argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0
16.67k stars 5.05k forks

ArgoCD ships with Golang 1.18.1 which contains a large number of CVEs. #18595

Open peadarom opened 2 weeks ago

peadarom commented 2 weeks ago

Describe the bug

ArgoCD ships with a version of Golang that is a few years old - version 1.18.1 and that version contains lots of CVEs.

Details

ArgoCD ships with a version of Golang that is a few years old - version 1.18.1 and that version contains lots of CVEs. Scanners such as XRAY are able to detect lots of CVEs in the latest version of ArgoCD, whereas Snyk is unable to because Snyk is presently unable to detect issues with the Go Standard Library.

I have read your security notice regarding scanners and CVEs, but I believe you may not know about these ones because Snyk doesn't have the capability to detect issues with the Go Standard Library, which is why I am bringing this to your attention.

To Reproduce

Scan ArgoCD with XRAY using jf docker scan quay.io/argoproj/argocd:v2.10.12 to see the results.

Expected behavior

Go is bumped to the latest version.

Screenshots

(screenshot attached: Screenshot 2024-06-11 at 12 54 29 PM)

thecooldrop commented 1 week ago

Hello @christianh814 I would like to work on this issue.

christianh814 commented 1 week ago

@thecooldrop Yes, feel free to work on this!

peadarom commented 1 week ago

Thank you!!

jannfis commented 1 week ago

The latest version of the Argo CD 2.10 branch is built with Go 1.21.3.

Not sure where your scanner results come from, but I believe it's a false positive.

thecooldrop commented 1 week ago

Looking at the Dockerfile and go.mod file in the release 2.10 branch, it seems that Go version 1.21 is used.

I will try to replicate the issue with the xray scanner soon and will get back to you.

crenshaw-dev commented 1 week ago

I think it's because of an old version of git-lfs, which is built with an old version of go.
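The git-lfs explanation above is the useful triage point for anyone reading this thread: a scanner that reports Go standard-library CVEs against an image is matching the toolchain version embedded in some binary in that image, which need not be the main argocd binary. The program below is an added example, not part of this thread and not Argo CD or git-lfs code. It walks an unpacked image filesystem, reads the build information that every Go binary embeds (via the standard debug/buildinfo package), and flags binaries whose recorded toolchain is older than a minimum you choose. The root directory and minimum version are command-line arguments of this example; the output format and the "treat unparseable versions as outdated" policy are choices made here, not anything from the thread.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"strconv"
)

// Finding describes one Go binary found under the scanned tree.
type Finding struct {
	Path      string // file path of the binary
	GoVersion string // toolchain recorded in the binary's embedded build info
	MainPath  string // module path of the main package, e.g. github.com/git-lfs/git-lfs
	Outdated  bool   // true when GoVersion predates the required minimum
}

// goVersionRe matches release strings such as "go1.21.3" and pre-releases such as "go1.22rc1".
var goVersionRe = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?`)

// parseGoVersion converts "go1.21.3" into [1 21 3]; a missing patch number counts as 0.
func parseGoVersion(v string) ([3]int, bool) {
	m := goVersionRe.FindStringSubmatch(v)
	if m == nil {
		return [3]int{}, false
	}
	var out [3]int
	for i := 0; i < 3; i++ {
		if m[i+1] == "" {
			continue
		}
		n, err := strconv.Atoi(m[i+1])
		if err != nil {
			return [3]int{}, false
		}
		out[i] = n
	}
	return out, true
}

// olderThan reports whether toolchain version a predates version b.
// Strings that do not parse (e.g. "devel +abc123") are treated as outdated so
// that they surface for manual review instead of silently passing.
func olderThan(a, b string) bool {
	pa, okA := parseGoVersion(a)
	pb, okB := parseGoVersion(b)
	if !okA || !okB {
		return true
	}
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// ScanDir walks root and reports every Go binary it finds together with the
// toolchain that built it. Files without Go build info (scripts, C binaries,
// data files) are skipped, so root can be a whole unpacked image rootfs.
func ScanDir(root, minVersion string) ([]Finding, error) {
	var findings []Finding
	walkErr := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			if d == nil {
				return err // the root itself is missing or unreadable
			}
			return nil // an unreadable subtree: skip it rather than abort the scan
		}
		if !d.Type().IsRegular() {
			return nil // directories, symlinks and devices carry no build info
		}
		info, rerr := buildinfo.ReadFile(path)
		if rerr != nil {
			return nil // not a Go binary: ignore
		}
		findings = append(findings, Finding{
			Path:      path,
			GoVersion: info.GoVersion,
			MainPath:  info.Path,
			Outdated:  olderThan(info.GoVersion, minVersion),
		})
		return nil
	})
	return findings, walkErr
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: scan-go-binaries <rootfs-dir> <minimum-go-version, e.g. go1.21.3>")
		os.Exit(2)
	}
	findings, err := ScanDir(os.Args[1], os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan failed:", err)
		os.Exit(1)
	}
	outdated := 0
	for _, f := range findings {
		status := "ok      "
		if f.Outdated {
			status = "OUTDATED"
			outdated++
		}
		fmt.Printf("%s  %-10s  %s  (%s)\n", status, f.GoVersion, f.Path, f.MainPath)
	}
	fmt.Printf("%d Go binaries, %d below %s\n", len(findings), outdated, os.Args[2])
}
```

To point it at an image, export the container filesystem first (for example `docker export "$(docker create IMAGE)" | tar -x -C rootfs`) and then run the program on the `rootfs` directory with the Go version the project claims to build with. Any binary that prints as OUTDATED, with its main module path beside it, is the one a scanner's standard-library findings actually belong to; the build information is read from the file headers, so the binaries do not need to be executed and the scan works across ELF, PE and Mach-O targets.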

crenshaw-dev commented 1 week ago

https://github.com/argoproj/argo-cd/issues/18723

agaudreault commented 1 week ago

Closing as a duplicate of #18723 and #18278?