OCPBUGS-80619: Bump google.golang.org/grpc to v1.79.3

[ocp-sustaining-admins]

This PR is part of an automated process.

The commands used to generate this PR were:

go get google.golang.org/grpc@v1.79.3 toolchain@none
go mod tidy
go mod vendor

A member of the Red Hat Openshift Sustaining Team will review the PR and take appropriate action.

[openshift-ci-robot]

@ocp-sustaining-admins: This pull request references Jira Issue OCPBUGS-80619, which is invalid:

• release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
• expected Jira Issue OCPBUGS-80619 to depend on a bug targeting a version in 4.21.0, 4.21.z and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

This PR is part of an automated process.

The commands used to generate this PR were:

go get google.golang.org/grpc@v1.79.3 toolchain@none
go mod tidy
go mod vendor

A member of the Red Hat Openshift Sustaining Team will review the PR and take appropriate action.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Updated Go toolchain from version 1.22.8 to 1.24.0 and upgraded multiple module dependencies across the project, including standard library modules (sys, crypto, net, sync, term, text), third-party libraries (logr, go-cmp, testify, go-jose), Google packages (grpc, protobuf, genproto), and OpenTelemetry modules. Added one new indirect dependency.

Changes

Cohort / File(s)

Summary

Go Module Updates go.mod

Upgraded Go toolchain to v1.24.0. Updated dependencies: github.com/go-logr/logr (v1.4.2→v1.4.3), golang.org/x/sys (v0.29.0→v0.39.0), github.com/google/go-cmp (v0.6.0→v0.7.0), github.com/stretchr/testify (v1.10.0→v1.11.1), golang.org/x/crypto, x/mod, x/net, x/oauth2, x/sync, x/term, x/text (newer versions), google.golang.org/grpc (v1.69.4→v1.79.3), google.golang.org/protobuf (v1.36.2→v1.36.10), github.com/go-jose/go-jose/v4 (v4.0.5→v4.1.3), OpenTelemetry modules (→v1.39.0), and google.golang.org/genproto/googleapis/rpc. Added go.opentelemetry.io/auto/sdk v1.2.1 as indirect dependency.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Hi @ocp-sustaining-admins. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ocp-sustaining-admins
Once this PR has been reviewed and has the lgtm label, please assign bparees for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[kunalmemane]

/ok-to-test

[openshift-ci]

@ocp-sustaining-admins: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/security	1413dce	link	false	/test security
ci/prow/e2e-aws-ovn-builds	1413dce	link	true	/test e2e-aws-ovn-builds
ci/prow/unit	1413dce	link	true	/test unit

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[kunalmemane]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 165: The dependency go-jose/go-jose/v4 is vulnerable (CVE-2026-34986);
update the module version in go.mod from v4.1.3 to v4.1.4 to pick up the patch.
Ensure you run `go get github.com/go-jose/go-jose/v4@v4.1.4` (or update the
go.mod entry) and run `go mod tidy`/rebuild; this addresses the panic in
cipher.KeyUnwrap() that can be triggered via ParseEncrypted() and DecryptMulti()
in containers/ocicrypt/keywrap/jwe/keywrapper_jwe.go when handling untrusted JWE
input.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3edc3ce0-1366-4ba9-a7a2-ed5624eb2030

📥 Commits

Reviewing files that changed from the base of the PR and between 35afa30 and 1413dce.

⛔ Files ignored due to path filters (299)

