mirror of https://github.com/open-telemetry/opentelemetry-go.git synced 2026-06-03 18:35:08 +02:00

T

renovate[bot] a18614cbc2 chore(deps): update module github.com/securego/gosec/v2 to v2.24.7 (#7988 )

This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
|
[github.com/securego/gosec/v2](https://redirect.github.com/securego/gosec)
| `v2.23.0` → `v2.24.7` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fsecurego%2fgosec%2fv2/v2.24.7?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fsecurego%2fgosec%2fv2/v2.23.0/v2.24.7?slim=true)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/5322) for more information.

---

### Release Notes

<details>
<summary>securego/gosec (github.com/securego/gosec/v2)</summary>

###
[`v2.24.7`](https://redirect.github.com/securego/gosec/releases/tag/v2.24.7)

[Compare
Source](https://redirect.github.com/securego/gosec/compare/v2.24.6...v2.24.7)

#### Changelog

-
[`bb17e42`](https://redirect.github.com/securego/gosec/commit/bb17e422fc34bf4c0a2e5cab9d07dc45a68c040c)
Ignore nosec comments in action integration workflow to generate some
warnings
([#&#8203;1573](https://redirect.github.com/securego/gosec/issues/1573))
-
[`e1502ad`](https://redirect.github.com/securego/gosec/commit/e1502ad21653d1c6717e33f1221c3ce2d5c8581f)
Add a workflow for action integration test
([#&#8203;1571](https://redirect.github.com/securego/gosec/issues/1571))
-
[`f8691bd`](https://redirect.github.com/securego/gosec/commit/f8691bd77bab5430ccb538e6f253275e82577afc)
fix(sarif): avoid invalid null relationships in SARIF output
([#&#8203;1569](https://redirect.github.com/securego/gosec/issues/1569))
-
[`ade1d0e`](https://redirect.github.com/securego/gosec/commit/ade1d0e0a04ec8ae98da98614d42524621d40df2)
chore: migrate gosec container image references to GHCR
([#&#8203;1567](https://redirect.github.com/securego/gosec/issues/1567))

###
[`v2.24.6`](https://redirect.github.com/securego/gosec/releases/tag/v2.24.6)

[Compare
Source](https://redirect.github.com/securego/gosec/compare/v2.24.5...v2.24.6)

#### Changelog

-
[`88835e8`](https://redirect.github.com/securego/gosec/commit/88835e86bba381290c2f60a1c73610995b1502eb)
Update gorelease to use the latest cosign bundle argument
([#&#8203;1565](https://redirect.github.com/securego/gosec/issues/1565))

###
[`v2.24.5`](https://redirect.github.com/securego/gosec/compare/v2.24.4...v2.24.5)

[Compare
Source](https://redirect.github.com/securego/gosec/compare/v2.24.4...v2.24.5)

###
[`v2.24.4`](https://redirect.github.com/securego/gosec/compare/v2.24.3...v2.24.4)

[Compare
Source](https://redirect.github.com/securego/gosec/compare/v2.24.3...v2.24.4)

###
[`v2.24.3`](https://redirect.github.com/securego/gosec/compare/v2.24.2...v2.24.3)

[Compare
Source](https://redirect.github.com/securego/gosec/compare/v2.24.2...v2.24.3)

###
[`v2.24.2`](https://redirect.github.com/securego/gosec/compare/v2.24.1...v2.24.2)

[Compare
Source](https://redirect.github.com/securego/gosec/compare/v2.24.1...v2.24.2)

###
[`v2.24.1`](https://redirect.github.com/securego/gosec/compare/v2.24.0...v2.24.1)

[Compare
Source](https://redirect.github.com/securego/gosec/compare/v2.24.0...v2.24.1)

###
[`v2.24.0`](https://redirect.github.com/securego/gosec/releases/tag/v2.24.0)

[Compare
Source](https://redirect.github.com/securego/gosec/compare/v2.23.0...v2.24.0)

