
build(deps): bump the golang group across 1 directory with 7 updates #242

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/golang-8c0e3e6507


Conversation


@dependabot dependabot Bot commented on behalf of github Jun 8, 2026


Bumps the golang group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| github.com/Microsoft/hcsshim | 0.14.0 | 0.14.1 |
| github.com/buger/jsonparser | 1.1.2 | 1.2.0 |
| github.com/mattn/go-shellwords | 1.0.12 | 1.0.13 |
| github.com/onsi/ginkgo/v2 | 2.28.1 | 2.29.0 |
| github.com/opencontainers/selinux | 1.13.1 | 1.15.1 |

Updates github.com/Microsoft/hcsshim from 0.14.0 to 0.14.1

Release notes

Sourced from github.com/Microsoft/hcsshim's releases.

v0.14.1

What's Changed

fb5aa2e94 - Maksim An (2026-04-07): upgrade dependencies to fix CI
9a434d6e1 - Dawei Wei (2026-03-06): shim: skip SandboxPlatform validation when platform is not explicitly set (#2620)
98d74bb52 - Cory Snider (2026-02-10): WCOW: restore support for client-mounted roots (#2595)

Full Changelog: microsoft/hcsshim@v0.14.0...v0.14.1

Commits
  • fb5aa2e upgrade dependencies to fix CI
  • 9a434d6 shim: skip SandboxPlatform validation when platform is not explicitly set (#2...
  • 98d74bb WCOW: restore support for client-mounted roots (#2595)
  • See full diff in compare view

Updates github.com/buger/jsonparser from 1.1.2 to 1.2.0

Release notes

Sourced from github.com/buger/jsonparser's releases.

v1.2.0

What's Changed

Full Changelog: buger/jsonparser@v1.1.2...v1.2.0

Commits
  • c172c16 Merge pull request #269 from buger/tinygo
  • 680cd2e Merge pull request #281 from buger/reqproof-assurance-hardening
  • 9dce61c Migrate review storage from reviews/ folder to per-requirement timestamps
  • c03b9ef feat: add property-based obligation classes with 24 new SYS-REQs
  • 9c46110 chore: fix spec lint warnings — remove stale parent field, set review metadata
  • 8bbb8a8 Close coverage gaps: SYS-REQ-007/008/010 fuzz harness coverage to 100%
  • 552e93b Install Z3 via apt before audit
  • 98133b4 Remove manual Z3 pre-download, now handled by proof-action
  • 1b70ead Debug Z3 pre-download: remove output suppression
  • aac1fbc Pre-download Z3 solver before audit
  • Additional commits viewable in compare view

Updates github.com/mattn/go-shellwords from 1.0.12 to 1.0.13

Commits
  • fd1aa6c Run gofmt: add missing //go:build directives and trailing newlines
  • e73986e Treat bare ')' as syntax error regardless of ParseBacktick
  • 9a78803 Merge pull request #60 from scumfrog/security-fix-cve
  • b074fa0 fix: preserve parser compatibility for unmatched ')' handling
  • 735b5e8 Implement tests for shellwords parser functionality
  • e2951fc Fix dollarQuote state management in shellwords.go
  • 551a1d0 Update CI: Go 1.25/1.26 and latest GitHub Actions
  • f3bbb6f Merge pull request #53 from ndeloof/master
  • f6737fe parse \t as TAB, not escaped t
  • See full diff in compare view

Updates github.com/onsi/ginkgo/v2 from 2.28.1 to 2.29.0

Release notes

Sourced from github.com/onsi/ginkgo/v2's releases.

v2.29.0

2.29.0

GinkgoHelperGo makes it easier to write test helpers that need to run in goroutines. Specifically, it makes managing the failure state and capturing failure panics correctly straightforward.

ginkgo outline now includes entries defined in DescribeTableSubtree

v2.28.3

2.28.3

Maintenance

Bump all dependencies

v2.28.2

2.28.2

  • Add ArtifactDir() to support Go 1.26 testing.TB interface [f3a36b6]
  • Implement shell completion [94151c8]
  • Add asan CLI option mirroring msan implementation [4d21dbb]
  • Bump uri from 1.0.3 to 1.0.4 in /docs (#1630) [c102161]
  • fix aspect ratio [9619647]
  • update logos [5779304]
Commits
  • 04b5bcb v2.29.0
  • 124232a docs: GinkgoHelperGo
  • ad9cee8 feat: GinkgoHelperGo, with integration tests
  • 9e56a0a chore: refactor devcontainer for better maintenance
  • 3d235a9 chore: ignore internal/tmp_*/ integration suite temporary dirs
  • 782666a feat: devcontainer configuration with local pkgsite and GH pages
  • 009dd04 Support DescribeTableSubtree in ginkgo outline
  • 5de9c15 v2.28.3
  • 7e2fa19 bump dependencies
  • 1a81912 v2.28.2
  • Additional commits viewable in compare view

Updates github.com/onsi/gomega from 1.39.1 to 1.40.0

Release notes

Sourced from github.com/onsi/gomega's releases.

v1.40.0

1.40.0

We're adopting a new release strategy to minimize dependency bloat in projects that consume Gomega. It is a limitation of the go mod toolchain that test subdependencies of your project's direct dependencies get pulled in as indirect dependencies. In the case of Gomega, this ends up pulling in all of Ginkgo into your go.mod even if you are only using Gomega (Gomega uses Ginkgo for its own tests).

Going forward, releases will strip out all tests, tidy up the go.mod and then push this stripped down version to a new master-lite branch. These stripped-down versions will receive the vx.y.z git tag and will be picked up by the go toolchain.

Please open an issue if this new release process causes unexpected changes for your projects.


Updates github.com/opencontainers/selinux from 1.13.1 to 1.15.1

Release notes

Sourced from github.com/opencontainers/selinux's releases.

v1.15.1

What's Changed

Full Changelog: opencontainers/selinux@v1.15.0...v1.15.1

v1.15.0

This release adds a new function, SetProcessKind, which is to be used instead of KVMProcessLabel[s] and InitProcessLabel[s] in case the user only wants to change the type of the existing label, not generate a new one. It also fixes a CI issue and optimizes label.InitLabels for a few common cases.

What's Changed

Full Changelog: opencontainers/selinux@v1.14.1...v1.15.0

v1.14.1

This release mostly fixes label.InitLabels regression introduced in v1.14.0.

What's Changed

Full Changelog: opencontainers/selinux@v1.14.0...v1.14.1

v1.14.0

This release fixes a regression in ExecLabel, bumps the minimal Go version to 1.22, and deprecates several functions in favor of improved API.

Fixed

Deprecated

Added

Changed

Miscellaneous

... (truncated)

Commits
  • 9801d53 Merge pull request #272 from kolyshkin/add-mcs-nit
  • cf4e440 ReserveLabelV2: ignore labels without MCS
  • 84683a6 Merge pull request #271 from kolyshkin/change-type
  • 8889f6e Add SetProcessKind
  • fb9b5b2 Merge pull request #269 from kolyshkin/init-labels-opt
  • 74873e2 label.InitLabels: optimize
  • c8bf19e Merge pull request #270 from kolyshkin/timeout
  • a55d914 ci: set timeout for vm jobs
  • 89b039b Merge pull request #267 from kolyshkin/damage-control
  • 8c517ef Merge pull request #268 from kolyshkin/readme
  • Additional commits viewable in compare view

Updates golang.org/x/sys from 0.42.0 to 0.43.0

Commits
  • f33a730 windows: support nil security descriptor on GetNamedSecurityInfo
  • 493d172 cpu: add runtime import in cpu_darwin_arm64_other.go
  • 2c2be75 windows: use syscall.SyscallN in Proc.Call
  • a76ec62 cpu: roll back "use IsProcessorFeaturePresent to calculate ARM64 on windows"
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Summary by CodeRabbit

  • Chores
    • Upgraded multiple dependencies including testing frameworks and system libraries to improve stability, security, and performance.

Bumps the golang group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/Microsoft/hcsshim](https://github.com/Microsoft/hcsshim) | `0.14.0` | `0.14.1` |
| [github.com/buger/jsonparser](https://github.com/buger/jsonparser) | `1.1.2` | `1.2.0` |
| [github.com/mattn/go-shellwords](https://github.com/mattn/go-shellwords) | `1.0.12` | `1.0.13` |
| [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) | `2.28.1` | `2.29.0` |
| [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) | `1.13.1` | `1.15.1` |



Updates `github.com/Microsoft/hcsshim` from 0.14.0 to 0.14.1
- [Release notes](https://github.com/Microsoft/hcsshim/releases)
- [Commits](microsoft/hcsshim@v0.14.0...v0.14.1)

Updates `github.com/buger/jsonparser` from 1.1.2 to 1.2.0
- [Release notes](https://github.com/buger/jsonparser/releases)
- [Commits](buger/jsonparser@v1.1.2...v1.2.0)

Updates `github.com/mattn/go-shellwords` from 1.0.12 to 1.0.13
- [Commits](mattn/go-shellwords@v1.0.12...v1.0.13)

Updates `github.com/onsi/ginkgo/v2` from 2.28.1 to 2.29.0
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.28.1...v2.29.0)

Updates `github.com/onsi/gomega` from 1.39.1 to 1.40.0
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.39.1...v1.40.0)

Updates `github.com/opencontainers/selinux` from 1.13.1 to 1.15.1
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](opencontainers/selinux@v1.13.1...v1.15.1)

Updates `golang.org/x/sys` from 0.42.0 to 0.43.0
- [Commits](golang/sys@v0.42.0...v0.43.0)

---
updated-dependencies:
- dependency-name: github.com/Microsoft/hcsshim
  dependency-version: 0.14.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: golang
- dependency-name: github.com/buger/jsonparser
  dependency-version: 1.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang
- dependency-name: github.com/mattn/go-shellwords
  dependency-version: 1.0.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: golang
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-version: 2.29.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang
- dependency-name: github.com/onsi/gomega
  dependency-version: 1.40.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang
- dependency-name: github.com/opencontainers/selinux
  dependency-version: 1.15.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang
- dependency-name: golang.org/x/sys
  dependency-version: 0.43.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jun 8, 2026

coderabbitai Bot commented Jun 8, 2026


Walkthrough

This PR updates the Go module dependencies in go.mod. Direct dependencies including hcsshim, jsonparser, go-shellwords, ginkgo/v2, gomega, opencontainers/selinux, and golang.org/x/sys are bumped to newer versions. Indirect dependencies google/pprof and several golang.org/x modules are also upgraded to newer pseudo-versions.

Changes

Dependency Version Upgrades

| Layer | File(s) | Summary |
| --- | --- | --- |
| Direct dependency upgrades | go.mod | Primary require block dependencies hcsshim (v0.14.0→v0.14.1), jsonparser (v1.1.2→v1.2.0), go-shellwords (v1.0.12→v1.0.13), ginkgo/v2 (v2.28.1→v2.29.0), gomega (v1.39.1→v1.40.0), opencontainers/selinux (v1.13.1→v1.15.1), and golang.org/x/sys (v0.42.0→v0.43.0) are updated to newer versions. |
| Indirect dependency upgrades | go.mod | Indirect dependency google/pprof is updated to a newer pseudo-version; multiple golang.org/x modules (mod, net, sync, text, tools) are each upgraded to newer pseudo-versions. |

🎯 2 (Simple) | ⏱️ ~10 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Stable And Deterministic Test Names | ❌ Error | Repository contains 109+ Ginkgo test names using fmt.Sprintf with dynamic variables (ver, i) in 18+ test files across plugins/main and plugins/meta, violating the stable test name requirement. | Replace fmt.Sprintf dynamic test names with static descriptive strings (e.g., "[v1.0.0] creates a bridge" instead of fmt.Sprintf("[%s] creates a bridge", ver)). Move dynamic values to test bodies for assertions, not titles. |
✅ Passed checks (14 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: a dependency update to Go modules via Dependabot, matching the PR's primary purpose of bumping multiple golang-related dependencies. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Test Structure And Quality | ✅ Passed | This PR only updates Go module dependencies in go.mod/go.sum; no test files are modified. The test quality check is not applicable to dependency-only updates. |
| Microshift Test Compatibility | ✅ Passed | This PR only updates Go module versions in go.mod (+13/-13 lines); no new Ginkgo e2e tests are added. The MicroShift compatibility check applies only to new tests, not dependency updates. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This PR is a dependency update (go.mod/go.sum) with no new Ginkgo tests added. The SNO test compatibility check applies only when new tests are introduced, making it not applicable here. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR only updates Go module dependencies in go.mod; contains no deployment manifests, operator code, or controllers. Custom check for topology-aware scheduling is not applicable. |
| Ote Binary Stdout Contract | ✅ Passed | PR only updates go.mod/go.sum dependencies with no code changes; cannot introduce stdout violations. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | PR only modifies go.mod/go.sum with dependency updates; no new Ginkgo e2e tests added, so check is not applicable. |
| No-Weak-Crypto | ✅ Passed | PR only updates Go module dependencies in go.mod/go.sum; no weak crypto (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom implementations, or unsafe secret comparisons found. |
| Container-Privileges | ✅ Passed | PR updates only Go dependencies (go.mod/go.sum); contains no Kubernetes manifests or container configurations with privileged settings. Check not applicable to dependency updates. |
| No-Sensitive-Data-In-Logs | ✅ Passed | PR updates Go module dependencies. All logging statements in code log safe info (metrics, interface names, container IPs) without exposing passwords, tokens, API keys, or PII. |

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot requested review from dougbtv and s1061123 June 8, 2026 10:44

openshift-ci Bot commented Jun 8, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign dougbtv for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jun 8, 2026

openshift-ci Bot commented Jun 8, 2026


Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
go.mod (1)

1-59: ⚠️ Potential issue | 🟠 Major

Add/enable SBOM/provenance attestations and artifact signing in release CI

go.mod alone can’t satisfy the policy. The current workflows only build and publish tarballs + sha256/sha512 checksums (.github/workflows/release.yaml) and run lint/tests (.github/workflows/test.yaml); there are no steps for SBOM generation (syft/cyclonedx/spdx) and no Sigstore/cosign signing or provenance/attestation tooling (cosign/sigstore/slsa/in-toto/rekor/provenance).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 1 - 59, The repo is missing SBOM generation and artifact
signing/provenance in CI; update the release workflow (referenced as
.github/workflows/release.yaml) to run SBOM tooling (e.g., syft to emit
CycloneDX and SPDX), attach those SBOM artifacts alongside the tarballs and
checksum files, and run cosign to sign both the release artifacts and the SBOMs
(and push signatures to Rekor); also add a provenance/attestation step
(in-toto/slsa/cosign attest) that produces and uploads provenance metadata, and
add any small dev-tool entries (if needed) to go.mod or a tools.go so the build
matrix knows required versions—ensure tests workflow
(.github/workflows/test.yaml) optionally verifies SBOM and signature validity as
part of CI.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Around line 6-8: Update the vulnerable module versions listed in go.mod:
change the golang.org/x/sys entry to v0.44.0 and the golang.org/x/net entry to
v0.55.0, then re-resolve dependencies so go.sum and the module graph are updated
(ensure the new versions are downloaded/validated and any transitive upgrades
applied); reference the module names golang.org/x/sys and golang.org/x/net to
locate the lines to edit and confirm there are no breakages in builds or tests
after the bump.

---

Outside diff comments:
In `@go.mod`:
- Around line 1-59: The repo is missing SBOM generation and artifact
signing/provenance in CI; update the release workflow (referenced as
.github/workflows/release.yaml) to run SBOM tooling (e.g., syft to emit
CycloneDX and SPDX), attach those SBOM artifacts alongside the tarballs and
checksum files, and run cosign to sign both the release artifacts and the SBOMs
(and push signatures to Rekor); also add a provenance/attestation step
(in-toto/slsa/cosign attest) that produces and uploads provenance metadata, and
add any small dev-tool entries (if needed) to go.mod or a tools.go so the build
matrix knows required versions—ensure tests workflow
(.github/workflows/test.yaml) optionally verifies SBOM and signature validity as
part of CI.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: a54d68f9-4449-4591-8854-c8df029125d4

📥 Commits

Reviewing files that changed from the base of the PR and between d6f7395 and 3754c40.

⛔ Files ignored due to path filters (59)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/buger/jsonparser/.gitignore is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/buger/jsonparser/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/buger/jsonparser/bytes.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/buger/jsonparser/bytes_safe.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/buger/jsonparser/bytes_unsafe.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/buger/jsonparser/escape.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/buger/jsonparser/fuzz.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/buger/jsonparser/parser.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/buger/jsonparser/proof.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mattn/go-shellwords/shellwords.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mattn/go-shellwords/util_posix.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/mattn/go-shellwords/util_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/.gitignore is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/command/program.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/main.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/outline/ginkgo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/outline/outline.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo_t_dsl.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/helpergo_dsl.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/testingtproxy/testing_t_proxy.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/types/config.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/types/flags.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/types/version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/gomega/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/gomega/gomega_dsl.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/opencontainers/selinux/go-selinux/selinux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/opencontainers/selinux/pkg/pwalkdir/pwalkdir.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/html/iter.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/html/node.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/html/nodetype_string.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/dll_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/security_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ast/inspector/cursor.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ast/inspector/inspector.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ast/inspector/iter.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/packages/golist.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/packages/packages.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/types/objectpath/objectpath.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/aliases/aliases.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/aliases/aliases_go122.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/event/core/event.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/event/keys/keys.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/event/label/label.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/gcimporter/iexport.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/gcimporter/iimport.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/gcimporter/ureader.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/gocommand/version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/pkgbits/version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/stdlib/deps.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/typeparams/coretype.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/typeparams/free.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/typesinternal/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/versions/features.go is excluded by !**/vendor/**, !vendor/**
  • vendor/modules.txt is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod
Comment on lines +6 to +8
github.com/Microsoft/hcsshim v0.14.1
github.com/alexflint/go-filemutex v1.3.0
github.com/buger/jsonparser v1.1.2
github.com/buger/jsonparser v1.2.0
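Review bot: the jsonparser bump in this hunk (v1.1.2 to v1.2.0) is a semver-minor change whose release notes quoted above carry an empty "What's Changed" section, so the only record of what changed is the commit list; read the buger/jsonparser@v1.1.2...v1.2.0 compare view before approving rather than relying on the Dependabot summary. Also, the CodeRabbit finding on these same lines reports the resolved golang.org/x/sys v0.43.0 and golang.org/x/net v0.53.0 as still flagged by OSV (fixed in 0.44.0 and 0.55.0), and since this repository vendors (vendor/modules.txt is among the ignored files), the follow-up `go get golang.org/x/sys@v0.44.0 golang.org/x/net@v0.55.0`, `go mod tidy` and `go mod vendor` should be pushed to this branch so the PR does not land on versions the review already knows to be vulnerable.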


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Verify vulnerability status of bumped modules/versions via OSV API (read-only).
mods=(
  "github.com/Microsoft/hcsshim@0.14.1"
  "github.com/buger/jsonparser@1.2.0"
  "github.com/mattn/go-shellwords@1.0.13"
  "github.com/onsi/ginkgo/v2@2.29.0"
  "github.com/onsi/gomega@1.40.0"
  "github.com/opencontainers/selinux@1.15.1"
  "golang.org/x/sys@0.43.0"
  "github.com/google/pprof@0.0.0-20260402051712-545e8a4df936"
  "golang.org/x/mod@0.35.0"
  "golang.org/x/net@0.53.0"
  "golang.org/x/sync@0.20.0"
  "golang.org/x/text@0.36.0"
  "golang.org/x/tools@0.44.0"
)

for m in "${mods[@]}"; do
  name="${m%@*}"
  ver="${m#*@}"
  echo "=== $name $ver ==="
  payload=$(jq -n --arg n "$name" --arg v "$ver" \
    '{package:{ecosystem:"Go",name:$n},version:$v}')
  curl -sSf https://api.osv.dev/v1/query -d "$payload" | jq .
done

Repository: openshift/containernetworking-plugins

Length of output: 15814


OSV reports known vulnerabilities in bumped deps; update go.mod before merge

  • golang.org/x/sys v0.43.0 has GO-2026-5024 (alias CVE-2026-39824); OSV indicates fixed in 0.44.0.
  • golang.org/x/net v0.53.0 has multiple vulns (GO-2026-5025 to GO-2026-5030, e.g., CVE-2026-42506, CVE-2026-39821, CVE-2026-42502, CVE-2026-25680, CVE-2026-25681, CVE-2026-27136); OSV indicates fixed in 0.55.0.

Bump these modules to the OSV-fixed versions (or provide a clear justification/mitigation for staying on the vulnerable versions).
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 6 - 8, Update the vulnerable module versions listed in
go.mod: change the golang.org/x/sys entry to v0.44.0 and the golang.org/x/net
entry to v0.55.0, then re-resolve dependencies so go.sum and the module graph
are updated (ensure the new versions are downloaded/validated and any transitive
upgrades applied); reference the module names golang.org/x/sys and
golang.org/x/net to locate the lines to edit and confirm there are no breakages
in builds or tests after the bump.

Source: Coding guidelines
