
Running docker scout on software built from source reports a different version than it should

Status: Open. gergelyfabian opened this issue 3 months ago, 0 comments.

I built ArgoCD from source:

mkdir argocd_build && \
    cd argocd_build && \
    mkdir gocache && \
    mkdir gopath && \
    export GOCACHE="$(realpath gocache)" && \
    export GOPATH="$(realpath gopath)" && \
    git clone https://github.com/argoproj/argo-cd  &&  \
    cd argo-cd && \
    git checkout master && \
    make clean && \
    make BIN_NAME=argocd-linux-amd64 GOOS=linux argocd-all

Built from 08cd54775046c6ca7071ebe4f5d817f2658cd3c9 (current master).

Docker Scout reports a CVE on it:

   1C     0H     0M     0L  github.com/argoproj/argo-cd/v3 3.0.0-20250826192237-08cd54775046
pkg:golang/github.com/argoproj/argo-cd@3.0.0-20250826192237-08cd54775046#v3

18: sha256:1326df62499f5e3478c1d5872b8acf7bbc3fad28394319df5c4a2327961e826f
/usr/local/bin/argocd (evident by)

    ✗ CRITICAL CVE-2025-47933 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
      https://scout.docker.com/v/CVE-2025-47933
      Affected range : <3.0.4                                        
      Fixed version  : 3.0.4                                         
      CVSS Score     : 9.0                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H  

Even though in the image it says:

$ /usr/local/bin/argocd version
argocd: v3.2.0+08cd547
  BuildDate: 2025-08-27T07:08:37Z
  GitCommit: 08cd54775046c6ca7071ebe4f5d817f2658cd3c9
  GitTreeState: clean
  GoVersion: go1.25.0
  Compiler: gc
  Platform: linux/amd64
{"level":"fatal","msg":"Argo CD server address unspecified","time":"2025-08-27T07:38:40Z"}

If I build from ArgoCD's newest tag (v3.1.1) then I cannot reproduce this issue.

gergelyfabian, Aug 27 '25 08:08
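The version Scout attributes to the binary above, 3.0.0-20250826192237-08cd54775046, has the shape of a Go pseudo-version for an untagged commit (vX.0.0-timestamp-hash, the form Go uses when no tag of that major version is an ancestor of the commit), and under semver precedence a pre-release sorts before the release it precedes, so a range check of "< 3.0.4" matches it while the ldflags string v3.2.0+08cd547 does not. The following program, an added example that is not part of the issue and not code from Argo CD or Docker Scout, makes that comparison explicit; the function names (Parse, Compare, AffectedBelow, IsUntaggedPseudoVersion) are my own, and the inputs are taken from the issue text.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Version is a parsed semantic version. Build metadata ("+08cd547") is
// dropped on parse because semver gives it no precedence.
type Version struct {
	Major, Minor, Patch int
	Pre                 []string // pre-release identifiers; nil for a release
}

// pseudoRe matches the pseudo-version Go stamps for a commit with no tagged
// ancestor of the same major version: vX.0.0-yyyymmddhhmmss-abcdefabcdef.
var pseudoRe = regexp.MustCompile(`^v?\d+\.0\.0-\d{14}-[0-9a-f]{12}$`)

// IsUntaggedPseudoVersion reports whether v has that shape.
func IsUntaggedPseudoVersion(v string) bool { return pseudoRe.MatchString(v) }

// Parse accepts "3.0.4", "v3.2.0+08cd547" and "3.0.0-20250826192237-08cd54775046".
func Parse(s string) (Version, error) {
	s = strings.TrimPrefix(s, "v")
	if i := strings.IndexByte(s, '+'); i >= 0 {
		s = s[:i] // build metadata never affects ordering
	}
	var pre []string
	if i := strings.IndexByte(s, '-'); i >= 0 {
		pre = strings.Split(s[i+1:], ".")
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("malformed version %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil {
			return Version{}, fmt.Errorf("malformed version %q: %w", s, err)
		}
		n[i] = v
	}
	return Version{Major: n[0], Minor: n[1], Patch: n[2], Pre: pre}, nil
}

func cmpInt(x, y int) int {
	switch {
	case x < y:
		return -1
	case x > y:
		return 1
	}
	return 0
}

// Compare implements semver precedence: numeric core first; a pre-release
// sorts before the release it precedes; then identifier by identifier
// (numeric < alphanumeric, shorter list < longer list).
func Compare(a, b Version) int {
	for _, p := range [][2]int{{a.Major, b.Major}, {a.Minor, b.Minor}, {a.Patch, b.Patch}} {
		if c := cmpInt(p[0], p[1]); c != 0 {
			return c
		}
	}
	switch {
	case a.Pre == nil && b.Pre == nil:
		return 0
	case a.Pre == nil: // a release outranks its own pre-release
		return 1
	case b.Pre == nil:
		return -1
	}
	for i := 0; i < len(a.Pre) && i < len(b.Pre); i++ {
		ai, aErr := strconv.Atoi(a.Pre[i])
		bi, bErr := strconv.Atoi(b.Pre[i])
		var c int
		switch {
		case aErr == nil && bErr == nil:
			c = cmpInt(ai, bi)
		case aErr == nil: // numeric identifiers sort before alphanumeric ones
			c = -1
		case bErr == nil:
			c = 1
		default:
			c = strings.Compare(a.Pre[i], b.Pre[i])
		}
		if c != 0 {
			return c
		}
	}
	return cmpInt(len(a.Pre), len(b.Pre))
}

// AffectedBelow reports whether v falls inside an advisory range of the form "< fixed".
func AffectedBelow(v, fixed string) (bool, error) {
	pv, err := Parse(v)
	if err != nil {
		return false, err
	}
	pf, err := Parse(fixed)
	if err != nil {
		return false, err
	}
	return Compare(pv, pf) < 0, nil
}

func main() {
	// Constructed from the issue: the version Scout attributes to the binary,
	// the version the binary prints, and the advisory's fixed version 3.0.4.
	for _, v := range []string{"3.0.0-20250826192237-08cd54775046", "v3.2.0+08cd547"} {
		hit, _ := AffectedBelow(v, "3.0.4")
		fmt.Printf("%-36s untagged pseudo-version=%-5v matches <3.0.4: %v\n",
			v, IsUntaggedPseudoVersion(v), hit)
	}
}
```

The check to run on the image is go version -m /usr/local/bin/argocd: its mod line is the module version stamped into the binary's build info, which is what module-aware scanners read, whereas argocd version prints the string set through ldflags. If the mod line shows a vX.0.0-timestamp-hash pseudo-version, no vX tag was reachable from the commit at build time, and comparing against a release range will place that build before every X.y.z release.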