Vulnerable golang version used to package applicationset-controller
Hello,
Applicationset-controller is packaged using an old golang version which contains vulnerabilities.
{ "name": "go", "version": "1.17.6", "path": "/usr/local/bin/applicationset-controller", "layerTime": 1646920413, "knownVulnerabilities": 55 },
CVEs:
CVE-2022-23806 | critical | | go | 1.17.6 | fixed in 1.17.7, 1.16.14 | 11-Feb-2022 00:00 | 21-Mar-2022 13:11
CVE-2022-24921 | high | | go | 1.17.6 | fixed in 1.17.8, 1.16.15 | 03-Mar-2022 00:00 | 21-Mar-2022 13:11
CVE-2022-23773 | high | | go | 1.17.6 | fixed in 1.17.7, 1.16.14 | 18-Nov-2019 00:00 | 21-Mar-2022 13:11
CVE-2022-23772 | high | | go | 1.17.6 | fixed in 1.17.7, 1.16.14 | 19-Jan-2022 00:00 | 21-Mar-2022 13:11
I have raised a similar ticket for the argocd package.
https://github.com/argoproj/argo-cd/issues/8853
It was fixed under https://github.com/argoproj/argo-cd/pull/8866
Could you please repackage the applicationset-controller and release a new image with the binary built with the latest golang version?
Thanks!
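As an added example (not part of the issue and not Argo CD project code), the scanner rows above can be reduced to the lowest Go patch release that clears every listed CVE on the release line the binary was built with. The names `rows`, `split` and `MinFixed` are hypothetical, and the code assumes three-part versions such as `1.17.6` and that each CVE has a fix on that release line.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed from the scanner rows quoted in the issue: CVE ID, "fixed in" column.
var rows = [][2]string{
	{"CVE-2022-23806", "1.17.7, 1.16.14"},
	{"CVE-2022-24921", "1.17.8, 1.16.15"},
	{"CVE-2022-23773", "1.17.7, 1.16.14"},
	{"CVE-2022-23772", "1.17.7, 1.16.14"},
}

// split turns "1.17.6" into release line "1.17" and patch number 6.
// Assumes three-part versions; a non-numeric patch is treated as 0.
func split(v string) (string, int) {
	p := strings.Split(strings.TrimSpace(v), ".")
	patch, _ := strconv.Atoi(p[len(p)-1])
	return strings.Join(p[:len(p)-1], "."), patch
}

// MinFixed returns the lowest patch release on the same release line as
// built that carries every listed fix, plus the CVEs still open in built.
func MinFixed(built string, fixes [][2]string) (string, []string) {
	line, cur := split(built)
	target, open := cur, []string{}
	for _, row := range fixes {
		for _, f := range strings.Split(row[1], ",") {
			fixLine, fixPatch := split(f)
			if fixLine != line {
				continue // fix belongs to another release line
			}
			if fixPatch > cur {
				open = append(open, row[0]) // built version predates the fix
			}
			if fixPatch > target {
				target = fixPatch
			}
		}
	}
	return fmt.Sprintf("%s.%d", line, target), open
}

func main() {
	target, open := MinFixed("1.17.6", rows)
	fmt.Printf("rebuild with go %s or later to clear %v\n", target, open)
}
```

For the 1.17.6 binary in the report this gives 1.17.8 rather than 1.17.7, because CVE-2022-24921 is only fixed in the later patch release.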
@wtam2018 @jgwest : should we have to re-release older version?
None of the CVEs impact APIs that are consumed by the applicationset controller, AFAIK.