38 changes: 19 additions & 19 deletions go.mod
Expand Up @@ -19,7 +19,7 @@ require (
github.com/coreos/go-semver v0.3.1
github.com/coreos/ign-converter v0.0.0-20241125185625-2f773079ca81
github.com/coreos/ignition v0.35.0
github.com/coreos/ignition/v2 v2.20.0
github.com/coreos/ignition/v2 v2.26.0
github.com/coreos/rpmostree-client-go v0.0.0-20230914135003-fae0786302f7
github.com/coreos/stream-metadata-go v0.4.10-0.20250806142651-4a7d280a6c7b
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
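Review bot: the github.com/coreos/ignition/v2 line jumps six minor releases (v2.20.0 to v2.26.0) while the legacy github.com/coreos/ignition v0.35.0 entry two lines above stays; confirm the Ignition spec version the operator renders is still accepted by the newer parser and that the v0.35.0 module is still needed (ign-converter is the likely consumer), otherwise `go mod tidy` should drop it.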
Expand All @@ -44,15 +44,15 @@ require (
github.com/prometheus/client_golang v1.23.2
github.com/rs/zerolog v1.34.0
github.com/spf13/cobra v1.10.0
github.com/spf13/pflag v1.0.9
github.com/spf13/pflag v1.0.10
github.com/stretchr/testify v1.11.1
github.com/tidwall/gjson v1.18.0
github.com/tidwall/sjson v1.2.5
github.com/vincent-petithory/dataurl v1.0.0
github.com/vmware/govmomi v0.45.1
golang.org/x/net v0.47.0
golang.org/x/time v0.11.0
google.golang.org/grpc v1.72.2
golang.org/x/net v0.49.0
golang.org/x/time v0.14.0
google.golang.org/grpc v1.78.0
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Querying OSV for google.golang.org/grpc@v1.78.0 ..."
curl -sS https://api.osv.dev/v1/query \
  -H 'Content-Type: application/json' \
  -d '{"package":{"name":"google.golang.org/grpc","ecosystem":"Go"},"version":"v1.78.0"}' \
  | jq '{vulns: [.vulns[]? | {id, aliases, summary, modified}]}'

echo
echo "Fetching GHSA details for GHSA-p77j-4mvh-x3m3 ..."
curl -sS https://api.osv.dev/v1/vulns/GHSA-p77j-4mvh-x3m3 \
  | jq '{id, aliases, summary, affected}'

Repository: openshift/machine-config-operator

Length of output: 1204


Bump gRPC-Go to v1.79.3 or later; v1.78.0 contains a critical authorization bypass vulnerability (GHSA-p77j-4mvh-x3m3 / CVE-2026-33186).

The current version is vulnerable to an authorization bypass via missing leading slash validation in the :path header. This must be fixed before merge.

🧰 Tools
🪛 OSV Scanner (2.3.5)

[CRITICAL] 55-55: google.golang.org/grpc 1.78.0: gRPC-Go has an authorization bypass via missing leading slash in :path

(GHSA-p77j-4mvh-x3m3)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 55, update the gRPC-Go dependency to v1.79.3 or later to
address CVE-2026-33186: change the google.golang.org/grpc version in go.mod (the
dependency entry for google.golang.org/grpc) to v1.79.3+, run `go get
google.golang.org/grpc@v1.79.3` (or newer), then run `go mod tidy` to update
go.sum and ensure the module graph is clean, run the test suite and any CI
vulnerability checks, and commit the updated go.mod and go.sum (and vendor files
if your repo vendors dependencies).
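A CI gate for the remediation the comment above prescribes, added here as an example and not part of this PR or the machine-config-operator code: it reads a go.mod require block (a constructed excerpt, not the repository's file), and reports false when google.golang.org/grpc is pinned below the first fixed release v1.79.3 named in the comment, so the check can run before `go mod tidy` output is merged.

```go
package main

import (
	"strconv"
	"strings"
)

// Constructed go.mod excerpt (not the repository's file) at the gRPC version this PR lands on.
const sampleGoMod = `require (
	github.com/spf13/pflag v1.0.10
	google.golang.org/grpc v1.78.0
)`

// goModVersion returns the version go.mod requests for module (block or single-line require).
func goModVersion(gomod, module string) (string, bool) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line)
		if len(f) >= 3 && f[0] == "require" {
			f = f[1:] // single-line "require module version"
		}
		if len(f) >= 2 && f[0] == module {
			return f[1], true
		}
	}
	return "", false
}

// numbers reduces "v1.79.3", "v1.79.3-rc1" or a pseudo-version to major/minor/patch; suffixes are dropped.
func numbers(v string) (n [3]int) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	for i, s := range strings.SplitN(v, ".", 3) {
		n[i], _ = strconv.Atoi(s)
	}
	return n
}

// atLeast is the CI gate: true only when module is present at min or newer.
func atLeast(gomod, module, min string) bool {
	v, ok := goModVersion(gomod, module)
	have, want := numbers(v), numbers(min)
	for i := range have {
		if have[i] != want[i] {
			return ok && have[i] > want[i]
		}
	}
	return ok
}
```

Pre-release suffixes are collapsed to their base release, so a `-rc` build of the fixed version passes; tighten `numbers` if that matters for your pipeline.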

k8s.io/api v0.35.1
k8s.io/apiextensions-apiserver v0.35.1
k8s.io/apimachinery v0.35.1
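Review bot: google.golang.org/grpc v1.78.0 is exactly the release the OSV scanner flags in the comment above (GHSA-p77j-4mvh-x3m3 / CVE-2026-33186), so this hunk lands on a vulnerable version; set the line to `google.golang.org/grpc v1.79.3` or newer as the comment recommends, then re-run `go mod tidy` so go.sum and the genproto and protobuf pins in the later hunks are resolved against the new gRPC version rather than hand-edited.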
Expand Down Expand Up @@ -89,7 +89,7 @@ require (
github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
github.com/armon/circbuf v0.0.0-20190214190532-5111143e8da2 // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/aws/aws-sdk-go v1.55.6 // indirect
github.com/aws/aws-sdk-go-v2 v1.41.1 // indirect
github.com/bombsimon/wsl/v4 v4.5.0 // indirect
github.com/butuzov/mirror v1.3.0 // indirect
github.com/catenacyber/perfsprint v0.7.1 // indirect
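Review bot: github.com/aws/aws-sdk-go v1.55.6 is not bumped but replaced by github.com/aws/aws-sdk-go-v2 v1.41.1, which is a different module, so a transitive dependency switched SDK generations; identify which direct dependency now pulls in v2 and confirm nothing in the build still imports the v1 module (the PR description should mention the swap, since the v1 SDK is out of support and its removal is the security-relevant part of this hunk).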
Expand All @@ -113,7 +113,7 @@ require (
github.com/fxamacker/cbor/v2 v2.9.0 // indirect
github.com/ghostiam/protogetter v0.3.8 // indirect
github.com/go-errors/errors v1.4.2 // indirect
github.com/go-jose/go-jose/v4 v4.0.5 // indirect
github.com/go-jose/go-jose/v4 v4.1.3 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-logr/zapr v1.3.0 // indirect
github.com/go-openapi/analysis v0.23.0 // indirect
Expand Down Expand Up @@ -198,7 +198,7 @@ require (
go.mongodb.org/mongo-driver v1.14.0 // indirect
go.opentelemetry.io/auto/sdk v1.2.1 // indirect
go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful v0.44.0 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
go.opentelemetry.io/otel v1.40.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 // indirect
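Review bot: otelgrpc moves to v0.63.0 while otelhttp stays at v0.61.0 and the core go.opentelemetry.io/otel is at v1.40.0 with otlptrace at v1.34.0; the contrib instrumentation modules are released in lockstep with the core API, so check `go mod graph` for the mixed pins compiling cleanly, or bump the otel set together in one step rather than letting the gRPC bump drag one instrumentation module forward.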
Expand All @@ -211,8 +211,8 @@ require (
go.uber.org/automaxprocs v1.6.0 // indirect
go.yaml.in/yaml/v2 v2.4.3 // indirect
go.yaml.in/yaml/v3 v3.0.4 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b // indirect
gopkg.in/DATA-DOG/go-sqlmock.v1 v1.3.0 // indirect
gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
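Review bot: the two genproto pseudo-versions (api at 20251202, rpc at 20251222) are what MVS picked for grpc v1.78.0; if the gRPC pin is raised to v1.79.3 as requested above, do not hand-edit these lines but let `go mod tidy` move them, since grpc releases pin specific genproto commits.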
Expand Down Expand Up @@ -260,7 +260,7 @@ require (
github.com/containers/ocicrypt v1.2.1 // indirect
github.com/coreos/go-json v0.0.0-20230131223807-18775e0fb4fb // indirect
github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f // indirect
github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09
github.com/coreos/go-systemd/v22 v22.6.0
github.com/coreos/vcontext v0.0.0-20231102161604-685dc7299dc5 // indirect
github.com/curioswitch/go-reassign v0.3.0 // indirect
github.com/daixiang0/gci v0.13.5 // indirect
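Review bot: github.com/coreos/go-systemd/v22 moves from the pinned commit pseudo-version v22.5.1-0.20231103132048-7d375ecc2b09 to the tagged v22.6.0, and the entry carries no `// indirect`, so it is imported directly; confirm commit 7d375ecc2b09 is contained in the v22.6.0 tag so the fix that pin was carrying is not silently dropped.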
Expand Down Expand Up @@ -393,17 +393,17 @@ require (
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.27.0 // indirect
go4.org v0.0.0-20200104003542-c7e774b10ea0 // indirect
golang.org/x/crypto v0.45.0
golang.org/x/crypto v0.47.0
golang.org/x/exp v0.0.0-20250103183323-7d7fa50e5329
golang.org/x/exp/typeparams v0.0.0-20241108190413-2d47ceb2692f // indirect
golang.org/x/mod v0.29.0 // indirect
golang.org/x/oauth2 v0.30.0 // indirect
golang.org/x/sync v0.18.0
golang.org/x/mod v0.31.0 // indirect
golang.org/x/oauth2 v0.34.0 // indirect
golang.org/x/sync v0.19.0
golang.org/x/sys v0.40.0
golang.org/x/term v0.37.0 // indirect
golang.org/x/text v0.31.0 // indirect
golang.org/x/tools v0.38.0 // indirect
google.golang.org/protobuf v1.36.8 // indirect
golang.org/x/term v0.39.0 // indirect
golang.org/x/text v0.33.0 // indirect
golang.org/x/tools v0.40.0 // indirect
google.golang.org/protobuf v1.36.11 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v2 v2.4.0
gopkg.in/yaml.v3 v3.0.1
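Review bot: golang.org/x/crypto, x/mod, x/oauth2, x/sync, x/term, x/text and x/tools all move in this hunk while golang.org/x/sys stays at v0.40.0; if that is the MVS result of `go mod tidy` it is fine, but if the bumps were applied per module with `go get`, run a final `go mod tidy` and confirm x/sys is genuinely unchanged, since x/crypto v0.47.0 and x/term v0.39.0 both depend on it and a stale pin there is what typically breaks the build.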