From dbc94ba13f9ce72ccfbfc68990eba4733c77d14d Mon Sep 17 00:00:00 2001 From: Nitish Kumar Date: Tue, 24 Sep 2024 13:06:19 +0530 Subject: [PATCH 01/38] fix: fix broken link (#20070) * fix broken link Signed-off-by: nitishfy * fix broken link Signed-off-by: nitishfy --------- Signed-off-by: nitishfy --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index bea5c645c328c..b369043821010 100644 --- a/README.md +++ b/README.md @@ -56,7 +56,7 @@ Participation in the Argo CD project is governed by the [CNCF Code of Conduct](h ### Blogs and Presentations 1. [Awesome-Argo: A Curated List of Awesome Projects and Resources Related to Argo](https://github.com/terrytangyuan/awesome-argo) -1. [Unveil the Secret Ingredients of Continuous Delivery at Enterprise Scale with Argo CD](https://akuity.io/blog/unveil-the-secret-ingredients-of-continuous-delivery-at-enterprise-scale-with-argocd-kubecon-china-2021/) +1. [Unveil the Secret Ingredients of Continuous Delivery at Enterprise Scale with Argo CD](https://akuity.io/blog/secret-ingredients-of-continuous-delivery-at-enterprise-scale-with-argocd/) 1. [GitOps Without Pipelines With ArgoCD Image Updater](https://youtu.be/avPUQin9kzU) 1. [Combining Argo CD (GitOps), Crossplane (Control Plane), And KubeVela (OAM)](https://youtu.be/eEcgn_gU3SM) 1. [How to Apply GitOps to Everything - Combining Argo CD and Crossplane](https://youtu.be/yrj4lmScKHQ) From 0710ff91036d7120c6be64528ef01c51939f6169 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 24 Sep 2024 14:51:58 +0300 Subject: [PATCH 02/38] chore(deps): bump go.uber.org/automaxprocs from 1.5.3 to 1.6.0 (#20068) --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index abf53a9e97f95..2d020f68e928a 100644 --- a/go.mod +++ b/go.mod 
@@ -275,7 +275,7 @@ require (
 go.opentelemetry.io/otel/metric v1.30.0 // indirect
 go.opentelemetry.io/otel/trace v1.30.0 // indirect
 go.opentelemetry.io/proto/otlp v1.3.1 // indirect
- go.uber.org/automaxprocs v1.5.3
+ go.uber.org/automaxprocs v1.6.0
 gomodules.xyz/envconfig v1.3.1-0.20190308184047-426f31af0d45 // indirect
 gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 gomodules.xyz/notify v0.1.1 // indirect
diff --git a/go.sum b/go.sum
index 6ddbba6376a3f..74da7903bd3dd 100644
--- a/go.sum
+++ b/go.sum
@@ -994,8 +994,8 @@ go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
-go.uber.org/automaxprocs v1.5.3 h1:kWazyxZUrS3Gs4qUpbwo5kEIMGe/DAvi5Z4tl2NW4j8=
-go.uber.org/automaxprocs v1.5.3/go.mod h1:eRbA25aqJrxAbsLO0xy5jVwPt7FQnRgjW+efnwa1WM0=
+go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
+go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
 go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
From e1429f8ea68fec0384a963297fb2f3af245b6e92 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Tue, 24 Sep 2024 14:42:31 +0000
Subject: [PATCH 03/38] [Bot] docs: Update Snyk reports (#20052)
Signed-off-by: CI Co-authored-by: CI --- docs/snyk/index.md | 28 +- docs/snyk/master/argocd-iac-install.html | 2 +- .../master/argocd-iac-namespace-install.html | 2 +- docs/snyk/master/argocd-test.html | 89 +- .../master/ghcr.io_dexidp_dex_v2.41.1.html | 2 +- ..._docker_library_haproxy_2.6.17-alpine.html | 2 +- ...ws_docker_library_redis_7.0.15-alpine.html | 2 +- .../quay.io_argoproj_argocd_latest.html | 136 +- docs/snyk/master/redis_7.0.15-alpine.html | 2 +- docs/snyk/v2.10.16/argocd-iac-install.html | 2 +- .../argocd-iac-namespace-install.html | 2 +- docs/snyk/v2.10.16/argocd-test.html | 168 +- .../v2.10.16/ghcr.io_dexidp_dex_v2.37.0.html | 2 +- docs/snyk/v2.10.16/haproxy_2.6.14-alpine.html | 2 +- .../quay.io_argoproj_argocd_v2.10.16.html | 141 +- docs/snyk/v2.10.16/redis_7.0.15-alpine.html | 2 +- docs/snyk/v2.11.8/argocd-iac-install.html | 2 +- .../v2.11.8/argocd-iac-namespace-install.html | 2 +- docs/snyk/v2.11.8/argocd-test.html | 168 +- .../v2.11.8/ghcr.io_dexidp_dex_v2.38.0.html | 2 +- docs/snyk/v2.11.8/haproxy_2.6.14-alpine.html | 2 +- .../quay.io_argoproj_argocd_v2.11.8.html | 141 +- docs/snyk/v2.11.8/redis_7.0.15-alpine.html | 2 +- docs/snyk/v2.12.3/argocd-iac-install.html | 2 +- .../v2.12.3/argocd-iac-namespace-install.html | 2 +- docs/snyk/v2.12.3/argocd-test.html | 168 +- .../v2.12.3/ghcr.io_dexidp_dex_v2.38.0.html | 2 +- ..._docker_library_haproxy_2.6.17-alpine.html | 2 +- ...ws_docker_library_redis_7.0.15-alpine.html | 2 +- .../quay.io_argoproj_argocd_v2.12.3.html | 4 +- docs/snyk/v2.12.3/redis_7.0.15-alpine.html | 2 +- docs/snyk/v2.13.0-rc2/argocd-iac-install.html | 2891 +++++++++++++++++ .../argocd-iac-namespace-install.html | 2845 ++++++++++++++++ docs/snyk/v2.13.0-rc2/argocd-test.html | 745 +++++ .../ghcr.io_dexidp_dex_v2.41.1.html | 709 ++++ ..._docker_library_haproxy_2.6.17-alpine.html | 1305 ++++++++ ...ws_docker_library_redis_7.0.15-alpine.html | 484 +++ .../quay.io_argoproj_argocd_v2.13.0-rc2.html | 2012 ++++++++++++ 
.../snyk/v2.13.0-rc2/redis_7.0.15-alpine.html | 484 +++ 39 files changed, 12311 insertions(+), 251 deletions(-) create mode 100644 docs/snyk/v2.13.0-rc2/argocd-iac-install.html create mode 100644 docs/snyk/v2.13.0-rc2/argocd-iac-namespace-install.html create mode 100644 docs/snyk/v2.13.0-rc2/argocd-test.html create mode 100644 docs/snyk/v2.13.0-rc2/ghcr.io_dexidp_dex_v2.41.1.html create mode 100644 docs/snyk/v2.13.0-rc2/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html create mode 100644 docs/snyk/v2.13.0-rc2/public.ecr.aws_docker_library_redis_7.0.15-alpine.html create mode 100644 docs/snyk/v2.13.0-rc2/quay.io_argoproj_argocd_v2.13.0-rc2.html create mode 100644 docs/snyk/v2.13.0-rc2/redis_7.0.15-alpine.html diff --git a/docs/snyk/index.md b/docs/snyk/index.md index b56336b32e637..b9e7582682786 100644 --- a/docs/snyk/index.md +++ b/docs/snyk/index.md 
@@ -14,21 +14,35 @@ recent minor releases. | | Critical | High | Medium | Low | |---:|:--------:|:----:|:------:|:---:| | [go.mod](master/argocd-test.html) | 0 | 0 | 1 | 0 | -| [ui/yarn.lock](master/argocd-test.html) | 0 | 0 | 2 | 0 | +| [ui/yarn.lock](master/argocd-test.html) | 0 | 0 | 1 | 0 | | [dex:v2.41.1](master/ghcr.io_dexidp_dex_v2.41.1.html) | 0 | 0 | 0 | 1 | | [haproxy:2.6.17-alpine](master/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html) | 0 | 0 | 2 | 3 | | [redis:7.0.15-alpine](master/public.ecr.aws_docker_library_redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 | -| [argocd:latest](master/quay.io_argoproj_argocd_latest.html) | 0 | 0 | 4 | 8 | +| [argocd:latest](master/quay.io_argoproj_argocd_latest.html) | 0 | 0 | 3 | 8 | | [redis:7.0.15-alpine](master/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 | | [install.yaml](master/argocd-iac-install.html) | - | - | - | - | | [namespace-install.yaml](master/argocd-iac-namespace-install.html) | - | - | - | - | +### v2.13.0-rc2 + +| | Critical | High | Medium | Low | +|---:|:--------:|:----:|:------:|:---:| +| [go.mod](v2.13.0-rc2/argocd-test.html) | 0 | 0 | 1 | 0 | +| [ui/yarn.lock](v2.13.0-rc2/argocd-test.html) | 0 | 0 | 1 | 0 | +| [dex:v2.41.1](v2.13.0-rc2/ghcr.io_dexidp_dex_v2.41.1.html) | 0 | 0 | 0 | 1 | +| [haproxy:2.6.17-alpine](v2.13.0-rc2/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html) | 0 | 0 | 2 | 3 | +| [redis:7.0.15-alpine](v2.13.0-rc2/public.ecr.aws_docker_library_redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 | +| [argocd:v2.13.0-rc2](v2.13.0-rc2/quay.io_argoproj_argocd_v2.13.0-rc2.html) | 0 | 0 | 3 | 8 | +| [redis:7.0.15-alpine](v2.13.0-rc2/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 | +| [install.yaml](v2.13.0-rc2/argocd-iac-install.html) | - | - | - | - | +| [namespace-install.yaml](v2.13.0-rc2/argocd-iac-namespace-install.html) | - | - | - | - | + ### v2.12.3 | | Critical | High | Medium | Low | |---:|:--------:|:----:|:------:|:---:| | [go.mod](v2.12.3/argocd-test.html) | 0 | 0 | 2 | 0 | -| 
[ui/yarn.lock](v2.12.3/argocd-test.html) | 0 | 0 | 2 | 0 | +| [ui/yarn.lock](v2.12.3/argocd-test.html) | 0 | 1 | 2 | 0 | | [dex:v2.38.0](v2.12.3/ghcr.io_dexidp_dex_v2.38.0.html) | 0 | 0 | 6 | 6 | | [haproxy:2.6.17-alpine](v2.12.3/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html) | 0 | 0 | 2 | 3 | | [redis:7.0.15-alpine](v2.12.3/public.ecr.aws_docker_library_redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 | @@ -42,10 +56,10 @@ recent minor releases. | | Critical | High | Medium | Low | |---:|:--------:|:----:|:------:|:---:| | [go.mod](v2.11.8/argocd-test.html) | 0 | 1 | 3 | 0 | -| [ui/yarn.lock](v2.11.8/argocd-test.html) | 0 | 0 | 2 | 0 | +| [ui/yarn.lock](v2.11.8/argocd-test.html) | 0 | 1 | 2 | 0 | | [dex:v2.38.0](v2.11.8/ghcr.io_dexidp_dex_v2.38.0.html) | 0 | 0 | 6 | 6 | | [haproxy:2.6.14-alpine](v2.11.8/haproxy_2.6.14-alpine.html) | 0 | 1 | 7 | 6 | -| [argocd:v2.11.8](v2.11.8/quay.io_argoproj_argocd_v2.11.8.html) | 0 | 0 | 7 | 16 | +| [argocd:v2.11.8](v2.11.8/quay.io_argoproj_argocd_v2.11.8.html) | 0 | 0 | 8 | 16 | | [redis:7.0.15-alpine](v2.11.8/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 | | [install.yaml](v2.11.8/argocd-iac-install.html) | - | - | - | - | | [namespace-install.yaml](v2.11.8/argocd-iac-namespace-install.html) | - | - | - | - | 
@@ -55,10 +69,10 @@ recent minor releases. | | Critical | High | Medium | Low | |---:|:--------:|:----:|:------:|:---:| | [go.mod](v2.10.16/argocd-test.html) | 0 | 1 | 4 | 0 | -| [ui/yarn.lock](v2.10.16/argocd-test.html) | 0 | 0 | 2 | 0 | +| [ui/yarn.lock](v2.10.16/argocd-test.html) | 0 | 1 | 2 | 0 | | [dex:v2.37.0](v2.10.16/ghcr.io_dexidp_dex_v2.37.0.html) | 1 | 1 | 10 | 6 | | [haproxy:2.6.14-alpine](v2.10.16/haproxy_2.6.14-alpine.html) | 0 | 1 | 7 | 6 | -| [argocd:v2.10.16](v2.10.16/quay.io_argoproj_argocd_v2.10.16.html) | 0 | 0 | 11 | 20 | +| [argocd:v2.10.16](v2.10.16/quay.io_argoproj_argocd_v2.10.16.html) | 0 | 0 | 12 | 20 | | [redis:7.0.15-alpine](v2.10.16/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 | | [install.yaml](v2.10.16/argocd-iac-install.html) | - | - | - | - | | [namespace-install.yaml](v2.10.16/argocd-iac-namespace-install.html) | - | - | - | - | diff --git a/docs/snyk/master/argocd-iac-install.html b/docs/snyk/master/argocd-iac-install.html index c4531da3f93ef..4ffca011eadd2 100644 --- a/docs/snyk/master/argocd-iac-install.html +++ b/docs/snyk/master/argocd-iac-install.html @@ -456,7 +456,7 @@

