Additional version affected ranges for GHSA-274v-mgcv-cm8j
https://github.com/argoproj/gitops-engine/security/advisories/GHSA-274v-mgcv-cm8j
The above advisory lists argocd version ranges as the affected product, but not this project / Go module.
Please consider updating this advisory to include:
- 0.7.1-0.20250129155113-7e21b91e9d0f as the fixed version
- <= 0.7.1-0.20250124211812-d78929e7f6c7 as the affected versions
Because it is tripping up Go vulnerability scanners (Snyk and Twistlock), since no advisories have been published for argocd 2.14 onwards and the gitops-engine Go module versions have no declared fixed version, as above.
The module versions above were generated with go get on the commit that fixes the advisory and the one before it, and they match the module update version that was merged into argocd.
Also see:
- https://github.com/github/advisory-database/pull/5689
- https://github.com/github/advisory-database/pull/5721
- https://github.com/github/advisory-database/pull/5723
- https://github.com/argoproj/gitops-engine/issues/736
- https://github.com/golang/vulndb/issues/3760
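The ordering a scanner applies to the two pseudo-versions quoted above is plain Go module semver ordering (core MAJOR.MINOR.PATCH first, then prerelease identifiers, with a release sorting after every prerelease of the same core). The following is an added example, not code from this thread or from the gitops-engine project; it reimplements that comparison on the standard library only (the real tooling uses golang.org/x/mod/semver) and assumes the last-affected and first-fixed versions are exactly the pseudo-versions given above. It also shows why a four-part tag such as v0.7.4.11 cannot serve as a module version: it is not valid semver and is rejected by the parser.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Assumed from the thread above: last affected and first fixed gitops-engine pseudo-versions.
const (
	LastAffected = "v0.7.1-0.20250124211812-d78929e7f6c7"
	FirstFixed   = "v0.7.1-0.20250129155113-7e21b91e9d0f"
)

type version struct {
	major, minor, patch int
	pre                 []string // dot-separated prerelease identifiers, e.g. ["0", "20250124211812-d78929e7f6c7"]
}

// parse accepts the canonical Go module form vMAJOR.MINOR.PATCH[-PRERELEASE][+BUILD].
func parse(s string) (version, error) {
	var v version
	if !strings.HasPrefix(s, "v") {
		return v, fmt.Errorf("%q: missing v prefix", s)
	}
	rest := s[1:]
	if i := strings.IndexByte(rest, '+'); i >= 0 {
		rest = rest[:i] // build metadata never affects ordering
	}
	core := rest
	if i := strings.IndexByte(rest, '-'); i >= 0 {
		core, v.pre = rest[:i], strings.Split(rest[i+1:], ".")
	}
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("%q: core must be exactly MAJOR.MINOR.PATCH", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || (len(p) > 1 && p[0] == '0') {
			return v, fmt.Errorf("%q: bad numeric component %q", s, p)
		}
		nums[i] = n
	}
	v.major, v.minor, v.patch = nums[0], nums[1], nums[2]
	for _, id := range v.pre {
		if id == "" {
			return v, fmt.Errorf("%q: empty prerelease identifier", s)
		}
	}
	return v, nil
}

func cmpInt(a, b int) int {
	switch {
	case a < b:
		return -1
	case a > b:
		return 1
	}
	return 0
}

func isNumeric(s string) bool {
	for _, r := range s {
		if r < '0' || r > '9' {
			return false
		}
	}
	return true
}

// cmpIdent orders two prerelease identifiers: numeric ones numerically (by length, then
// lexically, which avoids integer overflow), numeric before alphanumeric, otherwise ASCII order.
func cmpIdent(a, b string) int {
	an, bn := isNumeric(a), isNumeric(b)
	switch {
	case an && bn:
		if c := cmpInt(len(a), len(b)); c != 0 {
			return c
		}
		return strings.Compare(a, b)
	case an:
		return -1
	case bn:
		return 1
	}
	return strings.Compare(a, b)
}

func compare(a, b version) int {
	if c := cmpInt(a.major, b.major); c != 0 {
		return c
	}
	if c := cmpInt(a.minor, b.minor); c != 0 {
		return c
	}
	if c := cmpInt(a.patch, b.patch); c != 0 {
		return c
	}
	switch { // a release sorts after every prerelease of the same core version
	case len(a.pre) == 0 && len(b.pre) == 0:
		return 0
	case len(a.pre) == 0:
		return 1
	case len(b.pre) == 0:
		return -1
	}
	for i := 0; i < len(a.pre) && i < len(b.pre); i++ {
		if c := cmpIdent(a.pre[i], b.pre[i]); c != 0 {
			return c
		}
	}
	return cmpInt(len(a.pre), len(b.pre)) // longer identifier list wins when one is a prefix
}

// Status classifies a module version against the range in this issue:
// anything <= LastAffected is "affected", anything >= FirstFixed is "fixed".
func Status(s string) (string, error) {
	v, err := parse(s)
	if err != nil {
		return "", err
	}
	last, _ := parse(LastAffected)
	fixed, _ := parse(FirstFixed)
	switch {
	case compare(v, last) <= 0:
		return "affected", nil
	case compare(v, fixed) >= 0:
		return "fixed", nil
	}
	return "between", nil // a snapshot after the last affected commit but before the fix
}

func main() {
	for _, s := range []string{"v0.7.0", LastAffected, FirstFixed, "v0.7.4.11"} {
		st, err := Status(s)
		if err != nil {
			fmt.Println(s, "->", err)
			continue
		}
		fmt.Println(s, "->", st)
	}
}
```

The timestamp ordering falls out of the generic prerelease rule: in a pseudo-version the second identifier is `yyyymmddhhmmss-commit`, which contains a hyphen and is therefore compared as an alphanumeric string, so the 14-digit timestamp decides the order before the commit hash is ever reached.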
Argocd upstream => due to the inability to resolve branches of the pseudoversion, can you please consider tagging v0.7.2 on the argoproj/gitops-engine master branch, so that once enough things upgrade to a newer snapshot we would move past this.
Or, say, tag v0.7.2 at 7e21b91e9d0f.
Wait, tag v0.7.2 would be too low. It likely needs to be v0.7.4.11, v0.7.4.12, v0.7.4.13, v0.7.4.14, v0.7.4.15 on each of the release branches at the commits that fixed the CVE.
Then it would be trivial to see that anything tagged v0.7.4.11 or higher is remediated.
@crenshaw-dev @jannfis @leoluz this is directly related to this issue and the GHSA update I suggested.
The GitHub-published advisory advisories/GHSA-274v-mgcv-cm8j has been updated with version ranges that are accurate and usable by scanners.
Please consider updating the gitops-engine advisory argoproj/gitops-engine/security/advisories/GHSA-274v-mgcv-cm8j to match.