#### Changelog

-
[`271492b`](https://redirect.github.com/securego/gosec/commit/271492bcd930ef72dfb9d00e5bb9544b3b407fb5)
fix: G704 false positive on const URL
([#&#8203;1551](https://redirect.github.com/securego/gosec/issues/1551))
-
[`1341aea`](https://redirect.github.com/securego/gosec/commit/1341aeadb4c334014c4834c745344edb9dcf85b0)
fix(G705): eliminate false positive for non-HTTP io.Writer
([#&#8203;1550](https://redirect.github.com/securego/gosec/issues/1550))
-
[`f2262c8`](https://redirect.github.com/securego/gosec/commit/f2262c88ffdfc9eb7be8444db19caa17cc71810f)
G120: avoid false positive when MaxBytesReader is applied in middleware
([#&#8203;1547](https://redirect.github.com/securego/gosec/issues/1547))
-
[`5b580c7`](https://redirect.github.com/securego/gosec/commit/5b580c76e4714fa553b2ceb8169a071e45bf6428)
Fix G602 regression coverage for issue
[#&#8203;1545](https://redirect.github.com/securego/gosec/issues/1545)
and stabilize G117 TOML test dependency
([#&#8203;1546](https://redirect.github.com/securego/gosec/issues/1546))
-
[`eba2d15`](https://redirect.github.com/securego/gosec/commit/eba2d1582b13e37d5b6c991b643827bc60e58156)
taint: skip `context.Context` arguments during taint propagation to fix
false positives
([#&#8203;1543](https://redirect.github.com/securego/gosec/issues/1543))
-
[`a6381c1`](https://redirect.github.com/securego/gosec/commit/a6381c1e2fe9a9a33ef105c76bea3191402ea4b3)
test: add missing rules to formatter report tests
([#&#8203;1540](https://redirect.github.com/securego/gosec/issues/1540))
-
[`fea9725`](https://redirect.github.com/securego/gosec/commit/fea9725934065d3dd5c96352f89f75d117ac12f6)
chore(deps): update all dependencies
([#&#8203;1541](https://redirect.github.com/securego/gosec/issues/1541))
-
[`f3e2fac`](https://redirect.github.com/securego/gosec/commit/f3e2fac4d58b7eca54307cd40ce2a836a12e4d95)
Regenrate the TLS config rule
([#&#8203;1539](https://redirect.github.com/securego/gosec/issues/1539))
-
[`200461f`](https://redirect.github.com/securego/gosec/commit/200461fcf74ed836305bf95f72568c20925730c5)
Improve documentation
([#&#8203;1538](https://redirect.github.com/securego/gosec/issues/1538))
-
[`078a62a`](https://redirect.github.com/securego/gosec/commit/078a62afc3331206fec1cd9a03637983ec4f9fc8)
Expand analyzer-core test coverage for orchestration, go/analysis
adapter logic, and taint integration
([#&#8203;1537](https://redirect.github.com/securego/gosec/issues/1537))
-
[`ffdc620`](https://redirect.github.com/securego/gosec/commit/ffdc6205c82278cee0b62923814141923794219e)
Add unit tests for CLI orchestration, TLS config generation, and SSA
cache behavior
([#&#8203;1536](https://redirect.github.com/securego/gosec/issues/1536))
-
[`c13a486`](https://redirect.github.com/securego/gosec/commit/c13a48626bc160ef1caa293679044b5667d4d8ef)
Add G707 taint analyzer for SMTP command/header injection
([#&#8203;1535](https://redirect.github.com/securego/gosec/issues/1535))
-
[`f61ed31`](https://redirect.github.com/securego/gosec/commit/f61ed314c2467116ec3a5126150cb2b29a623406)
Add G123 analyzer for tls.VerifyPeerCertificate resumption bypass risk
([#&#8203;1534](https://redirect.github.com/securego/gosec/issues/1534))
-