Snyk test report

-

September 15th 2024, 12:20:57 am (UTC+00:00)

+

September 22nd 2024, 12:21:06 am (UTC+00:00)

Scanned the following path: diff --git a/docs/snyk/master/argocd-iac-namespace-install.html b/docs/snyk/master/argocd-iac-namespace-install.html index 020a13bf79f07..a78881186e589 100644 --- a/docs/snyk/master/argocd-iac-namespace-install.html +++ b/docs/snyk/master/argocd-iac-namespace-install.html @@ -456,7 +456,7 @@

Snyk test report

-

September 15th 2024, 12:21:06 am (UTC+00:00)

+

September 22nd 2024, 12:21:16 am (UTC+00:00)

Scanned the following path: diff --git a/docs/snyk/master/argocd-test.html b/docs/snyk/master/argocd-test.html index 33e1e7ab43d33..0c91d6f1cb159 100644 --- a/docs/snyk/master/argocd-test.html +++ b/docs/snyk/master/argocd-test.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,7 +456,7 @@

Snyk test report

-

September 15th 2024, 12:18:53 am (UTC+00:00)

+

September 22nd 2024, 12:18:54 am (UTC+00:00)

Scanned the following paths: @@ -467,8 +467,8 @@

Snyk test report

-
3 known vulnerabilities
-
5 vulnerable dependency paths
+
2 known vulnerabilities
+
4 vulnerable dependency paths
2132 dependencies
@@ -561,7 +561,7 @@

Detailed paths

Overview

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when including multiple regular expression parameters in a single segment, which will produce the regular expression /^\/([^\/]+?)-([^\/]+?)\/?$/, if two parameters within a single segment are separated by a character other than a / or .. Poor performance will block the event loop and can lead to a DoS.

Note: - Version 0.1.10 is patched to mitigate this but is also vulnerable if custom regular expressions are used. Due to the existence of this attack vector, the Snyk security team have decided to err on the side of caution in considering the very widely-used v0 branch vulnerable, while the 8.0.0 release has completely eliminated the vulnerable functionality.

+ While the 8.0.0 release has completely eliminated the vulnerable functionality, prior versions that have received the patch to mitigate backtracking may still be vulnerable if custom regular expressions are used. So it is strongly recommended for regular expression input to be controlled to avoid malicious performance degradation in those versions. This behavior is enforced as of version 7.1.0 via the strict option, which returns an error if a dangerous regular expression is detected.

Workaround

This vulnerability can be avoided by using a custom regular expression for parameters after the first in a segment, which excludes - and /.

PoC

@@ -629,11 +629,13 @@

Details

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

-

Upgrade path-to-regexp to version 8.0.0 or higher.

+

Upgrade path-to-regexp to version 0.1.10, 1.9.0, 3.3.0, 6.3.0, 8.0.0 or higher.

References

@@ -735,81 +737,6 @@

References

-
-

Template Injection

-
- -
- medium severity -
- -
- -
    -
  • - Manifest file: /argo-cd ui/yarn.lock -
  • -
  • - Package Manager: npm -
  • -
  • - Vulnerable module: - - dompurify -
  • - -
  • Introduced through: - - - argo-cd-ui@1.0.0, redoc@2.0.0-rc.64 and others -
  • -
- -
- - -

Detailed paths

- -
    -
  • - Introduced through: - argo-cd-ui@1.0.0 - - redoc@2.0.0-rc.64 - - dompurify@2.3.6 - - - -
  • -
- -
- -
- -

Overview

-

dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.

-

Affected versions of this package are vulnerable to Template Injection in purify.js, due to inconsistencies in the parsing of XML and HTML tags. Executable code can be injected in HTML inside XML CDATA blocks.

-

PoC

-
<![CDATA[ ><img src onerror=alert(1)> ]]>
-        
-

Remediation

-

Upgrade dompurify to version 2.4.9, 3.0.11 or higher.

-

References

- - -
- - - -
diff --git a/docs/snyk/master/ghcr.io_dexidp_dex_v2.41.1.html b/docs/snyk/master/ghcr.io_dexidp_dex_v2.41.1.html index 238af83a261bc..55eb2fcbe954b 100644 --- a/docs/snyk/master/ghcr.io_dexidp_dex_v2.41.1.html +++ b/docs/snyk/master/ghcr.io_dexidp_dex_v2.41.1.html @@ -456,7 +456,7 @@

Snyk test report

-

September 15th 2024, 12:19:03 am (UTC+00:00)

+

September 22nd 2024, 12:19:01 am (UTC+00:00)

Scanned the following paths: diff --git a/docs/snyk/master/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html b/docs/snyk/master/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html index cd8be9cb54423..d9db5c2fc73c8 100644 --- a/docs/snyk/master/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html +++ b/docs/snyk/master/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html @@ -456,7 +456,7 @@

Snyk test report

-

September 15th 2024, 12:19:08 am (UTC+00:00)

+

September 22nd 2024, 12:19:15 am (UTC+00:00)

Scanned the following path: diff --git a/docs/snyk/master/public.ecr.aws_docker_library_redis_7.0.15-alpine.html b/docs/snyk/master/public.ecr.aws_docker_library_redis_7.0.15-alpine.html index b897f3e78df7d..ccf5d62549670 100644 --- a/docs/snyk/master/public.ecr.aws_docker_library_redis_7.0.15-alpine.html +++ b/docs/snyk/master/public.ecr.aws_docker_library_redis_7.0.15-alpine.html @@ -456,7 +456,7 @@

Snyk test report

-

September 15th 2024, 12:19:12 am (UTC+00:00)

+

September 22nd 2024, 12:19:21 am (UTC+00:00)

Scanned the following paths: diff --git a/docs/snyk/master/quay.io_argoproj_argocd_latest.html b/docs/snyk/master/quay.io_argoproj_argocd_latest.html index e1b0381827449..b01bd7de71714 100644 --- a/docs/snyk/master/quay.io_argoproj_argocd_latest.html +++ b/docs/snyk/master/quay.io_argoproj_argocd_latest.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,7 +456,7 @@

Snyk test report

-

September 15th 2024, 12:19:30 am (UTC+00:00)

+

September 22nd 2024, 12:19:38 am (UTC+00:00)

Scanned the following paths: @@ -470,8 +470,8 @@

Snyk test report

-
12 known vulnerabilities
-
66 vulnerable dependency paths
+
11 known vulnerabilities
+
65 vulnerable dependency paths
2355 dependencies
@@ -588,7 +588,7 @@

Detailed paths

git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 libssh/libssh-4@0.10.6-2build2 @@ -603,7 +603,7 @@

Detailed paths

git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -620,7 +620,7 @@

Detailed paths

git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 openldap/libldap2@2.6.7+dfsg-1~exp1ubuntu8 @@ -883,7 +883,7 @@

Detailed paths

git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -898,7 +898,7 @@

Detailed paths

git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -915,7 +915,7 @@

Detailed paths

git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -930,7 +930,7 @@

Detailed paths

git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -947,7 +947,7 @@

Detailed paths

git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -966,7 +966,7 @@

Detailed paths

git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -992,7 +992,7 @@

Detailed paths

git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -1005,7 +1005,7 @@

Detailed paths

git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 libssh/libssh-4@0.10.6-2build2 @@ -1048,80 +1048,6 @@

References

More about this vulnerability

-
-
-

CVE-2024-8096

-
- -
- medium severity -
- -
- -
    -
  • - Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd Dockerfile -
  • -
  • - Package Manager: ubuntu:24.04 -
  • -
  • - Vulnerable module: - - curl/libcurl3t64-gnutls -
  • - -
  • Introduced through: - - - docker-image|quay.io/argoproj/argocd@latest, git@1:2.43.0-1ubuntu7.1 and others -
  • -
- -
- - -

Detailed paths

- -
    -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git@1:2.43.0-1ubuntu7.1 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 - - - -
  • -
- -
- -
- -

NVD Description

-

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

-

When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.