• go.sum is excluded by !**/*.sum
• vendor/github.com/go-jose/go-jose/v4/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/go-jose/go-jose/v4/README.md is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/go-jose/go-jose/v4/crypter.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/go-jose/go-jose/v4/jwe.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/go-jose/go-jose/v4/jwk.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/go-jose/go-jose/v4/jws.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/go-jose/go-jose/v4/shared.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/go-jose/go-jose/v4/signing.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/go-jose/go-jose/v4/symmetric.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/go-logr/logr/.golangci.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/go-logr/logr/funcr/funcr.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/go-cmp/cmp/internal/function/func.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/go-cmp/cmp/options.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/stretchr/testify/assert/assertion_compare.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/stretchr/testify/assert/assertion_format.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/stretchr/testify/assert/assertion_forward.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/stretchr/testify/assert/assertion_order.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/stretchr/testify/assert/assertions.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/stretchr/testify/assert/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/stretchr/testify/assert/http_assertions.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/stretchr/testify/assert/yaml/yaml_custom.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/stretchr/testify/assert/yaml/yaml_default.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/stretchr/testify/assert/yaml/yaml_fail.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/auto/sdk/CONTRIBUTING.md is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/auto/sdk/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/auto/sdk/VERSIONING.md is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/auto/sdk/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/attr.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/id.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/number.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/resource.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/scope.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/span.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/status.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/traces.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/auto/sdk/internal/telemetry/value.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/auto/sdk/limit.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/auto/sdk/span.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/auto/sdk/tracer.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/auto/sdk/tracer_provider.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/.clomonitor.yml is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/.codespellignore is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/.gitignore is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/.golangci.yml is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/.lycheeignore is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/CODEOWNERS is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/CONTRIBUTING.md is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/Makefile is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/README.md is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/RELEASING.md is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/SECURITY-INSIGHTS.yml is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/VERSIONING.md is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/attribute/encoder.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/attribute/filter.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/attribute/hash.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/attribute/internal/attribute.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/attribute/internal/xxhash/xxhash.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/attribute/iterator.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/attribute/key.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/attribute/kv.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/attribute/rawhelpers.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/attribute/set.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/attribute/type_string.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/attribute/value.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/baggage/baggage.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/codes/codes.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/dependencies.Dockerfile is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/get_main_pkgs.sh is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/internal/gen.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/internal/global/handler.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/internal/global/instruments.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/internal/global/internal_logging.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/internal/global/meter.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/internal/global/trace.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/internal/rawhelpers.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/metric.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/metric/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/metric/asyncfloat64.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/metric/asyncint64.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/metric/config.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/metric/instrument.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/metric/meter.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/metric/noop/noop.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/propagation/baggage.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/propagation/propagation.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/propagation/trace_context.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/renovate.json is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/requirements.txt is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/MIGRATION.md is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/README.md is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/attribute_group.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/error_type.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/exception.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/schema.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/auto.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/config.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/hex.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/internal/telemetry/attr.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/internal/telemetry/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/internal/telemetry/id.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/internal/telemetry/number.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/internal/telemetry/resource.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/internal/telemetry/scope.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/internal/telemetry/span.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/internal/telemetry/status.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/internal/telemetry/traces.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/internal/telemetry/value.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/noop.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/noop/README.md is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/noop/noop.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/span.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/trace.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/tracestate.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/verify_readmes.sh is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/version.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/versions.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/argon2/argon2.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/blake2b/blake2x.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/blake2b/go125.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/chacha20/chacha_arm64.s is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/cryptobyte/asn1.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/curve25519/curve25519.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/internal/poly1305/mac_noasm.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/internal/poly1305/sum_asm.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/internal/poly1305/sum_loong64.s is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/internal/poly1305/sum_ppc64x.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/openpgp/s2k/s2k.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/salsa20/salsa/hsalsa20.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/sha3/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/sha3/hashes.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/sha3/hashes_noasm.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/sha3/keccakf_amd64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/sha3/keccakf_amd64.s is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/sha3/legacy_hash.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/sha3/legacy_keccakf.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/sha3/sha3_s390x.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/sha3/sha3_s390x.s is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/sha3/shake.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/sha3/shake_noasm.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/ssh/agent/client.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/ssh/agent/keyring.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/ssh/agent/server.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/ssh/certs.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/ssh/cipher.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/ssh/client.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/ssh/client_auth.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/ssh/common.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/ssh/connection.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/ssh/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/ssh/handshake.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/ssh/kex.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/ssh/keys.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/ssh/mac.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/ssh/messages.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/ssh/mlkem.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/ssh/server.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/ssh/ssh_gss.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/ssh/streamlocal.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/ssh/tcpip.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/ssh/transport.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/crypto/xts/xts.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/mod/modfile/read.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/mod/modfile/rule.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/mod/modfile/work.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/mod/module/module.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/mod/semver/semver.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/context/context.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/context/go17.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/context/go19.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/context/pre_go17.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/context/pre_go19.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/html/atom/table.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/html/escape.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/html/parse.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/html/render.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/html/token.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/http2/config.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/http2/config_go124.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/http2/config_go125.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/http2/config_go126.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/http2/config_pre_go124.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/http2/frame.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/http2/gotrack.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/http2/http2.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/http2/server.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/http2/timer.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/http2/transport.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/http2/write.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/http2/writesched.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/http2/writesched_roundrobin.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/internal/httpcommon/ascii.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/internal/httpcommon/headermap.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/internal/httpcommon/request.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/internal/socks/socks.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/proxy/per_host.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/trace/events.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/net/websocket/websocket.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/oauth2/deviceauth.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/oauth2/internal/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/oauth2/internal/oauth2.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/oauth2/internal/token.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/oauth2/internal/transport.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/oauth2/oauth2.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/oauth2/pkce.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/oauth2/token.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/oauth2/transport.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sync/errgroup/errgroup.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sync/errgroup/go120.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sync/errgroup/pre_go120.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/cpu/cpu.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/cpu/cpu_arm64.s is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/cpu/cpu_linux_loong64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/cpu/cpu_linux_noinit.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/cpu/cpu_linux_riscv64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/cpu/cpu_loong64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/cpu/cpu_loong64.s is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/cpu/cpu_riscv64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/cpu/cpu_x86.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/cpu/parse.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/plan9/pwd_go15_plan9.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/plan9/pwd_plan9.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/affinity_linux.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/auxv.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/auxv_unsupported.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/fdset.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ifreq_linux.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/mkall.sh is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/mkerrors.sh is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/syscall_darwin.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/syscall_linux.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/syscall_netbsd.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/syscall_solaris.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_386.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_arm.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mips.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_darwin_amd64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_darwin_amd64.s is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.s is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_linux.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsyscall_solaris_amd64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_386.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_386.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_amd64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_arm.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_arm64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_loong64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_mips.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_mips64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_mips64le.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_mipsle.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_ppc.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_ppc64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_ppc64le.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_riscv64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_s390x.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux_sparc64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_netbsd_arm.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/windows/registry/key.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/windows/registry/value.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/windows/registry/zsyscall_windows.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/windows/security_windows.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/windows/syscall_windows.go is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (1)