[`b568aa1`](https://redirect.github.com/securego/gosec/commit/b568aa1445e110ed12abe5c2433b3cfbcd0a5935)
Add G122 SSA analyzer for filepath.Walk/WalkDir symlink TOCTOU race
risks
([#&#8203;1532](https://redirect.github.com/securego/gosec/issues/1532))
-
[`1735e5a`](https://redirect.github.com/securego/gosec/commit/1735e5a9acd155702b8c6137d323df886c0252b5)
fix(G602): avoid false positives for range-over-array indexing
([#&#8203;1531](https://redirect.github.com/securego/gosec/issues/1531))
-
[`caf93d0`](https://redirect.github.com/securego/gosec/commit/caf93d07f10ef7d07006011b17f1d9bd218b5a9d)
Improve taint analyzer performance with shared SSA cache, parallel
analyzer execution, and CI regression guard
([#&#8203;1530](https://redirect.github.com/securego/gosec/issues/1530))
-
[`bd11fbe`](https://redirect.github.com/securego/gosec/commit/bd11fbe2bacb0abf1e541df8b6ec6b040bbe2723)
fix: taint analysis false positives with G703,G705
([#&#8203;1522](https://redirect.github.com/securego/gosec/issues/1522))
-
[`e34e8dd`](https://redirect.github.com/securego/gosec/commit/e34e8dd8e880694cfa801d79977e2d9973df3fa1)
Extend the G117 rule to cover other types of serialization such as
yaml/xml/toml
([#&#8203;1529](https://redirect.github.com/securego/gosec/issues/1529))
-
[`b940702`](https://redirect.github.com/securego/gosec/commit/b940702d5e385d1a68def10326b1658e780655fe)
Fix the G117 rule to take the JSON serialization into account
([#&#8203;1528](https://redirect.github.com/securego/gosec/issues/1528))
-
[`4f84627`](https://redirect.github.com/securego/gosec/commit/4f846273804abaf7e040f77b26bf2866336e8af9)
(docs) fix justification format
([#&#8203;1524](https://redirect.github.com/securego/gosec/issues/1524))
-
[`36ba72b`](https://redirect.github.com/securego/gosec/commit/36ba72bb7f91306f5210a821f409696c03dcbf2b)
Add G121 analyzer for unsafe CORS bypass patterns in
CrossOriginProtection
([#&#8203;1521](https://redirect.github.com/securego/gosec/issues/1521))
-
[`238f982`](https://redirect.github.com/securego/gosec/commit/238f9823256b1c4a6d7b0ccd7fa0f2ce1123c820)
Add G120 SSA analyzer for unbounded form parsing in HTTP handlers
([#&#8203;1520](https://redirect.github.com/securego/gosec/issues/1520))
-
[`89cde27`](https://redirect.github.com/securego/gosec/commit/89cde277b5e2b4a5dc47eb710911c51a0cb33b63)
Add G119 analyzer for unsafe redirect header propagation in
CheckRedirect callbacks
([#&#8203;1519](https://redirect.github.com/securego/gosec/issues/1519))
-
[`14fdd9c`](https://redirect.github.com/securego/gosec/commit/14fdd9cb07c02ab1506fcc336f49c84bf27a5c2d)
Fix G115 false positives and negatives (Issue
[#&#8203;1501](https://redirect.github.com/securego/gosec/issues/1501))
([#&#8203;1518](https://redirect.github.com/securego/gosec/issues/1518))
-
[`cec54ec`](https://redirect.github.com/securego/gosec/commit/cec54ec685eda3083e2ab1adf72b6b7ec6cfdb6e)
chore(deps): update all dependencies
([#&#8203;1517](https://redirect.github.com/securego/gosec/issues/1517))
-
[`2b2077e`](https://redirect.github.com/securego/gosec/commit/2b2077e921b56c7ce6545cccceea0556ff8d5d91)
Add G118 SSA analyzer for context propagation failures that can cause
goroutine/resource leaks
([#&#8203;1516](https://redirect.github.com/securego/gosec/issues/1516))
-