-

Remediation

-

There is no fixed version for Ubuntu:24.04 curl.

-

References

- - -
- - -

Release of Invalid Pointer or Reference

@@ -1310,7 +1236,7 @@

Detailed paths

git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -1325,7 +1251,7 @@

Detailed paths

git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -1342,7 +1268,7 @@

Detailed paths

git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -1357,7 +1283,7 @@

Detailed paths

git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -1374,7 +1300,7 @@

Detailed paths

git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -1393,7 +1319,7 @@

Detailed paths

git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -1419,7 +1345,7 @@

Detailed paths

git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -1432,7 +1358,7 @@

Detailed paths

git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 libssh/libssh-4@0.10.6-2build2 @@ -1518,7 +1444,7 @@

Detailed paths

git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -1533,7 +1459,7 @@

Detailed paths

git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -1550,7 +1476,7 @@

Detailed paths

git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -1565,7 +1491,7 @@

Detailed paths

git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -1582,7 +1508,7 @@

Detailed paths

git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -1601,7 +1527,7 @@

Detailed paths

git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -1627,7 +1553,7 @@

Detailed paths

git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -1640,7 +1566,7 @@

Detailed paths

git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 libssh/libssh-4@0.10.6-2build2 diff --git a/docs/snyk/master/redis_7.0.15-alpine.html b/docs/snyk/master/redis_7.0.15-alpine.html index 4048f7704e169..86330360ca083 100644 --- a/docs/snyk/master/redis_7.0.15-alpine.html +++ b/docs/snyk/master/redis_7.0.15-alpine.html @@ -456,7 +456,7 @@

Snyk test report

-

September 15th 2024, 12:19:34 am (UTC+00:00)

+

September 22nd 2024, 12:19:42 am (UTC+00:00)

Scanned the following paths: diff --git a/docs/snyk/v2.10.16/argocd-iac-install.html b/docs/snyk/v2.10.16/argocd-iac-install.html index f962a3756de76..caf0aceb5972f 100644 --- a/docs/snyk/v2.10.16/argocd-iac-install.html +++ b/docs/snyk/v2.10.16/argocd-iac-install.html @@ -456,7 +456,7 @@

Snyk test report

-

September 15th 2024, 12:27:49 am (UTC+00:00)

+

September 22nd 2024, 12:30:18 am (UTC+00:00)

Scanned the following path: diff --git a/docs/snyk/v2.10.16/argocd-iac-namespace-install.html b/docs/snyk/v2.10.16/argocd-iac-namespace-install.html index c2f25c827ce3a..1a15c2d0c5416 100644 --- a/docs/snyk/v2.10.16/argocd-iac-namespace-install.html +++ b/docs/snyk/v2.10.16/argocd-iac-namespace-install.html @@ -456,7 +456,7 @@

Snyk test report

-

September 15th 2024, 12:27:58 am (UTC+00:00)

+

September 22nd 2024, 12:30:27 am (UTC+00:00)

Scanned the following path: diff --git a/docs/snyk/v2.10.16/argocd-test.html b/docs/snyk/v2.10.16/argocd-test.html index 7cd0e72a8b29b..82f63569dbd39 100644 --- a/docs/snyk/v2.10.16/argocd-test.html +++ b/docs/snyk/v2.10.16/argocd-test.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,7 +456,7 @@

Snyk test report

-

September 15th 2024, 12:25:54 am (UTC+00:00)

+

September 22nd 2024, 12:28:24 am (UTC+00:00)

Scanned the following paths: @@ -467,8 +467,8 @@

Snyk test report

-
7 known vulnerabilities
-
163 vulnerable dependency paths
+
8 known vulnerabilities
+
164 vulnerable dependency paths
2042 dependencies
@@ -3139,6 +3139,160 @@

References

More about this vulnerability

+
+
+

Prototype Pollution

+
+ +
+ high severity +
+ +
+ +
    +
  • + Manifest file: /argo-cd ui/yarn.lock +
  • +
  • + Package Manager: npm +
  • +
  • + Vulnerable module: + + dompurify +
  • + +
  • Introduced through: + + + argo-cd-ui@1.0.0, redoc@2.0.0-rc.64 and others +
  • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + argo-cd-ui@1.0.0 + + redoc@2.0.0-rc.64 + + dompurify@2.3.6 + + + +
  • +
+ +
+ +
+ +

Overview

+

dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.

+

Affected versions of this package are vulnerable to Prototype Pollution due to improper user input sanitization through the depth-checking mechanism, an attacker can exploit this vulnerability by using special nesting techniques to create a malicious HTML file.

+

Details

+

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

+

There are two main ways in which the pollution of prototypes occurs:

+
    +
  • Unsafe Object recursive merge

    +
  • +
  • Property definition by path

    +
  • +
+

Unsafe Object recursive merge

+

The logic of a vulnerable recursive merge function follows the following high-level model:

+
merge (target, source)
+        
+          foreach property of source
+        
+            if property exists and is an object on both the target and the source
+        
+              merge(target[property], source[property])
+        
+            else
+        
+              target[property] = source[property]
+        
+
+ +

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

+

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

+

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

+

Property definition by path

+

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

+

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

+

Types of attacks

+

There are a few methods by which Prototype Pollution can be manipulated:

+ + + + + + + + + + + + + + + + + + + + + + + +
TypeOriginShort description
Denial of service (DoS)ClientThis is the most likely attack.
DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
Remote Code ExecutionClientRemote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
Property InjectionClientThe attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.
+

Affected environments

+

The following environments are susceptible to a Prototype Pollution attack:

+
    +
  • Application server

    +
  • +
  • Web server

    +
  • +
  • Web browser

    +
  • +
+

How to prevent

+
    +
  1. Freeze the prototype— use Object.freeze (Object.prototype).

    +
  2. +
  3. Require schema validation of JSON input.

    +
  4. +
  5. Avoid using unsafe recursive merge functions.

    +
  6. +
  7. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

    +
  8. +
  9. As a best practice use Map instead of Object.

    +
  10. +
+

For more information on this vulnerability type:

+

Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

+

Remediation

+

Upgrade dompurify to version 2.5.4, 3.1.3 or higher.

+

References

+ + +
+ + +

Regular Expression Denial of Service (ReDoS)

@@ -3224,7 +3378,7 @@

Detailed paths

Overview

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when including multiple regular expression parameters in a single segment, which will produce the regular expression /^\/([^\/]+?)-([^\/]+?)\/?$/, if two parameters within a single segment are separated by a character other than a / or .. Poor performance will block the event loop and can lead to a DoS.

Note: - Version 0.1.10 is patched to mitigate this but is also vulnerable if custom regular expressions are used. Due to the existence of this attack vector, the Snyk security team have decided to err on the side of caution in considering the very widely-used v0 branch vulnerable, while the 8.0.0 release has completely eliminated the vulnerable functionality.

+ While the 8.0.0 release has completely eliminated the vulnerable functionality, prior versions that have received the patch to mitigate backtracking may still be vulnerable if custom regular expressions are used. So it is strongly recommended for regular expression input to be controlled to avoid malicious performance degradation in those versions. This behavior is enforced as of version 7.1.0 via the strict option, which returns an error if a dangerous regular expression is detected.

Workaround

This vulnerability can be avoided by using a custom regular expression for parameters after the first in a segment, which excludes - and /.

PoC

@@ -3292,11 +3446,13 @@

Details

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

-

Upgrade path-to-regexp to version 8.0.0 or higher.

+

Upgrade path-to-regexp to version 0.1.10, 1.9.0, 3.3.0, 6.3.0, 8.0.0 or higher.

References

diff --git a/docs/snyk/v2.10.16/ghcr.io_dexidp_dex_v2.37.0.html b/docs/snyk/v2.10.16/ghcr.io_dexidp_dex_v2.37.0.html
index d2889ac440c76..f6beb50189acb 100644
--- a/docs/snyk/v2.10.16/ghcr.io_dexidp_dex_v2.37.0.html
+++ b/docs/snyk/v2.10.16/ghcr.io_dexidp_dex_v2.37.0.html
@@ -456,7 +456,7 @@

Snyk test report

-

September 15th 2024, 12:26:01 am (UTC+00:00)

+

September 22nd 2024, 12:28:32 am (UTC+00:00)

Scanned the following paths:
diff --git a/docs/snyk/v2.10.16/haproxy_2.6.14-alpine.html b/docs/snyk/v2.10.16/haproxy_2.6.14-alpine.html
index bb20c3cb21a3c..9020dc61d54b1 100644
--- a/docs/snyk/v2.10.16/haproxy_2.6.14-alpine.html
+++ b/docs/snyk/v2.10.16/haproxy_2.6.14-alpine.html
@@ -456,7 +456,7 @@

Snyk test report

-

September 15th 2024, 12:26:05 am (UTC+00:00)

+

September 22nd 2024, 12:28:38 am (UTC+00:00)

Scanned the following path:
diff --git a/docs/snyk/v2.10.16/quay.io_argoproj_argocd_v2.10.16.html b/docs/snyk/v2.10.16/quay.io_argoproj_argocd_v2.10.16.html
index 92b035cf413d0..8ba1cd553e6c1 100644
--- a/docs/snyk/v2.10.16/quay.io_argoproj_argocd_v2.10.16.html
+++ b/docs/snyk/v2.10.16/quay.io_argoproj_argocd_v2.10.16.html
@@ -7,7 +7,7 @@ Snyk test report - +
@@ -456,7 +456,7 @@