• go.mod

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Confirm pinned version in go.mod =="
rg -n 'github.com/go-jose/go-jose/v4' go.mod

echo
echo "== Find imports/usages in repository =="
rg -n --type=go -C2 'go-jose/go-jose/v4|jose\.ParseEncrypted|\.Decrypt\('

echo
echo "== Check if go-jose is only transitive or also directly imported =="
rg -n --type=go -C1 'import .*go-jose/go-jose/v4|go-jose/go-jose/v4'

Repository: openshift/builder

Length of output: 20101

---

🌐 Web query:

GHSA-78h2-9frx-2jm8 go-jose vulnerability JWE panic

💡 Result:

GHSA-78h2-9frx-2jm8 (CVE-2026-34986) is a denial-of-service (panic) bug in go-jose/go-jose during JWE decryption.

• Trigger: A crafted JWE where the protected header alg is a key-wrapping algorithm (ends with KW, except A128GCMKW, A192GCMKW, A256GCMKW) and the encrypted_key field is empty can cause a panic in cipher.KeyUnwrap() (slice allocation with invalid length). This is reachable via ParseEncrypted*() followed by Decrypt(). [1]
• Affected versions / fixed versions:
  • github.com/go-jose/go-jose/v4: < 4.1.4 affected; upgrade to 4.1.4. [1]
  • github.com/go-jose/go-jose/v3: < 3.0.5 affected; upgrade to 3.0.5. [1]
  • Legacy github.com/go-jose/go-jose (no /vN): versions <= 2.6.3 are listed as affected. [1]
• Workarounds/mitigations (if you can’t upgrade immediately):
  • If you do not allow any *KW key management algorithms in the keyAlgorithms list passed to ParseEncrypted*(), the vulnerable parse/decrypt path is not reachable. [1]
  • If you must support key wrapping, pre-validate that encrypted_key is non-empty (for compact JWE, ensure the segment between the first and second . is non-empty). [1]

Sources: GitHub Advisory Database entry for GHSA-78h2-9frx-2jm8 / CVE-2026-34986. [1]

References

• [1] (github.com)

Citations:

• 1: GHSA-78h2-9frx-2jm8

---

🏁 Script executed:

#!/bin/bash
# Check the full context around ParseEncrypted call in ocicrypt
sed -n '65,85p' vendor/github.com/containers/ocicrypt/keywrap/jwe/keywrapper_jwe.go

Repository: openshift/builder

Length of output: 1095

---

🏁 Script executed:

#!/bin/bash
# Check if Decrypt() is called after ParseEncrypted in the same function
sed -n '85,105p' vendor/github.com/containers/ocicrypt/keywrap/jwe/keywrapper_jwe.go

Repository: openshift/builder

Length of output: 640

---

Upgrade go-jose/v4 from v4.1.3 to v4.1.4 to patch GHSA-78h2-9frx-2jm8 (CVE-2026-34986).

The vulnerable version is reachable: containers/ocicrypt/keywrap/jwe/keywrapper_jwe.go explicitly accepts KW-based key algorithms and calls ParseEncrypted() followed by DecryptMulti() on untrusted JWE input from encrypted container layer metadata. A crafted JWE token with a key-wrapping algorithm and empty encrypted_key field triggers a panic in cipher.KeyUnwrap(), enabling DoS attacks on image decryption operations.

🧰 Tools

🪛 OSV Scanner (2.3.5)

[HIGH] 165-165: github.com/go-jose/go-jose/v4 4.1.3: Go JOSE Panics in JWE decryption

(GHSA-78h2-9frx-2jm8)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 165, The dependency go-jose/go-jose/v4 is vulnerable
(CVE-2026-34986); update the module version in go.mod from v4.1.3 to v4.1.4 to
pick up the patch. Ensure you run `go get github.com/go-jose/go-jose/v4@v4.1.4`
(or update the go.mod entry) and run `go mod tidy`/rebuild; this addresses the
panic in cipher.KeyUnwrap() that can be triggered via ParseEncrypted() and
DecryptMulti() in containers/ocicrypt/keywrap/jwe/keywrapper_jwe.go when
handling untrusted JWE input.