[WIP] CORENET-6561: CNO Rebase k8s to 1.35.0

[yingwang-0320]

-> rg 'k8s.io|openshift' go.mod | rg -v 'indirect|module' | awk '{print "go get -u",$1}'
go get -u github.com/openshift/build-machinery-go
go get -u k8s.io/api
go get -u k8s.io/apimachinery
go get -u k8s.io/code-generator
go get -u k8s.io/component-base
go get -u k8s.io/klog/v2
go get -u k8s.io/kube-proxy
go get -u k8s.io/utils
go get -u sigs.k8s.io/controller-runtime
go get -u github.com/openshift/api
go get -u github.com/openshift/client-go
go get -u github.com/openshift/library-go
go get -u github.com/openshift/machine-config-operator
go get -u k8s.io/apiextensions-apiserver
go get -u k8s.io/client-go
go get -u sigs.k8s.io/controller-tools
-> rg 'k8s.io|openshift' go.mod | rg -v 'indirect|module' | awk '{print "go get -u",$1}' | sh
-> go mod tidy; go mod vendor

Summary by CodeRabbit

Release Notes

• Chores
  • Updated Go toolchain from version 1.24 to 1.25
  • Updated OpenShift base image from 4.21 to 4.22
  • Updated build infrastructure and dependencies for improved compatibility and stability

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)

• vendor/github.com/openshift/api/.golangci.yaml is excluded by !**/vendor/**, !vendor/**

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Walkthrough

This pull request updates the project infrastructure and dependencies to newer versions: Go from 1.24 to 1.25, OpenShift from 4.21 to 4.22, and bumps numerous direct and indirect module dependencies. A code change in mtu.go switches from using netlink.FAMILY_ALL to nl.FAMILY_ALL.

Changes

Cohort / File(s)	Summary
Build and CI Configuration .ci-operator.yaml, Dockerfile	Updated builder and base image references from golang-1.24-openshift-4.21 to golang-1.25-openshift-4.22, aligning the build environment versions.
Go Module Dependencies go.mod	Bumped Go toolchain from 1.24.4 to 1.25.0; updated 67 direct and indirect dependencies including Kubernetes modules, OpenShift client tooling, Prometheus, OpenTelemetry, and various utility libraries to newer minor/patch versions.
Generated Manifest Configuration manifests/0000_70_cluster-network-operator_01_pki_crd.yaml	Updated CRD metadata annotation controller-gen.kubebuilder.io/version from v0.19.0 to v0.20.0.
Network MTU Logic pkg/network/mtu.go	Added import of github.com/vishvananda/netlink/nl and switched RouteList call to use nl.FAMILY_ALL instead of netlink.FAMILY_ALL.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly identifies the main objective as rebasing Kubernetes to 1.35.0, which aligns with the primary changes (Go version upgrades, Kubernetes module updates, builder/base image updates) shown across multiple files.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Stable And Deterministic Test Names	✅ Passed	This pull request does not modify any test files containing test declarations. The PR exclusively updates build configuration, Docker images, Go module dependencies, and a network utility function, none of which contain test title declarations.
Test Structure And Quality	✅ Passed	This custom check for test structure and quality is not applicable to this pull request. The PR modifies only five files: .ci-operator.yaml, Dockerfile, go.mod, a CRD manifest file, and pkg/network/mtu.go. None of these are test files. The modified pkg/network/mtu.go contains only a source code change adding an import and updating a function call, with no corresponding test code included. Since there are no test code changes in this PR, the custom check requirements do not apply.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: yingwang-0320
Once this PR has been reviewed and has the lgtm label, please assign jacobtanenbaum for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[yingwang-0320]

Make build failed. Modified 'cluster-network-operator/pkg/network/mtu.go' to import "github.com/vishvananda/netlink/nl"

[yingwang-0320]

/retest

[openshift-ci-robot]

@yingwang-0320: This pull request references CORENET-6561 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

-> rg 'k8s.io|openshift' go.mod | rg -v 'indirect|module' | awk '{print "go get -u",$1}'
go get -u github.com/openshift/build-machinery-go
go get -u k8s.io/api
go get -u k8s.io/apimachinery
go get -u k8s.io/code-generator
go get -u k8s.io/component-base
go get -u k8s.io/klog/v2
go get -u k8s.io/kube-proxy
go get -u k8s.io/utils
go get -u sigs.k8s.io/controller-runtime
go get -u github.com/openshift/api
go get -u github.com/openshift/client-go
go get -u github.com/openshift/library-go
go get -u github.com/openshift/machine-config-operator
go get -u k8s.io/apiextensions-apiserver
go get -u k8s.io/client-go
go get -u sigs.k8s.io/controller-tools
-> rg 'k8s.io|openshift' go.mod | rg -v 'indirect|module' | awk '{print "go get -u",$1}' | sh
-> go mod tidy; go mod vendor

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[yingwang-0320]

/retest

[yingwang-0320]

/retest

[yingwang-0320]

/retest

[openshift-ci-robot]

@yingwang-0320: This pull request references CORENET-6561 which is a valid jira issue.

