argo-events:v1.9.6 includes outdated argo CLI that reintroduces CVE from argo-events:v1.9.1
Describe the bug
The argo-events release v1.9.6 includes a fix for the critical vulnerability reported in GHSA-hmp7-x699-cvhq. The argo-events binary itself is correctly built from v1.9.6, and this fix is reflected in the binary metadata.
However, the Dockerfile still downloads and installs the Argo Workflows CLI (argo) using the following lines:
```dockerfile
ENV ARGO_VERSION=v3.6.5
RUN wget -q https://github.com/argoproj/argo-workflows/releases/download/${ARGO_VERSION}/argo-linux-${ARCH}.gz
```
The argo CLI binary from Argo Workflows v3.6.5 statically links an older version of argo-events (v1.9.1) as a dependency, which still includes the critical CVE.
As a result:
- Even though `/bin/argo-events` is clean, `/usr/local/bin/argo` still reflects the outdated and vulnerable argo-events dependency.
- Tools like Trivy report the vulnerability as still present, due to static analysis of `/usr/local/bin/argo`.
- In organizations with automated CVE policies, this prevents retrieving or using the image due to the presence of a critical vulnerability.
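To confirm which argo-events version is actually statically linked into the argo CLI, rather than relying only on the scanner's verdict, you can read the Go module list that the Go toolchain embeds in every binary (`go version -m <binary>` prints it). The following Python script is an added example, not code from this issue or from the argo-events project: it parses that output, honours `=>` replace directives, and flags any policy module linked at a version below the one considered fixed. The sample output is constructed (module hashes are placeholders, the Go version is arbitrary), and the `v1.9.6` threshold is taken from this issue; check the advisory for the real fixed range before using it as policy.

```python
"""Check the Go module versions embedded in a binary (e.g. the argo CLI)
against a minimum fixed version, by parsing `go version -m` output.
Added example; assumes the binary was built with a modern Go toolchain
that embeds module metadata."""
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample of `go version -m /usr/local/bin/argo` output.
# NOT real captured output: hashes are placeholders and the Go version
# is arbitrary; only the module paths and the argo-events version
# (v1.9.1, as reported in this issue) matter for the check.
SAMPLE_GO_VERSION_M = (
    "/usr/local/bin/argo: go1.23.0\n"
    "\tpath\tgithub.com/argoproj/argo-workflows/v3/cmd/argo\n"
    "\tmod\tgithub.com/argoproj/argo-workflows/v3\t(devel)\n"
    "\tdep\tgithub.com/argoproj/argo-events\tv1.9.1\th1:PLACEHOLDER=\n"
    "\tdep\tgithub.com/spf13/cobra\tv1.8.1\th1:PLACEHOLDER=\n"
    "\tbuild\t-buildmode=exe\n"
)

# Hypothetical policy: module path -> first version considered fixed.
# v1.9.6 is taken from this issue; confirm it against the advisory.
FIXED_IN = {"github.com/argoproj/argo-events": "v1.9.6"}


def parse_go_modules(text: str) -> Dict[str, str]:
    """Return {module_path: version} for each `dep` entry.

    A `=>` line directly after a `dep` is a replace directive, so the
    replacement's version is what actually ended up in the binary.
    """
    deps: Dict[str, str] = {}
    last_dep: Optional[str] = None
    for line in text.splitlines():
        if not line.startswith("\t"):
            continue  # header line: "<binary>: goX.Y.Z"
        fields = line.split("\t")  # fields[0] == "" because of the leading tab
        kind = fields[1] if len(fields) > 1 else ""
        if kind == "dep" and len(fields) >= 4:
            deps[fields[2]] = fields[3]
            last_dep = fields[2]
        elif kind == "=>" and last_dep is not None and len(fields) >= 4:
            deps[last_dep] = fields[3]  # replacement wins over the declared dep
        else:
            last_dep = None  # path/mod/build lines end any pending dep
    return deps


def parse_semver(version: str) -> Tuple[int, ...]:
    """Turn "v1.9.1" (or a pseudo-version such as
    "v0.0.0-20240101000000-abcdef123456") into a comparable tuple.
    Only the numeric core is compared; pre-release and build tags are dropped."""
    core = version.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def find_unfixed(deps: Dict[str, str], policy: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (module, linked_version, fixed_in) for every policy module that is
    present in the binary at a version below the one considered fixed."""
    findings: List[Tuple[str, str, str]] = []
    for module, fixed in policy.items():
        linked = deps.get(module)
        if linked is None:
            continue  # module is not linked in at all: nothing to flag
        if parse_semver(linked) < parse_semver(fixed):
            findings.append((module, linked, fixed))
    return findings


def audit(go_version_m_output: str, policy: Dict[str, str] = FIXED_IN) -> List[Tuple[str, str, str]]:
    """Convenience wrapper: parse the output and apply the policy."""
    return find_unfixed(parse_go_modules(go_version_m_output), policy)


if __name__ == "__main__":
    # Usage: python check_go_deps.py <file with `go version -m` output>
    # Without an argument the constructed sample above is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GO_VERSION_M
    for module, linked, fixed in audit(text):
        print(f"{module}: linked {linked}, considered fixed in {fixed}")
```

To get real input, copy the binary out of the image (for example with `docker create` followed by `docker cp`) and run `go version -m` on it with a local Go toolchain, then feed the saved output to the script. Comparing the numeric core only is deliberate: pseudo-versions that pin a commit will compare as their base version, so treat a finding on such a version as "verify manually" rather than as a definitive result.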
To Reproduce
```shell
trivy image quay.io/argoproj/argo-events:v1.9.6
```
Expected behavior
No critical CVEs in the image.
Suggestion
Use a version of the Argo Workflows CLI that no longer pulls in the vulnerable dependency.
Environment (please complete the following information):
- not applicable / not relevant
Additional context
See also https://quay.io/repository/argoproj/argo-events/manifest/sha256:fc13b08a6539b9f80d645b40207c81e05c4112cb24f2b4ec97f0fddbd54d763e?tab=vulnerabilities
Message from the maintainers:
If you wish to see this enhancement implemented please add a 👍 reaction to this issue! We often sort issues this way to know what to prioritize.