Skip to content

deps(go): bump golang.org/x/crypto to v0.52.0 (AROSLSRE-1455)#6000

Open
raelga wants to merge 2 commits into
Azure:mainfrom
raelga:bump-go-crypto-cves
Open

deps(go): bump golang.org/x/crypto to v0.52.0 (AROSLSRE-1455)#6000
raelga wants to merge 2 commits into
Azure:mainfrom
raelga:bump-go-crypto-cves

Conversation

@raelga

@raelga raelga commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

AROSLSRE-1455

What

Bump golang.org/x/crypto from v0.51.0 to v0.52.0 across all 23 affected workspace modules (2 direct importers, the rest indirect), regenerated with make all-tidy.

Why

Resolves 286 open Dependabot alerts — by far the largest single source of open alerts on the repo (the other ~22 open alerts are unrelated packages). These stem from 13 distinct golang.org/x/crypto advisories (7 critical, 2 high, 4 medium) fanned out across the 23 affected workspace modules. Highlights: auth bypass via unenforced @revoked status (CVE-2026-42508), agent constraint / key-constraint bypasses (CVE-2026-39832/39833), and several SSH server DoS issues.

CVEs fixed

CVE-2026-42508, CVE-2026-39831, CVE-2026-39832, CVE-2026-39833, CVE-2026-39834, CVE-2026-39830, CVE-2026-46595, CVE-2026-46597, CVE-2026-39829, CVE-2026-39828, CVE-2026-39835, CVE-2026-46598, CVE-2026-39827

Alert search: open Dependabot alerts for golang.org/x/crypto

Testing

  • make all-tidy (per-module go mod tidy + go work sync + fmt + licenses) — clean.
  • go build ./... passes for all 23 affected modules.

Special notes for your reviewer

Dependency-only change; diff is limited to go.mod / go.sum / go.work.sum. No source edits. Part of the go.work-aware Dependabot remediation effort (AROSLSRE-1448).

Closes #5964
Closes #5965

PR Checklist

  • PR is scoped to a single task (no mixed concerns)
  • Title follows Conventional Commits format
  • Summary explains the "Why" behind the change
  • Linked to relevant ticket/issue
  • Screenshots included (if graph/UI/metrics changes)
  • Self-reviewed the diff
  • CI/CD checks are passing (ignore Tide)
  • Commit history is clean (rebased/squashed)

Fixes 13 advisories (7 critical, 2 high, 4 medium) reported by Dependabot
across 23 workspace modules. Ran make all-tidy (go mod tidy per module +
go work sync + fmt + licenses); go build ./... passes for all affected modules.
Copilot AI review requested due to automatic review settings July 9, 2026 16:32
@openshift-ci openshift-ci Bot requested review from avollmer-redhat and bennerv July 9, 2026 16:32
@openshift-ci openshift-ci Bot added the approved label Jul 9, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the repository’s Go workspace modules to use golang.org/x/crypto v0.52.0, addressing multiple security advisories while keeping the change scoped to dependency metadata (go.mod/go.sum).

Changes:

  • Bump golang.org/x/crypto from v0.51.0v0.52.0 across the affected workspace modules.
  • Refresh module checksum files (go.sum) to match the updated dependency graph.
  • Add/update indirect requirements where needed to reflect the new resolved version.

Reviewed changes

Copilot reviewed 23 out of 46 changed files in this pull request and generated no comments.

