Open peadarom opened 2 weeks ago
Hello @christianh814 I would like to work on this issue.
@thecooldrop Yes, feel free to work on this!
Thank you!!
The latest version of Argo CD 2.10 branch is built with Go 1.21.3
Not sure where your scanner results come from, but I believe it's a false positive.
Looking at the Dockerfile and go.mod file in the release 2.10 branch, it seems that Go 1.21 is used.
I will try to replicate the issue with the xray scanner soon and will get back to you.
I think it's because of an old version of git-lfs, which is built with an old version of go.
Closing as duplicate of #18723 and #18278 ?
Describe the bug
ArgoCD ships with a version of Golang that is a few years old, version 1.18.1, and that version contains lots of CVEs.
Details: Scanners such as XRAY are able to detect lots of CVEs in the latest version of ArgoCD, whereas Snyk is unable to because Snyk is presently unable to detect issues with the Go Standard Library.
I have read your security notice regarding scanners and CVEs, but I believe you may not know about these ones because Snyk doesn't have the capability to detect issues with the Go Standard Library, which is why I am bringing this to your attention.
To Reproduce
Scan ArgoCD with XRAY using
jf docker scan quay.io/argoproj/argocd:v2.10.12
to see the results.
Expected behavior
Go is bumped to the latest version.