Details

In response to this:

-> rg 'k8s.io|openshift' go.mod | rg -v 'indirect|module' | awk '{print "go get -u",$1}'
go get -u github.com/openshift/build-machinery-go
go get -u k8s.io/api
go get -u k8s.io/apimachinery
go get -u k8s.io/code-generator
go get -u k8s.io/component-base
go get -u k8s.io/klog/v2
go get -u k8s.io/kube-proxy
go get -u k8s.io/utils
go get -u sigs.k8s.io/controller-runtime
go get -u github.com/openshift/api
go get -u github.com/openshift/client-go
go get -u github.com/openshift/library-go
go get -u github.com/openshift/machine-config-operator
go get -u k8s.io/apiextensions-apiserver
go get -u k8s.io/client-go
go get -u sigs.k8s.io/controller-tools
-> rg 'k8s.io|openshift' go.mod | rg -v 'indirect|module' | awk '{print "go get -u",$1}' | sh
-> go mod tidy; go mod vendor

Summary by CodeRabbit

Release Notes

• Chores
• Updated Go toolchain from version 1.24 to 1.25
• Updated OpenShift base image from 4.21 to 4.22
• Updated build infrastructure and dependencies for improved compatibility and stability

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

Dockerfile (1)

6-15: ⚠️ Potential issue | 🟠 Major

Set an explicit non-root runtime user in the final stage.

The final image currently has no USER directive, so it defaults to root. OpenShift's default restricted Security Context Constraints (SCC) require containers to run as non-root with a numeric UID. Please set a non-root UID explicitly.

🔧 Proposed fix

 FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
 COPY --from=builder  /go/src/github.com/openshift/cluster-network-operator/cluster-network-operator /usr/bin/
 COPY --from=builder  /go/src/github.com/openshift/cluster-network-operator/cluster-network-check-endpoints /usr/bin/
 COPY --from=builder  /go/src/github.com/openshift/cluster-network-operator/cluster-network-check-target /usr/bin/
 
 COPY manifests /manifests
 COPY bindata /bindata
+USER 65532
 ENV OPERATOR_NAME=cluster-network-operator
 CMD ["/usr/bin/cluster-network-operator"]
 LABEL io.openshift.release.operator true

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` around lines 6 - 15, The final Docker image runs as root because
there's no USER directive; add an explicit non-root numeric UID (for example
USER 1001) to the final stage so the container runs with a non-root runtime uid
required by OpenShift SCCs; ensure the installed binaries
(/usr/bin/cluster-network-operator, /usr/bin/cluster-network-check-endpoints,
/usr/bin/cluster-network-check-target) and copied dirs (/manifests, /bindata)
are readable/executable by that UID if needed (adjust ownership in the builder
stage or add a chown step before switching USER) and keep CMD
["/usr/bin/cluster-network-operator"] and ENV OPERATOR_NAME unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 8: Update the vulnerable module versions in go.mod by bumping
github.com/containernetworking/cni to v0.8.1 or later and
go.opentelemetry.io/otel/sdk to v1.40.0 or later; after changing the version
lines for these modules (github.com/containernetworking/cni and
go.opentelemetry.io/otel/sdk) run the usual Go module update commands (e.g., go
get <module>@<version> and go mod tidy) and re-run tests/build to ensure nothing
breaks.

---

Outside diff comments:
In `@Dockerfile`:
- Around line 6-15: The final Docker image runs as root because there's no USER
directive; add an explicit non-root numeric UID (for example USER 1001) to the
final stage so the container runs with a non-root runtime uid required by
OpenShift SCCs; ensure the installed binaries
(/usr/bin/cluster-network-operator, /usr/bin/cluster-network-check-endpoints,
/usr/bin/cluster-network-check-target) and copied dirs (/manifests, /bindata)
are readable/executable by that UID if needed (adjust ownership in the builder
stage or add a chown step before switching USER) and keep CMD
["/usr/bin/cluster-network-operator"] and ENV OPERATOR_NAME unchanged.

