Report the use of components with vulnerabilities in argo-cd

[HouqiyuA]

Dear Team Members:
Greetings! Our team is very interested in your project. we performed source code perspective security analysis (SCA) and vulnerability library association analysis on this project and found that components with vulnerabilities are still being used into this project.We would like to report this issue to you,so that you can fix and improve it accordingly. I add the details in json file below. Please confirm whether this problem really exists and confirm with us. Looking forward to hearing from you and discussing more details with us, thank you very much for your time and attention.

Note: Each "affect_components" field in the report represents the vulnerable component introduced by this project. The other is the vulnerability information associated with it.

Qiyu Hou

argo-cd-master_report.json

[crenshaw-dev]

Hi! Analyzing security scanner output and remediating each reported vulnerability is beyond what the Argo CD team can provide.

We run our own Snyk scans weekly and target remediating any Critical or High severity vulnerabilities in the currently-supported release range.

If you would like to request that a certain dependency vulnerability be resolved, please report it as its own issue along with the severity according to Snyk and the affected Argo CD version(s) (if they are in the currently supported version range).

If Snyk evaluates the vulnerability to be less than High severity, and you would still like the vulnerability to be remediated, please provide an explanation of why the vulnerability poses a real (and not just theoretical) threat to users.

Finally, pull requests are appreciated and will likely be addressed more quickly than issues.