opentelemetry-collector
[ci] Run Go unit tests with `GODEBUG=fips140=only`
Description
This PR runs all Golang unit tests in this repository with the `GODEBUG=fips140=only` environment variable set. This is useful to detect any FIPS-140 violations of code covered by these unit tests.
To achieve the above, this PR introduces a new gotest-fips140-only target in Makefile and a corresponding test-fips140-only target in Makefile.Common.
Link to tracking issue
Relates to #13925
Testing
Documentation
Codecov Report
:white_check_mark: All modified and coverable lines are covered by tests.
:white_check_mark: Project coverage is 92.24%. Comparing base (f2bced2) to head (fd1a96e).
Additional details and impacted files
@@ Coverage Diff @@
## main #13926 +/- ##
==========================================
- Coverage 92.28% 92.24% -0.05%
==========================================
Files 657 657
Lines 41111 41111
==========================================
- Hits 37939 37921 -18
- Misses 2171 2183 +12
- Partials 1001 1007 +6
Running make gotest-fips140-only fails fast, so instead I'm running make test-fips140-only in each module, with Golang 1.25.0, like so:
$ go version
go version go1.25.0 linux/arm64
$ for m in $(find . -iname go.mod); do d=$(dirname $m); cd $d; make test-fips140-only; cd -; done
Ignoring passing and skipped tests, here are the failures:
=== Failed
=== FAIL: internal/builder TestVersioning/defaults (0.16s)
2025-10-09T23:03:01.172-0700 INFO builder/main.go:99 Sources created {"path": "/tmp/otelcol-distribution2818115018"}
main_test.go:220:
Error Trace: /home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:220
Error: Target error should be in err chain:
expected: ""
in chain: "failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/[email protected]: Get \"https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod\": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode\n"
"go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/[email protected]: Get \"https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod\": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode\n"
"exit status 1"
Test: TestVersioning/defaults
=== FAIL: internal/builder TestVersioning/old_component_version (0.16s)
2025-10-09T23:03:01.341-0700 INFO builder/main.go:99 Sources created {"path": "/tmp/otelcol-distribution2842198807"}
main_test.go:220:
Error Trace: /home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:220
Error: Target error should be in err chain:
expected: ""
in chain: "failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/[email protected]: Get \"https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod\": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode\n"
"go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/[email protected]: Get \"https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod\": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode\n"
"exit status 1"
Test: TestVersioning/old_component_version
=== FAIL: internal/builder TestVersioning/old_component_version_without_strict_mode (0.17s)
2025-10-09T23:03:01.503-0700 INFO builder/main.go:99 Sources created {"path": "/tmp/otelcol-distribution1917550671"}
main_test.go:220:
Error Trace: /home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:220
Error: Target error should be in err chain:
expected: ""
in chain: "failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/[email protected]: Get \"https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod\": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode\n"
"go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/[email protected]: Get \"https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod\": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode\n"
"exit status 1"
Test: TestVersioning/old_component_version_without_strict_mode
=== FAIL: internal/builder TestVersioning (0.50s)
=== FAIL: internal/builder TestGenerateAndCompile/Default_Configuration_Compilation (0.19s)
2025-10-09T23:03:01.676-0700 INFO builder/config.go:160 Using go {"go-executable": "/usr/local/go/bin/go"}
2025-10-09T23:03:01.679-0700 INFO builder/main.go:99 Sources created {"path": "/tmp/TestGenerateAndCompileDefault_Configuration_Compilation252918051/001"}
main_test.go:338:
Error Trace: /home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:338
Error: Received unexpected error:
failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/[email protected]: Get "https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
Test: TestGenerateAndCompile/Default_Configuration_Compilation
=== FAIL: internal/builder TestGenerateAndCompile/LDFlags_Compilation (0.18s)
2025-10-09T23:03:01.863-0700 INFO builder/config.go:160 Using go {"go-executable": "/usr/local/go/bin/go"}
2025-10-09T23:03:01.867-0700 INFO builder/main.go:99 Sources created {"path": "/tmp/TestGenerateAndCompileLDFlags_Compilation3165267322/001"}
main_test.go:338:
Error Trace: /home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:338
Error: Received unexpected error:
failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/[email protected]: Get "https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
Test: TestGenerateAndCompile/LDFlags_Compilation
=== FAIL: internal/builder TestGenerateAndCompile/GCFlags_Compilation (0.18s)
2025-10-09T23:03:02.048-0700 INFO builder/config.go:160 Using go {"go-executable": "/usr/local/go/bin/go"}
2025-10-09T23:03:02.050-0700 INFO builder/main.go:99 Sources created {"path": "/tmp/TestGenerateAndCompileGCFlags_Compilation937123693/001"}
main_test.go:338:
Error Trace: /home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:338
Error: Received unexpected error:
failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/[email protected]: Get "https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
Test: TestGenerateAndCompile/GCFlags_Compilation
=== FAIL: internal/builder TestGenerateAndCompile/Build_Tags_Compilation (0.19s)
2025-10-09T23:03:02.226-0700 INFO builder/config.go:160 Using go {"go-executable": "/usr/local/go/bin/go"}
2025-10-09T23:03:02.230-0700 INFO builder/main.go:99 Sources created {"path": "/tmp/TestGenerateAndCompileBuild_Tags_Compilation452952742/001"}
main_test.go:338:
Error Trace: /home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:338
Error: Received unexpected error:
failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/[email protected]: Get "https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
Test: TestGenerateAndCompile/Build_Tags_Compilation
=== FAIL: internal/builder TestGenerateAndCompile/Debug_Compilation (0.19s)
main_test.go:338:
Error Trace: /home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:338
Error: Received unexpected error:
failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/[email protected]: Get "https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
Test: TestGenerateAndCompile/Debug_Compilation
=== FAIL: internal/builder TestGenerateAndCompile/No_providers (0.18s)
2025-10-09T23:03:02.604-0700 INFO builder/config.go:160 Using go {"go-executable": "/usr/local/go/bin/go"}
2025-10-09T23:03:02.607-0700 INFO builder/main.go:99 Sources created {"path": "/tmp/TestGenerateAndCompileNo_providers3344910177/001"}
main_test.go:338:
Error Trace: /home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:338
Error: Received unexpected error:
failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/[email protected]: Get "https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
Test: TestGenerateAndCompile/No_providers
=== FAIL: internal/builder TestGenerateAndCompile/With_confmap_factories (0.18s)
2025-10-09T23:03:02.783-0700 INFO builder/config.go:160 Using go {"go-executable": "/usr/local/go/bin/go"}
2025-10-09T23:03:02.785-0700 INFO builder/main.go:99 Sources created {"path": "/tmp/TestGenerateAndCompileWith_confmap_factories465256339/001"}
main_test.go:338:
Error Trace: /home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:338
Error: Received unexpected error:
failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/[email protected]: Get "https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
Test: TestGenerateAndCompile/With_confmap_factories
=== FAIL: internal/builder TestGenerateAndCompile/ConfResolverDefaultURIScheme_set (0.19s)
2025-10-09T23:03:02.967-0700 INFO builder/config.go:160 Using go {"go-executable": "/usr/local/go/bin/go"}
2025-10-09T23:03:02.971-0700 INFO builder/main.go:99 Sources created {"path": "/tmp/TestGenerateAndCompileConfResolverDefaultURIScheme_set2737885439/001"}
main_test.go:338:
Error Trace: /home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:338
Error: Received unexpected error:
failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/[email protected]: Get "https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
Test: TestGenerateAndCompile/ConfResolverDefaultURIScheme_set
=== FAIL: internal/builder TestGenerateAndCompile (1.48s)
=== FAIL: internal/builder TestReplaceStatementsAreComplete (0.29s)
2025-10-09T23:03:03.275-0700 INFO builder/main.go:99 Sources created {"path": "/tmp/TestReplaceStatementsAreComplete182791686/001"}
main_test.go:420:
Error Trace: /home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:420
Error: Received unexpected error:
failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/[email protected]: Get "https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
Test: TestReplaceStatementsAreComplete
DONE 39 tests, 14 failures in 2.484s
make: *** [../../Makefile.Common:33: test-fips140-only] Error 1
...
=== Failed
=== FAIL: . TestHttpReception/TLS (2.01s)
configgrpc_test.go:754:
Error Trace: /home/shaunak/development/github/opentelemetry-collector/config/configgrpc/configgrpc_test.go:754
Error: Received unexpected error:
rpc error: code = DeadlineExceeded desc = latest balancer error: connection error: desc = "transport: authentication handshake failed: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode"
Test: TestHttpReception/TLS
=== FAIL: . TestHttpReception/mTLS (2.03s)
configgrpc_test.go:754:
Error Trace: /home/shaunak/development/github/opentelemetry-collector/config/configgrpc/configgrpc_test.go:754
Error: Received unexpected error:
rpc error: code = DeadlineExceeded desc = latest balancer error: connection error: desc = "transport: authentication handshake failed: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode"
Test: TestHttpReception/mTLS
=== FAIL: . TestHttpReception (10.08s)
DONE 73 tests, 3 failures in 10.121s
make: *** [../../Makefile.Common:33: test-fips140-only] Error 1
...
=== Failed
=== FAIL: . TestHttpReception/TLS (0.00s)
server_test.go:267:
Error Trace: /home/shaunak/development/github/opentelemetry-collector/config/confighttp/server_test.go:267
Error: Received unexpected error:
Get "https://127.0.0.1:39113": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
Test: TestHttpReception/TLS
=== FAIL: . TestHttpReception/TLS_(HTTP/1.1) (0.00s)
server_test.go:267:
Error Trace: /home/shaunak/development/github/opentelemetry-collector/config/confighttp/server_test.go:267
Error: Received unexpected error:
Get "https://127.0.0.1:34695": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
Test: TestHttpReception/TLS_(HTTP/1.1)
=== FAIL: . TestHttpReception/mTLS (0.01s)
server_test.go:267:
Error Trace: /home/shaunak/development/github/opentelemetry-collector/config/confighttp/server_test.go:267
Error: Received unexpected error:
Get "https://127.0.0.1:42475": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
Test: TestHttpReception/mTLS
=== FAIL: . TestHttpReception (0.02s)
DONE 159 tests, 4 failures in 0.160s
make: *** [../../Makefile.Common:33: test-fips140-only] Error 1
...
=== Failed
=== FAIL: . TestTPM_loadCertificate (0.00s)
panic: crypto/cipher: use of CFB is not allowed in FIPS 140-only mode [recovered, repanicked]
goroutine 173 [running]:
testing.tRunner.func1.2({0x813860, 0x91ee50})
/usr/local/go/src/testing/testing.go:1872 +0x2b4
testing.tRunner.func1()
/usr/local/go/src/testing/testing.go:1875 +0x460
panic({0x813860?, 0x91ee50?})
/usr/local/go/src/runtime/panic.go:783 +0x120
crypto/cipher.NewCFBEncrypter(...)
/usr/local/go/src/crypto/cipher/cfb.go:65
github.com/google/go-tpm/tpm2.(*hmacSession).Encrypt(0xc000170300, {0xc00001a982, 0x4, 0x3e})
/home/shaunak/go/pkg/mod/github.com/google/[email protected]/tpm2/sessions.go:634 +0x36c
github.com/google/go-tpm/tpm2.cmdParameters[...]({0x922b28, 0xc0001b8380}, {0xc0002261a0, 0x2, 0x10})
/home/shaunak/go/pkg/mod/github.com/google/[email protected]/tpm2/reflect.go:882 +0x288
github.com/google/go-tpm/tpm2.execute[...]({0xffff95968420, 0xc00022c540}, {0x922b28, 0xc0001b8380}, 0xc0002f4120, {0xc00039eb38, 0x1, 0xc00039e801})
/home/shaunak/go/pkg/mod/github.com/google/[email protected]/tpm2/reflect.go:49 +0x318
github.com/google/go-tpm/tpm2.Create.Execute({{0x922790, 0xc00038a930}, {0x0}, {0xc000590fc0, {0x0, 0x0, 0x0}}, {{}, {0x0, 0x0, ...}}, ...}, ...)
/home/shaunak/go/pkg/mod/github.com/google/[email protected]/tpm2/tpm2.go:193 +0xd0
github.com/foxboron/go-tpm-keyfiles.createKeyWithHandle(0xc00039ec40, {0x80000000, {{}, {0xc00051e7e0, 0x22, 0x22}}, {0x925a58, 0xc0000d73c8}}, 0x23, 0x100, ...)
/home/shaunak/go/pkg/mod/github.com/foxboron/[email protected]/tpm.go:575 +0xa3c
github.com/foxboron/go-tpm-keyfiles.NewLoadableKeyWithResponse({0x922ba0, 0xc00022c540}, 0x23, 0x100, {0x1b55ea0, 0x0, 0x0}, {0x0, 0x0, 0x0})
/home/shaunak/go/pkg/mod/github.com/foxboron/[email protected]/loadablekey.go:31 +0x19c
github.com/foxboron/go-tpm-keyfiles.NewLoadableKey(...)
/home/shaunak/go/pkg/mod/github.com/foxboron/[email protected]/loadablekey.go:15
go.opentelemetry.io/collector/config/configtls.createTPMKeyCert(0xc0002fb880, {0x922ba0, 0xc00022c540})
/home/shaunak/development/github/opentelemetry-collector/config/configtls/tpm_test.go:191 +0x68
go.opentelemetry.io/collector/config/configtls.TestTPM_loadCertificate(0xc0002fb880)
/home/shaunak/development/github/opentelemetry-collector/config/configtls/tpm_test.go:41 +0xf4
testing.tRunner(0xc0002fb880, 0x8ae980)
/usr/local/go/src/testing/testing.go:1934 +0x168
created by testing.(*T).Run in goroutine 1
/usr/local/go/src/testing/testing.go:1997 +0x6e4
DONE 119 tests, 1 failure in 0.135s
make: *** [../../Makefile.Common:33: test-fips140-only] Error 1
...
=== FAIL: provider/internal/configurablehttpprovider TestFunctionalityDownloadFileHTTPS (0.02s)
panic: crypto/sha1: use of SHA-1 is not allowed in FIPS 140-only mode [recovered, repanicked]
goroutine 4 [running]:
testing.tRunner.func1.2({0x1048c0a20, 0x1049564c0})
/Users/shaunak/.gvm/gos/go1.25.1/src/testing/testing.go:1872 +0x2b4
testing.tRunner.func1()
/Users/shaunak/.gvm/gos/go1.25.1/src/testing/testing.go:1875 +0x460
panic({0x1048c0a20?, 0x1049564c0?})
/Users/shaunak/.gvm/gos/go1.25.1/src/runtime/panic.go:783 +0x120
crypto/sha1.Sum({0xc0002d0240, 0x10e, 0x10e})
/Users/shaunak/.gvm/gos/go1.25.1/src/crypto/sha1/sha1.go:278 +0x154
crypto/x509.CreateCertificate({0x104958b20, 0xc00011c250}, 0xc0002c2e58, 0xc0002c2e58, {0x1048e2160, 0xc000280230}, {0x104925f00, 0xc000280230})
/Users/shaunak/.gvm/gos/go1.25.1/src/crypto/x509/x509.go:1738 +0x5a4
go.opentelemetry.io/collector/confmap/provider/internal/configurablehttpprovider.generateCertificate(0xc000005180, {0x1047c868d, 0x9})
/Users/shaunak/development/github/opentelemetry-collector/confmap/provider/internal/configurablehttpprovider/provider_test.go:81 +0x510
go.opentelemetry.io/collector/confmap/provider/internal/configurablehttpprovider.TestFunctionalityDownloadFileHTTPS(0xc000005180)
/Users/shaunak/development/github/opentelemetry-collector/confmap/provider/internal/configurablehttpprovider/provider_test.go:126 +0x40
testing.tRunner(0xc000005180, 0x1049535d0)
/Users/shaunak/.gvm/gos/go1.25.1/src/testing/testing.go:1934 +0x168
created by testing.(*T).Run in goroutine 1
/Users/shaunak/.gvm/gos/go1.25.1/src/testing/testing.go:1997 +0x6e4
DONE 243 tests, 1 skipped, 1 failure in 3.058s
...
=== Failed
=== FAIL: . TestSendTracesWhenEndpointHasHttpScheme/Use_https_scheme (10.01s)
otlp_test.go:461:
Error Trace: /Users/shaunak/development/github/opentelemetry-collector/exporter/otlpexporter/otlp_test.go:461
Error: Condition never satisfied
Test: TestSendTracesWhenEndpointHasHttpScheme/Use_https_scheme
=== FAIL: . TestSendTracesWhenEndpointHasHttpScheme (10.02s)
=== FAIL: . TestSendProfilesWhenEndpointHasHttpScheme/Use_https_scheme (10.01s)
otlp_test.go:1034:
Error Trace: /Users/shaunak/development/github/opentelemetry-collector/exporter/otlpexporter/otlp_test.go:1034
Error: Condition never satisfied
Test: TestSendProfilesWhenEndpointHasHttpScheme/Use_https_scheme
=== FAIL: . TestSendProfilesWhenEndpointHasHttpScheme (10.03s)
DONE 62 tests, 4 failures in 28.041s
...
I think you can just set GODEBUG as an env var before running make.
GODEBUG=fips140=only make test
Please feel free to open issues for each test occurrence failing, and request fips140-3 be considered for support.
Thanks @atoulme, I'll run the Go unit tests as you suggested.
The goal would be to eventually run these unit tests with GODEBUG=fips140=only in CI so we can detect any regressions once all the test failures are addressed. I'll amend this PR accordingly and file separate issues for each failing test. Once those issues are resolved, we can return to this PR, rebasing it on main, and making sure it passes CI.
> Please feel free to open issues for each test occurrence failing, and request fips140-3 be considered for support.
- https://github.com/open-telemetry/opentelemetry-collector/issues/13989
- https://github.com/open-telemetry/opentelemetry-collector/issues/13990
- https://github.com/open-telemetry/opentelemetry-collector/issues/13997
- https://github.com/open-telemetry/opentelemetry-collector/issues/13998
- https://github.com/open-telemetry/opentelemetry-collector/issues/13999
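
The triage behind filing one issue per failure can be scripted. The following is an added example, not code from this PR or from the collector repository: it groups `=== FAIL:` entries in test output of the shape shown above by the rejected primitive, and sets aside failures that carry no FIPS message (such as the `Condition never satisfied` timeouts) for manual review. The sample log is constructed, and `GroupViolations` and `NoFIPSMessage` are hypothetical names.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample in the format of the test output above (shortened).
const sampleLog = `=== FAIL: internal/builder TestVersioning/defaults (0.16s)
    Error: go subcommand failed: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
=== FAIL: internal/builder TestVersioning (0.50s)
=== FAIL: . TestTPM_loadCertificate (0.00s)
panic: crypto/cipher: use of CFB is not allowed in FIPS 140-only mode [recovered, repanicked]
=== FAIL: . TestSendTraces/Use_https_scheme (10.01s)
    Error: Condition never satisfied
`

const NoFIPSMessage = "no FIPS message (review manually)" // hypothetical bucket name

var (
	failRe = regexp.MustCompile(`^=== FAIL: (\S+) (\S+) \(`)
	fipsRe = regexp.MustCompile(`(crypto/[\w/]+): use of (\S+) is not allowed in FIPS 140-only mode`)
)

// GroupViolations maps "package: algorithm" to the failed tests that hit it.
func GroupViolations(log string) map[string][]string {
	groups := map[string][]string{}
	var seen []string
	current, attributed := "", true
	flush := func() { // file a failure that carried no FIPS message
		if current == "" || attributed {
			return
		}
		for _, s := range seen { // skip parents whose subtests were already seen
			if strings.HasPrefix(s, current+"/") {
				return
			}
		}
		groups[NoFIPSMessage] = append(groups[NoFIPSMessage], current)
	}
	sc := bufio.NewScanner(strings.NewReader(log))
	sc.Buffer(make([]byte, 0, 64*1024), 1<<20) // error-chain lines can be long
	for sc.Scan() {
		if m := failRe.FindStringSubmatch(sc.Text()); m != nil {
			flush()
			current, attributed = m[1]+" "+m[2], false
			seen = append(seen, current)
		} else if m := fipsRe.FindStringSubmatch(sc.Text()); m != nil && !attributed {
			groups[m[1]+": "+m[2]] = append(groups[m[1]+": "+m[2]], current)
			attributed = true
		}
	}
	flush()
	return groups
}

func main() {
	groups := GroupViolations(sampleLog)
	keys := make([]string, 0, len(groups))
	for k := range groups {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("%s\n  %s\n", k, strings.Join(groups[k], "\n  "))
	}
}
```

Package names such as `.` are relative to the module that produced them, so when logs from several modules are concatenated, record the module directory alongside each section before grouping.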