Show a summary per file
File Description
tooling/tenant-quota/go.mod Bump golang.org/x/crypto to v0.52.0 (indirect).
tooling/tenant-quota/go.sum Update checksums for golang.org/x/crypto v0.52.0.
tooling/templatize/go.mod Bump golang.org/x/crypto to v0.52.0 (indirect).
tooling/templatize/go.sum Update checksums for golang.org/x/crypto v0.52.0.
tooling/secret-sync/go.mod Bump golang.org/x/crypto to v0.52.0 (indirect).
tooling/secret-sync/go.sum Update checksums for golang.org/x/crypto v0.52.0.
tooling/prometheus-rules/go.mod Add/update golang.org/x/crypto v0.52.0 (indirect).
tooling/prometheus-rules/go.sum Update checksums for golang.org/x/crypto v0.52.0.
tooling/kustoctl/go.mod Bump golang.org/x/crypto to v0.52.0 (indirect).
tooling/kustoctl/go.sum Update checksums for golang.org/x/crypto v0.52.0.
tooling/image-updater/go.mod Bump golang.org/x/crypto to v0.52.0 (indirect).
tooling/image-updater/go.sum Update checksums for golang.org/x/crypto v0.52.0.
tooling/helmtest/go.mod Bump golang.org/x/crypto to v0.52.0 (indirect).
tooling/helmtest/go.sum Update checksums for golang.org/x/crypto v0.52.0.
tooling/hcpctl/go.mod Bump golang.org/x/crypto to v0.52.0 (indirect).
tooling/hcpctl/go.sum Update checksums for golang.org/x/crypto v0.52.0.
tooling/grafanactl/go.mod Bump golang.org/x/crypto to v0.52.0 (indirect).
tooling/grafanactl/go.sum Update checksums for golang.org/x/crypto v0.52.0.
tooling/cleanup-sweeper/go.mod Bump golang.org/x/crypto to v0.52.0 (indirect).
tooling/cleanup-sweeper/go.sum Update checksums for golang.org/x/crypto v0.52.0.
tooling/aro-hcp-exporter/go.mod Bump golang.org/x/crypto to v0.52.0 (indirect).
tooling/aro-hcp-exporter/go.sum Update checksums for golang.org/x/crypto v0.52.0.
test/go.mod Bump direct golang.org/x/crypto dependency to v0.52.0.
test/go.sum Update checksums for golang.org/x/crypto v0.52.0.
test-integration/go.mod Bump golang.org/x/crypto to v0.52.0 (indirect).
test-integration/go.sum Update checksums for golang.org/x/crypto v0.52.0.
sessiongate/go.mod Bump golang.org/x/crypto to v0.52.0 (indirect).
sessiongate/go.sum Update checksums for golang.org/x/crypto v0.52.0.
mgmt-agent/go.mod Bump golang.org/x/crypto to v0.52.0 (indirect).
mgmt-agent/go.sum Update checksums for golang.org/x/crypto v0.52.0.
kube-applier/go.mod Bump golang.org/x/crypto to v0.52.0 (indirect).
kube-applier/go.sum Update checksums for golang.org/x/crypto v0.52.0.
internal/go.mod Bump golang.org/x/crypto to v0.52.0 (indirect).
internal/go.sum Update checksums for golang.org/x/crypto v0.52.0.
frontend/go.mod Bump golang.org/x/crypto to v0.52.0 (indirect).
frontend/go.sum Update checksums for golang.org/x/crypto v0.52.0.
fleet/go.mod Bump golang.org/x/crypto to v0.52.0 (indirect).
fleet/go.sum Update checksums for golang.org/x/crypto v0.52.0.
dev-infrastructure/scripts/postgres-access/go.mod Bump golang.org/x/crypto to v0.52.0 (indirect).
dev-infrastructure/scripts/postgres-access/go.sum Update checksums for golang.org/x/crypto v0.52.0.
backend/go.mod Bump golang.org/x/crypto to v0.52.0 (indirect).
backend/go.sum Update checksums for golang.org/x/crypto v0.52.0.
admin/server/go.mod Bump golang.org/x/crypto to v0.52.0 (indirect).
admin/server/go.sum Update checksums for golang.org/x/crypto v0.52.0.
admin/client/go.mod Bump direct golang.org/x/crypto dependency to v0.52.0.
admin/client/go.sum Update checksums for golang.org/x/crypto v0.52.0.

Copilot AI review requested due to automatic review settings July 9, 2026 16:58
@raelga

raelga commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator Author

Pushed bd8ae13 to fix a genuine, in-scope ci/prow/verify failure (verify-deepcopy).

Failure: the job showed go.sum drift in tooling/prometheus-rules/go.sum — the golang.org/x/crypto v0.52.0/go.mod hash line was missing (only the h1: line was present). This is the mechanical consequence of the x/crypto bump for that module; my local make all-tidy had regenerated the other 22 modules but this module's go.mod hash only materializes when a build resolves it inside that module (which the CI make deepcopy step does).

Fix: go mod tidy in tooling/prometheus-rules, then make all-tidy to confirm no siblings drifted — only that one go.sum line changed. Diff remains dependency-only.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 23 out of 46 changed files in this pull request and generated 1 comment.

Comment thread backend/go.mod
@raelga

raelga commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator Author

/test periodic-healthcheck-images

Retesting: this is an environmental/network flake, not caused by this PR. The aro-hcp-e2e-tests image build failed while downloading the Bicep CLI:

az bicep build ...
ERROR: Error while attempting to download Bicep CLI: <urlopen error [Errno -2] Name or service not known>
make: *** [Makefile:14: .../cluster.json] Error 1

That's a DNS-resolution failure inside the build sandbox (Name or service not known) — a transient infra issue. This PR only bumps golang.org/x/crypto go.mod/go.sum hashes and cannot affect Bicep CLI download. Re-running on a healthier node.

@avollmer-redhat avollmer-redhat left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

Dep-only change: golang.org/x/crypto v0.51.0 → v0.52.0 across all 23 workspace modules. Fixes 13 CVEs (286 Dependabot alerts). go.mod/go.sum only, no source changes. e2e-parallel failure is unrelated to a transitive crypto bump.

@openshift-ci

openshift-ci Bot commented Jul 9, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: avollmer-redhat, raelga

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

/retest-required

Remaining retests: 0 against base HEAD da52c18 and 2 for PR HEAD bd8ae13 in total

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

/retest-required

Remaining retests: 0 against base HEAD ccc61d2 and 1 for PR HEAD bd8ae13 in total

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

/retest-required

Remaining retests: 0 against base HEAD e1b1907 and 0 for PR HEAD bd8ae13 in total

@openshift-ci

openshift-ci Bot commented Jul 10, 2026

Copy link
Copy Markdown

@raelga: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-parallel bd8ae13 link true /test e2e-parallel

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

/hold

Revision bd8ae13 was retested 3 times: holding

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants