
Revert "fix(deps): upgrade otel/sdk to v1.43.0 in extras/dagger to re…#3179

Merged
migmartri merged 1 commit into
chainloop-dev:mainfrom
migmartri:revert-dagger
Jun 9, 2026

Conversation

@migmartri

Member

The upgrade broke generation

onnect DONE [30.3s]
10  : load module: github.com/chainloop-dev/chainloop
11  : ┆ finding module configuration
11  : ┆ finding module configuration DONE [5.5s]
12  : ┆ initializing module
13  : ┆ ┆ ModuleSource.asModule: Module!
14  : ┆ ┆ ┆ withExec codegen generate-typedefs --module-source-path /src/extras/dagger --module-name chainloop --introspection-json-path /schema.json --output typedefs.json (
14  : ┆ ┆ ┆ ┆ experimentalPrivilegedNesting: true
14  : ┆ ┆ ┆ ┆ execMD: "{\"ClientID\":\"krkgdrwqjxet71eyl343drx8y\",\"SessionID\":\"\",\"SecretToken\":\"\",\"Hostname\":\"\",\"ClientStableID\":\"\",\"ExecID\":\"ncdln3d1jc56a8njzoft3wuzw\",\"Internal\":true,\"CallID\":\"ChV4eGgzOjk1ODdjMTg4NmVlZWNkNWQShQEKFXh4aDM6NmY1YjI5YmZkOTNkYjI3YhJsEhAKDE1vZHVsZVNvdXJjZRgBGgxtb2R1bGVTb3VyY2UiMQoJcmVmU3RyaW5nEiQ6ImdpdGh1Yi5jb20vY2hhaW5sb29wLWRldi9jaGFpbmxvb3BKFXh4aDM6NmY1YjI5YmZkOTNkYjI3YlgBEl0KFXh4aDM6OTU4N2MxODg2ZWVlY2Q1ZBJEChV4eGgzOjZmNWIyOWJmZDkzZGIyN2ISCgoGTW9kdWxlGAEaCGFzTW9kdWxlShV4eGgzOjk1ODdjMTg4NmVlZWNkNWQ=\",\"EncodedModuleID\":\"ChV4eGgzOmQyMzU2OWU0ZWFkYmQxNTgShQEKFXh4aDM6NmY1YjI5YmZkOTNkYjI3YhJsEhAKDE1vZHVsZVNvdXJjZRgBGgxtb2R1bGVTb3VyY2UiMQoJcmVmU3RyaW5nEiQ6ImdpdGh1Yi5jb20vY2hhaW5sb29wLWRldi9jaGFpbmxvb3BKFXh4aDM6NmY1YjI5YmZkOTNkYjI3YlgBEl8KFXh4aDM6ZDIzNTY5ZTRlYWRiZDE1OBJGChV4eGgzOjZmNWIyOWJmZDkzZGIyN2ISCgoGTW9kdWxlGAEaCGFzTW9kdWxlShV4eGgzOmQyMzU2OWU0ZWFkYmQxNThYAQ==\",\"EncodedFunctionCall\":null,\"CallerClientID\":\"\",\"Pa
14  : ┆ ┆ ┆ )
14  : ┆ ┆ ┆ [0.1s] | 2026/06/09 13:42:10 INFO generate type definition language=go module-name=chainloop
14  : ┆ ┆ ┆ [0.2s] | 2026/06/09 13:42:10 INFO generating go typedefs
14  : ┆ ┆ ┆ [0.3s] | 2026/06/09 13:42:10 INFO creating directory [skipped] path=.
14  : ┆ ┆ ┆ [0.3s] | 2026/06/09 13:42:10 INFO writing path=dagger.gen.go
14  : ┆ ┆ ┆ [0.3s] | 2026/06/09 13:42:10 INFO writing [skipped] path=go.mod
14  : ┆ ┆ ┆ [0.3s] | 2026/06/09 13:42:10 INFO writing path=go.sum
14  : ┆ ┆ ┆ [0.3s] | 2026/06/09 13:42:10 INFO creating directory path=internal
14  : ┆ ┆ ┆ [0.3s] | 2026/06/09 13:42:10 INFO creating directory path=internal/dagger
14  : ┆ ┆ ┆ [0.3s] | 2026/06/09 13:42:10 INFO writing path=internal/dagger/dagger.gen.go
14  : ┆ ┆ ┆ [0.3s] | 2026/06/09 13:42:10 INFO creating directory path=internal/querybuilder
14  : ┆ ┆ ┆ [0.3s] | 2026/06/09 13:42:10 INFO writing path=internal/querybuilder/marshal.go
14  : ┆ ┆ ┆ [0.3s] | 2026/06/09 13:42:10 INFO writing path=internal/querybuilder/querybuilder.go
14  : ┆ ┆ ┆ [0.3s] | 2026/06/09 13:42:10 INFO needs another pass...
14  : ┆ ┆ ┆ [0.3s] | starting GOROOT= GOPATH=/go GO111MODULE=off GOPROXY= *** go list -e -f {{context.ReleaseTags}} -- unsafe
14  : ┆ ┆ ┆ [0.3s] | starting GOROOT= GOPATH=/go GO111MODULE= GOPROXY= *** go list -f "{{context.GOARCH}} {{context.Compiler}}" -- unsafe
14  : ┆ ┆ ┆ [0.3s] | 3.912612ms for GOROOT= GOPATH=/go GO111MODULE=off GOPROXY= *** go list -e -f {{context.ReleaseTags}} -- unsafe
14  : ┆ ┆ ┆ [0.3s] | starting GOROOT= GOPATH=/go GO111MODULE= GOPROXY= *** go list -e -json=Name,ImportPath,Error,Dir,GoFiles,IgnoredGoFiles,IgnoredOtherFiles,CFiles,CgoFiles,CXXFiles,MFiles,HFiles,FFiles,SFiles,SwigFiles,SwigCXXFiles,SysoFiles,CompiledGoFiles,DepOnly,Imports,ImportMap,Export,Module -compiled=true -test=false -export=true -deps=true -find=false -pgo=off -- .
14  : ┆ ┆ ┆ [0.3s] | 7.880296ms for GOROOT= GOPATH=/go GO111MODULE= GOPROXY= *** go list -f "{{context.GOARCH}} {{context.Compiler}}" -- unsafe
14  : ┆ ┆ ┆ [0.8s] | 495.098898ms for GOROOT= GOPATH=/go GO111MODULE= GOPROXY= *** go list -e -json=Name,ImportPath,Error,Dir,GoFiles,IgnoredGoFiles,IgnoredOtherFiles,CFiles,CgoFiles,CXXFiles,MFiles,HFiles,FFiles,SFiles,SwigFiles,SwigCXXFiles,SysoFiles,CompiledGoFiles,DepOnly,Imports,ImportMap,Export,Module -compiled=true -test=false -export=true -deps=true -find=false -pgo=off -- .
14  : ┆ ┆ ┆ [0.8s] | Error: load package ".": no packages found in . [traceparent:7fb46510c1b0a5cf6141fea83133302b-fd014f36892a4985]
15  : ┆ ┆ ┆ ┆ loadPackage
15  : ┆ ┆ ┆ ┆ loadPackage ERROR [0.5s]
15  : ┆ ┆ ┆ ┆ ! no packages found in .
14  : ┆ ┆ ┆ Container.withExec ERROR [0.9s]
16  : ┆ ┆ ┆ Container.file(path: "typedefs.json"): File!
16  : ┆ ┆ ┆ Container.file ERROR [0.9s]
16  : ┆ ┆ ┆ ! exit code: 1
13  : ┆ ┆ ModuleSource.asModule ERROR [8.1s]
13  : ┆ ┆ ! failed to initialize module: failed to get type defs json during module sdk codegen: exit code: 1
12  : ┆ initializing module ERROR [8.2s]
12  : ┆ ! failed to initialize module: failed to get type defs json during module sdk codegen: exit code: 1
10  : load module: github.com/chainloop-dev/chainloop ERROR [13.7s]
10  : ! failed to serve module: failed to initialize module: failed to get type defs json during module sdk codegen: exit code: 1
Setup tracing at https://dagger.cloud/traces/setup. To hide set DAGGER_NO_NAG=1
Error: failed to serve module: failed to initialize module: failed to get type defs json during modu

…solve GHSA-9h8m-3fm2-qjrq"

This reverts commit 31212a8.

@migmartri migmartri requested a review from a team June 9, 2026 13:43
…solve GHSA-9h8m-3fm2-qjrq"

This reverts commit 31212a8.

Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
@migmartri migmartri enabled auto-merge (squash) June 9, 2026 13:44
@kusari-inspector

kusari-inspector Bot commented Jun 9, 2026


Kusari Inspector

Kusari Analysis Results:

Do not proceed without addressing issues

Caution

Flagged Issues Detected
These changes contain flagged issues that may introduce security risks.

The code analysis found no issues in the changed files (go.mod and go.sum) — no exposed secrets, no insecure patterns, and no workflow concerns. However, the dependency analysis identified a serious security regression introduced by this PR, which downgrades 10 OpenTelemetry packages from v1.43.0 to v1.38.0. The downgraded versions carry multiple HIGH severity CVEs that were not present in the prior versions: (1) CVE-2026-29181 (CVSS AV:N/AC:L/PR:N/UI:N/A:H) — a remotely exploitable DoS in go.opentelemetry.io/otel v1.38.0 caused by excessive allocations during multi-value baggage header parsing, requiring no authentication; (2) CVE-2026-39882 — unbounded HTTP response body reads in both the OTLP trace and metric HTTP exporters, allowing a malicious or MitM collector to cause OOM crashes; (3) CVE-2026-24051 and CVE-2026-39883 — local arbitrary code execution vulnerabilities in the SDK via PATH hijacking of platform utilities (ioreg on macOS, kenv on BSD/Solaris). The remote DoS in particular represents a critical network-exploitable risk with no authentication barrier. The clean code scan does not offset these dependency risks, as they are independent concerns. If the Dagger revert motivating this PR is necessary, we strongly recommend pinning all affected OpenTelemetry packages to v1.44.0 (patched) rather than v1.38.0 before merging.

Note

View full detailed analysis result for more information on the output and the checks that were run.

Required Dependency Mitigations

  • go.opentelemetry.io/otel v1.38.0 - CVE-2026-29181 (HIGH, CVSS AV:N/AC:L/PR:N/UI:N/A:H): Multi-value baggage header extraction causes excessive allocations via repeated parsing, enabling a remote DoS amplification attack with no authentication required. This is the most critical finding as it is network-exploitable with low complexity. Fix: go get go.opentelemetry.io/otel@v1.44.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 - CVE-2026-39882 (HIGH): OTLP HTTP exporter reads unbounded HTTP response bodies into memory with no size cap, allowing a malicious or MitM collector endpoint to cause OOM and crash the process. Fix: go get go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v1.44.0
  • go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.38.0 - CVE-2026-39882 (HIGH): Same unbounded HTTP response body issue as otlptracehttp. Fix: go get go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v1.44.0
  • go.opentelemetry.io/otel/sdk v1.38.0 - CVE-2026-24051 (HIGH, local ACE on macOS via PATH hijacking of ioreg) and CVE-2026-39883 (HIGH, local ACE on BSD/Solaris via PATH hijacking of kenv). Both allow arbitrary code execution if an attacker can control the PATH environment variable on the host. Fix: go get go.opentelemetry.io/otel/sdk@v1.44.0

@kusari-inspector rerun - Trigger a re-analysis of this PR
@kusari-inspector feedback [your message] - Send feedback to our AI and team
See Kusari's documentation for setup and configuration.
Commit: ea73c57, performed at: 2026-06-09T13:44:34Z

Found this helpful? Give it a 👍 or 👎 reaction!
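As an added check (example code written for this page, not part of the PR or of the Kusari tool), the script below parses a constructed go.mod excerpt and flags every go.opentelemetry.io/otel* requirement pinned below the v1.44.0 the comment names as patched; the module path example.com/extras/dagger and the sample require entries are assumptions, not the repository's real go.mod.

```python
import re

# Constructed go.mod excerpt mirroring the downgrade the Kusari comment flags
# (sample input for this example, not the repository's real extras/dagger/go.mod).
SAMPLE_GO_MOD = """module example.com/extras/dagger

require (
	go.opentelemetry.io/otel v1.38.0
	go.opentelemetry.io/otel/sdk v1.38.0
	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0
	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.38.0
	go.opentelemetry.io/otel/trace v1.44.0 // indirect
	github.com/stretchr/testify v1.10.0
)
"""

# Patched release the comment recommends pinning to, and the prefix shared by every package it lists.
MIN_FIXED = "v1.44.0"
OTEL_PREFIX = "go.opentelemetry.io/otel"


def parse_version(v):
    """'v1.44.0[-pre][+meta]' -> (1, 44, 0); pre-release/pseudo-version suffixes are ignored."""
    m = re.fullmatch(r"v(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", v)
    if not m:
        raise ValueError(f"not a Go semver version: {v!r}")
    return tuple(int(x) for x in m.groups())


def requirements(gomod):
    """Yield (module, version) for each require entry, block or single-line."""
    in_block = False
    for line in gomod.splitlines():
        fields = line.split("//", 1)[0].split()  # drop '// indirect' etc.
        if fields[:2] == ["require", "("]:
            in_block = True
        elif fields == [")"]:
            in_block = False
        elif fields[:1] == ["require"] and len(fields) == 3:
            yield fields[1], fields[2]
        elif in_block and len(fields) == 2:
            yield tuple(fields)


def flag_otel_downgrades(gomod, min_fixed=MIN_FIXED):
    """Return [(module, version)] for otel modules pinned below min_fixed."""
    floor = parse_version(min_fixed)
    return [(mod, ver) for mod, ver in requirements(gomod)
            if mod.startswith(OTEL_PREFIX) and parse_version(ver) < floor]
```

Run it against the real extras/dagger/go.mod in CI to fail the build whenever a revert or a stale lockfile reintroduces the affected v1.38.0 pins.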

@kusari-inspector


Kusari PR Analysis rerun based on - ea73c57 performed at: 2026-06-09T13:45:19Z - link to updated analysis

@migmartri migmartri disabled auto-merge June 9, 2026 13:49
@migmartri migmartri merged commit f708b6c into chainloop-dev:main Jun 9, 2026
13 of 14 checks passed