Snyk test report

-

September 15th 2024, 12:26:23 am (UTC+00:00)

+

September 22nd 2024, 12:28:55 am (UTC+00:00)

Scanned the following paths:
@@ -470,8 +470,8 @@

Snyk test report

-
34 known vulnerabilities
-
236 vulnerable dependency paths
+
35 known vulnerabilities
+
241 vulnerable dependency paths
2278 dependencies
@@ -1985,6 +1985,131 @@

References

More about this vulnerability

+
+
+

CVE-2023-4039

+
+ +
+ medium severity +
+ +
+ +
    +
  • + Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argocd Dockerfile +
  • +
  • + Package Manager: ubuntu:22.04 +
  • +
  • + Vulnerable module: + + gcc-12/libstdc++6 +
  • + +
  • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.10.16 and gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04 + +
  • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.16 + + gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04 + + + +
  • +
  • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.16 + + apt@2.4.12 + + gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04 + + + +
  • +
  • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.16 + + apt@2.4.12 + + apt/libapt-pkg6.0@2.4.12 + + gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04 + + + +
  • +
  • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.16 + + gcc-12/gcc-12-base@12.3.0-1ubuntu1~22.04 + + + +
  • +
  • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.16 + + gcc-12/libgcc-s1@12.3.0-1ubuntu1~22.04 + + + +
  • +
+ +
+ +
+ +

NVD Description

+

Note: Versions mentioned in the description apply only to the upstream gcc-12 package and not the gcc-12 package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

+

DISPUTEDA failure in the -fstack-protector feature in GCC-based toolchains + that target AArch64 allows an attacker to exploit an existing buffer + overflow in dynamically-sized local variables in your application + without this being detected. This stack-protector failure only applies + to C99-style dynamically-sized local variables or those created using + alloca(). The stack-protector operates as intended for statically-sized + local variables.

+

The default behavior when the stack-protector + detects an overflow is to terminate your application, resulting in + controlled loss of availability. An attacker who can exploit a buffer + overflow without triggering the stack-protector might be able to change + program flow control to cause an uncontrolled loss of availability or to + go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.

+

Remediation

+

There is no fixed version for Ubuntu:22.04 gcc-12.

+

References

+ + +
+ + +

Integer Overflow or Wraparound

@@ -2044,7 +2169,7 @@

NVD Description

See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).

Remediation

-

There is no fixed version for Ubuntu:22.04 expat.

+

Upgrade Ubuntu:22.04 expat to version 2.4.7-1ubuntu0.4 or higher.

References

  • http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-45491
  •
@@ -2117,7 +2242,7 @@

    NVD Description

    See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 expat.

    +

    Upgrade Ubuntu:22.04 expat to version 2.4.7-1ubuntu0.4 or higher.

    References

    • http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-45490
    •
@@ -2190,7 +2315,7 @@

      NVD Description

      See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).

      Remediation

      -

      There is no fixed version for Ubuntu:22.04 expat.

      +

      Upgrade Ubuntu:22.04 expat to version 2.4.7-1ubuntu0.4 or higher.

      References

      • http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-45492
      •
@@ -2345,7 +2470,7 @@

        NVD Description

        See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

        When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.

        Remediation

        -

        There is no fixed version for Ubuntu:22.04 curl.

        +

        Upgrade Ubuntu:22.04 curl to version 7.81.0-1ubuntu1.18 or higher.

        References

        • http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-8096
        •
diff --git a/docs/snyk/v2.10.16/redis_7.0.15-alpine.html b/docs/snyk/v2.10.16/redis_7.0.15-alpine.html
index dace95d6e4de1..a425e2171384a 100644
--- a/docs/snyk/v2.10.16/redis_7.0.15-alpine.html
+++ b/docs/snyk/v2.10.16/redis_7.0.15-alpine.html
@@ -456,7 +456,7 @@

          Snyk test report

          -

          September 15th 2024, 12:26:27 am (UTC+00:00)

          +

          September 22nd 2024, 12:28:59 am (UTC+00:00)

          Scanned the following paths:
diff --git a/docs/snyk/v2.11.8/argocd-iac-install.html b/docs/snyk/v2.11.8/argocd-iac-install.html
index d1f9777c282dd..e3753708b8045 100644
--- a/docs/snyk/v2.11.8/argocd-iac-install.html
+++ b/docs/snyk/v2.11.8/argocd-iac-install.html
@@ -456,7 +456,7 @@

          Snyk test report

          -

          September 15th 2024, 12:25:35 am (UTC+00:00)

          +

          September 22nd 2024, 12:28:02 am (UTC+00:00)

          Scanned the following path:
diff --git a/docs/snyk/v2.11.8/argocd-iac-namespace-install.html b/docs/snyk/v2.11.8/argocd-iac-namespace-install.html
index 712325c01faa0..1e254b4038b83 100644
--- a/docs/snyk/v2.11.8/argocd-iac-namespace-install.html
+++ b/docs/snyk/v2.11.8/argocd-iac-namespace-install.html
@@ -456,7 +456,7 @@

          Snyk test report

          -

          September 15th 2024, 12:25:43 am (UTC+00:00)

          +

          September 22nd 2024, 12:28:10 am (UTC+00:00)

          Scanned the following path:
diff --git a/docs/snyk/v2.11.8/argocd-test.html b/docs/snyk/v2.11.8/argocd-test.html
index c47bbee9440bb..ed53a51bfbfd9 100644
--- a/docs/snyk/v2.11.8/argocd-test.html
+++ b/docs/snyk/v2.11.8/argocd-test.html
@@ -7,7 +7,7 @@ Snyk test report - +
@@ -456,7 +456,7 @@

          Snyk test report

          -

          September 15th 2024, 12:23:42 am (UTC+00:00)

          +

          September 22nd 2024, 12:26:11 am (UTC+00:00)

          Scanned the following paths:
@@ -467,8 +467,8 @@

          Snyk test report

          -
          6 known vulnerabilities
          -
          157 vulnerable dependency paths
          +
          7 known vulnerabilities
          +
          158 vulnerable dependency paths
          2041 dependencies
          @@ -3139,6 +3139,160 @@

          References

          More about this vulnerability

          +
          +
          +

          Prototype Pollution

          +
          + +
          + high severity +
          + +
          + +
            +
          • + Manifest file: /argo-cd ui/yarn.lock +
          • +
          • + Package Manager: npm +
          • +
          • + Vulnerable module: + + dompurify +
          • + +
          • Introduced through: + + + argo-cd-ui@1.0.0, redoc@2.0.0-rc.64 and others +
          • +
          + +
          + + +

          Detailed paths

          + +
            +
          • + Introduced through: + argo-cd-ui@1.0.0 + + redoc@2.0.0-rc.64 + + dompurify@2.3.6 + + + +
          • +
          + +
          + +
          + +

          Overview

          +

          dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.

          +

          Affected versions of this package are vulnerable to Prototype Pollution due to improper user input sanitization through the depth-checking mechanism, an attacker can exploit this vulnerability by using special nesting techniques to create a malicious HTML file.

          +

          Details

          +

          Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

          +

          There are two main ways in which the pollution of prototypes occurs:

          +
            +
          • Unsafe Object recursive merge

            +
          • +
          • Property definition by path

            +
          • +
          +

          Unsafe Object recursive merge

          +

          The logic of a vulnerable recursive merge function follows the following high-level model:

          +
          merge (target, source)
          +        
          +          foreach property of source
          +        
          +            if property exists and is an object on both the target and the source
          +        
          +              merge(target[property], source[property])
          +        
          +            else
          +        
          +              target[property] = source[property]
          +        
          +
          + +

          When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

          +

          Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

          +

          lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

          +

          Property definition by path

          +

          There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

          +

          If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

          +

          Types of attacks

          +

          There are a few methods by which Prototype Pollution can be manipulated:

          + + + + + + + + + + + + + + + + + + + + + + + +
          TypeOriginShort description
          Denial of service (DoS)ClientThis is the most likely attack.
          DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
          The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
          For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
          Remote Code ExecutionClientRemote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
          For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
          Property InjectionClientThe attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
          For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.
          +

          Affected environments

          +

          The following environments are susceptible to a Prototype Pollution attack:

          +
            +
          • Application server

            +
          • +
          • Web server

            +
          • +
          • Web browser

            +
          • +
          +

          How to prevent

          +
            +
          1. Freeze the prototype— use Object.freeze (Object.prototype).

            +
          2. +
          3. Require schema validation of JSON input.

            +
          4. +
          5. Avoid using unsafe recursive merge functions.

            +
          6. +
          7. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

            +
          8. +
          9. As a best practice use Map instead of Object.

            +
          10. +
          +

          For more information on this vulnerability type:

          +

          Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

          +

          Remediation

          +

          Upgrade dompurify to version 2.5.4, 3.1.3 or higher.

          +

          References

          + + +
          + + +

          Regular Expression Denial of Service (ReDoS)

          @@ -3224,7 +3378,7 @@

          Detailed paths

          Overview

          Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when including multiple regular expression parameters in a single segment, which will produce the regular expression /^\/([^\/]+?)-([^\/]+?)\/?$/, if two parameters within a single segment are separated by a character other than a / or .. Poor performance will block the event loop and can lead to a DoS.

          Note: - Version 0.1.10 is patched to mitigate this but is also vulnerable if custom regular expressions are used. Due to the existence of this attack vector, the Snyk security team have decided to err on the side of caution in considering the very widely-used v0 branch vulnerable, while the 8.0.0 release has completely eliminated the vulnerable functionality.

          + While the 8.0.0 release has completely eliminated the vulnerable functionality, prior versions that have received the patch to mitigate backtracking may still be vulnerable if custom regular expressions are used. So it is strongly recommended for regular expression input to be controlled to avoid malicious performance degradation in those versions. This behavior is enforced as of version 7.1.0 via the strict option, which returns an error if a dangerous regular expression is detected.

          Workaround

          This vulnerability can be avoided by using a custom regular expression for parameters after the first in a segment, which excludes - and /.

