Fix: Update related kind labels and bump dependencies #754

Open
matthyx wants to merge 1 commit into main from backend-integration

@matthyx matthyx commented Mar 18, 2026

Summary by CodeRabbit

  • Chores
    • Updated numerous third‑party dependencies across core Go libraries, observability, RPC, and container tooling for compatibility and stability.
    • Refined metadata label handling and validation for more consistent resource metadata (normalized kinds and cloud account identifiers) without changing public APIs.
    • Added additional informational logging when container profiles are enqueued/saved to improve observability.
  • Tests
    • Added unit tests covering case‑insensitive prefix trimming behavior.

coderabbitai bot commented Mar 18, 2026

Walkthrough

This PR bumps multiple Go module versions and changes object cache label handling: it uses RelatedKindMetadataKey/RelatedNameMetadataKey, trims a leading "ECS" prefix when deriving kind, switches label validation to content.IsLabelValue, and adjusts the cloud account label key.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Dependency updates: go.mod, go.sum | Bumped numerous direct and indirect Go modules (e.g., github.com/armosec/armoapi-go, github.com/kubescape/*, golang.org/x/*, google.golang.org/grpc, OpenTelemetry, etc.) and updated checksums. |
| Object cache label handling: pkg/objectcache/shared_container_data.go | Switched label keys to RelatedKindMetadataKey/RelatedNameMetadataKey, derive kind by trimming "ECS" prefix case-insensitively and normalizing certain kinds, changed validation from validation.IsValidLabelValue to content.IsLabelValue, and replaced AWS account key with CloudAccountIdentifierMetadataKey. Added trimPrefixIgnoreCase. |
| Container profile logging: pkg/containerprofilemanager/v1/monitoring.go | Added apName derivation and an Info-level structured log including apName, profile slug, namespace, instanceID, wlid, annotations, and labels after enqueuing/saving a container profile. |
| Tests: pkg/objectcache/shared_container_data_test.go | Added Test_trimPrefixIgnoreCase covering multiple prefix/trimming/corner cases. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

release

Poem

🐇 I hopped through go.mod, nudged versions with care,
Trimmed a sneaky "ECS" and made labels more fair.
I validate with content, log names all in line,
Tests snug as a burrow — the cache feels just fine! 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the two main changes: updating label keys from 'Kind/Name' to 'RelatedKind/RelatedName' and bumping Go module dependencies. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Around line 403-414: The go.mod contains mismatched OpenTelemetry versions:
core modules (go.opentelemetry.io/otel, /trace, /metric, /sdk, etc.) are at
v1.42.0 while OTLP exporters
(go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp,
/otlpmetric/otlpmetrichttp, /otlptrace, /otlptrace/otlptracehttp) are still at
v1.38.0; update those exporter module versions to v1.42.0 to align with the core
modules (or alternatively downgrade the core modules to v1.38.0 if that is
required), ensuring go.mod entries for otlploghttp, otlpmetrichttp, otlptrace,
and otlptracehttp match the chosen version and then run go mod tidy to apply the
changes.

In `@pkg/objectcache/shared_container_data.go`:
- Around line 102-108: The code may produce empty normalized related labels
(e.g., labels[i] becomes "") after the switch on
helpersv1.RelatedKindMetadataKey / helpersv1.RelatedNameMetadataKey using
wlid.GetKindFromWlid or wlid.GetNameFromWlid; add a post-switch guard that
checks if labels[i] == "" and, if so, skip validation/processing for that entry
(same cleanup behavior as earlier) before calling content.IsLabelValue so you
don't emit incomplete metadata. Locate the switch block that assigns labels[i],
insert the empty-string check immediately after it, and return/continue/omit
that label from further validation/emit paths referenced by
content.IsLabelValue.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a456c779-5c9b-483d-92e9-e0297b8a5a79

📥 Commits

Reviewing files that changed from the base of the PR and between f673d45 and c0e73f7.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (2)
  • go.mod
  • pkg/objectcache/shared_container_data.go

Comment on lines +102 to 108
case helpersv1.RelatedKindMetadataKey:
labels[i] = strings.TrimPrefix(wlid.GetKindFromWlid(watchedContainer.Wlid), "ECS")
case helpersv1.RelatedNameMetadataKey:
labels[i] = wlid.GetNameFromWlid(watchedContainer.Wlid)
}
errs := validation.IsValidLabelValue(labels[i])
errs := content.IsLabelValue(labels[i])
if len(errs) != 0 {
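
Review bot: On the RelatedKindMetadataKey case, strings.TrimPrefix(..., "ECS") matches only the exact upper-case spelling, so a kind that arrives with a differently cased "Ecs" or "ecs" prefix keeps it and reaches the label unnormalized. If the kind returned by wlid.GetKindFromWlid is not guaranteed to be upper-case, compare the prefix case-insensitively (for example with strings.EqualFold on the leading bytes) and cover the helper with a table-driven test.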

⚠️ Potential issue | 🟡 Minor

Guard against empty related labels after normalization.

Line 103 can normalize to an empty string, but empty-value cleanup currently happens earlier (Line 96). Add a post-switch empty check before validation to avoid emitting incomplete metadata.

💡 Suggested patch
 			switch i {
 			case helpersv1.RelatedKindMetadataKey:
 				labels[i] = strings.TrimPrefix(wlid.GetKindFromWlid(watchedContainer.Wlid), "ECS")
 			case helpersv1.RelatedNameMetadataKey:
 				labels[i] = wlid.GetNameFromWlid(watchedContainer.Wlid)
 			}
+			if labels[i] == "" {
+				delete(labels, i)
+				continue
+			}
 			errs := content.IsLabelValue(labels[i])
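
Review bot: The added if labels[i] == "" branch deletes the key and continues without leaving any trace, so a profile that lost its related kind or name label cannot be told apart from one that never had it. Consider a debug log carrying the key i and watchedContainer.Wlid inside that branch, before the delete.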
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/objectcache/shared_container_data.go` around lines 102 - 108, The code
may produce empty normalized related labels (e.g., labels[i] becomes "") after
the switch on helpersv1.RelatedKindMetadataKey /
helpersv1.RelatedNameMetadataKey using wlid.GetKindFromWlid or
wlid.GetNameFromWlid; add a post-switch guard that checks if labels[i] == ""
and, if so, skip validation/processing for that entry (same cleanup behavior as
earlier) before calling content.IsLabelValue so you don't emit incomplete
metadata. Locate the switch block that assigns labels[i], insert the
empty-string check immediately after it, and return/continue/omit that label
from further validation/emit paths referenced by content.IsLabelValue.
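
The post-normalization guard discussed in the review comment above, as an added Go example (not code from the PR or from kubescape/node-agent). Assumptions: the two key names are hypothetical, `isLabelValue` is a local stand-in that applies the Kubernetes label-value syntax, `trimPrefixIgnoreCase` is written here because the PR's helper is not shown on the page, and `kind`/`name` stand for the results of `wlid.GetKindFromWlid` and `wlid.GetNameFromWlid`.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Hypothetical key names; the real values of helpersv1.RelatedKindMetadataKey
// and helpersv1.RelatedNameMetadataKey are not shown on the page.
const (
	relatedKindKey = "example.io/related-kind"
	relatedNameKey = "example.io/related-name"
)

// Kubernetes label-value syntax, used as a local stand-in for
// content.IsLabelValue. Note that the empty string matches, so validation
// alone never removes a value that normalization emptied.
var labelValueRe = regexp.MustCompile(`^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$`)

func isLabelValue(v string) bool {
	return len(v) <= 63 && labelValueRe.MatchString(v)
}

// trimPrefixIgnoreCase strips an ASCII prefix from s regardless of casing.
// Written for this example; the PR's own helper is not shown on the page.
func trimPrefixIgnoreCase(s, prefix string) string {
	if len(s) >= len(prefix) && strings.EqualFold(s[:len(prefix)], prefix) {
		return s[len(prefix):]
	}
	return s
}

// normalizeLabels rewrites the related kind/name from the workload identity
// and returns the keys it removed, each with the reason. Dropping invalid
// values is this example's choice; the project's handling is not shown.
func normalizeLabels(labels map[string]string, kind, name string) map[string]string {
	dropped := map[string]string{}
	for k := range labels { // deleting during range is allowed in Go
		switch k {
		case relatedKindKey:
			labels[k] = trimPrefixIgnoreCase(kind, "ECS")
		case relatedNameKey:
			labels[k] = name
		}
		if labels[k] == "" { // post-normalization guard
			dropped[k] = "empty after normalization"
			delete(labels, k)
			continue
		}
		if !isLabelValue(labels[k]) {
			dropped[k] = "invalid label value"
			delete(labels, k)
		}
	}
	return dropped
}

func main() {
	// Constructed sample input: a workload whose kind is exactly "ecs".
	labels := map[string]string{
		relatedKindKey: "placeholder", relatedNameKey: "placeholder",
		"app": "web", "team": "not a label",
	}
	dropped := normalizeLabels(labels, "ecs", "nginx")
	fmt.Println("kept:", labels)
	fmt.Println("dropped:", dropped)
}
```
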

matthyx force-pushed the backend-integration branch from c0e73f7 to 4eab851 on March 18, 2026 19:42
@coderabbitai coderabbitai bot left a comment

♻️ Duplicate comments (1)
pkg/objectcache/shared_container_data.go (1)

102-108: ⚠️ Potential issue | 🟡 Minor

Add a post-normalization empty-value guard.

After Line 102-Line 105, a normalized related value can become empty (for example, kind "ECS" → ""), but empty cleanup currently happens only before the switch. Add a second empty check before Line 107 validation.

💡 Proposed patch
 			switch i {
 			case helpersv1.RelatedKindMetadataKey:
 				labels[i] = strings.TrimPrefix(wlid.GetKindFromWlid(watchedContainer.Wlid), "ECS")
 			case helpersv1.RelatedNameMetadataKey:
 				labels[i] = wlid.GetNameFromWlid(watchedContainer.Wlid)
 			}
+			if labels[i] == "" {
+				delete(labels, i)
+				continue
+			}
 			errs := content.IsLabelValue(labels[i])
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/objectcache/shared_container_data.go` around lines 102 - 108, After you
normalize the related value inside the switch (the cases using
wlid.GetKindFromWlid(watchedContainer.Wlid) and
wlid.GetNameFromWlid(watchedContainer.Wlid) that assign to labels[i]), add a
post-normalization guard that skips validation if labels[i] is now empty (e.g.,
if strings.TrimPrefix returned an empty string) before calling
content.IsLabelValue(labels[i]); in short, ensure labels[i] is checked for == ""
right after the switch and return/continue or skip adding errors so
content.IsLabelValue is not run on an empty normalized value.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@pkg/objectcache/shared_container_data.go`:
- Around line 102-108: After you normalize the related value inside the switch
(the cases using wlid.GetKindFromWlid(watchedContainer.Wlid) and
wlid.GetNameFromWlid(watchedContainer.Wlid) that assign to labels[i]), add a
post-normalization guard that skips validation if labels[i] is now empty (e.g.,
if strings.TrimPrefix returned an empty string) before calling
content.IsLabelValue(labels[i]); in short, ensure labels[i] is checked for == ""
right after the switch and return/continue or skip adding errors so
content.IsLabelValue is not run on an empty normalized value.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b4af0e9e-5088-4032-9e82-46cd79cc48ee

📥 Commits

Reviewing files that changed from the base of the PR and between c0e73f7 and 4eab851.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (2)
  • go.mod
  • pkg/objectcache/shared_container_data.go

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 58: Update the pinned dependency for google.golang.org/grpc from v1.79.2
to v1.79.3 (or newer) in go.mod to address GHSA-p77j-4mvh-x3m3, then refresh
module metadata by re-resolving modules (e.g., run the equivalent of go get to
the new version and run go mod tidy) so go.sum is updated; target the dependency
named google.golang.org/grpc and ensure no other code references a stricter
version constraint.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f03f7af7-9862-436e-9914-1cf08fc68a31

📥 Commits

Reviewing files that changed from the base of the PR and between 4eab851 and 386e450.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (2)
  • go.mod
  • pkg/objectcache/shared_container_data.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • pkg/objectcache/shared_container_data.go

golang.org/x/sys v0.42.0
gonum.org/v1/plot v0.14.0
google.golang.org/grpc v1.77.0
google.golang.org/grpc v1.79.2
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify whether google.golang.org/grpc@v1.79.2 is affected and identify fixed versions via OSV.
set -euo pipefail

payload='{
  "package": {"ecosystem": "Go", "name": "google.golang.org/grpc"},
  "version": "1.79.2"
}'

curl -sS https://api.osv.dev/v1/query -d "$payload" \
| jq '{
    affected: (.vulns // [] | map({id, summary, aliases, fixed: ([.affected[]?.ranges[]?.events[]?.fixed] | flatten | unique)}))
  }'

Repository: kubescape/node-agent

Length of output: 334


Upgrade vulnerable google.golang.org/grpc version before merge.

Line 58 pins google.golang.org/grpc v1.79.2, which contains GHSA-p77j-4mvh-x3m3 (authorization bypass via missing leading slash in :path). Upgrade to v1.79.3 or newer and re-tidy modules.

🧰 Tools
🪛 OSV Scanner (2.3.3)

[CRITICAL] 58-58: google.golang.org/grpc 1.79.2: gRPC-Go has an authorization bypass via missing leading slash in :path

(GHSA-p77j-4mvh-x3m3)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 58, Update the pinned dependency for google.golang.org/grpc
from v1.79.2 to v1.79.3 (or newer) in go.mod to address GHSA-p77j-4mvh-x3m3,
then refresh module metadata by re-resolving modules (e.g., run the equivalent
of go get to the new version and run go mod tidy) so go.sum is updated; target
the dependency named google.golang.org/grpc and ensure no other code references
a stricter version constraint.

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
matthyx force-pushed the backend-integration branch from 386e450 to e3beadf on March 23, 2026 21:57
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (1)
go.mod (1)

58-58: ⚠️ Potential issue | 🔴 Critical

Upgrade vulnerable google.golang.org/grpc before merge.

Line 58 still pins google.golang.org/grpc v1.79.2, which is affected by GHSA-p77j-4mvh-x3m3. Please bump to v1.79.3 or newer and re-run module tidy.

🔧 Proposed fix
-	google.golang.org/grpc v1.79.2
+	google.golang.org/grpc v1.79.3
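
Review bot: The + line changes only the require entry, while the version the build uses is whatever module resolution selects, which a replace directive or a higher requirement elsewhere in the graph can override. After the bump, confirm the selected version with go list -m google.golang.org/grpc and commit the regenerated go.sum in the same change.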
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 58, Update the pinned module google.golang.org/grpc from
v1.79.2 to v1.79.3 (or newer) in the go.mod entry and then run `go mod tidy` to
refresh go.sum and ensure dependencies are consistent; verify the updated
version is committed so the GHSA-p77j-4mvh-x3m3 vulnerability is resolved.
🧹 Nitpick comments (1)
pkg/objectcache/shared_container_data_test.go (1)

133-140: Test case name is misleading.

The name "no match case sensitivity" suggests the prefix shouldn't match, but the expected result "o world" shows that "Hell" does match "Hello" case-insensitively. Consider renaming to something like "partial word prefix match" or "prefix matches start of word".

✏️ Suggested name fix
 		{
-			name: "no match case sensitivity",
+			name: "partial word prefix match",
 			args: args{
 				s:      "Hello world",
 				prefix: "Hell",
 			},
 			want: "o world",
 		},
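
Review bot: Renaming fixes the label, but the entry with s "Hello world" and prefix "Hell" uses identical casing on both sides, so it would also pass with a plain strings.TrimPrefix and does not exercise the case-insensitive path. If the table has no other entry that does, change the prefix to a differently cased spelling such as "hELL" or add a separate case for it, so the test covers the behaviour the helper is named for.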
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/objectcache/shared_container_data_test.go` around lines 133 - 140, Rename
the misleading test case name "no match case sensitivity" in the table-driven
test in shared_container_data_test.go to accurately reflect the behavior (e.g.,
"prefix matches start of word" or "partial word prefix match"); update the name
field of the specific test entry that has args {s: "Hello world", prefix:
"Hell"} and want "o world" so the test name matches the expected outcome and
clarifies intent for future readers.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/containerprofilemanager/v1/monitoring.go`:
- Around line 204-208: The Info log message contains a developer name and should
be removed or replaced; remove or rename the logger.L().Info call that logs
"Matthias container profile saved successfully" and instead emit a neutral
message (e.g., "container profile saved successfully") or drop the log entirely;
also stop discarding the error from watchedContainer.InstanceID.GetSlug(true) —
capture the returned error from GetSlug(true) and, if non-nil, log it at Debug
level (or handle appropriately) before using apName, referencing
watchedContainer.InstanceID.GetSlug, logger.L().Info, and
watchedContainer.InstanceID.GetStringFormatted to locate the code to change.

---

Duplicate comments:
In `@go.mod`:
- Line 58: Update the pinned module google.golang.org/grpc from v1.79.2 to
v1.79.3 (or newer) in the go.mod entry and then run `go mod tidy` to refresh
go.sum and ensure dependencies are consistent; verify the updated version is
committed so the GHSA-p77j-4mvh-x3m3 vulnerability is resolved.

---

Nitpick comments:
In `@pkg/objectcache/shared_container_data_test.go`:
- Around line 133-140: Rename the misleading test case name "no match case
sensitivity" in the table-driven test in shared_container_data_test.go to
accurately reflect the behavior (e.g., "prefix matches start of word" or
"partial word prefix match"); update the name field of the specific test entry
that has args {s: "Hello world", prefix: "Hell"} and want "o world" so the test
name matches the expected outcome and clarifies intent for future readers.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1ae0caab-0090-4bd0-aec3-6c0ef676be74

📥 Commits

Reviewing files that changed from the base of the PR and between 386e450 and e3beadf.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (4)
  • go.mod
  • pkg/containerprofilemanager/v1/monitoring.go
  • pkg/objectcache/shared_container_data.go
  • pkg/objectcache/shared_container_data_test.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • pkg/objectcache/shared_container_data.go

Comment on lines +204 to +208
apName, _ := watchedContainer.InstanceID.GetSlug(true)
logger.L().Info("Matthias container profile saved successfully",
helpers.String("apName", apName), helpers.String("name", slug),
helpers.String("namespace", container.K8s.Namespace), helpers.String("instanceID", watchedContainer.InstanceID.GetStringFormatted()),
helpers.String("wlid", watchedContainer.Wlid), helpers.Interface("annotations", containerProfile.ObjectMeta.Annotations), helpers.Interface("labels", containerProfile.ObjectMeta.Labels))
⚠️ Potential issue | 🟠 Major

Remove debug log with developer name before merging.

This appears to be a development/debug log that was accidentally included. The message "Matthias container profile saved successfully" contains a developer name and should not be committed to the codebase.

Additionally, the error from GetSlug(true) is silently discarded. If this logging is intended to remain (with a proper message), consider at least logging the error at Debug level if it occurs.

Suggested fix: Remove the debug log
 	logger.L().Debug("container profile saved successfully",
 		helpers.String("containerID", watchedContainer.ContainerID),
 		helpers.String("containerName", container.Runtime.ContainerName),
 		helpers.String("podName", container.K8s.PodName))
-	apName, _ := watchedContainer.InstanceID.GetSlug(true)
-	logger.L().Info("Matthias container profile saved successfully",
-		helpers.String("apName", apName), helpers.String("name", slug),
-		helpers.String("namespace", container.K8s.Namespace), helpers.String("instanceID", watchedContainer.InstanceID.GetStringFormatted()),
-		helpers.String("wlid", watchedContainer.Wlid), helpers.Interface("annotations", containerProfile.ObjectMeta.Annotations), helpers.Interface("labels", containerProfile.ObjectMeta.Labels))
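
Review bot: Beyond the developer name in the message, the removed Info call passes the full Annotations and Labels maps through helpers.Interface for every saved profile, which is noisy at Info level and copies workload metadata into logs. If a renamed version of this log is kept instead of deleted, keep it at Debug like the call above it, log only the identifiers needed, and handle the error that apName, _ := watchedContainer.InstanceID.GetSlug(true) discards.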
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
apName, _ := watchedContainer.InstanceID.GetSlug(true)
logger.L().Info("Matthias container profile saved successfully",
helpers.String("apName", apName), helpers.String("name", slug),
helpers.String("namespace", container.K8s.Namespace), helpers.String("instanceID", watchedContainer.InstanceID.GetStringFormatted()),
helpers.String("wlid", watchedContainer.Wlid), helpers.Interface("annotations", containerProfile.ObjectMeta.Annotations), helpers.Interface("labels", containerProfile.ObjectMeta.Labels))
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/containerprofilemanager/v1/monitoring.go` around lines 204 - 208, The
Info log message contains a developer name and should be removed or replaced;
remove or rename the logger.L().Info call that logs "Matthias container profile
saved successfully" and instead emit a neutral message (e.g., "container profile
saved successfully") or drop the log entirely; also stop discarding the error
from watchedContainer.InstanceID.GetSlug(true) — capture the returned error from
GetSlug(true) and, if non-nil, log it at Debug level (or handle appropriately)
before using apName, referencing watchedContainer.InstanceID.GetSlug,
logger.L().Info, and watchedContainer.InstanceID.GetStringFormatted to locate
the code to change.
