2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -135,7 +135,7 @@ require (
golang.org/x/text v0.35.0 // indirect
golang.org/x/time v0.14.0 // indirect
google.golang.org/api v0.266.0 // indirect
google.golang.org/genproto v0.0.0-20260209200024-4cfbd4190f57 // indirect
google.golang.org/genproto 7ab31c22f7ad // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 // indirect

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the go.mod version string format and go.sum consistency

# Check if line 138 is truncated or genuinely malformed
echo "=== Line 138 from go.mod ==="
sed -n '138p' go.mod

# Check go.sum for entries matching the new version
echo "=== go.sum entries for 7ab31c22f7ad ==="
grep -i '7ab31c22f7ad' go.sum || echo "NOT FOUND in go.sum"

# Check go.sum for genproto entries (all)
echo "=== All genproto entries in go.sum ==="
grep 'google.golang.org/genproto' go.sum | head -20

# Attempt to validate module syntax (requires go command)
echo "=== Module integrity check ==="
if command -v go &> /dev/null; then
  go mod verify 2>&1 || echo "Module verification failed"
else
  echo "Go toolchain unavailable; cannot run go mod verify"
fi

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 1409


🏁 Script executed:

#!/bin/bash
# Check the full go.mod context around lines 138-140
echo "=== Context: lines 135-145 from go.mod ==="
sed -n '135,145p' go.mod

# Check if 7ab31c22f7ad appears elsewhere in go.mod or go.sum
echo "=== All occurrences of 7ab31c22f7ad ==="
grep -r '7ab31c22f7ad' . 2>/dev/null || echo "NOT FOUND anywhere"

# Verify git history: has this hash been used before in dependencies?
echo "=== Check git log for 7ab31c22f7ad ==="
git log --oneline --all | grep -i '7ab31c22f7ad' | head -5 || echo "No matching commits in log"

# Decode pseudoversion: what date does 20260401024825 represent?
echo "=== Timestamp analysis ==="
python3 <<'PY'
import datetime
timestamp_str = "20260401024825"
try:
    dt = datetime.datetime.strptime(timestamp_str, "%Y%m%d%H%M%S")
    print(f"Timestamp {timestamp_str} → {dt.isoformat()}")
except ValueError as e:
    print(f"Invalid timestamp: {e}")
PY

# Check if the parent genproto module MUST match submodule versions
echo "=== Checking go.mod for genproto module dependency tree ==="
grep -A2 -B2 'google.golang.org/genproto' go.mod | head -20

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 1286


CWE-829: Line 138 uses bare commit hash without checksum verification — supply chain integrity violation.

google.golang.org/genproto 7ab31c22f7ad // indirect is invalid Go module syntax. Valid pseudoversions require v0.0.0-<timestamp>-<hash> format. The bare commit hash 7ab31c22f7ad:

  • Has NO entry in go.sum (checksum validation bypassed for parent module)
  • Mismatches submodule versions pinned at v0.0.0-20260401024825-9d38bb4040a9 (lines 139–140)
  • Cannot be resolved as a valid go.mod reference

This breaks the integrity chain: submodules are cryptographically verified via go.sum; the parent module is unverified. The orphaned reference violates Go module versioning guarantees and creates a supply chain attack surface. Correct line 138 to use the proper pseudoversion matching lines 139–140, or revert to the previous stable version v0.0.0-20260209200024-4cfbd4190f57.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 138 - 140, The google.golang.org/genproto module on line
138 uses a bare commit hash format (7ab31c22f7ad) which is invalid Go module
syntax and lacks checksum verification. Replace the bare commit hash with a
proper pseudoversion format matching the submodule versions on lines 139-140
(v0.0.0-20260401024825-9d38bb4040a9), or revert to the previous stable version
v0.0.0-20260209200024-4cfbd4190f57 to restore supply chain integrity and ensure
go.sum validation is applied across all dependencies.

Source: Coding guidelines

google.golang.org/grpc v1.80.0 // indirect
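Review bot: the new version field on the google.golang.org/genproto line is a bare commit hash (7ab31c22f7ad), which is not a version go.mod accepts; the go command will reject the file when it parses it, and no go.sum line can correspond to a module@version written this way, unlike the v0.0.0-20260401024825-9d38bb4040a9 pseudo-versions on the two googleapis lines directly below it, which do have a verifiable form. Resolve the hash through the toolchain rather than by hand, e.g. `go get google.golang.org/genproto@7ab31c22f7ad` followed by `go mod tidy`, so that go.mod records the canonical v0.0.0-<timestamp>-<hash> pseudo-version and go.sum gains the matching checksums; while doing so, check whether the parent module should simply be aligned with the pseudo-version the googleapis/api and googleapis/rpc submodules already pin.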
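A lint pass for the kind of defect flagged in the review above, as an added example that is not the project's or the review bot's code: it checks each go.mod require entry for a semver-shaped version (release or pseudo-version) and for a matching checksum line in go.sum. The go.mod and go.sum snippets inside are constructed to mirror the hunk (placeholder h1 values), and the function names are my own.

```go
// Added example, not the project's code: flag go.mod "path version" lines whose
// version is not semver-shaped (release or pseudo-version) or has no go.sum entry.
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// go.mod accepts only semver-shaped versions (v1.80.0 or a pseudo-version); a bare hash never matches.
var semverLike = regexp.MustCompile(`^v\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$`)

// hasSum reports whether go.sum carries a zip or /go.mod checksum for module@version.
func hasSum(goSum, mod, ver string) bool {
	s := "\n" + goSum
	return strings.Contains(s, "\n"+mod+" "+ver+" ") || strings.Contains(s, "\n"+mod+" "+ver+"/go.mod ")
}

// CheckRequires returns one message per require entry that is malformed or lacks a go.sum checksum.
func CheckRequires(goMod, goSum string) []string {
	var out []string
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(line) // "path version [// indirect]"
		if len(f) < 2 || !strings.Contains(f[0], ".") {
			continue // directives ("go 1.x", "require (") and comment lines
		}
		switch mod, ver := f[0], f[1]; {
		case !semverLike.MatchString(ver):
			out = append(out, mod+" "+ver+": not a semver release or pseudo-version")
		case !hasSum(goSum, mod, ver):
			out = append(out, mod+" "+ver+": no checksum in go.sum")
		}
	}
	return out
}

// Constructed inputs mirroring the hunk; h1 values are placeholders and grpc is deliberately absent from go.sum.
const sampleGoMod = `require (
	google.golang.org/genproto 7ab31c22f7ad // indirect
	google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 // indirect
	google.golang.org/grpc v1.80.0 // indirect
)`
const sampleGoSum = `google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 h1:PLACEHOLDER=
google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:PLACEHOLDER=`

func main() {
	for _, msg := range CheckRequires(sampleGoMod, sampleGoSum) {
		fmt.Println(msg)
	}
}
```

Running it reports the bare-hash genproto line and the grpc entry with no checksum, while the correctly pinned googleapis/api line passes.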