---

ℹ️ Review info

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 1c1a097 and b635fde.

⛔ Files ignored due to path filters (295)

• go.sum is excluded by !**/*.sum
• vendor/github.com/go-openapi/jsonpointer/.cliff.toml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/jsonpointer/.gitignore is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/jsonpointer/.golangci.yml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/jsonpointer/CONTRIBUTORS.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/jsonpointer/LICENSE is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/jsonpointer/NOTICE is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/jsonpointer/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/jsonpointer/SECURITY.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/jsonpointer/errors.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/jsonpointer/pointer.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/jsonreference/.cliff.toml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/jsonreference/.editorconfig is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/jsonreference/.golangci.yml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/jsonreference/CONTRIBUTORS.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/jsonreference/NOTICE is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/jsonreference/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/jsonreference/SECURITY.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/jsonreference/internal/normalize_url.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/jsonreference/reference.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/.golangci.yml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/SECURITY.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/TODO.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/cmdutils/cmd_utils.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/cmdutils/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/cmdutils_iface.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/conv/convert.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/conv/convert_types.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/conv/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/conv/format.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/conv/sizeof.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/conv/type_constraints.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/conv_iface.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/fileutils/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/fileutils/file.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/fileutils/path.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/fileutils_iface.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/go.work.sum is excluded by !**/*.sum, !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/jsonname/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/jsonname/name_provider.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/jsonname_iface.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/jsonutils/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/jsonutils/adapters/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/jsonutils/adapters/ifaces/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/jsonutils/adapters/ifaces/ifaces.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/jsonutils/adapters/ifaces/registry_iface.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/jsonutils/adapters/registry.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/adapter.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/lexer.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/ordered_map.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/pool.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/register.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/writer.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/jsonutils/concat.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/jsonutils/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/jsonutils/json.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/jsonutils/ordered_map.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/jsonutils_iface.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/loading/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/loading/errors.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/loading/json.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/loading/loading.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/loading/options.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/loading/yaml.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/loading_iface.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/mangling/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/mangling/initialism_index.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/mangling/name_lexem.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/mangling/name_mangler.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/mangling/options.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/mangling/pools.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/mangling/split.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/mangling/string_bytes.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/mangling/util.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/mangling_iface.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/netutils/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/netutils/net.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/netutils_iface.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/stringutils/collection_formats.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/stringutils/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/stringutils/strings.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/stringutils_iface.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/typeutils/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/typeutils/types.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/typeutils_iface.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/yamlutils/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/yamlutils/errors.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/yamlutils/ordered_map.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/yamlutils/yaml.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-openapi/swag/yamlutils_iface.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/google/gnostic-models/extensions/extension.proto is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/google/gnostic-models/openapiv2/OpenAPIv2.proto is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/google/gnostic-models/openapiv3/OpenAPIv3.proto is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/google/gnostic-models/openapiv3/annotations.proto is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-openapiv2/options/openapiv2.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-openapiv2/options/openapiv2.proto is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-openapiv2/options/openapiv2_protoopaque.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/onsi/gomega/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/gomega/format/format.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/gomega/gomega_dsl.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/gomega/matchers.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/gomega/matchers/have_key_matcher.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/gomega/matchers/have_key_with_value_matcher.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/onsi/gomega/matchers/support/goraph/edge/edge.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/.golangci.go-validated.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/.golangci.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1/types_infrastructure.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/config/v1alpha1/types_backup.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/console/v1/types_console_sample.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/prometheus/common/expfmt/expfmt.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/prometheus/common/expfmt/fuzz.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/sirupsen/logrus/.golangci.yml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/sirupsen/logrus/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/sirupsen/logrus/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/sirupsen/logrus/appveyor.yml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/sirupsen/logrus/entry.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/sirupsen/logrus/hooks.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/sirupsen/logrus/logger.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/sirupsen/logrus/logrus.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/sirupsen/logrus/terminal_check_bsd.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/sirupsen/logrus/terminal_check_unix.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/sirupsen/logrus/terminal_check_wasi.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/sirupsen/logrus/terminal_check_wasip1.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/sirupsen/logrus/text_formatter.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/spf13/cast/map.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/spf13/cobra/.golangci.yml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/spf13/cobra/command.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.etcd.io/etcd/api/v3/version/version.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/config.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/metadata_supplier.