Revert "Bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp"#954
jpinsonneau wants to merge 2 commits into netobserv:main from
Conversation
…etrichttp" This reverts commit d4015fd.
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by:
The full list of commands accepted by this bot can be found here.
Details
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
📝 Walkthrough
This PR downgrades OpenTelemetry modules from v1.43.0 to v1.42.0, gRPC from v1.80.0 to v1.79.3, and removes several experimental features (per-series start timestamps, cardinality limit selection APIs, random trace flags). Multiple internal implementations are refactored including attribute value handling, atomic operations, and buffer pooling.
Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~50 minutes
🚥 Pre-merge checks | ✅ 4 | ❌ 1
❌ Failed checks (1 inconclusive)
✅ Passed checks (4 passed)
/test ebpf-node-density-heavy-25nodes
/test ebpf-node-density-heavy-25nodes
Actionable comments posted: 3
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/exponential_histogram.go (1)
1-493: ⚠️ Potential issue | 🔴 Critical
Vendor tree inconsistency — blocking issue for merge.
go.mod correctly pins otel modules to v1.42.0, but vendor/modules.txt still declares v1.43.0 for:
- go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0
- go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0
Run `go mod tidy && go mod vendor` to regenerate the vendor tree. If the issue persists, investigate whether those two modules are actually needed or if they should also be downgraded to v1.42.0.
Also note: PR title says "Revert gRPC bump" but also downgrades all otel modules (v1.43.0 → v1.42.0) and removes experimental features. If the regression hypothesis is specific to gRPC v1.80.0 → v1.79.3, revert only gRPC to isolate the variable — otherwise you won't know which dependency caused the improvement.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/exponential_histogram.go` around lines 1 - 493, Vendor tree lists otel modules at v1.43.0 while go.mod pins v1.42.0 causing a blocker; run go mod tidy && go mod vendor to regenerate the vendor directory, then verify vendor/modules.txt reflects v1.42.0 for go.opentelemetry.io/otel/exporters/otlp/otlptrace and otlptracehttp (or remove/downgrade those two modules if not needed). If this PR intends to only "Revert gRPC bump" rather than downgrade otel, restore otel modules to v1.42.0 in go.mod and only change the gRPC dependency so the regression can be isolated (investigate changes to grpc version history instead of blanket downgrades).
vendor/modules.txt (1)
707-768: ⚠️ Potential issue | 🟠 Major
Run `go mod vendor` to resolve inconsistent vendoring.
The vendor directory is out of sync with go.mod: golang.org/x/sys has mismatched versions (v0.42.0 in go.mod vs v0.43.0 in vendor/modules.txt), and OpenTelemetry exporters similarly conflict (v1.42.0 vs v1.43.0). The genproto versions are correct indirect dependencies from gRPC v1.79.3, but the broader vendoring inconsistency must be resolved.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@vendor/modules.txt` around lines 707 - 768, vendor/modules.txt is out of sync with go.mod (mismatched golang.org/x/sys and OpenTelemetry exporter versions); update go.mod to the desired module versions (e.g., align golang.org/x/sys to the version you intend) then run go mod tidy and re-run vendoring to regenerate vendor/modules.txt so it matches go.mod, verify that google.golang.org/grpc v1.79.3 and its genproto indirects remain unchanged, and commit the updated vendor/modules.txt; reference files/symbols: vendor/modules.txt, go.mod, golang.org/x/sys, OpenTelemetry exporter modules, google.golang.org/grpc.
🧹 Nitpick comments (1)
vendor/google.golang.org/grpc/version.go (1)
22-22: Investigation-only revert — make it easy to undo.
Since the stated goal is to check whether the gRPC bump caused a perf regression, please:
- Fill in the PR checklist (or link the perf reproduction / benchmark numbers) before merging, so the revert is grounded in evidence rather than a hunch.
- Open a tracking issue to re-apply the bump once the regression is root-caused, so this doesn't silently become permanent technical debt (gRPC 1.80+ contains further fixes beyond 1.79.3).
- Coordinate with netobserv-operator and flowlogs-pipeline, which also vendor otlpmetrichttp/grpc; if the perf issue manifests there, reverting only this repo may not suffice.
Note: v1.79.3 is the patched release for CVE-2026-33186, so this downgrade does not reintroduce that advisory.
Want me to draft the tracking issue body?
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@vendor/google.golang.org/grpc/version.go` at line 22, The revert to gRPC Version constant (Version in vendor/google.golang.org/grpc/version.go) must be accompanied by evidence and tracking: update the PR description/checklist to include the perf-reproduction steps and benchmark numbers (or a link to them), create and link a tracking issue that documents the regression investigation and the plan to re-apply the bump once root cause is fixed, and add coordination notes referencing the sibling repos (netobserv-operator and flowlogs-pipeline) that also vendor otlpmetrichttp/grpc so teams can verify if the issue surfaces there; ensure the commit/PR message references the new tracking issue and includes the perf test links for easy undo and auditing.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp/client.go`:
- Around line 177-178: The response body is being fully copied into respData via
io.Copy(&respData, resp.Body) (and in the error path) with no size bound, which
can OOM; change these reads to wrap resp.Body with io.LimitReader (e.g.
io.LimitReader(resp.Body, maxRespBodyBytes)) before copying so you cap
buffering, define a reasonable constant like maxRespBodyBytes, and handle the
case where the limit is hit (return a clear error or truncate with a logged
warning) in the functions that perform the copy (the code that populates
respData from resp.Body and the analogous error-path copy).
In `@vendor/google.golang.org/grpc/picker_wrapper.go`:
- Line 195: The unconditional logger.Infof inside blockingPicker (the "the
picked transport is not ready, loop back to repick" message) is on the hot
repick path and should be either removed or guarded by a log-level check to
avoid high-volume info logging; locate the Infof invocation in blockingPicker in
picker_wrapper.go and replace it with a conditional log that only emits at a
verbose/debug level (e.g., use the logger's verbosity check or a Warning/Error
level) or drop it entirely so it doesn't execute on every repick iteration.
💤 Files with no reviewable changes (17)
- vendor/golang.org/x/net/http2/writesched_random.go
- vendor/google.golang.org/grpc/internal/transport/defaults.go
- vendor/google.golang.org/grpc/server.go
- vendor/go.opentelemetry.io/otel/sdk/internal/x/features.go
- vendor/go.opentelemetry.io/otel/sdk/resource/config.go
- vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp/internal/transform/attribute.go
- vendor/golang.org/x/net/http2/server.go
- vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go
- vendor/go.opentelemetry.io/otel/.golangci.yml
- vendor/go.opentelemetry.io/otel/Makefile
- vendor/golang.org/x/net/http2/writesched.go
- vendor/go.opentelemetry.io/otel/trace/trace.go
- vendor/go.opentelemetry.io/otel/sdk/metric/reader.go
- vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/tracer.go
- vendor/google.golang.org/grpc/resolver/map.go
- vendor/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp/doc.go
- vendor/google.golang.org/grpc/internal/mem/buffer_pool.go
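The unbounded `io.Copy(&respData, resp.Body)` that the client.go comment above flags can be capped the way it suggests. This is an added Go example, not code from the otlpmetrichttp exporter; `maxRespBodyBytes`, `readBodyBounded` and the `endless` reader are names and values assumed here.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"strings"
)

// maxRespBodyBytes caps how much of an HTTP response body we are willing to
// buffer. The value is an assumption for this example: OTLP responses are a
// small status/partial-success proto or a short error text, so 1 MiB is ample.
const maxRespBodyBytes = 1 << 20

// ErrRespBodyTooLarge reports that the peer sent more than the configured cap.
var ErrRespBodyTooLarge = errors.New("response body exceeds size limit")

// readBodyBounded replaces an unbounded io.Copy(&buf, body) with a capped read.
// The limit is max+1 so that one extra byte tells "exactly max" apart from
// "more than max" without ever buffering beyond max+1 bytes. On overflow the
// first max bytes are returned (useful for an error message) together with
// ErrRespBodyTooLarge; the caller should close the body and fail the export.
func readBodyBounded(body io.Reader, max int64) ([]byte, error) {
	var buf bytes.Buffer
	n, err := io.Copy(&buf, io.LimitReader(body, max+1))
	if err != nil {
		return nil, err
	}
	if n > max {
		return buf.Bytes()[:max], ErrRespBodyTooLarge
	}
	return buf.Bytes(), nil
}

// endless is a constructed stand-in for a misbehaving server that never
// finishes sending; it shows that the cap, not the peer, decides how much
// memory the client allocates.
type endless struct{}

func (endless) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 'x'
	}
	return len(p), nil
}

func main() {
	b, err := readBodyBounded(strings.NewReader(`{"partialSuccess":{}}`), maxRespBodyBytes)
	fmt.Printf("normal: %d bytes, err=%v\n", len(b), err)

	b, err = readBodyBounded(endless{}, 4096)
	fmt.Printf("endless: %d bytes kept, err=%v\n", len(b), err)
}
```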
| go.opentelemetry.io/otel v1.42.0 // indirect | ||
| go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.42.0 // indirect | ||
| go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.43.0 // indirect | ||
| go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 // indirect | ||
| go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.42.0 // indirect | ||
| go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.42.0 // indirect | ||
| go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.42.0 // indirect | ||
| go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0 // indirect | ||
| go.opentelemetry.io/otel/metric v1.43.0 // indirect | ||
| go.opentelemetry.io/otel/sdk v1.43.0 // indirect | ||
| go.opentelemetry.io/otel/sdk/metric v1.43.0 // indirect | ||
| go.opentelemetry.io/otel/trace v1.43.0 // indirect | ||
| go.opentelemetry.io/proto/otlp v1.10.0 // indirect | ||
| go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.42.0 // indirect | ||
| go.opentelemetry.io/otel/metric v1.42.0 // indirect | ||
| go.opentelemetry.io/otel/sdk v1.42.0 // indirect | ||
| go.opentelemetry.io/otel/sdk/metric v1.42.0 // indirect | ||
| go.opentelemetry.io/otel/trace v1.42.0 // indirect |
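Review bot: limiting this hunk to the gRPC line would isolate the variable the PR description says it wants to test; as written it also moves go.opentelemetry.io/otel/sdk (with the metric, trace and exporter modules) from v1.43.0 back to v1.42.0, the version the OSV Scanner finding below reports as affected by CVE-2026-39883 (the bare kenv lookup in sdk/resource/host_id.go). If the otel downgrade is intentional, the two otlptrace lines here also need vendor/modules.txt regenerated with `go mod tidy && go mod vendor`, since it still lists otlptrace and otlptracehttp at v1.43.0 against this v1.42.0 pin.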
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Check go.mod for otel/sdk versions and the broader context
cat -n go.mod | head -150 | tail -50
Repository: netobserv/netobserv-ebpf-agent
Length of output: 3043
🌐 Web query:
GHSA-hfvc-g4fc-pqhx OpenTelemetry security advisory
💡 Result:
GHSA-hfvc-g4fc-pqhx is a HIGH severity security advisory (CVE-2026-39883) affecting go.opentelemetry.io/otel/sdk versions from 1.15.0 to 1.42.0.
Summary: Incomplete fix for previous vulnerability GHSA-9h8m-3fm2-qjrq (CVE-2026-24051). The prior fix used an absolute path for the Darwin 'ioreg' command but left the BSD 'kenv' command using a bare name, enabling PATH hijacking on BSD (DragonFly BSD, FreeBSD, NetBSD, OpenBSD) and Solaris platforms.
Root cause: In sdk/resource/host_id.go, execCommand("kenv", ...) searches $PATH if /etc/hostid does not exist (common on FreeBSD).
Attack: Local attacker places malicious 'kenv' binary in $PATH earlier than system path. When OpenTelemetry resource detection runs at startup, it executes the malicious binary, leading to arbitrary code execution in the application's context.
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (HIGH)
Fix: Upgrade to v1.43.0, which uses absolute path "/bin/kenv".
Published: 2026-04-08.
References: Official advisory at GHSA-hfvc-g4fc-pqhx, NVD https://nvd.nist.gov/vuln/detail/CVE-2026-39883, GitHub advisory database.
Citations:
- 1: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-hfvc-g4fc-pqhx/GHSA-hfvc-g4fc-pqhx.json
- 2: GHSA-hfvc-g4fc-pqhx
- 3: GHSA-hfvc-g4fc-pqhx
- 4: https://nvd.nist.gov/vuln/detail/CVE-2026-39883
- 5: https://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0
🌐 Web query:
CVE-2026-39883 OpenTelemetry otel/sdk
💡 Result:
CVE-2026-39883 (OpenTelemetry-Go / otel/sdk) is an incomplete fix for a prior macOS PATH-hijacking issue that leaves the BSD/Solaris path hijacking for the “kenv” command still possible.
What’s vulnerable
- Product/component: OpenTelemetry-Go (Go implementation of OpenTelemetry), specifically the SDK resource detection code.
- Affected versions: from 1.15.0 up to (excluding) 1.43.0.
- Weakness class: Untrusted Search Path (CWE-426).
- Mechanism: the BSD kenv command is executed without using an absolute path, so an attacker who can influence $PATH (e.g., place a malicious “kenv” earlier in PATH) can get the attacker’s binary executed when host ID detection runs on BSD or Solaris systems where /etc/hostid is absent.
Impact
- Local attacker (requires local access / ability to manipulate PATH in the running context) can potentially execute attacker-controlled code, compromising the running process.
Fix / mitigation
- Upgrade OpenTelemetry-Go / otel/sdk to 1.43.0 or later.
Suggested practical checks
- Find any deployed services using go.opentelemetry.io/otel/sdk (or github.com/open-telemetry/opentelemetry-go/sdk/resource) with versions < 1.43.0.
- If upgrading immediately isn’t possible, ensure PATH can’t be influenced by lower-privileged attackers and avoid running the vulnerable host-ID detection in environments where PATH injection is feasible.
Citations:
- 1: https://nvd.nist.gov/vuln/detail/CVE-2026-39883
- 2: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMOPENTELEMETRYOPENTELEMETRYGOSDKRESOURCE-15954213
- 3: https://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0
- 4: open-telemetry/opentelemetry-go@v1.42.0...v1.43.0
- 5: https://www.github.com/open-telemetry/opentelemetry-go/security/advisories
This downgrade reintroduces a known otel/sdk vulnerability.
go.opentelemetry.io/otel/sdk v1.42.0 is affected by GHSA-hfvc-g4fc-pqhx (CVE-2026-39883), a BSD/Solaris PATH-hijack issue where the unabsolute kenv command path allows local code execution. Upgrade to v1.43.0 fixes it. If the goal is only to test the gRPC regression, keep the downgrade narrower or document why accepting this vulnerability is acceptable.
🧰 Tools
🪛 OSV Scanner (2.3.5)
[HIGH] 131-131: go.opentelemetry.io/otel/sdk 1.42.0: opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@go.mod` around lines 124 - 133, The go.mod currently pins
go.opentelemetry.io/otel/sdk at v1.42.0 which is vulnerable (CVE-2026-39883);
update the otel/sdk dependency to v1.43.0 (or later) in go.mod, ensure related
otel modules (e.g., go.opentelemetry.io/otel, go.opentelemetry.io/otel/trace,
go.opentelemetry.io/otel/metric, and any otlp exporters) are version-aligned as
needed, run go mod tidy to reconcile changes and then run tests; if you
intentionally need v1.42.0 for a narrow gRPC regression test, restrict the
downgrade to only the minimal package required and add a comment/PR note
documenting the accepted risk and planned mitigation.
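The go.mod versus vendor/modules.txt drift reported in this review (otlptrace at v1.43.0 in the vendor tree against a v1.42.0 pin, golang.org/x/sys v0.42.0 against v0.43.0) can be caught mechanically before pushing. This is an added Go example, not code from netobserv-ebpf-agent or from the go tool; the two sample inputs are constructed to mirror those mismatches.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Mismatch is one module whose version differs between go.mod and vendor/modules.txt.
type Mismatch struct{ Path, GoMod, Vendor string }

// parseGoMod maps module path -> version for each require entry (block or single-line form).
func parseGoMod(src string) map[string]string {
	out, inBlock := map[string]string{}, false
	for _, line := range strings.Split(src, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop "// indirect" and other comments
		}
		f := strings.Fields(line)
		if len(f) == 3 && f[0] == "require" { // single-line "require path version"
			out[f[1]] = f[2]
		} else if (len(f) == 2 && f[0] == "require") || (len(f) == 1 && f[0] == ")") {
			inBlock = f[0] == "require" // entering or leaving a "require (" block
		} else if inBlock && len(f) == 2 {
			out[f[0]] = f[1]
		}
	}
	return out
}

// parseModulesTxt maps module path -> version from the "# path version" headers that
// go mod vendor writes; "## explicit" markers and plain package lines are skipped.
func parseModulesTxt(src string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(src, "\n") {
		if f := strings.Fields(line); len(f) >= 3 && f[0] == "#" && strings.HasPrefix(f[2], "v") {
			out[f[1]] = f[2]
		}
	}
	return out
}

// findMismatches lists, sorted by path, every module whose go.mod pin and vendored version disagree.
func findMismatches(gomod, modulesTxt string) []Mismatch {
	want, have := parseGoMod(gomod), parseModulesTxt(modulesTxt)
	var ms []Mismatch
	for path, v := range want {
		if hv, ok := have[path]; ok && hv != v {
			ms = append(ms, Mismatch{path, v, hv})
		}
	}
	sort.Slice(ms, func(i, j int) bool { return ms[i].Path < ms[j].Path })
	return ms
}

// Constructed samples mirroring the mismatches the review reports.
const sampleGoMod = `require (
	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.42.0 // indirect
	golang.org/x/sys v0.42.0
	google.golang.org/grpc v1.79.3
)
`
const sampleModulesTxt = `# go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0
## explicit; go 1.23
# golang.org/x/sys v0.43.0
golang.org/x/sys/unix
# google.golang.org/grpc v1.79.3
`

func main() {
	fmt.Println(findMismatches(sampleGoMod, sampleModulesTxt)) // any output means: rerun go mod vendor
}
```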
@jpinsonneau: The following tests failed, say
This reverts commit d4015fd.
Description
Revert gRPC bump to check if this PR caused perf regression.
If this is identified as the root cause, we should also revert netobserv/flowlogs-pipeline#1241
Dependencies
n/a
Checklist
If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that.
To run a perfscale test, comment with:
/test ebpf-node-density-heavy-25nodes