Request for fixing identified vulnerabilites in dependencies in ArgoCD 2.9.3

[rafariossaa]

Checklist:

• I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
• I've included steps to reproduce the bug.
• I've pasted the output of argocd version.

Describe the bug

When running trivy on the ArgoCD 2.9.3 image, it reported the following CVEs in the modules used.

To Reproduce
Run:

trivy image --vuln-type library quay.io/argoproj/argocd:v2.9.3

Screenshots

Version

2.9.3

[mfreeman451]

the critical one in go-git has been addressed with #16822 and #16908

[crenshaw-dev]

@rafariossaa please see our notes on security scanner results.

I know a lot of compliance requirements these days say "you have to open an issue to track," so if that's the purpose, I understand.

But if the intent is to actually ask for these issues to be fixed, then I would as that:

1. You investigate each reported CVE
2. For each CVE which you believe is actually relevant, open an issue describing the relevance to and the impact on Argo CD
3. (Extra credit) For each issue, open a PR bumping the dependency

I do realize that those three steps aren't in SECURITY.md and that I should update that document. 🙂

[mfreeman451]

What is the release cadence for argocd?

[crenshaw-dev]

@mfreeman451

https://argo-cd.readthedocs.io/en/latest/developer-guide/release-process-and-cadence/