          PoC

          @@ -3292,11 +3446,13 @@

          Details

          By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

          Remediation

          -

          Upgrade path-to-regexp to version 8.0.0 or higher.

          +

          Upgrade path-to-regexp to version 0.1.10, 1.9.0, 3.3.0, 6.3.0, 8.0.0 or higher.

          References

          diff --git a/docs/snyk/v2.11.8/ghcr.io_dexidp_dex_v2.38.0.html b/docs/snyk/v2.11.8/ghcr.io_dexidp_dex_v2.38.0.html
index af51282d2e037..3c41c7b540880 100644
--- a/docs/snyk/v2.11.8/ghcr.io_dexidp_dex_v2.38.0.html
+++ b/docs/snyk/v2.11.8/ghcr.io_dexidp_dex_v2.38.0.html
@@ -456,7 +456,7 @@

          Snyk test report

          -

          September 15th 2024, 12:23:48 am (UTC+00:00)

          +

          September 22nd 2024, 12:26:16 am (UTC+00:00)

          Scanned the following paths:
diff --git a/docs/snyk/v2.11.8/haproxy_2.6.14-alpine.html b/docs/snyk/v2.11.8/haproxy_2.6.14-alpine.html
index ce97669944805..51e9cc5e39b95 100644
--- a/docs/snyk/v2.11.8/haproxy_2.6.14-alpine.html
+++ b/docs/snyk/v2.11.8/haproxy_2.6.14-alpine.html
@@ -456,7 +456,7 @@

          Snyk test report

          -

          September 15th 2024, 12:23:53 am (UTC+00:00)

          +

          September 22nd 2024, 12:26:22 am (UTC+00:00)

          Scanned the following path:
diff --git a/docs/snyk/v2.11.8/quay.io_argoproj_argocd_v2.11.8.html b/docs/snyk/v2.11.8/quay.io_argoproj_argocd_v2.11.8.html
index 55093f719c826..0a77724bd2238 100644
--- a/docs/snyk/v2.11.8/quay.io_argoproj_argocd_v2.11.8.html
+++ b/docs/snyk/v2.11.8/quay.io_argoproj_argocd_v2.11.8.html
@@ -7,7 +7,7 @@ Snyk test report - +
@@ -456,7 +456,7 @@

          Snyk test report

          -

          September 15th 2024, 12:24:11 am (UTC+00:00)

          +

          September 22nd 2024, 12:26:39 am (UTC+00:00)

          Scanned the following paths:
@@ -470,8 +470,8 @@

          Snyk test report

          -
          26 known vulnerabilities
          -
          168 vulnerable dependency paths
          +
          27 known vulnerabilities
          +
          173 vulnerable dependency paths
          2280 dependencies
          @@ -1347,6 +1347,131 @@

          References

          More about this vulnerability

          +
          +
          +

          CVE-2023-4039

          +
          + +
          + medium severity +
          + +
          + +
            +
          • + Manifest file: quay.io/argoproj/argocd:v2.11.8/argoproj/argocd Dockerfile +
          • +
          • + Package Manager: ubuntu:22.04 +
          • +
          • + Vulnerable module: + + gcc-12/libstdc++6 +
          • + +
          • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.11.8 and gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04 + +
          • +
          + +
          + + +

          Detailed paths

          + +
            +
          • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.8 + + gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04 + + + +
          • +
          • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.8 + + apt@2.4.13 + + gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04 + + + +
          • +
          • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.8 + + apt@2.4.13 + + apt/libapt-pkg6.0@2.4.13 + + gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04 + + + +
          • +
          • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.8 + + gcc-12/gcc-12-base@12.3.0-1ubuntu1~22.04 + + + +
          • +
          • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.8 + + gcc-12/libgcc-s1@12.3.0-1ubuntu1~22.04 + + + +
          • +
          + +
          + +
          + +

          NVD Description

          +

          Note: Versions mentioned in the description apply only to the upstream gcc-12 package and not the gcc-12 package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

          +

          DISPUTEDA failure in the -fstack-protector feature in GCC-based toolchains + that target AArch64 allows an attacker to exploit an existing buffer + overflow in dynamically-sized local variables in your application + without this being detected. This stack-protector failure only applies + to C99-style dynamically-sized local variables or those created using + alloca(). The stack-protector operates as intended for statically-sized + local variables.

          +

          The default behavior when the stack-protector + detects an overflow is to terminate your application, resulting in + controlled loss of availability. An attacker who can exploit a buffer + overflow without triggering the stack-protector might be able to change + program flow control to cause an uncontrolled loss of availability or to + go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.

          +

          Remediation

          +

          There is no fixed version for Ubuntu:22.04 gcc-12.

          +

          References

          + + +
          + + +

          Integer Overflow or Wraparound

          @@ -1406,7 +1531,7 @@

          NVD Description

          See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

          An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).

          Remediation

          -

          There is no fixed version for Ubuntu:22.04 expat.

          +

          Upgrade Ubuntu:22.04 expat to version 2.4.7-1ubuntu0.4 or higher.

          References

          • http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-45491
          •
@@ -1479,7 +1604,7 @@

            NVD Description

            See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

            An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.

            Remediation

            -

            There is no fixed version for Ubuntu:22.04 expat.

            +

            Upgrade Ubuntu:22.04 expat to version 2.4.7-1ubuntu0.4 or higher.

            References

            • http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-45490
            •
@@ -1552,7 +1677,7 @@

              NVD Description

              See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

              An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).

              Remediation

              -

              There is no fixed version for Ubuntu:22.04 expat.

              +

              Upgrade Ubuntu:22.04 expat to version 2.4.7-1ubuntu0.4 or higher.

              References

              • http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-45492
              •
@@ -1625,7 +1750,7 @@

                NVD Description

                See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

                When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.

                Remediation

                -

                There is no fixed version for Ubuntu:22.04 curl.

                +

                Upgrade Ubuntu:22.04 curl to version 7.81.0-1ubuntu1.18 or higher.

                References

                • http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-8096
                •
diff --git a/docs/snyk/v2.11.8/redis_7.0.15-alpine.html b/docs/snyk/v2.11.8/redis_7.0.15-alpine.html
index 3f02438fedc1d..1a6806f71cefa 100644
--- a/docs/snyk/v2.11.8/redis_7.0.15-alpine.html
+++ b/docs/snyk/v2.11.8/redis_7.0.15-alpine.html
@@ -456,7 +456,7 @@

                  Snyk test report

                  -

                  September 15th 2024, 12:24:16 am (UTC+00:00)

                  +

                  September 22nd 2024, 12:26:43 am (UTC+00:00)

                  Scanned the following paths:
diff --git a/docs/snyk/v2.12.3/argocd-iac-install.html b/docs/snyk/v2.12.3/argocd-iac-install.html
index a5698e85b8c0e..268b77b876e08 100644
--- a/docs/snyk/v2.12.3/argocd-iac-install.html
+++ b/docs/snyk/v2.12.3/argocd-iac-install.html
@@ -456,7 +456,7 @@

                  Snyk test report

                  -

                  September 15th 2024, 12:23:20 am (UTC+00:00)

                  +

                  September 22nd 2024, 12:25:50 am (UTC+00:00)

                  Scanned the following path:
diff --git a/docs/snyk/v2.12.3/argocd-iac-namespace-install.html b/docs/snyk/v2.12.3/argocd-iac-namespace-install.html
index 7fbc95ed64a61..aab9b5b3686cb 100644
--- a/docs/snyk/v2.12.3/argocd-iac-namespace-install.html
+++ b/docs/snyk/v2.12.3/argocd-iac-namespace-install.html
@@ -456,7 +456,7 @@

                  Snyk test report

                  -

                  September 15th 2024, 12:23:29 am (UTC+00:00)

                  +

                  September 22nd 2024, 12:25:59 am (UTC+00:00)

                  Scanned the following path:
diff --git a/docs/snyk/v2.12.3/argocd-test.html b/docs/snyk/v2.12.3/argocd-test.html
index 876ce2850c30d..c5ace95defe54 100644
--- a/docs/snyk/v2.12.3/argocd-test.html
+++ b/docs/snyk/v2.12.3/argocd-test.html
@@ -7,7 +7,7 @@ Snyk test report - +
@@ -456,7 +456,7 @@

                  Snyk test report

                  -

                  September 15th 2024, 12:21:28 am (UTC+00:00)

                  +

                  September 22nd 2024, 12:23:57 am (UTC+00:00)

                  Scanned the following paths:
@@ -467,8 +467,8 @@

                  Snyk test report

                  -
                  4 known vulnerabilities
                  -
                  6 vulnerable dependency paths
                  +
                  5 known vulnerabilities
                  +
                  7 vulnerable dependency paths
                  2061 dependencies
                  @@ -477,6 +477,160 @@

                  Snyk test report

                  +
                  +

                  Prototype Pollution

                  +
                  + +
                  + high severity +
                  + +
                  + +
                    +
                  • + Manifest file: /argo-cd ui/yarn.lock +
                  • +
                  • + Package Manager: npm +
                  • +
                  • + Vulnerable module: + + dompurify +
                  • + +
                  • Introduced through: + + + argo-cd-ui@1.0.0, redoc@2.0.0-rc.64 and others +
                  • +
                  + +
                  + + +

                  Detailed paths

                  + +
                    +
                  • + Introduced through: + argo-cd-ui@1.0.0 + + redoc@2.0.0-rc.64 + + dompurify@2.3.6 + + + +
                  • +
                  + +
                  + +
                  + +

                  Overview

                  +

                  dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.

                  +

                  Affected versions of this package are vulnerable to Prototype Pollution due to improper user input sanitization through the depth-checking mechanism, an attacker can exploit this vulnerability by using special nesting techniques to create a malicious HTML file.