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/stats_handler.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/version.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/client.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/config.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/handler.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/client.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/env.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/gen.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/httpconv.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/server.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/version.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/.codespellignore is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/.golangci.yml is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/.lycheeignore is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/Makefile is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/RELEASING.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/VERSIONING.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/encoder.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/hash.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/internal/xxhash/xxhash.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/set.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/type_string.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/baggage/baggage.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/dependencies.Dockerfile is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/tracetransform/span.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/client.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/counter/counter.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/gen.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/observ/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/observ/instrumentation.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/observ/target.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/partialsuccess.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/retry/retry.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/version.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/x/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/x/observ.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/x/x.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/version.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/internal/global/meter.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/metric.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/metric/config.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/propagation/trace_context.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/internal/x/features.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/internal/x/x.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/host_id_bsd.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/host_id_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/host_id_unsupported.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/host_id_windows.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/os_release_unix.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/os_unix.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/os_unsupported.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/batch_span_processor.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/env/env.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/batch_span_processor.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/simple_span_processor.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/tracer.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/provider.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/simple_span_processor.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/span.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/span_limits.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/tracer.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/version.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/internal/http.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/error_type.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/httpconv/metric.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/otelconv/metric.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.37.0/rpcconv/metric.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/config.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/span.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/version.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/versions.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/go.uber.org/zap/.golangci.yml is excluded by !**/vendor/**, !vendor/**
• vendor/go.uber.org/zap/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.uber.org/zap/CODE_OF_CONDUCT.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.uber.org/zap/LICENSE is excluded by !**/vendor/**, !vendor/**
• vendor/go.uber.org/zap/Makefile is excluded by !**/vendor/**, !vendor/**
• vendor/go.uber.org/zap/field.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.uber.org/zap/http_handler.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.uber.org/zap/logger.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.uber.org/zap/options.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.uber.org/zap/sink.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.uber.org/zap/zapcore/buffered_write_syncer.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.uber.org/zap/zapcore/console_encoder.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.uber.org/zap/zapcore/entry.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.uber.org/zap/zapcore/lazy_with.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.uber.org/zap/zapcore/level.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/mod/module/module.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/mod/semver/semver.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/transport.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/trace/events.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/websocket/hybi.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/oauth2/deviceauth.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/oauth2/oauth2.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/oauth2/pkce.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/oauth2/token.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/oauth2/transport.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sync/errgroup/errgroup.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/cpu/cpu.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/cpu/cpu_arm64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/cpu/cpu_arm64.s is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/cpu/cpu_gc_arm64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/cpu/cpu_gccgo_arm64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/cpu/cpu_netbsd_arm64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/cpu/cpu_openbsd_arm64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/cpu/cpu_x86.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/mkerrors.sh is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_386.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_arm.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mips.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_netbsd_arm.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/term/terminal.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/encoding/japanese/eucjp.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/encoding/japanese/iso2022jp.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/encoding/japanese/shiftjis.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/encoding/korean/euckr.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/encoding/simplifiedchinese/gbk.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/encoding/simplifiedchinese/hzgb2312.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/encoding/traditionalchinese/big5.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/encoding/unicode/unicode.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/ast/astutil/imports.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/ast/inspector/cursor.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/packages/packages.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/packages/visit.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/types/objectpath/objectpath.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/types/typeutil/callee.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/types/typeutil/map.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/imports/forward.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/event/core/export.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/event/label/label.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/gcimporter/bimport.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/gcimporter/iexport.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/gcimporter/iimport.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/imports/sortimports.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/modindex/index.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/modindex/lookup.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/stdlib/deps.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/stdlib/import.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/stdlib/manifest.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/stdlib/stdlib.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typeparams/normalize.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typesinternal/classify_call.go is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (5)

