@Lune-Mercier

coderabbitai bot commented Dec 30, 2025

Walkthrough

Go module dependencies updated across the entire go.mod file, including Go toolchain version bump from 1.24.0 to 1.24.11. Multiple packages upgraded: container runtime libraries, Docker client, OpenTelemetry, Google Cloud, protocol buffers, and cryptography utilities. No changes to public API declarations.

Changes

Cohort / File(s): Go Toolchain & Core Dependencies (go.mod)
Summary: Go version upgraded from 1.24.0 to 1.24.11; multiple direct and indirect dependencies bumped across container ecosystem (containers/image/storage, moby/buildkit, opencontainers/image-spec), Docker client (fsouza/go-dockerclient, docker-credential-helpers v0.9.3), cryptography (ocicrypt v1.2.1), observability (opentelemetry/otel v1.38.0, otel/trace v1.38.0), protocol buffers (google.golang.org/protobuf, genproto), Google Cloud packages, and utility libraries (klauspost/compress v1.18.1, go-containerregistry v0.20.3, go-logr/logr v1.4.3). Various indirect dependency restructuring with consolidated and removed entries.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes



openshift-ci bot added the needs-ok-to-test label (indicates a PR that requires an org member to verify it is safe to test) Dec 30, 2025

openshift-ci bot commented Dec 30, 2025

Hi @Lune-Mercier. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.


openshift-ci bot commented Dec 30, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Lune-Mercier
Once this PR has been reviewed and has the lgtm label, please assign ingvagabund for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 6d61f76 and 40a3fb1.

⛔ Files ignored due to path filters (299)
📒 Files selected for processing (1)
  • go.mod
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

  • go.mod
🪛 OSV Scanner (2.3.1)
go.mod

[HIGH] 178-178: github.com/sigstore/fulcio 1.6.6: Fulcio allocates excessive memory during token parsing in github.com/sigstore/fulcio

(GO-2025-4193)


[HIGH] 178-178: github.com/sigstore/fulcio 1.6.6: Fulcio allocates excessive memory during token parsing

(GHSA-f83f-xpx7-ffpw)

🔇 Additional comments (1)
go.mod (1)

3-3: Dependency updates align with CVE remediation strategy.

The overall approach of bumping the Go toolchain (1.24.0 → 1.24.11) and container/crypto ecosystem libraries is appropriate for addressing CVE concerns. Most updates (containers/image, storage, buildkit, OpenTelemetry, protobuf, golang.org/x libraries) are standard security-focused version increments.

However, resolve the sigstore/fulcio v1.6.6 HIGH severity issue before merging. Once addressed, the remaining updates appear sound.

Optional suggestion: For traceability and review clarity, consider adding a brief mapping in the PR description showing which CVEs are addressed by which version bumps (e.g., "CVE-2025-52565 → golang.org/x/crypto v0.45.0"). This aids future audits.

Also applies to: 19-20, 29-36, 40-40, 51-56, 186-195

github.com/sigstore/rekor v1.3.6 // indirect
github.com/sigstore/sigstore v1.8.4 // indirect
github.com/secure-systems-lab/go-securesystemslib v0.9.1 // indirect
github.com/sigstore/fulcio v1.6.6 // indirect
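Review bot: the last line of this hunk, `github.com/sigstore/fulcio v1.6.6 // indirect`, is still below v1.8.3, the first release the advisories quoted on this page list as fixed, so the bump leaves GO-2025-4193 open. Because the requirement is `// indirect` and this repository vendors its dependencies (see the `vendor/` paths in the excluded-files list), moving it means `go get github.com/sigstore/fulcio@v1.8.3` or later followed by `go mod tidy` and `go mod vendor`, and the neighbouring `sigstore/sigstore` and `sigstore/rekor` lines may move with it. Running `govulncheck ./...` would also show whether the affected `identity` code is reachable from this module at all, which is worth recording in the PR description either way.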

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

GO-2025-4193 sigstore fulcio vulnerability

💡 Result:

Summary — GO-2025-4193 (Fulcio)

  • ID / aliases: GO-2025-4193; CVE-2025-66506; GHSA-f83f-xpx7-ffpw. [1][2]
  • Issue: Fulcio's identity.extractIssuerURL uses strings.Split on untrusted token data, allowing an attacker to craft tokens with many '.' characters that cause excessive memory allocations (resource exhaustion / DoS). [1][3]
  • Affected versions: github.com/sigstore/fulcio versions before v1.8.3. [1][2][3]
  • Fix / mitigation: upgrade fulcio to v1.8.3 or later (patch commit available in upstream). [1][3]

References
  • Go vulnerability entry (GO-2025-4193). [1]
  • OSV / vulnerability metadata (GO-2025-4193 / CVE-2025-66506). [2]
  • Snyk advisory / details and recommended upgrade. [3]

🌐 Web query:

GHSA-f83f-xpx7-ffpw sigstore fulcio

💡 Result:

Summary: GHSA-f83f-xpx7-ffpw (CVE-2025-66506) is a high-severity resource-exhaustion vulnerability in Sigstore Fulcio where identity.extractIssuerURL can allocate excessive memory when parsing a malicious OIDC token (DoS/amplification). It affects Fulcio <= 1.8.2 and is fixed in 1.8.3. Mitigation: upgrade Fulcio to v1.8.3 (or later). See the GitHub advisory and fix commit for details. [1][2][3]

Sources

  • Sigstore GitHub security advisory and fix commit. [1]
  • OSV / package-vuln entries (CVE-2025-66506 / GO-2025-4193) confirming affected range and fix. [2][3]

🌐 Web query:

sigstore/fulcio v1.6.6 security vulnerability

💡 Result:

Short answer: Yes — fulcio v1.6.6 is affected by a high-severity vulnerability (CVE-2025-66506) that allows excessive memory allocation during token parsing. Upgrade to fulcio >= 1.8.3 to fix it. [1][2][3]

Details & actions:

  • Vulnerability: excessive allocations in identity.extractIssuerURL when parsing untrusted OIDC tokens (can be triggered remotely). Published as CVE-2025-66506 on Dec 4, 2025. [1][3]
  • Affected versions: fulcio < 1.8.3 (includes v1.6.6). [1][3]
  • Fix: upgrade to fulcio v1.8.3 or later. [2][4]

Sources:
[1] CVE summary (CVE-2025-66506) — CVE / security aggregation.
[2] sigstore/fulcio releases (GitHub).
[3] Snyk advisory for the vuln (SNYK-GOLANG-GITHUBCOMSIGSTOREFULCIOPKGIDENTITY-14220411).


🏁 Script executed:

#!/bin/bash
# Check Go module information for sigstore/fulcio
curl -s 'https://pkg.go.dev/api/packages/github.com/sigstore/fulcio' | jq '.Versions[0:10] | .[] | {Path, Version, CommitTime}' 2>/dev/null || echo "pkg.go.dev unavailable"

# Try alternative: check GitHub API for releases
echo "=== GitHub Releases ==="
curl -s 'https://api.github.com/repos/sigstore/fulcio/releases?per_page=10' 2>/dev/null | jq '.[] | {tag_name, published_at, prerelease}' | head -30 || echo "GitHub API unavailable"

Repository: openshift/oc

Length of output: 654


⚠️ Critical: sigstore/fulcio v1.6.6 has a documented HIGH severity vulnerability (CVE-2025-66506).

The version being bumped (v1.6.6) is affected by a memory exhaustion vulnerability in token parsing (GO-2025-4193 / GHSA-f83f-xpx7-ffpw). This contradicts the PR's objective to address CVEs.

Update to sigstore/fulcio v1.8.3 or later (v1.8.4 is the latest stable release). All versions before v1.8.3 are vulnerable to this remote-triggerable DoS attack.

🧰 Tools
🪛 OSV Scanner (2.3.1)

[HIGH] 178-178: github.com/sigstore/fulcio 1.6.6: Fulcio allocates excessive memory during token parsing in github.com/sigstore/fulcio

(GO-2025-4193)


[HIGH] 178-178: github.com/sigstore/fulcio 1.6.6: Fulcio allocates excessive memory during token parsing

(GHSA-f83f-xpx7-ffpw)

🤖 Prompt for AI Agents
In go.mod around line 178, the dependency github.com/sigstore/fulcio is pinned
to v1.6.6 which is vulnerable (CVE-2025-66506); update the module requirement to
a fixed release (at least v1.8.3, preferably v1.8.4). Edit go.mod to replace the
version with v1.8.4 (or v1.8.3+) and then run `go get
github.com/sigstore/fulcio@v1.8.4` followed by `go mod tidy` and run tests/build
to ensure no breakage.
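The advisory text quoted in the comment above attributes the issue to `strings.Split` running over untrusted token data. As an added illustration (not Fulcio's code and not its upstream fix), the Go sketch below contrasts that unbounded shape with a bounded one; the function names and the `maxTokenLen` cap are assumptions made for this example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

const maxTokenLen = 16 << 10 // assumed cap on token size; not a value from the page

// issuerUnbounded is the risky shape: strings.Split allocates one substring
// per '.' in untrusted input before anything is validated.
func issuerUnbounded(token string) (string, int, error) {
	return issuerFrom(strings.Split(token, "."))
}

// issuerBounded rejects oversized input, then uses SplitN so at most four
// substrings are allocated no matter how many dots arrive.
func issuerBounded(token string) (string, int, error) {
	if len(token) > maxTokenLen {
		return "", 0, errors.New("token too large")
	}
	return issuerFrom(strings.SplitN(token, ".", 4))
}

// issuerFrom reads the unverified "iss" claim from a three-part JWT and
// reports how many substrings the caller's split produced.
func issuerFrom(parts []string) (string, int, error) {
	if len(parts) != 3 {
		return "", len(parts), errors.New("malformed token")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", len(parts), err
	}
	var claims struct{ Iss string `json:"iss"` }
	err = json.Unmarshal(raw, &claims)
	return claims.Iss, len(parts), err
}

func main() {
	dots := strings.Repeat(".", 10000) // constructed oversplit input
	_, n1, _ := issuerUnbounded(dots)
	_, n2, _ := issuerBounded(dots)
	fmt.Println("substrings allocated:", n1, "vs", n2)
}
```

Both functions reject the malformed input; the difference is how much is allocated before the rejection, which is the cost the advisory describes.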