                  +

                  Details

                  +

                  Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

                  +

                  There are two main ways in which the pollution of prototypes occurs:

                  +
                    +
                  • Unsafe Object recursive merge

                    +
                  • +
                  • Property definition by path

                    +
                  • +
                  +

                  Unsafe Object recursive merge

                  +

                  The logic of a vulnerable recursive merge function follows the following high-level model:

                  +
                  merge (target, source)
                  +        
                  +          foreach property of source
                  +        
                  +            if property exists and is an object on both the target and the source
                  +        
                  +              merge(target[property], source[property])
                  +        
                  +            else
                  +        
                  +              target[property] = source[property]
                  +        
                  +
                  + +

                  When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

                  +

                  Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

                  +

                  lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

                  +

                  Property definition by path

                  +

                  There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

                  +

                  If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

                  +

                  Types of attacks

                  +

                  There are a few methods by which Prototype Pollution can be manipulated:

                  + + + + + + + + + + + + + + + + + + + + + + + +
                  TypeOriginShort description
                  Denial of service (DoS)ClientThis is the most likely attack.
                  DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
                  The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
                  For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
                  Remote Code ExecutionClientRemote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
                  For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
                  Property InjectionClientThe attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
                  For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.
                  +

                  Affected environments

                  +

                  The following environments are susceptible to a Prototype Pollution attack:

                  +
                    +
                  • Application server

                    +
                  • +
                  • Web server

                    +
                  • +
                  • Web browser

                    +
                  • +
                  +

                  How to prevent

                  +
                    +
                  1. Freeze the prototype— use Object.freeze (Object.prototype).

                    +
                  2. +
                  3. Require schema validation of JSON input.

                    +
                  4. +
                  5. Avoid using unsafe recursive merge functions.

                    +
                  6. +
                  7. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

                    +
                  8. +
                  9. As a best practice use Map instead of Object.

                    +
                  10. +
                  +

                  For more information on this vulnerability type:

                  +

                  Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

                  +

                  Remediation

                  +

                  Upgrade dompurify to version 2.5.4, 3.1.3 or higher.

                  +

                  References

                  + + +
                  + + + +

                  Regular Expression Denial of Service (ReDoS)

                  @@ -561,7 +715,7 @@

                  Detailed paths

                  Overview

                  Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when including multiple regular expression parameters in a single segment, which will produce the regular expression /^\/([^\/]+?)-([^\/]+?)\/?$/, if two parameters within a single segment are separated by a character other than a / or .. Poor performance will block the event loop and can lead to a DoS.

                  Note: - Version 0.1.10 is patched to mitigate this but is also vulnerable if custom regular expressions are used. Due to the existence of this attack vector, the Snyk security team have decided to err on the side of caution in considering the very widely-used v0 branch vulnerable, while the 8.0.0 release has completely eliminated the vulnerable functionality.

                  + While the 8.0.0 release has completely eliminated the vulnerable functionality, prior versions that have received the patch to mitigate backtracking may still be vulnerable if custom regular expressions are used. So it is strongly recommended for regular expression input to be controlled to avoid malicious performance degradation in those versions. This behavior is enforced as of version 7.1.0 via the strict option, which returns an error if a dangerous regular expression is detected.

                  Workaround

                  This vulnerability can be avoided by using a custom regular expression for parameters after the first in a segment, which excludes - and /.

                  PoC

                  @@ -629,11 +783,13 @@

                  Details

                  By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

                  Remediation

                  -

                  Upgrade path-to-regexp to version 8.0.0 or higher.

                  +

                  Upgrade path-to-regexp to version 0.1.10, 1.9.0, 3.3.0, 6.3.0, 8.0.0 or higher.

                  References

                  diff --git a/docs/snyk/v2.12.3/ghcr.io_dexidp_dex_v2.38.0.html b/docs/snyk/v2.12.3/ghcr.io_dexidp_dex_v2.38.0.html
                  index 3c557de6a1064..c40058cb449a2 100644
                  --- a/docs/snyk/v2.12.3/ghcr.io_dexidp_dex_v2.38.0.html
                  +++ b/docs/snyk/v2.12.3/ghcr.io_dexidp_dex_v2.38.0.html
                  @@ -456,7 +456,7 @@

                  Snyk test report

                  -

                  September 15th 2024, 12:21:35 am (UTC+00:00)

                  +

                  September 22nd 2024, 12:24:06 am (UTC+00:00)

                  Scanned the following paths:
                  diff --git a/docs/snyk/v2.12.3/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html b/docs/snyk/v2.12.3/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html
                  index c072d3a72b314..bed01faa336f7 100644
                  --- a/docs/snyk/v2.12.3/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html
                  +++ b/docs/snyk/v2.12.3/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html
                  @@ -456,7 +456,7 @@

                  Snyk test report

                  -

                  September 15th 2024, 12:21:38 am (UTC+00:00)

                  +

                  September 22nd 2024, 12:24:09 am (UTC+00:00)

                  Scanned the following path:
                  diff --git a/docs/snyk/v2.12.3/public.ecr.aws_docker_library_redis_7.0.15-alpine.html b/docs/snyk/v2.12.3/public.ecr.aws_docker_library_redis_7.0.15-alpine.html
                  index da43180e99e7c..dbc79e2e50588 100644
                  --- a/docs/snyk/v2.12.3/public.ecr.aws_docker_library_redis_7.0.15-alpine.html
                  +++ b/docs/snyk/v2.12.3/public.ecr.aws_docker_library_redis_7.0.15-alpine.html
                  @@ -456,7 +456,7 @@

                  Snyk test report

                  -

                  September 15th 2024, 12:21:42 am (UTC+00:00)

                  +

                  September 22nd 2024, 12:24:12 am (UTC+00:00)

                  Scanned the following paths:
                  diff --git a/docs/snyk/v2.12.3/quay.io_argoproj_argocd_v2.12.3.html b/docs/snyk/v2.12.3/quay.io_argoproj_argocd_v2.12.3.html
                  index ec4329b79d670..0bd0879c74d78 100644
                  --- a/docs/snyk/v2.12.3/quay.io_argoproj_argocd_v2.12.3.html
                  +++ b/docs/snyk/v2.12.3/quay.io_argoproj_argocd_v2.12.3.html
                  @@ -456,7 +456,7 @@

                  Snyk test report

                  -

                  September 15th 2024, 12:21:58 am (UTC+00:00)

                  +

                  September 22nd 2024, 12:24:27 am (UTC+00:00)

                  Scanned the following paths:
                  @@ -1654,7 +1654,7 @@

                  NVD Description

                  See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

                  When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.

                  Remediation

                  -

                  There is no fixed version for Ubuntu:24.04 curl.

                  +

                  Upgrade Ubuntu:24.04 curl to version 8.5.0-2ubuntu10.4 or higher.

                  References

                  • http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-8096
                  •
                  diff --git a/docs/snyk/v2.12.3/redis_7.0.15-alpine.html b/docs/snyk/v2.12.3/redis_7.0.15-alpine.html
                  index 222dff64476b7..e3cc28e76700f 100644
                  --- a/docs/snyk/v2.12.3/redis_7.0.15-alpine.html
                  +++ b/docs/snyk/v2.12.3/redis_7.0.15-alpine.html
                  @@ -456,7 +456,7 @@

                    Snyk test report

                    -

                    September 15th 2024, 12:22:01 am (UTC+00:00)

                    +

                    September 22nd 2024, 12:24:31 am (UTC+00:00)

                    Scanned the following paths: diff --git a/docs/snyk/v2.13.0-rc2/argocd-iac-install.html b/docs/snyk/v2.13.0-rc2/argocd-iac-install.html new file mode 100644 index 0000000000000..1fb9ff7afdb66 --- /dev/null +++ b/docs/snyk/v2.13.0-rc2/argocd-iac-install.html @@ -0,0 +1,2891 @@ + + + + + + + + + Snyk test report + + + + + + + + + +
                    +
                    +
                    +
                    + + + Snyk - Open Source Security + + + + + + + +
                    +

                    Snyk test report

                    + +

                    September 22nd 2024, 12:23:23 am (UTC+00:00)

                    +
                    +
                    + Scanned the following path: +
                      +
                    • /argo-cd/manifests/install.yaml (Kubernetes)
                    • +
                    +
                    + +
                    +
                    44 total issues
                    +
                    +
                    +
                    +
                    + +
                    + + + + + + +
                    Project manifests/install.yaml
                    Path /argo-cd/manifests/install.yaml
                    Project Type Kubernetes
                    +
                    +
                    +
                    +

                    Role or ClusterRole with dangerous permissions

                    +
                    + +
                    + high severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-47 +
                    • + +
                    • Introduced through: + [DocId: 17] + + rules[5] + + resources + +
                    • + +
                    • + Line number: 22389 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

                    + +

                    Remediation

                    +

                    Consider removing these permissions

                    + + +
                    +
                    + + + +
                    +
                    +

                    Role or ClusterRole with dangerous permissions

                    +
                    + +
                    + medium severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-47 +
                    • + +
                    • Introduced through: + [DocId: 10] + + rules[0] + + resources + +
                    • + +
                    • + Line number: 22070 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

                    + +

                    Remediation

                    +

                    Consider removing these permissions

                    + + +
                    +
                    + + + +
                    +
                    +

                    Role or ClusterRole with dangerous permissions

                    +
                    + +
                    + medium severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-47 +
                    • + +
                    • Introduced through: + [DocId: 11] + + rules[4] + + resources + +
                    • + +
                    • + Line number: 22157 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

                    + +

                    Remediation

                    +

                    Consider removing these permissions

                    + + +
                    +
                    + + + +
                    +
                    +

                    Role or ClusterRole with dangerous permissions

                    +
                    + +
                    + medium severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-47 +
                    • + +
                    • Introduced through: + [DocId: 12] + + rules[0] + + resources + +
                    • + +
                    • + Line number: 22185 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

                    + +

                    Remediation

                    +

                    Consider removing these permissions

                    + + +
                    +
                    + + + +
                    +
                    +

                    Role or ClusterRole with dangerous permissions

                    +
                    + +
                    + medium severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-47 +
                    • + +
                    • Introduced through: + [DocId: 13] + + rules[1] + + resources + +
                    • + +
                    • + Line number: 22215 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

                    + +

                    Remediation

                    +

                    Consider removing these permissions

                    + + +
                    +
                    + + + +
                    +
                    +

                    Role or ClusterRole with dangerous permissions

                    +
                    + +
                    + medium severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-47 +
                    • + +
                    • Introduced through: + [DocId: 13] + + rules[3] + + resources + +
                    • + +
                    • + Line number: 22233 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

