argo-cd
chore: upgrade git-url-parse to avoid CVE-2022-0624
Before:
snyk output before change
$ snyk test --org=argoproj --all-projects --exclude=docs,site --severity-threshold=high --policy-path=.snyk
Testing /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd...
Organization: argoproj
Package manager: gomodules
Target file: go.mod
Project name: github.com/argoproj/argo-cd/v2
Open source: no
Project path: /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd
Local Snyk policy: found
Licenses: enabled
✔ Tested 1360 dependencies for known issues, no vulnerable paths found.
Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.
-------------------------------------------------------
Testing /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd...
Tested 356 dependencies for known issues, found 1 issue, 1 vulnerable path.
Issues to fix by upgrading:
Upgrade [email protected] to [email protected] to fix
✗ Authorization Bypass Through User-Controlled Key (new) [High Severity][https://snyk.io/vuln/SNYK-JS-PARSEPATH-2936439] in [email protected]
introduced by [email protected] > [email protected] > [email protected] > [email protected]
Organization: argoproj
Package manager: yarn
Target file: ui/yarn.lock
Project name: argo-cd-ui
Open source: no
Project path: /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd
Local Snyk policy: found
Licenses: enabled
-------------------------------------------------------
Testing /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd...
Organization: argoproj
Package manager: yarn
Target file: ui-test/yarn.lock
Project name: ui-test
Open source: no
Project path: /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd
Local Snyk policy: found
Licenses: enabled
✔ Tested 116 dependencies for known issues, no vulnerable paths found.
Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.
Tested 3 projects, 1 contained vulnerable paths.
After:
snyk output after change
$ snyk test --org=argoproj --all-projects --exclude=docs,site --severity-threshold=high --policy-path=.snyk
Testing /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd...
Organization: argoproj
Package manager: gomodules
Target file: go.mod
Project name: github.com/argoproj/argo-cd/v2
Open source: no
Project path: /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd
Local Snyk policy: found
Licenses: enabled
✔ Tested 1360 dependencies for known issues, no vulnerable paths found.
Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.
-------------------------------------------------------
Testing /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd...
Organization: argoproj
Package manager: yarn
Target file: ui/yarn.lock
Project name: argo-cd-ui
Open source: no
Project path: /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd
Local Snyk policy: found
Licenses: enabled
✔ Tested 350 dependencies for known issues, no vulnerable paths found.
Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.
-------------------------------------------------------
Testing /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd...
Organization: argoproj
Package manager: yarn
Target file: ui-test/yarn.lock
Project name: ui-test
Open source: no
Project path: /Users/mcrenshaw/go/src/github.com/argoproj/argo-cd
Local Snyk policy: found
Licenses: enabled
✔ Tested 116 dependencies for known issues, no vulnerable paths found.
Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.
Tested 3 projects, no vulnerable paths were found.
This upgrade needs to wait at least until this is merged / released: https://github.com/IonicaBizau/parse-url/pull/50
Will reopen when a git-up version is cut with the fix.