Web query:

What is the latest version of github.com/sirupsen/logrus and does it fix the DoS vulnerabilities GO-2025-4188 and GHSA-4f99-4q7p-p3gh?

💡 Result:

Latest github.com/sirupsen/logrus version (as of 2026-05-14): v1.9.4 [1][2][3]. Does v1.9.4 fix the DoS vulnerabilities GO-2025-4188 and GHSA-4f99-4q7p-p3gh? Yes. These advisories describe a DoS when using Entry.Writer/Writer (or Entry.writerScanner) with a single-line payload >64KB without newlines, affecting logrus versions < 1.8.3 and specific 1.9.x ranges [4][5][6]. They state the issue is fixed in 1.8.3/1.9.1/1.9.3+ (i.e., versions at or above those fix releases) [4][6][5]. Since v1.9.4 is 1.9.3+ (and the logrus changelog notes repeated fixes for the >64KB single-line Writer DoS in 1.9.1/1.9.3) [7], v1.9.4 should be fixed for GHSA-4f99-4q7p-p3gh and thus also for GO-2025-4188 (which lists the GHSA as an alias/reference) [4].


Upgrade logrus to v1.9.4 to fix HIGH severity DoS vulnerabilities.

github.com/sirupsen/logrus v1.9.0 contains two HIGH severity DoS vulnerabilities:

  • GO-2025-4188: DoS when using Entry.writerScanner with large single-line payloads (>64KB without newlines)
  • GHSA-4f99-4q7p-p3gh: DoS when using Entry.Writer() with the same payload conditions

These are fixed in v1.9.4. Update the dependency to patch the vulnerability.

🧰 Tools
🪛 OSV Scanner (2.3.8)

[HIGH] 137-137: github.com/sirupsen/logrus 1.9.0: Logrus is vulnerable to DoS when using Entry.writerScanner in github.com/sirupsen/logrus

(GO-2025-4188)


[HIGH] 137-137: github.com/sirupsen/logrus 1.9.0: Logrus is vulnerable to DoS when using Entry.Writer()

(GHSA-4f99-4q7p-p3gh)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 137, update the logrus dependency from v1.9.0 to v1.9.4 to
address the DoS vulnerabilities: edit the go.mod entry for
github.com/sirupsen/logrus and set the version to v1.9.4, then run go get
github.com/sirupsen/[email protected] (or go get ./... if you prefer) and go mod
tidy to refresh go.sum; finally run your test suite or build to ensure no import
or API breakages in code using logrus.Entry or Entry.Writer().

Comment thread go.mod
golang.org/x/crypto v0.19.0 // indirect
golang.org/x/mod v0.17.0 // indirect
golang.org/x/net v0.26.0 // indirect
golang.org/x/oauth2 v0.18.0 // indirect

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check latest oauth2 version
curl -s https://proxy.golang.org/golang.org/x/oauth2/@v/list | tail -5

# Check what requires oauth2
echo -e "\n=== Dependencies requiring oauth2 ==="
rg "golang.org/x/oauth2" go.mod -B 2 -A 2

Repository: openshift/builder

Length of output: 333


🌐 Web query:

What is the latest version of golang.org/x/oauth2 and does it fix vulnerabilities GO-2025-3488 and GHSA-6v2p-p543-phr9?

💡 Result:

The latest version of golang.org/x/oauth2 (as of 2026-05-14) is v0.36.0. [1] Does the latest version fix vulnerabilities GO-2025-3488 and GHSA-6v2p-p543-phr9? Yes. Both GO-2025-3488 and GHSA-6v2p-p543-phr9 are described as being fixed starting in golang.org/x/oauth2 v0.27.0 (affected “before v0.27.0”). [2][3] Since v0.36.0 is greater than v0.27.0, upgrading to v0.36.0 addresses these issues. [1][2][3] Supporting details: - GO-2025-3488 affects golang.org/x/oauth2 versions “before v0.27.0”. [2] - GHSA-6v2p-p543-phr9 affects golang.org/x/oauth2 versions “before v0.27.0”. [3] - The oauth2 v0.27.0 tag includes a fix commit “jws: split token into fixed number of parts” and references fixes for CVE-2025-22868 / GO-2025-3488. [4]


Upgrade golang.org/x/oauth2 to v0.27.0 or later (currently v0.18.0).

The current version has HIGH severity vulnerabilities:

  • GO-2025-3488: Unexpected memory consumption during token parsing
  • GHSA-6v2p-p543-phr9: Improper Validation of Syntactic Correctness of Input

Both are fixed in v0.27.0+. Latest version is v0.36.0.

🧰 Tools
🪛 OSV Scanner (2.3.8)

[HIGH] 163-163: golang.org/x/oauth2 0.18.0: Unexpected memory consumption during token parsing in golang.org/x/oauth2

(GO-2025-3488)


[HIGH] 163-163: golang.org/x/oauth2 0.18.0: golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability

(GHSA-6v2p-p543-phr9)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 163, update the golang.org/x/oauth2 module from v0.18.0 to a
safe upstream release (>= v0.27.0, ideally v0.36.0) in go.mod and then run the
Go module commands to fetch and tidy dependencies (e.g., go get
golang.org/x/[email protected] && go mod tidy) so the project builds with the
patched library; ensure any code importing oauth2 (import path
"golang.org/x/oauth2") is compatible and run unit tests to validate no
breakages.

Comment thread go.mod
k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.25.2
)

replace google.golang.org/grpc => github.com/openshift-sustaining/grpc-go v1.64.1-sec.1
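Review bot: the replace directive pins google.golang.org/grpc to the fork tag v1.64.1-sec.1 while the PR title names v1.79.3, and the directive carries no comment recording why the module is redirected to a fork. Suggest settling which version is intended and adding a trailing comment on the directive, e.g. `replace google.golang.org/grpc => github.com/openshift-sustaining/grpc-go v1.64.1-sec.1 // CVE-2026-33186 (OCPBUGS-79754)`, so the reason for the redirect survives later dependency bumps; also confirm that go.sum and vendor/modules.txt carry the fork's entry rather than the upstream module's.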

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if the openshift-sustaining fork and version exist and gather release information
gh api repos/openshift-sustaining/grpc-go/tags --jq '.[] | select(.name | contains("v1.64.1-sec")) | {name: .name, commit: .commit.sha}'

# Check for any security-related information in the fork
gh api repos/openshift-sustaining/grpc-go/releases --jq '.[] | select(.tag_name | contains("v1.64.1-sec")) | {tag: .tag_name, name: .name, body: .body}'

Repository: openshift/builder

Length of output: 450


🌐 Web query:

Does grpc-go v1.64.1-sec.1 from openshift-sustaining fork correspond to google.golang.org/grpc v1.79.3 or address CVE-2026-33186?

💡 Result:

No, grpc-go v1.64.1-sec.1 from the openshift-sustaining fork does not correspond to google.golang.org/grpc v1.79.3, and it does not address CVE-2026-33186.[1][2]


Update PR title or explain the version discrepancy.

The PR title claims to bump gRPC to v1.79.3, but the replace directive uses github.com/openshift-sustaining/grpc-go v1.64.1-sec.1. While the OpenShift sustaining fork's v1.64.1-sec.1 release does address CVE-2026-33186 (as documented in its official release notes), these are different versions. Clarify whether the title is incorrect or if v1.64.1-sec.1 is the intended version.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 236, the PR title and the go.mod replace directive disagree:
the title says gRPC v1.79.3 but go.mod contains the replace of
google.golang.org/grpc to github.com/openshift-sustaining/grpc-go v1.64.1-sec.1;
decide which is correct and either (A) update the PR title/description to
reflect that the intended bump is to the OpenShift sustaining fork
v1.64.1-sec.1, or (B) change the replace directive to point to the actual
v1.79.3 module you intended (or remove the replace if not needed). Locate the
replace line in go.mod (the line with "replace google.golang.org/grpc =>
github.com/openshift-sustaining/grpc-go v1.64.1-sec.1") and make the
version/title consistent.
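As an added check for the three findings above (not code from this PR or from openshift/builder): a Go snippet that parses a go.mod fragment, resolves a replace directive to the fork tag it actually pins, and orders versions semver-style so that a pre-release tag such as v1.64.1-sec.1 ranks below v1.79.3. ParseGoMod, sortKey, CompareVersions and Below are hypothetical helpers; the go.mod lines are constructed from those quoted in the threads, and the minimums (logrus v1.9.4, oauth2 v0.27.0, gRPC v1.79.3) are the ones the comments and the PR title cite.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// SampleGoMod is a constructed go.mod fragment echoing the lines reviewed above.
const SampleGoMod = `require (
	github.com/sirupsen/logrus v1.9.0 // indirect
	golang.org/x/oauth2 v0.18.0 // indirect
)
replace google.golang.org/grpc => github.com/openshift-sustaining/grpc-go v1.64.1-sec.1
`

// ParseGoMod (hypothetical helper, not the go tool's parser) collects require
// entries "path"->"vX.Y.Z" and replace targets "old"->"new vX.Y.Z" from go.mod text.
func ParseGoMod(src string) (req, rep map[string]string) {
	req, rep = map[string]string{}, map[string]string{}
	for _, line := range strings.Split(src, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop comments, "// indirect" included
		}
		f := strings.Fields(line)
		if len(f) > 0 && (f[0] == "require" || f[0] == "replace") {
			f = f[1:] // single-line directive; block entries carry no keyword
		}
		n := len(f)
		switch {
		case n == 2 && strings.HasPrefix(f[1], "v"):
			req[f[0]] = f[1] // "path vX.Y.Z"
		case n >= 4 && f[n-3] == "=>": // "old [vOld] => new vNew"; versionless replaces skipped
			rep[f[0]] = f[n-2] + " " + f[n-1]
		}
	}
	return req, rep
}

// sortKey maps "vMAJOR.MINOR.PATCH[-pre]" to a string whose byte order follows
// semver: zero-padded numbers, then "~" for a release so it outranks any "-pre".
func sortKey(v string) string {
	v, pre := strings.TrimPrefix(v, "v"), "~"
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v, pre = v[:i], v[i:]
	}
	var n [3]int
	for i, s := range strings.SplitN(v, ".", 3) {
		n[i], _ = strconv.Atoi(s) // missing or non-numeric fields count as 0
	}
	return fmt.Sprintf("%08d.%08d.%08d%s", n[0], n[1], n[2], pre)
}
func CompareVersions(a, b string) int { return strings.Compare(sortKey(a), sortKey(b)) } // -1, 0 or 1

// Below: is the module actually built for path (a replace target wins and is judged by its own tag) older than floor?
func Below(req, rep map[string]string, path, floor string) bool {
	have, ok := req[path]
	if r, replaced := rep[path]; replaced {
		have, ok = strings.Fields(r)[1], true
	}
	return ok && CompareVersions(have, floor) < 0
}
func main() {
	req, rep := ParseGoMod(SampleGoMod)
	fmt.Println(Below(req, rep, "google.golang.org/grpc", "v1.79.3")) // true
}
```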

Labels

jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test.
