VULN-63051: version upgrade for opentelemetry-go from v1.33 to 1.40.0

[kupratyu-splunk]

Description

This PR upgrades OpenTelemetry-related dependencies and adds a bounded timeout and skip when the cluster is unreachable so e2e specs do not block indefinitely

OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0.

Related Issues

• Related to #

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Refactoring (no functional changes)
• Performance improvement
• Test improvement
• CI/CD improvement
• Chore (dependency updates, etc.)

Changes Made

Testing Performed

• Unit tests pass (make test)
• Linting passes (make lint)
• Integration tests pass (if applicable)
• E2E tests pass (if applicable)
• Manual testing performed

Test Environment

• Kubernetes Version:
• Cloud Provider:
• Deployment Method:

Test Steps

Documentation

• Updated inline code comments
• Updated README.md (if adding features)
• Updated API documentation
• Updated deployment guides
• Updated CHANGELOG.md
• No documentation needed

Checklist

• My code follows the project's style guidelines
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published
• I have updated the Helm chart version (if applicable)
• I have updated CRD schemas (if applicable)

Breaking Changes

Impact:

Migration Path:

Screenshots/Recordings

Additional Notes

Reviewer Notes

Please pay special attention to:

---

Commit Message Convention: This PR follows Conventional Commits

[Copilot]

Pull request overview

Updates Go module dependencies to remediate the OpenTelemetry-Go SDK macOS PATH hijacking vulnerability by moving to go.opentelemetry.io/otel v1.40.0, and tweaks test suites to be skippable when required external dependencies (cluster / envtest assets) are unavailable so go test ./... can succeed in more environments.

Changes:

• Bump OpenTelemetry-Go (and related transitive deps) to v1.40.0.
• Update additional Go dependencies as part of the module resolution/tidy.
• Add “skip if prerequisites missing” logic to e2e and controller Ginkgo suites.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 3 comments.

File	Description
go.mod	Updates OTel + other dependency versions to pick up the vulnerability fix.
go.sum	Refreshes module checksums to match the upgraded dependency graph.
test/e2e/specs/spec_suite_test.go	Skips the e2e suite when kubectl cluster-info fails (intended to allow go test ./... without a live cluster).
internal/controller/suite_test.go	Skips controller envtest suite when envtest binaries aren’t present and KUBEBUILDER_ASSETS is unset; avoids teardown when setup didn’t run.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coveralls]

Pull Request Test Coverage Report for Build 22839939213

Details

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage remained the same at 36.876%

---

Totals
Change from base Build 20390744785:	0.0%
Covered Lines:	2342
Relevant Lines:	6351

---

💛 - Coveralls

[Copilot]

Pull request overview

Copilot reviewed 4 out of 5 changed files in this pull request and generated 1 comment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.