Argo CD is being flagged as vulnerable by Trivy #15628

Closed
3 tasks done
je-munobia opened this issue Sep 22, 2023 · 6 comments
Labels
bug Something isn't working

Comments

@je-munobia

Checklist:

  • I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I've included steps to reproduce the bug.
  • I've pasted the output of argocd version.

Describe the bug
Argo CD is being flagged as vulnerable by Trivy and Qualys since July and there is still no version of Argo CD that fixes the problem. I understand that it may be some bundled product that causes this vulnerability, but this is still important for your users that actually scan for vulnerabilities. This causes all sorts of issues for all shops with stringent security requirements.

(Note: Issue looks related to upgrade of indirect dependencies that was done last year in #9932 due to issue #10233)

To Reproduce

Just run Trivy on Argo CD latest version.

Expected behavior

No reported vulnerabilities by Trivy.

Screenshots

Version

root@backend-cicdagents-scaledjob-pm5jk-4x5dm:/azp# argocd version
argocd: v2.8.4+c279299
  BuildDate: 2023-09-13T19:43:37Z
  GitCommit: c27929928104dc37b937764baf65f38b78930e59
  GitTreeState: clean
  GoVersion: go1.20.7
  Compiler: gc
  Platform: linux/amd64
FATA[0000] Argo CD server address unspecified           

Logs
Trivy scan output :

usr/local/bin/argocd (gobinary)
===============================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 0, CRITICAL: 0)

┌───────────────────┬───────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬───────────────────────────────────────────────────────────┐
│      Library      │ Vulnerability │ Severity │ Status │ Installed Version │          Fixed Version           │                           Title                           │
├───────────────────┼───────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│ k8s.io/apiserver  │ CVE-2020-8552 │ MEDIUM   │ fixed  │ v0.24.2           │ 1.15.10, 1.16.7, 1.17.3          │ kubernetes: Use of unbounded 'client' label in            │
│                   │               │          │        │                   │                                  │ apiserver_request_total allows for memory exhaustion...   │
│                   │               │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2020-8552                 │
├───────────────────┼───────────────┤          │        ├───────────────────┼──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│ k8s.io/kubernetes │ CVE-2023-2431 │          │        │ v1.24.2           │ 1.24.14, 1.25.10, 1.26.5, 1.27.2 │ Bypass of seccomp profile enforcement                     │
│                   │               │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-2431                 │
│                   ├───────────────┤          │        │                   ├──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│                   │ CVE-2023-2727 │          │        │                   │ 1.27.3, 1.26.6, 1.25.11, 1.24.15 │ Bypassing policies imposed by the ImagePolicyWebhook      │
│                   │               │          │        │                   │                                  │ admission plugin                                          │
│                   │               │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-2727                 │
│                   ├───────────────┤          │        │                   │                                  ├───────────────────────────────────────────────────────────┤
│                   │ CVE-2023-2728 │          │        │                   │                                  │ Bypassing enforce mountable secrets policy imposed by the │
│                   │               │          │        │                   │                                  │ ServiceAccount admission plugin...                        │
│                   │               │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-2728                 │
└───────────────────┴───────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴───────────────────────────────────────────────────────────┘
@je-munobia je-munobia added the bug Something isn't working label Sep 22, 2023
@crenshaw-dev
Collaborator

Would you mind opening a PR to upgrade k8s.io/kubernetes to 1.24.17 and k8s.io/apiserver to 0.24.17?

@je-munobia
Author

@crenshaw-dev I need to estimate the effort and have a discussion with my team before proceeding. I have not really coded in Go, but I guess it should be ok if the changes are not much more than two go get commands and a reasonable contrib ceremony. BTW: Where can I find your contrib guidelines?

@crenshaw-dev
Collaborator

@je-munobia I believe that would indeed be the process. I think if it were me I'd start with find/replace in go.mod and then run go mod tidy, but either should work.

Here's the contributing doc: https://argo-cd.readthedocs.io/en/latest/developer-guide/code-contributions/
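The upgrade procedure described in the two comments above (pick the patch release on the installed release line that clears the findings, rewrite the versions in go.mod, then run `go mod tidy`) as an added example that is not part of the Argo CD project or this thread. It assumes Trivy's JSON report layout (`Results[].Vulnerabilities[]` with `PkgName`, `InstalledVersion`, `FixedVersion`, `VulnerabilityID`) and that k8s.io/* staging modules are versioned v0.X.Y for Kubernetes 1.X.Y, which is why a "Fixed Version" of 1.24.14 for k8s.io/apiserver corresponds to module version v0.24.14. The report and the go.mod below are constructed samples that mirror the table in the issue; `example.com/app` is a placeholder module path.

```python
"""Turn Trivy findings for a Go binary into go.mod version pins.

Added example; not Argo CD project code. Assumes Trivy's JSON report layout
and the k8s.io staging-module convention (v0.X.Y <-> Kubernetes 1.X.Y).
"""
import json
import re

# Constructed sample report, trimmed to the fields this script uses.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "usr/local/bin/argocd",
        "Type": "gobinary",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2020-8552", "PkgName": "k8s.io/apiserver",
             "InstalledVersion": "v0.24.2", "FixedVersion": "1.15.10, 1.16.7, 1.17.3"},
            {"VulnerabilityID": "CVE-2023-2431", "PkgName": "k8s.io/kubernetes",
             "InstalledVersion": "v1.24.2", "FixedVersion": "1.24.14, 1.25.10, 1.26.5, 1.27.2"},
            {"VulnerabilityID": "CVE-2023-2727", "PkgName": "k8s.io/kubernetes",
             "InstalledVersion": "v1.24.2", "FixedVersion": "1.27.3, 1.26.6, 1.25.11, 1.24.15"},
            {"VulnerabilityID": "CVE-2023-2728", "PkgName": "k8s.io/kubernetes",
             "InstalledVersion": "v1.24.2", "FixedVersion": "1.27.3, 1.26.6, 1.25.11, 1.24.15"},
        ],
    }]
})

# Constructed go.mod fragment with a placeholder module path.
SAMPLE_GO_MOD = """module example.com/app

go 1.20

require (
\tk8s.io/apiserver v0.24.2
\tk8s.io/kubernetes v1.24.2
\tsigs.k8s.io/yaml v1.3.0
)

replace k8s.io/kubernetes => k8s.io/kubernetes v1.24.2
"""


def parse_version(v):
    """'v1.24.2' or '1.24.2' -> (1, 24, 2); pre-release/build suffixes are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.groups())


def to_module_version(pkg, kube_version):
    """Map a Kubernetes release number to the module's own version line.
    Assumption: k8s.io/* staging modules (everything except k8s.io/kubernetes)
    use v0.X.Y for Kubernetes 1.X.Y."""
    major, minor, patch = parse_version(kube_version)
    if pkg.startswith("k8s.io/") and pkg != "k8s.io/kubernetes" and major == 1:
        return (0, minor, patch)
    return (major, minor, patch)


def required_pins(report_json):
    """Return (pins, needs_review).

    pins: {module: (major, minor, patch)} -- the lowest version on the
    installed release line that clears every finding for that module.
    needs_review: findings whose listed fixes all lie on other release lines;
    those are surfaced for a human instead of being silently dropped."""
    pins, needs_review = {}, {}
    for result in json.loads(report_json)["Results"]:
        for vuln in result.get("Vulnerabilities", []):
            pkg = vuln["PkgName"]
            installed = parse_version(vuln["InstalledVersion"])
            fixes = [to_module_version(pkg, f.strip())
                     for f in vuln["FixedVersion"].split(",") if f.strip()]
            same_line = [f for f in fixes if f[:2] == installed[:2]]
            if not same_line:
                needs_review[vuln["VulnerabilityID"]] = (
                    pkg, vuln["InstalledVersion"], vuln["FixedVersion"])
                continue
            target = min(same_line)
            if target > installed:
                pins[pkg] = max(pins.get(pkg, installed), target)
    return pins, needs_review


def fmt(v):
    return "v{}.{}.{}".format(*v)


def bump_go_mod(go_mod_text, pins):
    """The find/replace step before `go mod tidy`: rewrite every
    '<module> v<version>' pair (require and replace lines alike) for pinned
    modules; other modules are left untouched."""
    def repl(m):
        mod = m.group(1)
        return f"{mod} {fmt(pins[mod])}" if mod in pins else m.group(0)
    return re.sub(r"(\S+) (v\d+\.\d+\.\d+\S*)", repl, go_mod_text)


if __name__ == "__main__":
    pins, review = required_pins(SAMPLE_REPORT)
    for mod, ver in pins.items():
        print(f"pin {mod} to {fmt(ver)}")
    for cve, detail in review.items():
        print(f"review {cve}: {detail} (no fix listed on the installed release line)")
    print(bump_go_mod(SAMPLE_GO_MOD, pins))
```

On the sample this pins k8s.io/kubernetes to v1.24.15 (the lowest 1.24.x that clears all three 2023 findings) and flags CVE-2020-8552 for review, because every fix Trivy lists for it sits on an older release line than the installed v0.24.2. In practice the latest patch on the line, as suggested above (1.24.17 / 0.24.17), is the better pin; rerun the scanner on the rebuilt binary afterwards rather than trusting the go.mod edit alone.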

shuker85 added a commit to shuker85/argo-cd that referenced this issue Sep 28, 2023
Fixes argoproj#15628
Signed-off-by: Shyukri Shyukriev <shyukri.shyukriev@mariadb.com>
shuker85 added a commit to shuker85/argo-cd that referenced this issue Sep 28, 2023
Fixes argoproj#15628
Signed-off-by: Shyukri Shyukriev <shyukri.shyukriev@mariadb.com>
shuker85 added a commit to shuker85/argo-cd that referenced this issue Sep 28, 2023
Fixes argoproj#15628
Signed-off-by: Shyukri Shyukriev <shyukri.shyukriev@mariadb.com>
shuker85 added a commit to shuker85/argo-cd that referenced this issue Sep 29, 2023
Fixes argoproj#15628
Signed-off-by: Shyukri Shyukriev <shyukri.shyukriev@mariadb.com>
shuker85 added a commit to shuker85/argo-cd that referenced this issue Oct 10, 2023
Fixes argoproj#15628
Signed-off-by: Shyukri Shyukriev <shyukri.shyukriev@mariadb.com>
@reegnz
Contributor

reegnz commented Dec 6, 2023

@crenshaw-dev I will open a PR for this one as this is also being flagged in our aqua scans.
I'll also open a separate one for patching vulnerabilities in helm as well, those are also flagged.

reegnz added a commit to reegnz/argo-cd that referenced this issue Dec 6, 2023
The new version fixes several well known CVEs that tools like Trivy
alert for.

Fixes argoproj#15628
reegnz added a commit to reegnz/argo-cd that referenced this issue Dec 6, 2023
The new version fixes several well known CVEs that tools like Trivy
alert for.

Fixes argoproj#15628

Signed-off-by: Zoltán Reegn <zoltan.reegn@gmail.com>
@reegnz
Contributor

reegnz commented Dec 6, 2023

@crenshaw-dev pushed a PR to upgrade.

crenshaw-dev pushed a commit that referenced this issue Dec 6, 2023
The new version fixes several well known CVEs that tools like Trivy
alert for.

Fixes #15628

Signed-off-by: Zoltán Reegn <zoltan.reegn@gmail.com>
@crenshaw-dev
Collaborator

Please see #16915 (comment)


3 participants