chore: Update OpenTelemetry dependencies to v1.44.0#230
Conversation
📝 WalkthroughWalkthroughUpdates Go version references across build, CI, lint, and docs files, switches the CI lint installer to a pinned script, changes the vuln check target to scan packages, and bumps module dependencies in the main and SDK go.mod files. ChangesGo version, CI, and dependency updates
Estimated code review effort: 2 (Simple) | ~10 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
|
There are some vulnerabilities in the CI govul check, could you update them also. |
Bump indirect OpenTelemetry API/SDK modules in the agent and vendored SDK module to address reported CVEs, including the SDK module's required Go directive update for OTel v1.44.0. Update golang image to include latest update of the os package The vuln target scanned bin/fleetint with -mode=binary. The binary is built with -ldflags '-s', which strips the symbol table, so govulncheck cannot tell which packages are linked and falls back to module-level matching. GO-2026-5932 marks the x/crypto openpgp packages as unmaintained in every version with no fixed release, so the check failed even though nothing in the agent imports openpgp. Switch to source mode (govulncheck ./...), which does precise import and call-graph analysis. It reports GO-2026-5932 as informational only and still fails the build if code actually reaches a vulnerable symbol. The fleetint prerequisite is dropped since the binary is no longer needed for the scan. Signed-off-by: Rodrigo Sampaio Vaz <rvaz@nvidia.com>
88d3603 to
fa18130
Compare
There was a problem hiding this comment.
🧹 Nitpick comments (1)
Makefile (1)
155-159: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winPin the
govulncheckversion.Using
@latestmakes vulnerability results and tool behavior non-reproducible, while an already-installed version bypasses installation entirely. Define a repository-owned version and install/check that exact version so CI and local runs use the same scanner.+GOVULNCHECK_VERSION := vX.Y.Z + vuln: ## run vulnerability check `@echo` "Running vulnerability check..." `@if` ! command -v govulncheck >/dev/null 2>&1; then \ echo "Installing govulncheck..."; \ - $(GO) install golang.org/x/vuln/cmd/govulncheck@latest; \ + $(GO) install golang.org/x/vuln/cmd/govulncheck@$(GOVULNCHECK_VERSION); \ fi `@govulncheck` ./...Also consider validating the installed version rather than only checking whether the binary exists.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@Makefile` around lines 155 - 159, The govulncheck install in the Makefile is non-reproducible because it uses `@latest` and only checks for the binary’s presence. Introduce a repository-owned govulncheck version constant in the Makefile, install that exact version in the existing govulncheck target, and update the check to verify the installed version matches the pinned one before skipping installation. Keep the existing govulncheck invocation, but ensure CI and local runs use the same scanner version.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@Makefile`:
- Around line 155-159: The govulncheck install in the Makefile is
non-reproducible because it uses `@latest` and only checks for the binary’s
presence. Introduce a repository-owned govulncheck version constant in the
Makefile, install that exact version in the existing govulncheck target, and
update the check to verify the installed version matches the pinned one before
skipping installation. Keep the existing govulncheck invocation, but ensure CI
and local runs use the same scanner version.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 59673478-d20c-4083-a6c3-d8ed4c1cda77
⛔ Files ignored due to path filters (2)
go.sumis excluded by!**/*.sumthird_party/fleet-intelligence-sdk/go.sumis excluded by!**/*.sum
📒 Files selected for processing (10)
.github/workflows/ci.yml.github/workflows/release.yml.golangci.ymlCONTRIBUTING.mdDockerfileDockerfile.citestsMakefiledocs/development.mdgo.modthird_party/fleet-intelligence-sdk/go.mod
✅ Files skipped from review due to trivial changes (6)
- docs/development.md
- Dockerfile
- CONTRIBUTING.md
- .github/workflows/ci.yml
- .golangci.yml
- .github/workflows/release.yml
🚧 Files skipped from review as they are similar to previous changes (3)
- Dockerfile.citests
- third_party/fleet-intelligence-sdk/go.mod
- go.mod
Bump indirect OpenTelemetry API/SDK modules in the agent and vendored SDK module to address reported CVEs, including the SDK module's required Go directive update for OTel v1.44.0.
Description
Checklist
Summary by CodeRabbit
./...) instead of scanning the built binary only.