                    + +

                    Remediation

                    +

                    Consider removing these permissions

                    + + +
                    +
                    + + + +
                    +
                    +

                    Role or ClusterRole with dangerous permissions

                    +
                    + +
                    + medium severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-47 +
                    • + +
                    • Introduced through: + [DocId: 14] + + rules[0] + + resources + +
                    • + +
                    • + Line number: 22251 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

                    + +

                    Remediation

                    +

                    Consider removing these permissions

                    + + +
                    +
                    + + + +
                    +
                    +

                    Role or ClusterRole with dangerous permissions

                    +
                    + +
                    + medium severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-47 +
                    • + +
                    • Introduced through: + [DocId: 15] + + rules[0] + + resources + +
                    • + +
                    • + Line number: 22273 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

                    + +

                    Remediation

                    +

                    Consider removing these permissions

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container could be running with outdated image

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-42 +
                    • + +
                    • Introduced through: + [DocId: 48] + + spec + + template + + spec + + initContainers[secret-init] + + imagePullPolicy + +
                    • + +
                    • + Line number: 23345 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    The container may run with outdated or unauthorized image

                    + +

                    Remediation

                    +

                    Set `imagePullPolicy` attribute to `Always`

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container could be running with outdated image

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-42 +
                    • + +
                    • Introduced through: + [DocId: 49] + + spec + + template + + spec + + initContainers[copyutil] + + imagePullPolicy + +
                    • + +
                    • + Line number: 23644 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    The container may run with outdated or unauthorized image

                    + +

                    Remediation

                    +

                    Set `imagePullPolicy` attribute to `Always`

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container has no CPU limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-5 +
                    • + +
                    • Introduced through: + [DocId: 45] + + input + + spec + + template + + spec + + containers[argocd-applicationset-controller] + + resources + + limits + + cpu + +
                    • + +
                    • + Line number: 22882 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

                    + +

                    Remediation

                    +

                    Add `resources.limits.cpu` field with required CPU limit value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container has no CPU limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-5 +
                    • + +
                    • Introduced through: + [DocId: 46] + + input + + spec + + template + + spec + + initContainers[copyutil] + + resources + + limits + + cpu + +
                    • + +
                    • + Line number: 23151 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

                    + +

                    Remediation

                    +

                    Add `resources.limits.cpu` field with required CPU limit value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container has no CPU limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-5 +
                    • + +
                    • Introduced through: + [DocId: 46] + + input + + spec + + template + + spec + + containers[dex] + + resources + + limits + + cpu + +
                    • + +
                    • + Line number: 23105 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

                    + +

                    Remediation

                    +

                    Add `resources.limits.cpu` field with required CPU limit value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container has no CPU limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-5 +
                    • + +
                    • Introduced through: + [DocId: 47] + + input + + spec + + template + + spec + + containers[argocd-notifications-controller] + + resources + + limits + + cpu + +
                    • + +
                    • + Line number: 23211 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

                    + +

                    Remediation

                    +

                    Add `resources.limits.cpu` field with required CPU limit value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container has no CPU limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-5 +
                    • + +
                    • Introduced through: + [DocId: 48] + + input + + spec + + template + + spec + + containers[redis] + + resources + + limits + + cpu + +
                    • + +
                    • + Line number: 23316 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

                    + +

                    Remediation

                    +

                    Add `resources.limits.cpu` field with required CPU limit value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container has no CPU limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-5 +
                    • + +
                    • Introduced through: + [DocId: 48] + + input + + spec + + template + + spec + + initContainers[secret-init] + + resources + + limits + + cpu + +
                    • + +
                    • + Line number: 23340 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

                    + +

                    Remediation

                    +

                    Add `resources.limits.cpu` field with required CPU limit value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container has no CPU limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-5 +
                    • + +
                    • Introduced through: + [DocId: 49] + + input + + spec + + template + + spec + + initContainers[copyutil] + + resources + + limits + + cpu + +
                    • + +
                    • + Line number: 23644 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

                    + +

                    Remediation

                    +

                    Add `resources.limits.cpu` field with required CPU limit value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container has no CPU limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-5 +
                    • + +
                    • Introduced through: + [DocId: 49] + + input + + spec + + template + + spec + + containers[argocd-repo-server] + + resources + + limits + + cpu + +
                    • + +
                    • + Line number: 23397 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

                    + +

                    Remediation

                    +

                    Add `resources.limits.cpu` field with required CPU limit value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container has no CPU limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-5 +
                    • + +
                    • Introduced through: + [DocId: 50] + + input + + spec + + template + + spec + + containers[argocd-server] + + resources + + limits + + cpu + +
                    • + +
                    • + Line number: 23729 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

                    + +

                    Remediation

                    +

                    Add `resources.limits.cpu` field with required CPU limit value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container has no CPU limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-5 +
                    • + +
                    • Introduced through: + [DocId: 51] + + input + + spec + + template + + spec + + containers[argocd-application-controller] + + resources + + limits + + cpu + +
                    • + +
                    • + Line number: 24119 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

                    + +

                    Remediation

                    +

                    Add `resources.limits.cpu` field with required CPU limit value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container is running with multiple open ports

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-36 +
                    • + +
                    • Introduced through: + [DocId: 46] + + spec + + template + + spec + + containers[dex] + + ports + +
                    • + +
                    • + Line number: 23131 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Increases the attack surface of the application and the container.

                    + +

                    Remediation

                    +

                    Reduce `ports` count to 2

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container is running without liveness probe

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-41 +
                    • + +
                    • Introduced through: + [DocId: 45] + + spec + + template + + spec + + containers[argocd-applicationset-controller] + + livenessProbe + +
                    • + +
                    • + Line number: 22882 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Kubernetes will not be able to detect if application is able to service requests, and will not restart unhealthy pods

                    + +

                    Remediation

                    +

                    Add `livenessProbe` attribute

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container is running without liveness probe

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-41 +
                    • + +
                    • Introduced through: + [DocId: 46] + + spec + + template + + spec + + containers[dex] + + livenessProbe + +
                    • + +
                    • + Line number: 23105 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Kubernetes will not be able to detect if application is able to service requests, and will not restart unhealthy pods

                    + +

                    Remediation

                    +

                    Add `livenessProbe` attribute

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container is running without liveness probe

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-41 +
                    • + +
                    • Introduced through: + [DocId: 48] + + spec + + template + + spec + + containers[redis] + + livenessProbe + +
                    • + +
                    • + Line number: 23316 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Kubernetes will not be able to detect if application is able to service requests, and will not restart unhealthy pods

                    + +

                    Remediation

                    +

                    Add `livenessProbe` attribute

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container is running without memory limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-4 +
                    • + +
                    • Introduced through: + [DocId: 45] + + input + + spec + + template + + spec + + containers[argocd-applicationset-controller] + + resources + + limits + + memory + +
                    • + +
                    • + Line number: 22882 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Containers without memory limits are more likely to be terminated when the node runs out of memory

                    + +

                    Remediation

                    +

                    Set `resources.limits.memory` value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container is running without memory limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-4 +
                    • + +
                    • Introduced through: + [DocId: 46] + + input + + spec + + template + + spec + + containers[dex] + + resources + + limits + + memory + +
                    • + +
                    • + Line number: 23105 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Containers without memory limits are more likely to be terminated when the node runs out of memory

                    + +

                    Remediation

                    +

                    Set `resources.limits.memory` value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container is running without memory limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-4 +
                    • + +
                    • Introduced through: + [DocId: 46] + + input + + spec + + template + + spec + + initContainers[copyutil] + + resources + + limits + + memory + +
                    • + +
                    • + Line number: 23151 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Containers without memory limits are more likely to be terminated when the node runs out of memory

                    + +

                    Remediation

                    +

                    Set `resources.limits.memory` value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container is running without memory limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-4 +
                    • + +
                    • Introduced through: + [DocId: 47] + + input + + spec + + template + + spec + + containers[argocd-notifications-controller] + + resources + + limits + + memory + +
                    • + +
                    • + Line number: 23211 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Containers without memory limits are more likely to be terminated when the node runs out of memory

                    + +

                    Remediation

                    +

                    Set `resources.limits.memory` value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container is running without memory limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-4 +
                    • + +
                    • Introduced through: + [DocId: 48] + + input + + spec + + template + + spec + + containers[redis] + + resources + + limits + + memory + +
                    • + +
                    • + Line number: 23316 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Containers without memory limits are more likely to be terminated when the node runs out of memory

                    + +

                    Remediation

                    +

                    Set `resources.limits.memory` value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container is running without memory limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-4 +
                    • + +
                    • Introduced through: + [DocId: 48] + + input + + spec + + template + + spec + + initContainers[secret-init] + + resources + + limits + + memory + +
                    • + +
                    • + Line number: 23340 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Containers without memory limits are more likely to be terminated when the node runs out of memory

                    + +

                    Remediation

                    +

                    Set `resources.limits.memory` value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container is running without memory limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-4 +
                    • + +
                    • Introduced through: + [DocId: 49] + + input + + spec + + template + + spec + + initContainers[copyutil] + + resources + + limits + + memory + +
                    • + +
                    • + Line number: 23644 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Containers without memory limits are more likely to be terminated when the node runs out of memory

                    + +

                    Remediation

                    +

                    Set `resources.limits.memory` value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container is running without memory limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-4 +
                    • + +
                    • Introduced through: + [DocId: 49] + + input + + spec + + template + + spec + + containers[argocd-repo-server] + + resources + + limits + + memory + +
                    • + +
                    • + Line number: 23397 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Containers without memory limits are more likely to be terminated when the node runs out of memory

                    + +

                    Remediation

                    +

                    Set `resources.limits.memory` value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container is running without memory limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-4 +
                    • + +
                    • Introduced through: + [DocId: 50] + + input + + spec + + template + + spec + + containers[argocd-server] + + resources + + limits + + memory + +
                    • + +
                    • + Line number: 23729 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Containers without memory limits are more likely to be terminated when the node runs out of memory

                    + +

                    Remediation

                    +

                    Set `resources.limits.memory` value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container is running without memory limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-4 +
                    • + +
                    • Introduced through: + [DocId: 51] + + input + + spec + + template + + spec + + containers[argocd-application-controller] + + resources + + limits + + memory + +
                    • + +
                    • + Line number: 24119 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Containers without memory limits are more likely to be terminated when the node runs out of memory

