
Lack of tagging causing issues with CVE Scanners

Open kbsteere opened this issue 7 months ago • 3 comments

Version tagging appears to have stopped at v0.7.3, which is causing issues with scanners, and Argo-CD is not able to pull in a newer version tag that can be recognized.

Specifically, github.com/argoproj/gitops-engine v0.7.1-0.20250129155113-faf5a4e5c37d is the referenced tag in Argo-CD, but GO-2025-3437 / GHSA-274v-mgcv-cm8j show an issue with that version, because the v0.7.x tags have all not been updated in 3+ years and it appears that gitops-engine has switched to syncing versions with Argo-CD itself (for example release-2.1x), but no tags are generated for these, so everyone is still using the tag mentioned above. I have submitted a GHSA-274v-mgcv-cm8j vuln enrichment change, but my question is: is there any plan to generate new tags for GitOps-Engine?

Say 2.1x tags when a new release branch is generated? Or, when the Argo-CD repo release is generated, GitOps-Engine also generates a new one if required?

kbsteere, Jun 04 '25 22:06
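Why a scanner flags that version at all comes down to how Go orders module versions. By the go command's pseudo-version rules, vX.Y.(Z+1)-0.&lt;timestamp&gt;-&lt;hash&gt; names a commit whose nearest tagged ancestor is vX.Y.Z, so v0.7.1-0.20250129155113-faf5a4e5c37d sorts above v0.7.0 and below v0.7.1, v0.7.2 and v0.7.3, regardless of what that January 2025 commit contains; any advisory expressed as "fixed in v0.7.x" therefore matches it, and the fix would only stop matching once the module carried a later tag. The following Go program is an added example for this thread, not code from the issue or from the argoproj projects: it parses module versions, extracts the commit hash from a pseudo-version, orders versions the way the go command does, and checks a version against an advisory's introduced/fixed range. The range [v0.0.0, v0.7.3) and the tag v2.14.0 are assumed values for illustration, not the actual GO-2025-3437 data; the pseudo-version is the one quoted above.

```go
package main

import (
	"cmp"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// moduleVersion is a parsed Go module version such as "v0.7.3" or a pseudo-version.
type moduleVersion struct {
	major, minor, patch int
	pre                 string // text after the first '-'; "" for a plain tag
}

// Pseudo-versions end in "<yyyymmddhhmmss>-<12 hex chars>", preceded by "0." when derived from a tag.
var pseudoTail = regexp.MustCompile(`(?:^|\.)(?:0\.)?(\d{14})-([0-9a-f]{12})$`)

func parse(s string) (moduleVersion, error) {
	core, pre, _ := strings.Cut(strings.TrimPrefix(s, "v"), "-")
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return moduleVersion{}, fmt.Errorf("not vMAJOR.MINOR.PATCH: %q", s)
	}
	var n [3]int
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil {
			return moduleVersion{}, fmt.Errorf("bad component in %q: %w", s, err)
		}
		n[i] = x
	}
	return moduleVersion{n[0], n[1], n[2], pre}, nil
}

// pseudoCommit returns the commit hash embedded in a pseudo-version, "" for a tag.
func pseudoCommit(v moduleVersion) string {
	if m := pseudoTail.FindStringSubmatch(v.pre); m != nil {
		return m[2]
	}
	return ""
}

// cmpIdent compares prerelease identifiers per semver: numeric ones sort before alphanumeric ones.
func cmpIdent(a, b string) int {
	na, errA := strconv.Atoi(a)
	nb, errB := strconv.Atoi(b)
	switch {
	case errA == nil && errB == nil:
		return cmp.Compare(na, nb)
	case errA == nil:
		return -1
	case errB == nil:
		return 1
	}
	return strings.Compare(a, b)
}

// compare orders versions the way the go command and OSV-style scanners do.
func compare(a, b moduleVersion) int {
	for _, c := range []int{cmp.Compare(a.major, b.major), cmp.Compare(a.minor, b.minor), cmp.Compare(a.patch, b.patch)} {
		if c != 0 {
			return c
		}
	}
	if a.pre == "" || b.pre == "" {
		// Equal when both are tags; a tag sorts above any prerelease or pseudo-version of the same core.
		return strings.Compare(b.pre, a.pre)
	}
	ai, bi := strings.Split(a.pre, "."), strings.Split(b.pre, ".")
	for i := 0; i < len(ai) && i < len(bi); i++ {
		if c := cmpIdent(ai[i], bi[i]); c != 0 {
			return c
		}
	}
	return cmp.Compare(len(ai), len(bi))
}

// affectedBy reports whether v lies in the half-open range [introduced, fixed) used by the Go vuln DB and OSV.
func affectedBy(v, introduced, fixed string) (bool, error) {
	var p [3]moduleVersion
	for i, s := range []string{v, introduced, fixed} {
		var err error
		if p[i], err = parse(s); err != nil {
			return false, err
		}
	}
	return compare(p[0], p[1]) >= 0 && compare(p[0], p[2]) < 0, nil
}

func main() {
	// Pseudo-version from the issue; the range [v0.0.0, v0.7.3) and the tag v2.14.0 are hypothetical, not GO-2025-3437 data.
	for _, c := range []string{"v0.7.1-0.20250129155113-faf5a4e5c37d", "v0.7.3", "v2.14.0"} {
		v, _ := parse(c)
		hit, _ := affectedBy(c, "v0.0.0", "v0.7.3")
		fmt.Printf("%-40s commit=%q affected=%v\n", c, pseudoCommit(v), hit)
	}
}
```

Run with `go run .`: the pseudo-version is reported as affected and carries commit faf5a4e5c37d, while a hypothetical tag v2.14.0 (or the existing v0.7.3) falls outside the range. That is the practical argument for tagging: a scanner keyed on version ranges cannot tell a 2025 commit on the main branch from a 2022 one unless the module version itself encodes it.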

Another reason to do this: https://github.com/argoproj/argo-cd/issues/10774

crenshaw-dev, Jun 05 '25 15:06

@crenshaw-dev yeah, that's another option. I guess it depends on how many external users use just GitOps Engine by itself and if that matters to the Argo team or not.

kbsteere, Jun 06 '25 01:06

@jannfis could you review the GHSA update as well: https://github.com/github/advisory-database/pull/5689

kbsteere, Jun 12 '25 19:06