
[fips140][`cmd/builder`] Unit tests: Add `GODEBUG=tlsmlkem=0` if `GODEBUG=fips140=only` is set

Open ycombinator opened this issue 4 weeks ago • 1 comments

Description

When https://github.com/open-telemetry/opentelemetry-collector/pull/13926 is merged, all unit tests in this repository will be run with GODEBUG=fips140=only to help surface any FIPS-140 violations in all the Go modules in this repository.

The cmd/builder module is not used when running the OpenTelemetry Collector. It is a tool used to build OpenTelemetry Collector distributions. As such, strictly speaking, we do not need to worry about FIPS-140 violations in this module.

However, since unit tests for all modules will be run with GODEBUG=fips140=only, it is convenient to address any FIPS-140 violations in this module as well.

The module is responsible for building OpenTelemetry Collector distributions from a configuration file. The configuration file lists Go modules which are then downloaded in order to compile the distribution. During the download, if GODEBUG=fips140=only is set, the following error will be thrown:

crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode

To suppress this error, we append tlsmlkem=0 to the GODEBUG environment variable. This is OK to do because a) we are only doing this from unit test code, not the module's code itself and b) as mentioned above, this particular module is not involved in the running of the OpenTelemetry Collector itself, i.e. we are not suppressing a legitimate FIPS violation in OpenTelemetry Collector code.

Link to tracking issue

Fixes #13997

Testing

Run the existing unit tests in the cmd/builder module with Go >= 1.24.6 and GODEBUG=fips140=only.

cd cmd/builder
GODEBUG=fips140=only go test -v ./... -count 1

ycombinator avatar Oct 22 '25 19:10 ycombinator
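
An added example, not code from this PR or from the project: one way a test helper could compute the GODEBUG value described above, touching it only when `fips140=only` is in effect and leaving an explicit `tlsmlkem` choice alone. The function name `godebugForFIPSTests` is hypothetical, and the setting is written `tlsmlkem`, the name the Go runtime recognizes.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// godebugForFIPSTests (hypothetical helper) returns the GODEBUG value a test
// should run with. When fips140=only is in effect and tlsmlkem has not been
// set explicitly, it appends tlsmlkem=0, the setting the description uses to
// avoid the X25519 error. Every other input is returned unchanged, so the
// override can never leak into a non-FIPS test run.
func godebugForFIPSTests(current string) string {
	fipsOnly, mlkemSet := false, false
	for _, kv := range strings.Split(current, ",") {
		key, val, _ := strings.Cut(strings.TrimSpace(kv), "=")
		switch key {
		case "fips140":
			// This helper lets a later occurrence override an earlier one.
			fipsOnly = val == "only"
		case "tlsmlkem":
			mlkemSet = true // respect whatever the caller chose
		}
	}
	if !fipsOnly || mlkemSet {
		return current
	}
	return strings.TrimSuffix(current, ",") + ",tlsmlkem=0"
}

func main() {
	updated := godebugForFIPSTests(os.Getenv("GODEBUG"))
	// In a unit test, t.Setenv("GODEBUG", updated) scopes the change to that
	// test; os.Setenv is used here only so the example runs stand-alone.
	// Child processes started afterwards inherit the value.
	if err := os.Setenv("GODEBUG", updated); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("GODEBUG=%q\n", updated)
}
```
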

Codecov Report

:white_check_mark: All modified and coverable lines are covered by tests. :white_check_mark: Project coverage is 91.64%. Comparing base (71418b6) to head (e659400). :warning: Report is 26 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #14068      +/-   ##
==========================================
+ Coverage   91.61%   91.64%   +0.02%     
==========================================
  Files         655      656       +1     
  Lines       42793    42801       +8     
==========================================
+ Hits        39205    39225      +20     
+ Misses       2765     2757       -8     
+ Partials      823      819       -4     


codecov[bot] avatar Oct 22 '25 19:10 codecov[bot]