upgrade to test v1 CRIOCredentialProviderConfig #31324

Draft
QiWang19 wants to merge 1 commit into openshift:main from QiWang19:upgrade-v1-criocredentialprovider
Conversation

@QiWang19 QiWang19 commented Jun 23, 2026

Member

Summary by CodeRabbit

  • Chores

    • Updated dependency versions including OpenShift API, Kubernetes modules, Go standard library packages, and OpenAPI libraries to their latest releases. Adjusted package resolution directives.
  • Tests

    • Updated test suite to use the stable configuration API version instead of the alpha version for credential provider configuration testing.

Signed-off-by: Qi Wang <qiwan@redhat.com>
@openshift-merge-bot

Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

openshift-ci Bot commented Jun 23, 2026

Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 23, 2026
openshift-ci Bot commented Jun 23, 2026

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: QiWang19
Once this PR has been reviewed and has the lgtm label, please assign mkowalski for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai Bot commented Jun 23, 2026


Walkthrough

Updates go.mod to bump github.com/openshift/api, several golang.org/x/* packages, Kubernetes modules, go-openapi/swag, and spf13/pflag, with replace directives redirecting openshift/api and openshift/client-go to a fork. Tests and the ConfigV1ClientShim are updated to use the v1 (non-alpha) API for CRIOCredentialProviderConfig.

Changes

CRIOCredentialProviderConfig v1 API Migration

| Layer / File(s) | Summary |
| --- | --- |
| Dependency updates and fork replace directives: go.mod | Bumps github.com/openshift/api, github.com/spf13/pflag, golang.org/x/* modules, k8s.io/* modules, and github.com/go-openapi/swag to newer versions; sets replace directives to point openshift/api and openshift/client-go at github.com/QiWang19 fork versions. |
| CRIOCredentialProviderConfig test and shim migrated to v1: test/extended/node/criocredentialprovider.go, test/extended/util/configv1shim.go | Imports switch from apicfgv1alpha1 to apicfgv1; updateCRIOCredentialProviderConfig uses []apicfgv1.MatchImage and reads/writes via ConfigV1().CRIOCredentialProviderConfigs(); verifyWorkerNodeCRIOCredentialProviderConfig asserts using apicfgv1.MatchImage(...). ConfigV1ClientShim gains a CRIOCredentialProviderConfigs() method with a v1Kinds gate. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 10 | ❌ 5

❌ Failed checks (5 warnings)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Test Structure And Quality | ⚠️ Warning | DescribeTable test (lines 63-78) has multiple test scenarios with conditional branching violating single responsibility. The "private mirror" test (lines 100-148) combines multiple unrelated behavi... | Split DescribeTable conditional logic into separate test entries; extract private mirror test into smaller focused tests with single responsibilities. |
| Microshift Test Compatibility | ⚠️ Warning | New test file test/extended/node/criocredentialprovider.go uses config.openshift.io/v1 APIs (CRIOCredentialProviderConfig, ImageDigestMirrorSets) not available on MicroShift, with no protection mec... | Add [apigroup:config.openshift.io] tag to test name, or add [Skipped:MicroShift] label, or wrap in exutil.IsMicroShiftCluster() check with g.Skip() to ensure MicroShift CI jobs skip this test automatically. |
| Single Node Openshift (Sno) Test Compatibility | ⚠️ Warning | New test file test/extended/node/criocredentialprovider.go assumes worker nodes exist and schedules pods to specific nodes (workerNodes[0]) without SNO compatibility protection. | Add [Skipped:SingleReplicaTopology] label to test name or guard with exutil.IsSingleNode() check as documented in SNO compatibility requirements. |
| Ipv6 And Disconnected Network Test Compatibility | ⚠️ Warning | Test requires external connectivity to docker.io for image pulling but lacks [Skipped:Disconnected] marker needed for IPv6-only disconnected CI environments. | Add [Skipped:Disconnected] to the test name "Should execute crio credential provider if private mirror configured" or use internal registry mirrors instead of docker.io. |
✅ Passed checks (10 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly indicates the main change: upgrading to test the v1 CRIOCredentialProviderConfig API instead of v1alpha1, which is directly reflected in the file changes. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | All Ginkgo test names in the PR are stable and deterministic. Test titles use static, descriptive strings without dynamic content like generated identifiers, timestamps, node names, or pod names. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR contains only test code and dependency updates. No deployment manifests, operator code, or scheduling constraints are introduced that would require topology-awareness checks. |
| Ote Binary Stdout Contract | ✅ Passed | No OTE Binary Stdout Contract violations found. All changes are in test code (test/extended/node/ and test/extended/util/) with no process-level code writing to stdout. klog and fmt usage are only... |
| No-Weak-Crypto | ✅ Passed | PR contains no MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB usage; no custom crypto implementations; no unsafe secret comparisons. Changes limited to test files and dependency updates. |
| Container-Privileges | ✅ Passed | No container privilege issues found. PR contains only Go source files and dependency configuration—no Kubernetes manifests with privileged, hostPID, hostNetwork, hostIPC, SYS_ADMIN, or allowPrivile... |
| No-Sensitive-Data-In-Logs | ✅ Passed | PR changes only dependency versions in go.mod, API type name changes from v1alpha1 to v1 in test code. No new logging of sensitive data (passwords, tokens, keys, PII) is introduced; existing test l... |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot added the vendor-update Touching vendor dir or related files label Jun 23, 2026
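
The walkthrough above notes that go.mod gains replace directives pointing openshift/api and openshift/client-go at a fork. As an added example (not code from this PR, the repository, or any of the bots), the Go check below flags replace directives whose target leaves the original module's owner or points at a local path. The sample go.mod, the `example-fork` paths, the versions, and the trusted-owner list are constructed assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample, not the PR's go.mod: fork paths and versions are placeholders.
const sampleGoMod = `module example.com/tests

go 1.24

replace (
	github.com/openshift/api => github.com/example-fork/api v0.0.0-00010101000000-000000000000
	github.com/openshift/client-go => github.com/example-fork/client-go v0.0.0-00010101000000-000000000000 // fork
	k8s.io/api => k8s.io/api v0.0.1
	example.com/lib => github.com/openshift/lib v0.0.1
)

replace example.com/tool => ../tool
`

const (
	reasonForeignOwner = "replacement is hosted under a different, untrusted owner"
	reasonLocalPath    = "replacement is a local filesystem path"
)

// Replace is one parsed replace directive.
type Replace struct {
	Old, New, NewVersion string
	Line                 int
}

// Finding is a replace directive that needs a reviewer's sign-off.
type Finding struct {
	Replace
	Reason string
}

// parseReplaces extracts single-line and block-form replace directives.
func parseReplaces(gomod string) []Replace {
	var out []Replace
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for n := 1; sc.Scan(); n++ {
		line, _, _ := strings.Cut(sc.Text(), "//") // drop trailing comments
		line = strings.Join(strings.Fields(line), " ")
		switch {
		case line == "replace (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "replace "):
			line = strings.TrimPrefix(line, "replace ")
		case !inBlock:
			continue // require, go, module and other directives
		}
		lhs, rhs, ok := strings.Cut(line, "=>")
		l, r := strings.Fields(lhs), strings.Fields(rhs)
		if !ok || len(l) == 0 || len(r) == 0 {
			continue
		}
		rep := Replace{Old: l[0], New: r[0], Line: n}
		if len(r) > 1 {
			rep.NewVersion = r[1]
		}
		out = append(out, rep)
	}
	return out
}

// owner returns host plus first path element, e.g. "github.com/openshift".
// This is a simplification that fits github.com-style module paths.
func owner(modPath string) string {
	parts := strings.SplitN(modPath, "/", 3)
	if len(parts) < 2 {
		return modPath
	}
	return parts[0] + "/" + parts[1]
}

// auditReplaces flags replacements that move a module to an owner not in trusted.
func auditReplaces(gomod string, trusted []string) []Finding {
	allowed := map[string]bool{}
	for _, t := range trusted {
		allowed[t] = true
	}
	var findings []Finding
	for _, rep := range parseReplaces(gomod) {
		switch {
		case strings.HasPrefix(rep.New, "./"), strings.HasPrefix(rep.New, "../"), strings.HasPrefix(rep.New, "/"):
			findings = append(findings, Finding{Replace: rep, Reason: reasonLocalPath})
		case owner(rep.New) == owner(rep.Old), allowed[owner(rep.New)]:
			// same owner (a version pin) or an explicitly trusted organisation
		default:
			findings = append(findings, Finding{Replace: rep, Reason: reasonForeignOwner})
		}
	}
	return findings
}

func main() {
	for _, f := range auditReplaces(sampleGoMod, []string{"github.com/openshift"}) {
		fmt.Printf("go.mod:%d: %s => %s %s: %s\n", f.Line, f.Old, f.New, f.NewVersion, f.Reason)
	}
}
```

Run as a pre-merge job, a non-empty result can fail the build until a reviewer has approved each listed redirect.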

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Around line 444-445: Remove the replace directives in go.mod that redirect
github.com/openshift/api and github.com/openshift/client-go packages to the
QiWang19 personal fork. If the fork patches are necessary for functionality,
first work to upstream those patches to the original openshift repositories,
then revert these replace directives to use the official packages instead. If
these forks must remain for production, add formal documentation and
justification to the pull request explaining the supply chain security
implications and how they meet provenance and signing requirements.
- Line 68: Multiple critical security vulnerabilities have been identified in
the golang.org/x and k8s.io dependencies in the go.mod file. Update
golang.org/x/crypto from v0.48.0 to v0.52.0 or later, upgrade golang.org/x/net
from v0.50.0 to v0.55.0 or later, and upgrade all k8s.io/* dependencies from
v0.35.1 to v1.35.5 or later. Use go get to fetch these updated versions and
ensure the go.mod and go.sum files are properly updated with the new versions.

In `@test/extended/util/configv1shim.go`:
- Around line 464-470: The CRIOCredentialProviderConfigs method in
ConfigV1ClientShim has an unnecessary panic guard that checks if
"CRIOCredentialProviderConfig" exists in v1Kinds. Since this method simply
delegates to the real client via c.configv1.CRIOCredentialProviderConfigs()
without any special shim handling or transformation logic, the panic check is
overly defensive and can be removed. Replace the entire method body with just
the single return statement that delegates to
c.configv1.CRIOCredentialProviderConfigs(), eliminating the if condition that
panics.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: e9a5bf72-1fb7-4897-ae34-d8da4254e641

📥 Commits

Reviewing files that changed from the base of the PR and between b717a65 and 3c0ea2a.

⛔ Files ignored due to path filters (297)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/go-openapi/swag/.codecov.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/.golangci.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/.mockery.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/SECURITY.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/cmdutils/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/cmdutils/cmd_utils.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/cmdutils/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/cmdutils_iface.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/conv/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/conv/convert.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/conv/convert_types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/conv/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/conv/format.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/conv/sizeof.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/conv/type_constraints.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/conv_iface.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/convert.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/convert_types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/errors.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/file.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/fileutils/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/fileutils/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/fileutils/file.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/fileutils/path.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/fileutils_iface.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/go.work is excluded by !**/*.work, !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/go.work.sum is excluded by !**/*.sum, !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/initialism_index.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/json.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonname/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonname/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonname/name_provider.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonname_iface.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/adapters/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/adapters/ifaces/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/adapters/ifaces/ifaces.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/adapters/ifaces/registry_iface.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/adapters/registry.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/adapter.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/lexer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/ordered_map.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/pool.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/register.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/writer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/concat.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/json.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/ordered_map.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils_iface.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/loading/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/loading/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/loading/errors.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/loading/json.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/loading/loading.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/loading/options.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/loading/yaml.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/loading_iface.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/BENCHMARK.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/initialism_index.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/name_lexem.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/name_mangler.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/options.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/pools.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/split.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/string_bytes.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling/util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/mangling_iface.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/name_lexem.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/net.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/netutils/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/netutils/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/netutils/net.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/netutils_iface.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/split.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/stringutils/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/stringutils/collection_formats.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/stringutils/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/stringutils/strings.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/stringutils_iface.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/typeutils/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/typeutils/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/typeutils/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/typeutils_iface.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/yaml.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/yamlutils/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/yamlutils/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/yamlutils/errors.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/yamlutils/ordered_map.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/yamlutils/yaml.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-openapi/swag/yamlutils_iface.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/josharian/intern/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/josharian/intern/intern.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/josharian/intern/license.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/buffer/pool.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/jlexer/bytestostr.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/jlexer/bytestostr_nounsafe.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/jlexer/error.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/jlexer/lexer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mailru/easyjson/jwriter/writer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/.ci-operator.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/Dockerfile.ocp is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/Makefile is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/apiextensions/v1alpha1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/apiextensions/v1alpha1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/apiserver/v1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/apiserver/v1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/apps/v1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/apps/v1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/authorization/v1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/authorization/v1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/build/v1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/build/v1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/cloudnetwork/v1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/cloudnetwork/v1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/register.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_crio_credential_provider_config.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1alpha1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1alpha1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1alpha2/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha2/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/console/v1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/console/v1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/etcd/v1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/etcd/v1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/etcd/v1alpha1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/features.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/features/features.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/helm/v1beta1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/helm/v1beta1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/image/v1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/image/v1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/imageregistry/v1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/imageregistry/v1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/kubecontrolplane/v1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/kubecontrolplane/v1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/legacyconfig/v1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/legacyconfig/v1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/machine/v1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/machine/v1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/machine/v1alpha1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/machine/v1alpha1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/machine/v1beta1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/machine/v1beta1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/machineconfiguration/v1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/machineconfiguration/v1/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/machineconfiguration/v1alpha1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/monitoring/v1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/monitoring/v1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/network/v1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/network/v1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/network/v1alpha1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/network/v1alpha1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/networkoperator/v1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/networkoperator/v1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/oauth/v1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/oauth/v1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/openshiftcontrolplane/v1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/openshiftcontrolplane/v1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/operator/v1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/operator/v1/types_authentication.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/operator/v1/types_etcd.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/operator/v1/types_ingresscontroller.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/operator/v1/types_kmsencryption.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/operator/v1/types_kubeapiserver.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/operator/v1/types_openshiftapiserver.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/operator/v1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/operator/v1alpha1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/operatorcontrolplane/v1alpha1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/operatorcontrolplane/v1alpha1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/operatoringress/v1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/operatoringress/v1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/osin/v1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/osin/v1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/project/v1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/project/v1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/quota/v1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/quota/v1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/route/v1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/route/v1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/samples/v1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/samples/v1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/security/v1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/security/v1/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/security/v1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/servicecertsigner/v1alpha1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/servicecertsigner/v1alpha1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/sharedresource/v1alpha1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/sharedresource/v1alpha1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/template/v1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/template/v1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/user/v1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/user/v1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/client-go/apiserver/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/apps/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/authorization/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/build/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/cloudnetwork/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/criocredentialproviderconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/criocredentialproviderconfigspec.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/criocredentialproviderconfigstatus.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clustermonitoringspec.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/kubestatemetricsconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/kubestatemetricsresourcelabels.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/prometheusconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/retention.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/utils.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/config_client.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/criocredentialproviderconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_config_client.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_criocredentialproviderconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/generated_expansion.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/criocredentialproviderconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/interface.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/informers/externalversions/generic.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/listers/config/v1/criocredentialproviderconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/config/listers/config/v1/expansion_generated.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/console/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/image/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/machine/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/machineconfiguration/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/network/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/oauth/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/operator/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/etcdspec.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/kmsencryptionstatus.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/kmspluginhealthreport.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/kubeapiserverstatus.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/oauthapiserverstatus.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/openshiftapiserverstatus.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/operatoringress/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/project/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/quota/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/route/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/security/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/template/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/client-go/user/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/spf13/pflag/flag.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/crypto/chacha20poly1305/fips140only_compat.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/crypto/chacha20poly1305/fips140only_go1.26.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/crypto/chacha20poly1305/xchacha20poly1305.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/mod/modfile/print.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/mod/modfile/read.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/mod/modfile/rule.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/mod/module/module.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/mod/semver/semver.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/html/node.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/html/nodetype_string.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/client_priority_go126.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/client_priority_go127.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/frame.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/http2.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/server.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/transport.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/internal/httpsfv/httpsfv.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/trace/events.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/websocket/hybi.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sync/errgroup/errgroup.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_arm64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_gc_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_gccgo_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_netbsd_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_openbsd_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_other_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_windows_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_x86.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ioctl_signed.go is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (3)
  • go.mod
  • test/extended/node/criocredentialprovider.go
  • test/extended/util/configv1shim.go

Comment thread go.mod
github.com/openshift-eng/openshift-tests-extension v0.0.0-20260127124016-0fed2b824818
github.com/openshift-kni/commatrix v0.0.5-0.20251111204857-e5a931eff73f
github.com/openshift/api v0.0.0-20260603130340-1ad2ac3eb53d
github.com/openshift/api v0.0.0-20260619095050-5346161d1bf2
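Review bot: The bumped `github.com/openshift/api` requirement (`v0.0.0-20260619095050-5346161d1bf2`) is not the code that gets built while the replace added at +444 of the same file points this module at `github.com/QiWang19/api v0.0.0-20260622144140-c85beac32742`. State in the PR description which upstream commit the test is meant to track, and set this line to that commit when the replace is dropped, so the require line and the vendored tree agree.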

🔒 Security & Privacy | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check for known vulnerabilities in updated dependencies

# Install osv-scanner if available, or use GitHub API to check advisories
echo "Checking for vulnerabilities in updated Go modules..."

# Check a few key updated packages for GitHub security advisories
for pkg in "spf13/pflag" "go-openapi/swag"; do
  echo "Checking $pkg..."
  gh api graphql -f query="
  {
    securityVulnerabilities(first: 5, ecosystem: GO, package: \"$pkg\") {
      nodes {
        advisory {
          summary
          severity
          publishedAt
        }
        vulnerableVersionRange
        firstPatchedVersion {
          identifier
        }
      }
    }
  }" 2>/dev/null || echo "Could not check $pkg"
done

# Check golang.org/x/crypto and golang.org/x/net specifically as they often have security updates
for module in "golang.org/x/crypto" "golang.org/x/net"; do
  echo "Checking $module..."
  curl -s "https://pkg.go.dev/vuln?q=$module" | grep -i "vulnerability" || echo "No obvious vulnerabilities found in web search"
done

Repository: openshift/origin

Length of output: 513


🏁 Script executed:

# First, let's examine the go.mod file at the specified line ranges
head -n 500 go.mod | tail -n +65 | head -n 8
echo "---"
head -n 90 go.mod | tail -n +82 | head -n 8
echo "---"
head -n 110 go.mod | tail -n +94 | head -n 16
echo "---"
head -n 135 go.mod | tail -n +115 | head -n 20
echo "---"
head -n 260 go.mod | tail -n +235 | head -n 25
echo "---"
head -n 410 go.mod | tail -n +395 | head -n 20

Repository: openshift/origin

Length of output: 4245


🏁 Script executed:

# Check the specific versions and use osv-scanner if available
# First, let's install osv-scanner and check for vulnerabilities
echo "Attempting to use osv-scanner for comprehensive vulnerability check..."

# Try to run osv-scanner on go.mod if available
if command -v osv-scanner &> /dev/null; then
  osv-scanner --lockfile=go.mod
else
  echo "osv-scanner not available. Checking specific high-risk packages..."
  # Extract the versions from go.mod for key packages that were updated
  echo "Extracting k8s.io and golang.org/x package versions..."
  rg "k8s\.io|golang\.org/x" go.mod | head -20
fi

Repository: openshift/origin

Length of output: 507


🏁 Script executed:

# Since osv-scanner was killed, let's check the OSV database directly for the key packages
# Check specific versions of packages mentioned in the review

# Extract key package versions from go.mod
echo "Key packages to check:"
rg "golang\.org/x/(crypto|net|sync|oauth2|exp|mod)|spf13/pflag|go-openapi/swag|k8s\.io" go.mod | grep -E "^\s+[a-z]" | head -30

Repository: openshift/origin

Length of output: 1150


🌐 Web query:

OSV.dev vulnerabilities golang.org/x/crypto v0.48.0 golang.org/x/net v0.50.0

💡 Result:

Both golang.org/x/crypto v0.48.0 and golang.org/x/net v0.50.0 contain multiple known security vulnerabilities as recorded in the OSV database as of June 23, 2026.

golang.org/x/crypto v0.48.0

This version is affected by several vulnerabilities, many of which were addressed in version v0.52.0 [1][2]. Known issues include:

  • GO-2026-5013 (CVE-2026-46597): Byte arithmetic causing underflow and panic in SSH [3].
  • GO-2026-5017 (CVE-2026-39830): Client-side resource leak/deadlock in SSH [4].
  • GO-2026-5019 (CVE-2026-39831): Bypass of FIDO/U2F physical interaction requirements [5].
  • GO-2026-5021 (CVE-2026-42508): Authentication bypass via unenforced @revoked status [6].
  • Other advisories listed for this version include GO-2026-5005, GO-2026-5006, GO-2026-5014, GO-2026-5015, GO-2026-5016, GO-2026-5018, GO-2026-5020, GO-2026-5023, and GO-2026-5033 [1][7].

golang.org/x/net v0.50.0

This version is also subject to multiple security advisories [8], including:

  • GO-2026-4559 (CVE-2026-27141): HTTP/2 frame handling causing server panic (fixed in v0.51.0) [9][8].
  • GO-2026-4918: Infinite loop in HTTP/2 transport when processing invalid SETTINGS frames (fixed in v0.53.0) [10].
  • GO-2026-5028 (CVE-2026-25680): Denial of service during HTML parsing (fixed in v0.55.0) [11].
  • GO-2026-5030 (CVE-2026-27136): XSS vulnerability via duplicate HTML attributes (fixed in v0.55.0) [12].
  • Other advisories associated with this version include GO-2026-5025, GO-2026-5026, GO-2026-5027, and GO-2026-5029 [8].

Users are advised to check the OSV.dev database or the Go vulnerability database (pkg.go.dev/vuln) for the latest patching information and to upgrade to the most recent stable versions to remediate these issues [1][8].

Citations:


🌐 Web query:

osv.dev k8s.io v0.35.1 kubernetes vulnerabilities

💡 Result:

The k8s.io modules at version v0.35.1 (which correspond to the Kubernetes v1.35.1 release cycle) are associated with several security vulnerabilities, as Kubernetes libraries are part of the larger k8s.io/kubernetes repository [1][2][3][4][5]. If you are using these dependencies, please note the following:

1. Vulnerability Landscape: The k8s.io/kubernetes package (and its associated staged modules like k8s.io/api, k8s.io/apiserver, etc.) has been subject to various vulnerabilities tracked in the Open Source Vulnerability (OSV) database [1][2][3][4]. Specific examples affecting the k8s.io/kubernetes ecosystem include:
  • Race conditions in kube-apiserver (e.g., GO-2025-3547) [1].
  • Inadvertent local repository access in GitRepo volumes (e.g., GO-2025-3521) [2].
  • Command injection vulnerabilities affecting Windows nodes (e.g., GO-2025-3522) [4].
  • Server-Side Request Forgery (SSRF) in kube-controller-manager (e.g., GO-2025-4240) [3].
2. Patching and Updates: Version v0.35.1 was released on February 10, 2026, as part of the Kubernetes 1.35.1 patch [6][7]. The Kubernetes project actively releases patch versions (e.g., v1.35.x series) to address security concerns and bugs [6]. It is strongly recommended to upgrade to the latest available patch release within the 1.35.x series (e.g., v1.35.5 as of June 2026) to incorporate the latest security fixes [8][6].
3. Verification: You can track specific CVEs and their resolution in the official Kubernetes CHANGELOG for the corresponding release version [8][6]. Additionally, tools like osv.dev and deps.dev can be used to query your specific dependency tree for known vulnerabilities associated with older k8s.io versions [1][9]. Always refer to the official Kubernetes release page for the most current information regarding supported versions and security patches [6].

Citations:


Multiple critical CVEs found in updated golang.org/x and k8s.io dependencies—upgrade required.

The following dependencies contain known security vulnerabilities:

  • golang.org/x/crypto v0.48.0: Multiple CVEs including GO-2026-5013 (SSH byte arithmetic underflow), GO-2026-5017 (SSH resource leak), GO-2026-5019 (FIDO/U2F bypass), GO-2026-5021 (authentication bypass), and others. Upgrade to v0.52.0+.
  • golang.org/x/net v0.50.0: Multiple CVEs including GO-2026-4559 (HTTP/2 panic), GO-2026-4918 (HTTP/2 infinite loop), GO-2026-5028 (HTML parsing DoS), GO-2026-5030 (XSS). Upgrade to v0.55.0+.
  • k8s.io/* v0.35.1: Multiple vulnerabilities documented including race conditions, command injection, and SSRF issues. Upgrade to latest patch release (v1.35.5 or later as of June 2026).

No CVEs found in spf13/pflag v1.0.10 or go-openapi/swag v0.25.4.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 68, Multiple critical security vulnerabilities have been
identified in the golang.org/x and k8s.io dependencies in the go.mod file.
Update golang.org/x/crypto from v0.48.0 to v0.52.0 or later, upgrade
golang.org/x/net from v0.50.0 to v0.55.0 or later, and upgrade all k8s.io/*
dependencies from v0.35.1 to v1.35.5 or later. Use go get to fetch these updated
versions and ensure the go.mod and go.sum files are properly updated with the
new versions.

Source: Path instructions

Comment thread go.mod
Comment on lines +444 to +445
github.com/openshift/api => github.com/QiWang19/api v0.0.0-20260622144140-c85beac32742
github.com/openshift/client-go => github.com/QiWang19/client-go v0.0.0-20260623024724-64bcee5935da
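Review bot: The two replace lines at +444 to +445 carry no comment saying why a personal fork is needed or when it goes away. Add a comment above them naming the upstream openshift/api and openshift/client-go changes they stand in for, and drop both lines (re-running `go mod tidy` and `go mod vendor`) once those changes are available upstream, so the PR cannot leave draft with the fork still wired in.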

🔒 Security & Privacy | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify if the fork versions have corresponding upstream commits

echo "Checking QiWang19/api fork version..."
curl -s "https://api.github.com/repos/QiWang19/api/commits/c85beac32742" | jq -r '.sha // "Not found"'

echo "Checking QiWang19/client-go fork version..."
curl -s "https://api.github.com/repos/QiWang19/client-go/commits/64bcee5935da" | jq -r '.sha // "Not found"'

echo "Checking if openshift/api has the changes..."
git log --oneline --all | grep -i "criocredentialprovider" | head -20 || echo "Need to search upstream"

Repository: openshift/origin

Length of output: 467


🏁 Script executed:

cd /tmp && find . -name "go.mod" -type f 2>/dev/null | head -5

Repository: openshift/origin

Length of output: 154


🏁 Script executed:

# Find and examine the go.mod file
find . -name "go.mod" -type f | head -1 | xargs head -100

Repository: openshift/origin

Length of output: 223


🏁 Script executed:

# Get the exact go.mod content around the replace directives
sed -n '440,450p' go.mod

Repository: openshift/origin

Length of output: 1112


🏁 Script executed:

# Check what upstream versions of openshift/api and openshift/client-go are referenced
rg "github.com/openshift/api|github.com/openshift/client-go" go.mod | head -20

Repository: openshift/origin

Length of output: 548


🌐 Web query:

CVE vulnerabilities openshift/api openshift/client-go 2026

💡 Result:

As of June 23, 2026, several CVE vulnerabilities have been identified and addressed within the Red Hat OpenShift ecosystem. There is no single master list for vulnerabilities specific to openshift/api or openshift/client-go; rather, these components often inherit vulnerabilities from their upstream dependencies (e.g., Go standard library, Kubernetes libraries, or Moby components) [1][2][3][4]. Key vulnerabilities and security updates relevant to OpenShift components in 2026 include:

1. CVE-2026-35469: An allocation of resources vulnerability (CWE-770) in the moby/spdystream dependency, which affected the openshift-apiserver [1][2]. This was addressed in multiple OpenShift releases (e.g., 4.19, 4.22) by updating spdystream to v0.5.1 [1][2][3].
2. CVE-2026-46579: An authentication bypass vulnerability in the OpenShift Router (haproxy-router), where improper header handling allowed impersonation of client certificate identities [5].
3. Dependency-Level Vulnerabilities: OpenShift frequently issues security updates (RHSA) to address vulnerabilities in underlying Go packages, such as:
  • Go net/url parsing issues (e.g., CVE-2026-25679) [4].
  • Go crypto/x509/tls denial-of-service flaws related to certificate chain building (e.g., CVE-2026-32280) [4].
4. Client-Specific Concerns: While Snyk lists entries like CVE-2026-33811 and CVE-2026-34986 for packages labeled openshift-clients, these are often related to broader Go library issues (e.g., CGO DNS resolver, buffer calculations) rather than unique flaws in the OpenShift client-go code itself [6][7].

For the most accurate and up-to-date information, you should monitor the official Red Hat Security Advisory (RHSA) portal. Red Hat regularly publishes errata updates (e.g., RHSA-2026:25180, RHSA-2026:23240) that bundle fixes for these vulnerabilities across different OpenShift Container Platform (OCP) versions [8][9][4]. You can search the Red Hat Security Advisories portal for specific advisories related to your installed OCP version [10].

Citations:


Document and plan removal of fork replace directives before merging to production.

The replace directives redirect critical openshift/api and openshift/client-go packages to a personal fork (QiWang19), using versions with more recent timestamps than the original upstream versions. While acceptable in a draft PR for development and testing, this poses a supply chain security risk and lacks the required provenance attestations and artifact signing per the supply chain security guidelines.

Ensure these replace directives are removed or formally justified before merging to production branches. If the fork patches are required, work toward upstreaming them and reverting to the original dependencies.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 444 - 445, Remove the replace directives in go.mod that
redirect github.com/openshift/api and github.com/openshift/client-go packages to
the QiWang19 personal fork. If the fork patches are necessary for functionality,
first work to upstream those patches to the original openshift repositories,
then revert these replace directives to use the official packages instead. If
these forks must remain for production, add formal documentation and
justification to the pull request explaining the supply chain security
implications and how they meet provenance and signing requirements.

Source: Path instructions
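
A merge gate for the fork-replace concern raised in the comment above, as an added example that is not code from this PR or from openshift/origin: it parses go.mod text with the standard library only and reports replace directives that resolve to a local path or to a different host/owner than the module they replace. `ParseReplaces`, `Audit`, the trusted-owner argument and the lines marked constructed are assumptions; the require line and the two `QiWang19` lines are the ones quoted in this thread.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strings"
)

// Replace is one parsed `old => new [version]` directive.
type Replace struct{ Old, New, Version string }

// Finding is a replace directive that deserves a reviewer's attention.
type Finding struct {
	Replace
	Reason string
}

// sampleGoMod: the require line and the two QiWang19 replace lines are quoted
// from the review thread; the lines marked "constructed" are made up.
const sampleGoMod = `module github.com/openshift/origin

require github.com/openshift/api v0.0.0-20260619095050-5346161d1bf2

replace (
	github.com/openshift/api => github.com/QiWang19/api v0.0.0-20260622144140-c85beac32742
	github.com/openshift/client-go => github.com/QiWang19/client-go v0.0.0-20260623024724-64bcee5935da
	example.com/acme/lib => example.com/acme/lib v1.2.3 // constructed: same owner, pinned
)

replace example.com/acme/tool => ../tool // constructed: local directory
`

// ParseReplaces extracts replace directives in both single-line and block form.
func ParseReplaces(gomod string) []Replace {
	var out []Replace
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop trailing comment
		}
		line = strings.TrimSpace(line)
		if inBlock {
			if line == ")" {
				inBlock = false
				continue
			}
		} else {
			rest, ok := strings.CutPrefix(line, "replace")
			if !ok {
				continue // some other directive
			}
			line = strings.TrimSpace(rest)
			if line == "(" {
				inBlock = true
				continue
			}
		}
		lhs, rhs, ok := strings.Cut(line, "=>")
		l, r := strings.Fields(lhs), strings.Fields(rhs)
		if !ok || len(l) == 0 || len(r) == 0 {
			continue
		}
		rep := Replace{Old: l[0], New: r[0]}
		if len(r) > 1 {
			rep.Version = r[1]
		}
		out = append(out, rep)
	}
	return out
}

// owner returns the host plus first path element, e.g. "github.com/openshift".
func owner(path string) string {
	parts := strings.SplitN(path, "/", 3)
	if len(parts) < 2 {
		return path
	}
	return parts[0] + "/" + parts[1]
}

// Audit flags replacements that resolve to a local directory or to a
// host/owner other than the replaced module's, unless that owner is trusted.
func Audit(gomod string, trusted ...string) []Finding {
	allow := map[string]bool{}
	for _, t := range trusted {
		allow[t] = true
	}
	var out []Finding
	for _, r := range ParseReplaces(gomod) {
		switch {
		case strings.HasPrefix(r.New, "."), strings.HasPrefix(r.New, "/"):
			out = append(out, Finding{Replace: r, Reason: "local path, not reproducible outside this checkout"})
		case owner(r.New) != owner(r.Old) && !allow[owner(r.New)]:
			out = append(out, Finding{Replace: r, Reason: "redirected to " + owner(r.New)})
		}
	}
	return out
}

func main() {
	findings := Audit(sampleGoMod)
	for _, f := range findings {
		fmt.Printf("%s => %s %s: %s\n", f.Old, f.New, f.Version, f.Reason)
	}
	if len(findings) > 0 {
		os.Exit(1) // non-zero exit lets a CI job block the merge
	}
}
```

Passing an owner to `Audit` acts as an explicit, reviewable allowlist entry, so a fork used during development has to be named rather than slipping through.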

Comment on lines +464 to +470
func (c *ConfigV1ClientShim) CRIOCredentialProviderConfigs() configv1.CRIOCredentialProviderConfigInterface {
if c.v1Kinds["CRIOCredentialProviderConfig"] {
panic(fmt.Errorf("CRIOCredentialProviderConfig not implemented"))
}
return c.configv1.CRIOCredentialProviderConfigs()
}
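Review bot: The panic in `CRIOCredentialProviderConfigs()` reports only "CRIOCredentialProviderConfig not implemented", which does not tell whoever hits it that the trigger is `c.v1Kinds["CRIOCredentialProviderConfig"]` being set. Add a doc comment on the method stating when it panics and put the cause in the message, so a failing test run points at the shim's input rather than at a missing client method.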

🎯 Functional Correctness | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find where v1Kinds is initialized and check if CRIOCredentialProviderConfig is added

echo "Searching for v1Kinds initialization..."
rg -n -A5 -B5 'v1Kinds\s*[:=].*\{' test/extended/

echo -e "\nSearching for assignments to v1Kinds..."
rg -n 'v1Kinds\[' test/extended/

echo -e "\nSearching for CRIOCredentialProviderConfig string in v1Kinds context..."
rg -n -C3 'CRIOCredentialProviderConfig.*v1Kinds|v1Kinds.*CRIOCredentialProviderConfig' test/extended/

Repository: openshift/origin

Length of output: 2556


🏁 Script executed:

#!/bin/bash
# Get context around line 1096 where v1Kinds is populated
echo "Context around line 1096 (v1Kinds population):"
sed -n '1080,1110p' test/extended/util/configv1shim.go

echo -e "\n\nSearching for the function containing line 1096:"
sed -n '1050,1100p' test/extended/util/configv1shim.go | head -60

echo -e "\n\nSearching for where this function is called:"
rg -n 'v1Kinds\[objectKind' test/extended/util/configv1shim.go -B10 | head -40

echo -e "\n\nSearching for test code that calls CRIOCredentialProviderConfigs:"
rg -rn 'CRIOCredentialProviderConfigs\(' test/extended/ --include='*.go'

Repository: openshift/origin

Length of output: 3470


🏁 Script executed:

#!/bin/bash
# Correct rg syntax for file type filtering
echo "Searching for test code calling CRIOCredentialProviderConfigs:"
rg -t go 'CRIOCredentialProviderConfigs' test/extended/

echo -e "\n\nSearching for CRIOCredentialProviderConfig objects being created:"
rg -t go 'CRIOCredentialProviderConfig\s*\{' test/extended/

echo -e "\n\nSearching for NewConfigClientShim calls with objects:"
rg -t go -A10 'NewConfigClientShim' test/extended/ | head -50

Repository: openshift/origin

Length of output: 4178


🏁 Script executed:

#!/bin/bash
# Check if criocredentialprovider.go uses the shim or real client
echo "Checking criocredentialprovider.go context and imports:"
head -50 test/extended/node/criocredentialprovider.go

echo -e "\n\nSearching for where AdminConfigClient comes from:"
rg -t go -B5 'AdminConfigClient\(\)' test/extended/node/criocredentialprovider.go | head -30

echo -e "\n\nSearching for uses of ConfigClientShim in tests:"
rg -t go 'ConfigClientShim|ConfigV1ClientShim' test/extended/ -l

Repository: openshift/origin

Length of output: 3410


🏁 Script executed:

#!/bin/bash
# Check client.go to see if AdminConfigClient uses the shim or real client
echo "Checking where ConfigClientShim is instantiated in client.go:"
rg -t go -A15 -B5 'ConfigClientShim' test/extended/util/client.go | head -80

echo -e "\n\nSearching for AdminConfigClient definition:"
rg -t go -A10 'func.*AdminConfigClient' test/extended/util/client.go | head -40

Repository: openshift/origin

Length of output: 1330


🏁 Script executed:

#!/bin/bash
# Check how c.configObjects is initialized
echo "Searching for configObjects initialization in client.go:"
rg -t go -B10 -A10 'configObjects' test/extended/util/client.go | head -60

echo -e "\n\nSearching for where configObjects gets set/populated:"
rg -t go 'configObjects\s*=' test/extended/util/client.go

Repository: openshift/origin

Length of output: 1948


Review the necessity of the panic guard for CRIOCredentialProviderConfigs().

The method panics if v1Kinds["CRIOCredentialProviderConfig"] is true, which only happens if a CRIOCredentialProviderConfig object exists in the static config manifests. Currently, no such objects are present in tests, so this is not an immediate issue. However, since criocredentialprovider.go does call this method via AdminConfigClient(), and the method simply delegates to the real client without special shim logic, consider whether the panic check is necessary. If no special shim handling is required for this kind, the panic guard may be overly defensive and could be removed to match the actual implementation's minimal responsibility.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/util/configv1shim.go` around lines 464 - 470, The
CRIOCredentialProviderConfigs method in ConfigV1ClientShim has an unnecessary
panic guard that checks if "CRIOCredentialProviderConfig" exists in v1Kinds.
Since this method simply delegates to the real client via
c.configv1.CRIOCredentialProviderConfigs() without any special shim handling or
transformation logic, the panic check is overly defensive and can be removed.
Replace the entire method body with just the single return statement that
delegates to c.configv1.CRIOCredentialProviderConfigs(), eliminating the if
condition that panics.

Labels

do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. vendor-update Touching vendor dir or related files

1 participant