[`a7666f3`](https://redirect.github.com/securego/gosec/commit/a7666f3c70c94d07dfb03e81613fed34bccc89ae)
Add G113: Detect HTTP Request Smuggling via conflicting headers
(CVE-2025-22891, CWE-444)
([#&#8203;1515](https://redirect.github.com/securego/gosec/issues/1515))
-
[`47f8b52`](https://redirect.github.com/securego/gosec/commit/47f8b52fb8700c7ba017ffcc0ea6a32c83e33115)
Add G408: SSH PublicKeyCallback Authentication Bypass Analyzer
([#&#8203;1513](https://redirect.github.com/securego/gosec/issues/1513))
-
[`4f1f362`](https://redirect.github.com/securego/gosec/commit/4f1f362671654660f7145c3c8655ffeaed037d55)
Add more unit tests to improve coverage
([#&#8203;1512](https://redirect.github.com/securego/gosec/issues/1512))
-
[`9344582`](https://redirect.github.com/securego/gosec/commit/9344582ee4bd87b8fa5bc2e483d90fa661f8aa71)
Improve test coverage in various areas
([#&#8203;1511](https://redirect.github.com/securego/gosec/issues/1511))
-
[`8d1b2c6`](https://redirect.github.com/securego/gosec/commit/8d1b2c63ae44e315fb0232813e535891ff0568fc)
Imprve the test coverage
([#&#8203;1510](https://redirect.github.com/securego/gosec/issues/1510))
-
[`993c1c4`](https://redirect.github.com/securego/gosec/commit/993c1c4da2d4426f7567591e23f53ee9f613d07c)
Fix incorrect detection of fixed iv in G407
([#&#8203;1509](https://redirect.github.com/securego/gosec/issues/1509))
-
[`8668b74`](https://redirect.github.com/securego/gosec/commit/8668b748925d8995cf7712d22bde62cbc96f2304)
Add support for go 1.26.x and removed support for go 1.24.x
([#&#8203;1508](https://redirect.github.com/securego/gosec/issues/1508))
-
[`514225c`](https://redirect.github.com/securego/gosec/commit/514225c8cb01a6bab714db1dd557aeb0d7ab9dc9)
Fix the sonar report to follow the latest schema
([#&#8203;1507](https://redirect.github.com/securego/gosec/issues/1507))
-
[`000384e`](https://redirect.github.com/securego/gosec/commit/000384e510a84a1e2a1118e0fbc56518d290113d)
fix: broken taint analysis causing false positives
([#&#8203;1506](https://redirect.github.com/securego/gosec/issues/1506))
-
[`616192c`](https://redirect.github.com/securego/gosec/commit/616192c9d92792998e2ff38530c080cd0fe293a8)
fix: panic on float constants in overflow analyzer
([#&#8203;1505](https://redirect.github.com/securego/gosec/issues/1505))
-
[`79956a3`](https://redirect.github.com/securego/gosec/commit/79956a3b4cdedc9a4cde5f567c57fc8b367448cf)
fix: panic when scanning multi-module repos from root
([#&#8203;1504](https://redirect.github.com/securego/gosec/issues/1504))
-
[`5736e8b`](https://redirect.github.com/securego/gosec/commit/5736e8b88b6ca97fc7e09ef1bf24b205ab35fd9c)
fix: G602 false positive for array element access
([#&#8203;1499](https://redirect.github.com/securego/gosec/issues/1499))
-
[`1b7e1e9`](https://redirect.github.com/securego/gosec/commit/1b7e1e94bc2077fc1adccfc1358399fad2958d5a)
Update gosec to version v2.23.0 in the Github action
([#&#8203;1496](https://redirect.github.com/securego/gosec/issues/1496))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/open-telemetry/opentelemetry-go).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My40OC4xIiwidXBkYXRlZEluVmVyIjoiNDMuNDguMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiU2tpcCBDaGFuZ2Vsb2ciLCJkZXBlbmRlbmNpZXMiXX0=-->

