Argo CD is being flagged as vulnerable by Trivy #15628
Comments
Would you mind opening a PR to upgrade k8s.io/kubernetes to |
@crenshaw-dev I need to estimate the effort and have a discussion with my team before proceeding. I have not really coded in Go, but I guess it should be ok if the changes are not much more than two |
@je-munobia I believe that would indeed be the process. I think if it were me I'd start with find/replace in go.mod and then run Here's the contributing doc: https://argo-cd.readthedocs.io/en/latest/developer-guide/code-contributions/ |
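The go.mod find/replace step mentioned above, as an added example (not code from the Argo CD project or from anyone in this thread): a POSIX shell script that lists the k8s.io/* versions pinned in a go.mod replace block, bumps them all to one new release, and keeps a .bak copy so the change can be reviewed with diff before the module tidy step. It assumes the "k8s.io/<pkg> => k8s.io/<pkg> vX.Y.Z" replace form; the go.mod it writes is constructed, and v0.26.11 is a placeholder version, not a recommendation.

```shell
#!/bin/sh
# Added example, not Argo CD project code. Bumps every k8s.io/* pin in a
# go.mod replace block. k8s.io/kubernetes is versioned v1.X.Y while the split
# repos (k8s.io/api, k8s.io/apimachinery, ...) use v0.X.Y for the same release,
# so the major digit is kept and only minor.patch is replaced.
set -eu

# Write a small constructed go.mod to $1 (three k8s.io pins, one non-k8s pin).
make_sample_gomod() {
  cat >"$1" <<'EOF'
module example.com/demo

go 1.20

replace (
    github.com/example/lib => github.com/example/lib v1.2.3
    k8s.io/api => k8s.io/api v0.24.2
    k8s.io/apimachinery => k8s.io/apimachinery v0.24.2
    k8s.io/kubernetes => k8s.io/kubernetes v1.24.2
)
EOF
}

# Print "<module> <version>" for every k8s.io pin in the replace block of $1.
k8s_pins() {
  sed -n -E 's#^[[:space:]]*(k8s\.io/[^ ]+) => k8s\.io/[^ ]+ (v[0-9]+\.[0-9]+\.[0-9]+).*#\1 \2#p' "$1"
}

# Rewrite every k8s.io/* pin in $1 to the minor.patch of $2 (e.g. v0.26.11),
# preserving each module's own major digit. Leaves a $1.bak copy for diffing.
bump_k8s_pins() {
  minor_patch=${2#v*.}   # "v0.26.11" -> "26.11"
  sed -i.bak -E "s#^([[:space:]]*k8s\.io/[^ ]+ => k8s\.io/[^ ]+ v[0-9]+)\.[0-9]+\.[0-9]+#\1.${minor_patch}#" "$1"
}

# Demo: write the sample, bump it, and show the diff for review.
demo() {
  dir=$(mktemp -d); f="$dir/go.mod"
  make_sample_gomod "$f"
  echo "before:"; k8s_pins "$f"
  bump_k8s_pins "$f" v0.26.11
  echo "after:"; k8s_pins "$f"
  diff -u "$f.bak" "$f" || true   # diff exits 1 when the files differ
  rm -rf "$dir"
}
demo
```

After the edit, run the module tidy step and rebuild before re-scanning, since the pinned versions are only one input to what the scanner reports.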
Fixes argoproj#15628 Signed-off-by: Shyukri Shyukriev <shyukri.shyukriev@mariadb.com>
@crenshaw-dev I will open a PR for this one as this is also being flagged in our aqua scans. |
The new version fixes several well known CVEs that tools like Trivy alert for. Fixes argoproj#15628 Signed-off-by: Zoltán Reegn <zoltan.reegn@gmail.com>
@crenshaw-dev pushed a PR to upgrade. |
Please see #16915 (comment) |
Checklist:
argocd version
Describe the bug
Argo CD is being flagged as vulnerable by Trivy and Qualys since July and there is still no version of Argo CD that fixes the problem. I understand that it may be some bundled product that causes this vulnerability, but this is still important for your users that actually scan for vulnerabilities. This causes all sorts of issues for all shops with stringent security requirements.
(Note: Issue looks related to upgrade of indirect dependencies that was done last year in #9932 due to issue #10233)
To Reproduce
Just run Trivy on Argo CD latest version.
Expected behavior
No reported vulnerabilities by Trivy.
Screenshots
Version
Logs
Trivy scan output: