[release-ocm-2.13] ACM-35866: CVE-2026-39828 Bump golang.org/x/crypto to v0.52.0 using replace directive (api module)#10614
Conversation
…eplace directive
|
Pipeline controller notification For optional jobs, comment This repository is configured in: LGTM mode |
|
@shay23bra: This pull request references ACM-35866 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Repository: openshift/coderabbit/.coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
/retest |
1 similar comment
|
/retest |
|
/retest-required |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## release-ocm-2.13 #10614 +/- ##
====================================================
+ Coverage 42.77% 42.84% +0.06%
====================================================
Files 346 347 +1
Lines 65935 66297 +362
====================================================
+ Hits 28204 28404 +200
- Misses 35196 35337 +141
- Partials 2535 2556 +21 🚀 New features to boost your workflow:
|
|
/override ci/prow/e2e-ai-operator-disconnected-capi |
|
@gamli75: Overrode contexts on behalf of gamli75: ci/prow/e2e-ai-operator-disconnected-capi DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/retest |
|
/approve |
|
Pipeline controller notification No second-stage tests were triggered for this PR. This can happen when:
Use |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: gamli75, shay23bra The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/override ci/prow/edge-e2e-ai-operator-disconnected-capi |
|
@gamli75: /override requires failed status contexts, check run or a prowjob name to operate on.
Only the following failed contexts/checkruns were expected:
If you are trying to override a checkrun that has a space in it, you must put a double quote on the context. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/retest |
|
/override ci/prow/e2e-ai-operator-disconnected-capi |
|
@gamli75: Overrode contexts on behalf of gamli75: ci/prow/e2e-ai-operator-disconnected-capi DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@shay23bra: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Bump
golang.org/x/cryptotov0.52.0to fixCVE-2026-39828using a replace directiveStrategy Selection
Strategies Not Applicable
Direct dependency version bump
Not applicable: dependency is indirect. Direct version bumps only work for explicitly required modules.
Direct dependency major version upgrade
Not applicable: dependency is indirect. Major version upgrades only apply to direct dependencies.
Indirect dependency fix via parent update
k8s.io/client-go@v1.5.2github.com/gogo/protobufgithub.com/onsi/ginkgogithub.com/openshift/custom-resource-statusgithub.com/go-openapi/loadsgithub.com/go-openapi/strfmtgithub.com/openshift/hive/apisgithub.com/go-openapi/analysisgoogle.golang.org/appenginegithub.com/go-openapi/validategithub.com/openshift/assisted-servicegithub.com/openshift/apik8s.io/apik8s.io/apimachineryk8s.io/component-basesigs.k8s.io/controller-runtimek8s.io/apiextensions-apiservergolang.org/x/netgo.mongodb.org/mongo-driverIndirect to direct dependency conversion
Attempted to pin golang.org/x/crypto to a fixed version, but Go reverted it to indirect at v0.35.0. No other module requires this version directly, so the explicit requirement was automatically removed by Go's module resolution.
✓ Successful Strategy: Replace directive workaround
Added replace directive to override module resolution. Used as last resort when standard updates fail.
https://redhat.atlassian.net/browse/ACM-35866
This PR was automatically generated by the CVE Automation tool.
For questions or issues, reach out in #cve-automation.