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Tyler Yahn <codingalias@gmail.com>
Co-authored-by: Tyler Yahn <MrAlias@users.noreply.github.com>

2026-03-03 11:59:53 -08:00

.github

Refactor benchmark CI (#7873 )

2026-03-03 10:42:54 -08:00

attribute

attribute: add TestNotEquivalence and equality operator tests (#7979 )

2026-03-03 14:36:44 +01:00

baggage

Comply with W3C Baggage specification limits (#7880 )

2026-02-28 20:15:17 +01:00

bridge

fix(deps): update golang.org/x (#7907 )

2026-03-02 13:54:20 -08:00

codes

Modernize (#7089 )

2025-07-29 10:19:11 +02:00

exporters

chore(deps): update module github.com/securego/gosec/v2 to v2.24.7 (#7988 )

2026-03-03 11:59:53 -08:00

internal

chore(deps): update module github.com/securego/gosec/v2 to v2.24.7 (#7988 )

2026-03-03 11:59:53 -08:00

log

Drop support for Go 1.24 (#7984 )

2026-03-02 22:25:05 +01:00

metric

Drop support for Go 1.24 (#7984 )

2026-03-02 22:25:05 +01:00

propagation

Comply with W3C Baggage specification limits (#7880 )

2026-02-28 20:15:17 +01:00

schema

Drop support for Go 1.24 (#7984 )

2026-03-02 22:25:05 +01:00

sdk

chore(deps): update module github.com/securego/gosec/v2 to v2.24.7 (#7988 )

2026-03-03 11:59:53 -08:00

semconv

Revert "Revert "Generate semconv/v1.40.0"" (#7985 )

2026-03-03 07:32:17 +01:00

trace

chore(deps): update module github.com/securego/gosec/v2 to v2.24.7 (#7988 )

2026-03-03 11:59:53 -08:00

.clomonitor.yml

Add a CLO monitor exemption for Artifact Hub (#6853 )

2025-05-30 08:53:57 +02:00

.codespellignore

Encapsulate stdouttrace.Exporter instrumentation in internal package (#7307 )

2025-09-09 12:11:08 -07:00

.codespellrc

…

.gitattributes

…

.gitignore

…

.golangci.yml

chore(deps): update module github.com/mgechev/revive to v1.14.0 (#7895 )

2026-02-28 20:30:22 +01:00

.lycheeignore

Add the internal/observ package to otlptracegrpc (#7404 )

2025-10-06 11:08:29 -07:00

.markdownlint.yaml

…

CHANGELOG.md

support stdlib request.GetBody on metrics (#7931 )

2026-03-03 10:23:05 +01:00

CODEOWNERS

Add Flc as an approver (#7053 )

2025-07-23 17:51:03 -07:00

CONTRIBUTING.md

Bump semconv from v1.37.0 to v1.39.0 (#7789 )

2026-01-21 10:42:41 +01:00

dependencies.Dockerfile

chore(deps): update otel/weaver docker tag to v0.21.2 (#7870 )

2026-02-03 14:06:37 -08:00

doc.go

…

error_handler.go

…

go.mod

Drop support for Go 1.24 (#7984 )

2026-03-02 22:25:05 +01:00

go.sum

Replace fnv with xxhash (#7497 )

2025-11-19 11:06:20 +01:00

handler_test.go

…

handler.go

…

internal_logging_test.go

…

internal_logging.go

…

LICENSE

Add contents of the Go license (#6955 )

2025-07-02 09:38:02 +02:00

Makefile

Refactor benchmark CI (#7873 )

2026-03-03 10:42:54 -08:00

metric_test.go

chore: enable unused-parameter rule from revive (#7122 )

2025-08-04 12:48:04 -07:00

metric.go

Fix typos and linguistic errors in documentation / hacktoberfest (#7494 )