• .ci-operator.yaml
• Dockerfile
• go.mod
• manifests/0000_70_cluster-network-operator_01_pki_crd.yaml
• pkg/network/mtu.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Checking go.mod content ==="
cat -n go.mod | head -80

echo -e "\n=== Current pins in go.mod ==="
rg -n 'github.com/containernetworking/cni v|go.opentelemetry.io/otel/sdk v' go.mod

echo -e "\n=== OSV check: github.com/containernetworking/cni@0.8.0 ==="
curl -s https://api.osv.dev/v1/query \
  -H 'Content-Type: application/json' \
  -d '{"package":{"name":"github.com/containernetworking/cni","ecosystem":"Go"},"version":"0.8.0"}' \
| jq '.'

echo -e "\n=== OSV check: go.opentelemetry.io/otel/sdk@1.39.0 ==="
curl -s https://api.osv.dev/v1/query \
  -H 'Content-Type: application/json' \
  -d '{"package":{"name":"go.opentelemetry.io/otel/sdk","ecosystem":"Go"},"version":"1.39.0"}' \
| jq '.'

Repository: openshift/cluster-network-operator

Length of output: 14337

---

Update containernetworking/cni to v0.8.1+ and otel/sdk to v1.40.0+ to resolve HIGH severity vulnerabilities.

Line 8 (github.com/containernetworking/cni v0.8.0) has GHSA-xjqr-g762-pxwp (CVE-2021-20206), an improper path limitation vulnerability allowing directory traversal attacks. Line 75 (go.opentelemetry.io/otel/sdk v1.39.0) has GHSA-9h8m-3fm2-qjrq (CVE-2026-24051), arbitrary code execution via PATH hijacking on macOS/Darwin. Both are HIGH severity and patched: upgrade to v0.8.1+ and v1.40.0+ respectively.

🧰 Tools

🪛 OSV Scanner (2.3.3)

[HIGH] 8-8: github.com/containernetworking/cni 0.8.0: Improper limitation of path name in github.com/containernetworking/cni

(GO-2022-0230)

---

[HIGH] 8-8: github.com/containernetworking/cni 0.8.0: containernetworking/cni improper limitation of path name

(GHSA-xjqr-g762-pxwp)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 8, Update the vulnerable module versions in go.mod by bumping
github.com/containernetworking/cni to v0.8.1 or later and
go.opentelemetry.io/otel/sdk to v1.40.0 or later; after changing the version
lines for these modules (github.com/containernetworking/cni and
go.opentelemetry.io/otel/sdk) run the usual Go module update commands (e.g., go
get <module>@<version> and go mod tidy) and re-run tests/build to ensure nothing
breaks.

[yingwang-0320]

/retest

[openshift-ci]

@yingwang-0320: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn-serial-1of2	6228f96	link	true	/test e2e-aws-ovn-serial-1of2
ci/prow/e2e-aws-ovn-hypershift-conformance	6228f96	link	true	/test e2e-aws-ovn-hypershift-conformance
ci/prow/e2e-metal-ipi-ovn-dualstack-bgp-local-gw	6228f96	link	true	/test e2e-metal-ipi-ovn-dualstack-bgp-local-gw
ci/prow/lint	6228f96	link	true	/test lint
ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec	6228f96	link	true	/test e2e-metal-ipi-ovn-ipv6-ipsec
ci/prow/hypershift-e2e-aks	6228f96	link	true	/test hypershift-e2e-aks
ci/prow/4.22-upgrade-from-stable-4.21-e2e-azure-ovn-upgrade	6228f96	link	false	/test 4.22-upgrade-from-stable-4.21-e2e-azure-ovn-upgrade
ci/prow/security	6228f96	link	false	/test security
ci/prow/e2e-ovn-ipsec-step-registry	6228f96	link	true	/test e2e-ovn-ipsec-step-registry
ci/prow/e2e-aws-ovn-upgrade	6228f96	link	true	/test e2e-aws-ovn-upgrade
ci/prow/e2e-metal-ipi-ovn-dualstack-bgp	6228f96	link	true	/test e2e-metal-ipi-ovn-dualstack-bgp

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[jluhrsen]

Can you please update the commit message for this commit with the steps you took to generate this? My guess is that it's what you also have in the main PR description.

[jluhrsen]

why did we need this? maybe it should have been in the initial commit of this PR?

[jluhrsen]

this file is something that get's auto updated. you can revert this

[jluhrsen]

same. this will get updated by an ART bot

[jluhrsen]

did you mean to update this? the commit message looks like you mean to just bump the dockerfile. thinking you don't need this commit at all.

[jluhrsen]

is this needed? if so, please make sure the commit message explains it.

[jluhrsen]

Hi @yingwang-0320 , looks like this PR got a little jumbled, but I left some comments for now. LMK how I can help.

[yingwang-0320]

Thank you @jluhrsen for your comments. I've made some experimental changes to address the CI job failures. However, due to conflicts with recent commits, the PR history has become a bit messy. I will either clean it up or close this one and open a fresh PR shortly.