Containerize baton-google-bigquery connector #45

Draft
laurenleach wants to merge 8 commits into main from containerize

Conversation

@laurenleach laurenleach commented Jan 29, 2026

Containerizes the connector following baton-databricks#35 and baton-contentful#48.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Summary by CodeRabbit

  • New Features
    • Added Google BigQuery connector with credential file configuration support.
  • Chores
    • Upgraded Go version to 1.25.2.
    • Updated dependencies across Google Cloud, AWS SDKs, and utility libraries for improved stability and performance.

- Update baton-sdk to v0.7.10
- Create pkg/config package with generated configuration
- Update main.go to use config.RunConnector API
- Update connector to use V2 interface
- Update Makefile for config generation and lambda support
- Update GitHub workflows

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@laurenleach laurenleach requested a review from a team January 29, 2026 23:16
coderabbitai bot commented Jan 29, 2026

Important

Review skipped

Draft detected.


Walkthrough

The changes implement a Google BigQuery connector by introducing configuration management infrastructure, updating Go dependencies to version 1.25.2, adding configuration accessor methods via reflection, and modifying the connector initialization to accept a configuration object using the V2 builder interface.

Changes

Dependency Upgrades (go.mod): Bumped Go version from 1.21 to 1.25.2 and updated numerous direct and indirect dependencies including cloud.google.com/go packages, Google APIs, AWS SDKs, OpenTelemetry components, and utility libraries.

Configuration Infrastructure (pkg/config/config.go, pkg/config/conf.gen.go): Added new configuration schema for Google BigQuery connector with CredentialsJSONFilePath constant and Config variable. Introduced code-generated GoogleBigQuery struct with reflection-based field accessors (GetString, GetInt, GetBool, GetStringMap, GetStringSlice).

Connector API Updates (pkg/connector/connector.go): Modified ResourceSyncers return type to V2 interface (ResourceSyncerV2) and added NewConnector public function that initializes connector from GoogleBigQuery config object, leveraging configuration-based dependency injection.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A BigQuery burrow we've built with care,
With configs and connectors everywhere!
Go 1.25 speeds us along,
While V2 interfaces make us strong.
Credentials in hand, we hop with delight!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)
Docstring Coverage: ⚠️ Warning. Docstring coverage is 50.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)
Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The PR title 'Containerize baton-google-bigquery connector' accurately describes the primary objective of the changeset, which is to containerize the connector as documented in the PR description.


- Add display name to credentials JSON file path field
- Add connector display name, help URL, and icon URL

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@pkg/config/schema.go`:
- Around line 12-17: Update the user-facing description for the field to
indicate it's a path rather than a name: change the description passed to
credentialsJSONFilePathField (the StringField for CredentialsJSONFilePath) from
"JSON credentials file name for the Google identity platform account." to
wording that uses "file path" (e.g., "Path to the JSON credentials file for the
Google Identity Platform account.") so the label accurately reflects that the
value is a file path.

In `@pkg/connector/connector.go`:
- Around line 89-99: The NewConnector function dereferences cfg without a nil
check; add a guard at the start of NewConnector to verify cfg != nil, log an
error via the extracted logger (l := ctxzap.Extract(ctx)) and return nil, nil
and an appropriate error (e.g. errors.New or fmt.Errorf) instead of proceeding
to call New with cfg.CredentialsJSONFilePath; ensure the nil check occurs before
any use of cfg and keep the existing error return pattern used elsewhere in the
function.

Comment on lines +12 to +17
	credentialsJSONFilePathField = field.StringField(
		CredentialsJSONFilePath,
		field.WithDisplayName("Credentials JSON File Path"),
		field.WithRequired(true),
		field.WithDescription("JSON credentials file name for the Google identity platform account."),
	)


⚠️ Potential issue | 🟡 Minor

Clarify the description to “file path.”

The field is explicitly a path (credentials-json-file-path), but the description says “file name.” This is user-facing and can mislead.

✏️ Suggested wording update
-		field.WithDescription("JSON credentials file name for the Google identity platform account."),
+		field.WithDescription("JSON credentials file path for the Google identity platform account."),
Suggested change
	credentialsJSONFilePathField = field.StringField(
		CredentialsJSONFilePath,
		field.WithDisplayName("Credentials JSON File Path"),
		field.WithRequired(true),
		field.WithDescription("JSON credentials file path for the Google identity platform account."),
	)

Comment on lines 89 to 99
// NewConnector returns a new connector builder from a configuration struct.
func NewConnector(ctx context.Context, cfg *config.GoogleBigQuery, opts *cli.ConnectorOpts) (connectorbuilder.ConnectorBuilderV2, []connectorbuilder.Opt, error) {
	l := ctxzap.Extract(ctx)

	cb, err := New(ctx, cfg.CredentialsJSONFilePath)
	if err != nil {
		l.Error("error creating connector", zap.Error(err))
		return nil, nil, err
	}

	return cb, nil, nil

⚠️ Potential issue | 🟠 Major


Add nil check before dereferencing cfg to prevent panic.

The cfg parameter is dereferenced at line 93 without a nil guard. If a caller passes nil, this will panic instead of returning a proper error.

Suggested fix
 func NewConnector(ctx context.Context, cfg *config.GoogleBigQuery, opts *cli.ConnectorOpts) (connectorbuilder.ConnectorBuilderV2, []connectorbuilder.Opt, error) {
 	l := ctxzap.Extract(ctx)
+
+	if cfg == nil {
+		return nil, nil, fmt.Errorf("config is nil")
+	}
 
 	cb, err := New(ctx, cfg.CredentialsJSONFilePath)
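Review bot: the guard added at `+	if cfg == nil {` returns `fmt.Errorf("config is nil")`, yet the hunk adds no `fmt` import for connector.go; confirm the file already imports `fmt` (or use `errors.New`, which the agent prompt also offers) or the suggestion will not compile. The guard also returns silently while the existing `New` error path logs through `l`; either log the nil config the same way, or move the check above `l := ctxzap.Extract(ctx)` so the logger is only built on the path that uses it.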
Suggested change
// NewConnector returns a new connector builder from a configuration struct.
func NewConnector(ctx context.Context, cfg *config.GoogleBigQuery, opts *cli.ConnectorOpts) (connectorbuilder.ConnectorBuilderV2, []connectorbuilder.Opt, error) {
	l := ctxzap.Extract(ctx)
	if cfg == nil {
		return nil, nil, fmt.Errorf("config is nil")
	}
	cb, err := New(ctx, cfg.CredentialsJSONFilePath)
	if err != nil {
		l.Error("error creating connector", zap.Error(err))
		return nil, nil, err
	}
	return cb, nil, nil
}

@@ -0,0 +1,13 @@
#!/bin/bash
cd /Users/laurenleach/go/src/github.com/ConductorOne/baton-google-bigquery
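Review bot: the first command of this new 13-line file hard-codes a developer's local checkout path (`cd /Users/laurenleach/go/src/github.com/ConductorOne/baton-google-bigquery`), which fails on any other machine and inside the container build; the remaining 11 lines are not shown here, so this reads as a local helper committed by mistake. Drop it from the PR (and ignore it alongside the binary a later commit adds to .gitignore), or, if it is meant to ship, make the path relative to the repo root and show the full file for review.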


interestingly the leftover file here is different than in a few other repos.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@go.mod`:
- Line 138: The project uses golang.org/x/oauth2 v0.26.0 which is vulnerable
(see jws.Verify); update the dependency in go.mod to v0.27.0 or later
(recommended v0.34.0), run `go get golang.org/x/oauth2@v0.34.0` and `go mod
tidy` to update go.sum, then rebuild/run tests to confirm nothing else breaks
and verify no remaining references to v0.26.0.
- Line 135: Update the indirect dependency golang.org/x/crypto in go.mod from
v0.34.0 to at least v0.45.0 (preferably v0.47.0) to remediate multiple
high-severity SSH CVEs; modify the module version line for golang.org/x/crypto
in go.mod accordingly, run go get golang.org/x/crypto@v0.47.0 (or `@v0.45.0`) to
update go.sum, and run go mod tidy to ensure the lock file is consistent and
tests/build pass.

go.mod Outdated
google.golang.org/genproto/googleapis/rpc v0.0.0-20240506185236-b8a5c65736ae // indirect
google.golang.org/grpc v1.63.2
google.golang.org/protobuf v1.34.1 // indirect
golang.org/x/crypto v0.34.0 // indirect


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

golang.org/x/crypto latest version February 2026 security vulnerabilities

💡 Result:

Latest version (as of February 2026)

  • golang.org/x/crypto: v0.47.0, published Jan 12, 2026. [1]

Security vulnerabilities to know about (and fixed versions)

From the Go Vulnerability Database (reviewed reports):

  • CVE-2025-22869 (GO-2025-3487) – SSH DoS (slow/incomplete key exchange); affected: < v0.35.0. [2]
  • CVE-2025-47913 (GO-2025-4116) – SSH agent client panic on unexpected SSH_AGENT_SUCCESS; affected: < v0.43.0. [3]
  • CVE-2025-47914 (GO-2025-4135) – SSH agent server panic due to message size validation bug; affected: < v0.45.0. [4]
  • CVE-2025-58181 (GO-2025-4134) – SSH server unbounded memory consumption (GSSAPI mechanisms not bounded); affected: < v0.45.0. [5]
  • (Older) CVE-2019-11840 (GO-2022-0209) – salsa20 amd64 issue for extremely large streams; affected only very old pseudo-versions (pre-2019 fix). [6]

Bottom line

If you’re on v0.47.0, you’re not affected by the above known x/crypto CVEs (they were fixed in earlier releases). [1–6]


🌐 Web query:

golang.org/x/crypto v0.34.0 vulnerabilities GO-2025-3487 GO-2025-4116 patches

💡 Result:

golang.org/x/crypto@v0.34.0 is vulnerable to both:

  • GO-2025-3487 (CVE-2025-22869) – DoS in golang.org/x/crypto/ssh; affects versions before v0.35.0 (so v0.34.0 is affected). Patch: upgrade to ≥ v0.35.0. [1][2]
  • GO-2025-4116 (CVE-2025-47913) – client panic/DoS in golang.org/x/crypto/ssh/agent; affects versions before v0.43.0 (so v0.34.0 is affected). Patch: upgrade to ≥ v0.43.0. [3][4]

Recommended patch (covers both)

Upgrade to v0.43.0 or newer:

go get golang.org/x/crypto@v0.43.0
go mod tidy

(Or upgrade to the latest available x/crypto if your policy is “latest patched”.)

Optionally verify in your repo:

govulncheck ./...

🌐 Web query:

golang.org/x/crypto CVE security advisory GHSA DoS SSH

💡 Result:

  • Primary SSH DoS advisory (x/crypto/ssh): GHSA-hcg3-q754-cr77 / CVE-2025-22869 — SSH servers (notably those implementing file transfer protocols) can be denied service via slow or incomplete key exchange, causing the server to buffer pending content into memory that is never sent. Affected: golang.org/x/crypto < v0.35.0. Fix: upgrade to v0.35.0+. Severity: High (CVSS 7.5). [1][2][3]

  • Related SSH agent issue (panic): GHSA-f6x5-jh6r-wrfv / CVE-2025-47914: golang.org/x/crypto/ssh/agent may panic on malformed messages (out-of-bounds read). Affected: < v0.45.0. Fix: upgrade to v0.45.0+. [4][5]

Sources: [1] GitHub Advisory (GHSA-hcg3-q754-cr77) [2] GitLab Advisory (CVE-2025-22869) [3] Rapid7 summary (CVE-2025-22869) [4] GitHub Advisory (GHSA-f6x5-jh6r-wrfv) [5] Go vuln report (GO-2025-4135 / CVE-2025-47914)


Upgrade golang.org/x/crypto from v0.34.0 to v0.45.0 or later to patch HIGH severity vulnerabilities.

The dependency is vulnerable to multiple CVEs in SSH-related packages:

  • GO-2025-3487 (CVE-2025-22869): SSH Denial of Service via slow/incomplete key exchange (fixed in v0.35.0+)
  • GO-2025-4116 (CVE-2025-47913): SSH agent client panic on unexpected messages (fixed in v0.43.0+)
  • GO-2025-4135 (CVE-2025-47914): SSH agent server panic due to message validation bug (fixed in v0.45.0+)
  • GO-2025-4134 (CVE-2025-58181): SSH server unbounded memory consumption (fixed in v0.45.0+)

Upgrade to v0.45.0 at minimum (which patches all listed CVEs) or v0.47.0 (latest as of January 2026).

🧰 Tools
🪛 OSV Scanner (2.3.2)

[HIGH] 135-135: golang.org/x/crypto 0.34.0: Potential denial of service in golang.org/x/crypto

(GO-2025-3487)


[HIGH] 135-135: golang.org/x/crypto 0.34.0: Potential denial of service in golang.org/x/crypto/ssh/agent

(GO-2025-4116)


[HIGH] 135-135: golang.org/x/crypto 0.34.0: Unbounded memory consumption in golang.org/x/crypto/ssh

(GO-2025-4134)


[HIGH] 135-135: golang.org/x/crypto 0.34.0: Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent

(GO-2025-4135)


[HIGH] 135-135: golang.org/x/crypto 0.34.0: golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read

(GHSA-f6x5-jh6r-wrfv)


[HIGH] 135-135: golang.org/x/crypto 0.34.0: golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange

(GHSA-hcg3-q754-cr77)


[HIGH] 135-135: golang.org/x/crypto 0.34.0: golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption

(GHSA-j5w8-q4qc-rx2x)


go.mod Outdated
golang.org/x/crypto v0.34.0 // indirect
golang.org/x/exp v0.0.0-20250128182459-e0ece0dbea4c // indirect
golang.org/x/net v0.35.0 // indirect
golang.org/x/oauth2 v0.26.0 // indirect


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

golang.org/x/oauth2 GO-2025-3488 vulnerability

💡 Result:

GO-2025-3488 is a denial-of-service (DoS) vulnerability in golang.org/x/oauth2 (alias CVE-2025-22868 / GHSA-6v2p-p543-phr9) where an attacker can supply a malformed token that triggers unexpected memory consumption during token parsing—specifically in golang.org/x/oauth2/jws.Verify. It was published Feb 26, 2025. [1][2]

  • Affected: golang.org/x/oauth2 < v0.27.0 [1][2]
  • Fixed: v0.27.0 [1][2]
  • Severity: GitHub rates it High (CVSS 7.5). [3]

What to do

  • Upgrade: go get golang.org/x/oauth2@v0.27.0 (or newer). [1][2]
  • If you can’t upgrade immediately: add strict limits around any path that accepts untrusted tokens (e.g., HTTP request body/header size limits) to reduce the chance of memory-exhaustion DoS. (Advisory impact is unexpected memory use on parsing malformed tokens. [1][2])

Sources: Go vuln database / pkg.go.dev report [1], OSV entry [2], GitHub Advisory Database [3].

References

  1. https://pkg.go.dev/vuln/GO-2025-3488
  2. https://osv.dev/vulnerability/GO-2025-3488
  3. GHSA-6v2p-p543-phr9

🌐 Web query:

golang.org/x/oauth2 GHSA-6v2p-p543-phr9 security advisory

💡 Result:

GHSA-6v2p-p543-phr9 is a GitHub-reviewed advisory for CVE-2025-22868 affecting golang.org/x/oauth2.

  • Issue: A malformed token can trigger unexpected memory consumption during parsing, leading to Denial of Service (DoS). [1][2]
  • Affected: golang.org/x/oauth2 < v0.27.0 (Go module). [1][2]
  • Fix: Upgrade to v0.27.0+. [1][2]
  • Where in the code: Go’s vulnerability entry flags golang.org/x/oauth2/jws (notably the Verify symbol) as the affected surface. [2]
  • Severity: High (CVSS 7.5), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. [1]

Upgrade command:

go get golang.org/x/oauth2@v0.27.0

🌐 Web query:

golang.org/x/oauth2 latest version 2026 security patches

💡 Result:

  • Latest released version (as of Feb 3, 2026): golang.org/x/oauth2 v0.34.0 (tagged/published Dec 1, 2025). [1]
  • Latest security fix line: The Go security team tagged v0.27.0 on Feb 24, 2025 to fix CVE-2025-22868 / GO-2025-3488 (“unexpected memory consumption during token parsing”) in golang.org/x/oauth2/jws; versions before v0.27.0 are affected. [2][3]
  • Any newer (2026) security patches for this module? None are indicated in the Go vulnerability database entries for golang.org/x/oauth2 beyond GO-2025-3488. [3]

Upgrade recommendation: use v0.34.0 (or at least >= v0.27.0). [1][3]

go get golang.org/x/oauth2@v0.34.0

Sources: [1] https://pkg.go.dev/golang.org/x/oauth2?tab=versions, [2] https://groups.google.com/g/golang-announce/c/wImnF7NFhJE, [3] https://pkg.go.dev/vuln/GO-2025-3488


Upgrade golang.org/x/oauth2 from v0.26.0 to v0.27.0 or later to fix HIGH severity DoS vulnerability.

golang.org/x/oauth2 v0.26.0 is affected by CVE-2025-22868 (GO-2025-3488 / GHSA-6v2p-p543-phr9), a denial-of-service vulnerability where a malformed token triggers unexpected memory consumption during parsing in golang.org/x/oauth2/jws.Verify. Given that this connector uses OAuth2 for Google BigQuery authentication, this is directly exploitable in your authentication flow.

Upgrade to v0.27.0 (released Feb 24, 2025) or the latest v0.34.0 (released Dec 1, 2025):

go get golang.org/x/oauth2@v0.34.0
🧰 Tools
🪛 OSV Scanner (2.3.2)

[HIGH] 138-138: golang.org/x/oauth2 0.26.0: Unexpected memory consumption during token parsing in golang.org/x/oauth2

(GO-2025-3488)


[HIGH] 138-138: golang.org/x/oauth2 0.26.0: golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability

(GHSA-6v2p-p543-phr9)

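A defender-side gate tied to the two dependency findings above (x/crypto below v0.45.0, x/oauth2 below v0.27.0), added here as an example and not code from the PR or from baton-sdk: it scans the require directives of a go.mod and flags tracked modules pinned below their patched release, indirect ones included. The go.mod excerpt, the placeholder module path and the minimum-version table are constructed from the review comments above.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Minimum patched versions from the review comments above (x/crypto: GO-2025-3487/4116/4134/4135; x/oauth2: GO-2025-3488).
var minFixed = map[string]string{
	"golang.org/x/crypto": "v0.45.0",
	"golang.org/x/oauth2": "v0.27.0",
}

// Constructed go.mod excerpt mirroring the flagged lines in the PR; the module path is a placeholder.
const sampleGoMod = `module example.com/placeholder/baton-google-bigquery
require google.golang.org/grpc v1.63.2
require (
	golang.org/x/crypto v0.34.0 // indirect
	golang.org/x/exp v0.0.0-20250128182459-e0ece0dbea4c // indirect
	golang.org/x/net v0.35.0 // indirect
	golang.org/x/oauth2 v0.26.0 // indirect
)
`

// Finding is one require line pinned below its patched version.
type Finding struct {
	Module, Have, MinFixed string
	Indirect               bool
}

// numeric parses "vMAJOR.MINOR.PATCH"; the date/hash suffix of a pseudo-version is ignored.
func numeric(v string) (out [3]int, err error) {
	_, err = fmt.Sscanf(v, "v%d.%d.%d", &out[0], &out[1], &out[2])
	return out, err
}

// Below reports whether have is an older release than want; unparsable input is never flagged.
func Below(have, want string) bool {
	h, errH := numeric(have)
	w, errW := numeric(want)
	if errH != nil || errW != nil {
		return false
	}
	for i := range h {
		if h[i] != w[i] {
			return h[i] < w[i]
		}
	}
	return false
}

// CheckGoMod scans single-line and block require directives and returns every tracked module pinned below its patched version; indirect requirements count because the package is still linked.
func CheckGoMod(gomod string) []Finding {
	var findings []Finding
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case strings.HasPrefix(line, "require ("), inBlock && line == ")":
			inBlock = line != ")" // enter or leave a require ( ... ) block
			continue
		case !inBlock && !strings.HasPrefix(line, "require "):
			continue // module, go, replace and other directives
		}
		fields := strings.Fields(strings.TrimPrefix(line, "require "))
		if len(fields) < 2 || strings.HasPrefix(fields[0], "//") {
			continue // blank line or comment inside the block
		}
		if want, tracked := minFixed[fields[0]]; tracked && Below(fields[1], want) {
			findings = append(findings, Finding{Module: fields[0], Have: fields[1],
				MinFixed: want, Indirect: strings.Contains(line, "// indirect")})
		}
	}
	return findings
}

func main() {
	for _, f := range CheckGoMod(sampleGoMod) {
		fmt.Printf("%s %s is below patched %s (indirect=%v)\n", f.Module, f.Have, f.MinFixed, f.Indirect)
	}
}
```

In CI, `govulncheck ./...` (cited in the query result above) remains the authoritative, call-graph-aware check; this is only a quick go.mod gate for the advisories the review flagged.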

laurenleach and others added 2 commits February 3, 2026 11:57
…and ResourceSyncerV2

- Update main.go to use RunConnector with WithDefaultCapabilitiesConnectorBuilder
- Update connector.NewConnector signature to remove cli.ConnectorOpts parameter
- Update ResourceSyncers to return ResourceSyncerV2 slice
- Add pkg/config/config.go (renamed from schema.go)
- Remove deprecated .github/workflows/capabilities.yaml

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Renamed to config.go in previous commit as part of containerization updates.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@laurenleach laurenleach marked this pull request as draft February 3, 2026 20:08
laurenleach and others added 3 commits February 3, 2026 12:55
Replace pagination.Token with rs.SyncOpAttrs parameter and return
*rs.SyncOpResults instead of string/annotations tuple in all List,
Entitlements, and Grants methods across users, datasets, roles, and
projects resource syncers.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Updated SDK to latest version (v0.7.13)
- Fixed CI workflow: moved checkout step before Go setup in all jobs
- Updated main.go to use connectorrunner.WithDefaultCapabilitiesConnectorBuilderV2
- Fixed connector.New signature to match V2 SDK requirements:
  * Added cli.ConnectorOpts parameter
  * Returns (ConnectorBuilderV2, []Opt, error)
- Updated integration tests to use rs.SyncOpAttrs instead of pagination.Token pointers
- Fixed config/gen/gen.go to use config.Config instead of struct literal
- Added baton-google-bigquery binary to .gitignore

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
…x Makefile

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>