2025-10-13 15:57:14 -07:00

propagation.go

…

README.md

Drop support for Go 1.24 (#7984 )

2026-03-02 22:25:05 +01:00

RELEASING.md

docs: sign artifacts before releasing (#7567 )

2025-11-04 07:03:34 +01:00

renovate.json

…

requirements.txt

…

SECURITY-INSIGHTS.yml

Add security insights document to repository (#7129 )

2025-08-06 14:30:59 -07:00

trace_test.go

chore: enable unused-parameter rule from revive (#7122 )

2025-08-04 12:48:04 -07:00

trace.go

…

verify_released_changelog.sh

…

version_test.go

…

version.go

Release 1.41.0/0.63.0/0.17.0/0.0.15 (#7977 )

2026-03-02 19:39:57 +01:00

VERSIONING.md

Fix typos and linguistic errors in documentation / hacktoberfest (#7494 )

2025-10-13 15:57:14 -07:00

versions.yaml

Release 1.41.0/0.63.0/0.17.0/0.0.15 (#7977 )

2026-03-02 19:39:57 +01:00

README.md

OpenTelemetry-Go

OpenTelemetry-Go is the Go implementation of OpenTelemetry. It provides a set of APIs to directly measure performance and behavior of your software and send this data to observability platforms.

Project Status

Signal	Status
Traces	Stable
Metrics	Stable
Logs	Beta¹

Progress and status specific to this repository is tracked in our project boards and milestones.

Project versioning information and stability guarantees can be found in the versioning documentation.

Compatibility

OpenTelemetry-Go ensures compatibility with the current supported versions of the Go language:

Each major Go release is supported until there are two newer major releases. For example, Go 1.5 was supported until the Go 1.7 release, and Go 1.6 was supported until the Go 1.8 release.

For versions of Go that are no longer supported upstream, opentelemetry-go will stop ensuring compatibility with these versions in the following manner:

A minor release of opentelemetry-go will be made to add support for the new supported release of Go.
The following minor release of opentelemetry-go will remove compatibility testing for the oldest (now archived upstream) version of Go. This, and future, releases of opentelemetry-go may include features only supported by the currently supported versions of Go.

Currently, this project supports the following environments.

OS	Go Version	Architecture
Ubuntu	1.26	amd64
Ubuntu	1.25	amd64
Ubuntu	1.26	386
Ubuntu	1.25	386
Ubuntu	1.26	arm64
Ubuntu	1.25	arm64
macOS	1.26	amd64
macOS	1.25	amd64
macOS	1.26	arm64
macOS	1.25	arm64
Windows	1.26	amd64
Windows	1.25	amd64
Windows	1.26	386
Windows	1.25	386

While this project should work for other systems, no compatibility guarantees are made for those systems currently.

Getting Started

You can find a getting started guide on opentelemetry.io.

OpenTelemetry's goal is to provide a single set of APIs to capture distributed traces and metrics from your application and send them to an observability platform. This project allows you to do just that for applications written in Go. There are two steps to this process: instrument your application, and configure an exporter.

Instrumentation

To start capturing distributed traces and metric events from your application it first needs to be instrumented. The easiest way to do this is by using an instrumentation library for your code. Be sure to check out the officially supported instrumentation libraries.

If you need to extend the telemetry an instrumentation library provides or want to build your own instrumentation for your application directly you will need to use the Go otel package. The examples are a good way to see some practical uses of this process.

Export

Now that your application is instrumented to collect telemetry, it needs an export pipeline to send that telemetry to an observability platform.

All officially supported exporters for the OpenTelemetry project are contained in the exporters directory.

Exporter	Logs	Metrics	Traces
OTLP	✓	✓	✓
Prometheus		✓
stdout	✓	✓	✓
Zipkin			✓

Contributing

See the contributing documentation.

https://github.com/orgs/open-telemetry/projects/43 ↩︎