                    + +

                    Remediation

                    +

                    Set `resources.limits.memory` value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container's or Pod's UID could clash with host's UID

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-11 +
                    • + +
                    • Introduced through: + [DocId: 45] + + input + + spec + + template + + spec + + containers[argocd-applicationset-controller] + + securityContext + + runAsUser + +
                    • + +
                    • + Line number: 23029 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

                    + +

                    Remediation

                    +

                    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container's or Pod's UID could clash with host's UID

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-11 +
                    • + +
                    • Introduced through: + [DocId: 46] + + input + + spec + + template + + spec + + initContainers[copyutil] + + securityContext + + runAsUser + +
                    • + +
                    • + Line number: 23159 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

                    + +

                    Remediation

                    +

                    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container's or Pod's UID could clash with host's UID

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-11 +
                    • + +
                    • Introduced through: + [DocId: 46] + + input + + spec + + template + + spec + + containers[dex] + + securityContext + + runAsUser + +
                    • + +
                    • + Line number: 23134 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

                    + +

                    Remediation

                    +

                    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container's or Pod's UID could clash with host's UID

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-11 +
                    • + +
                    • Introduced through: + [DocId: 47] + + input + + spec + + template + + spec + + containers[argocd-notifications-controller] + + securityContext + + runAsUser + +
                    • + +
                    • + Line number: 23250 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

                    + +

                    Remediation

                    +

                    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container's or Pod's UID could clash with host's UID

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-11 +
                    • + +
                    • Introduced through: + [DocId: 48] + + input + + spec + + template + + spec + + containers[redis] + + securityContext + + runAsUser + +
                    • + +
                    • + Line number: 23333 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

                    + +

                    Remediation

                    +

                    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container's or Pod's UID could clash with host's UID

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-11 +
                    • + +
                    • Introduced through: + [DocId: 48] + + input + + spec + + template + + spec + + initContainers[secret-init] + + securityContext + + runAsUser + +
                    • + +
                    • + Line number: 23347 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

                    + +

                    Remediation

                    +

                    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container's or Pod's UID could clash with host's UID

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-11 +
                    • + +
                    • Introduced through: + [DocId: 49] + + input + + spec + + template + + spec + + initContainers[copyutil] + + securityContext + + runAsUser + +
                    • + +
                    • + Line number: 23651 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

                    + +

                    Remediation

                    +

                    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container's or Pod's UID could clash with host's UID

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-11 +
                    • + +
                    • Introduced through: + [DocId: 49] + + input + + spec + + template + + spec + + containers[argocd-repo-server] + + securityContext + + runAsUser + +
                    • + +
                    • + Line number: 23617 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

                    + +

                    Remediation

                    +

                    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container's or Pod's UID could clash with host's UID

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-11 +
                    • + +
                    • Introduced through: + [DocId: 50] + + input + + spec + + template + + spec + + containers[argocd-server] + + securityContext + + runAsUser + +
                    • + +
                    • + Line number: 24020 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

                    + +

                    Remediation

                    +

                    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container's or Pod's UID could clash with host's UID

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-11 +
                    • + +
                    • Introduced through: + [DocId: 51] + + input + + spec + + template + + spec + + containers[argocd-application-controller] + + securityContext + + runAsUser + +
                    • + +
                    • + Line number: 24320 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

                    + +

                    Remediation

                    +

                    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

                    + + +
                    +
                    + + + +
                    +
                    +
                    + +
                    + + + diff --git a/docs/snyk/v2.13.0-rc2/argocd-iac-namespace-install.html b/docs/snyk/v2.13.0-rc2/argocd-iac-namespace-install.html new file mode 100644 index 0000000000000..ecec28af1a8cd --- /dev/null +++ b/docs/snyk/v2.13.0-rc2/argocd-iac-namespace-install.html @@ -0,0 +1,2845 @@ + + + + + + + + + Snyk test report + + + + + + + + + +
                    +
                    +
                    +
                    + + + Snyk - Open Source Security + + + + + + + +
                    +

                    Snyk test report

                    + +

                    September 22nd 2024, 12:23:32 am (UTC+00:00)

                    +
                    +
                    + Scanned the following path: +
                      +
                    • /argo-cd/manifests/namespace-install.yaml (Kubernetes)
                    • +
                    +
                    + +
                    +
                    43 total issues
                    +
                    +
                    +
                    +
                    + +
                    + + + + + + +
                    Project manifests/namespace-install.yaml
                    Path /argo-cd/manifests/namespace-install.yaml
                    Project Type Kubernetes
                    +
                    +
                    +
                    +

                    Role or ClusterRole with dangerous permissions

                    +
                    + +
                    + medium severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-47 +
                    • + +
                    • Introduced through: + [DocId: 7] + + rules[0] + + resources + +
                    • + +
                    • + Line number: 77 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

                    + +

                    Remediation

                    +

                    Consider removing these permissions

                    + + +
                    +
                    + + + +
                    +
                    +

                    Role or ClusterRole with dangerous permissions

                    +
                    + +
                    + medium severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-47 +
                    • + +
                    • Introduced through: + [DocId: 8] + + rules[4] + + resources + +
                    • + +
                    • + Line number: 164 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

                    + +

                    Remediation

                    +

                    Consider removing these permissions

                    + + +
                    +
                    + + + +
                    +
                    +

                    Role or ClusterRole with dangerous permissions

                    +
                    + +
                    + medium severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-47 +
                    • + +
                    • Introduced through: + [DocId: 9] + + rules[0] + + resources + +
                    • + +
                    • + Line number: 192 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

                    + +

                    Remediation

                    +

                    Consider removing these permissions

                    + + +
                    +
                    + + + +
                    +
                    +

                    Role or ClusterRole with dangerous permissions

                    +
                    + +
                    + medium severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-47 +
                    • + +
                    • Introduced through: + [DocId: 10] + + rules[1] + + resources + +
                    • + +
                    • + Line number: 222 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

                    + +

                    Remediation

                    +

                    Consider removing these permissions

                    + + +
                    +
                    + + + +
                    +
                    +

                    Role or ClusterRole with dangerous permissions

                    +
                    + +
                    + medium severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-47 +
                    • + +
                    • Introduced through: + [DocId: 10] + + rules[3] + + resources + +
                    • + +
                    • + Line number: 240 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

                    + +

                    Remediation

                    +

                    Consider removing these permissions

                    + + +
                    +
                    + + + +
                    +
                    +

                    Role or ClusterRole with dangerous permissions

                    +
                    + +
                    + medium severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-47 +
                    • + +
                    • Introduced through: + [DocId: 11] + + rules[0] + + resources + +
                    • + +
                    • + Line number: 258 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

                    + +

                    Remediation

                    +

                    Consider removing these permissions

                    + + +
                    +
                    + + + +
                    +
                    +

                    Role or ClusterRole with dangerous permissions

                    +
                    + +
                    + medium severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-47 +
                    • + +
                    • Introduced through: + [DocId: 12] + + rules[0] + + resources + +
                    • + +
                    • + Line number: 280 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

                    + +

                    Remediation

                    +

                    Consider removing these permissions

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container could be running with outdated image

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-42 +
                    • + +
                    • Introduced through: + [DocId: 39] + + spec + + template + + spec + + initContainers[secret-init] + + imagePullPolicy + +
                    • + +
                    • + Line number: 1138 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    The container may run with outdated or unauthorized image

                    + +

                    Remediation

                    +

                    Set `imagePullPolicy` attribute to `Always`

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container could be running with outdated image

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-42 +
                    • + +
                    • Introduced through: + [DocId: 40] + + spec + + template + + spec + + initContainers[copyutil] + + imagePullPolicy + +
                    • + +
                    • + Line number: 1437 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    The container may run with outdated or unauthorized image

                    + +

                    Remediation

                    +

                    Set `imagePullPolicy` attribute to `Always`

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container has no CPU limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-5 +
                    • + +
                    • Introduced through: + [DocId: 36] + + input + + spec + + template + + spec + + containers[argocd-applicationset-controller] + + resources + + limits + + cpu + +
                    • + +
                    • + Line number: 675 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

                    + +

                    Remediation

                    +

                    Add `resources.limits.cpu` field with required CPU limit value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container has no CPU limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-5 +
                    • + +
                    • Introduced through: + [DocId: 37] + + input + + spec + + template + + spec + + initContainers[copyutil] + + resources + + limits + + cpu + +
                    • + +
                    • + Line number: 944 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

                    + +

                    Remediation

                    +

                    Add `resources.limits.cpu` field with required CPU limit value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container has no CPU limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-5 +
                    • + +
                    • Introduced through: + [DocId: 37] + + input + + spec + + template + + spec + + containers[dex] + + resources + + limits + + cpu + +
                    • + +
                    • + Line number: 898 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

                    + +

                    Remediation

                    +

                    Add `resources.limits.cpu` field with required CPU limit value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container has no CPU limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-5 +
                    • + +
                    • Introduced through: + [DocId: 38] + + input + + spec + + template + + spec + + containers[argocd-notifications-controller] + + resources + + limits + + cpu + +
                    • + +
                    • + Line number: 1004 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

                    + +

                    Remediation

                    +

                    Add `resources.limits.cpu` field with required CPU limit value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container has no CPU limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-5 +
                    • + +
                    • Introduced through: + [DocId: 39] + + input + + spec + + template + + spec + + containers[redis] + + resources + + limits + + cpu + +
                    • + +
                    • + Line number: 1109 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

                    + +

                    Remediation

                    +

                    Add `resources.limits.cpu` field with required CPU limit value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container has no CPU limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-5 +
                    • + +
                    • Introduced through: + [DocId: 39] + + input + + spec + + template + + spec + + initContainers[secret-init] + + resources + + limits + + cpu + +
                    • + +
                    • + Line number: 1133 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

                    + +

                    Remediation

                    +

                    Add `resources.limits.cpu` field with required CPU limit value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container has no CPU limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-5 +
                    • + +
                    • Introduced through: + [DocId: 40] + + input + + spec + + template + + spec + + initContainers[copyutil] + + resources + + limits + + cpu + +
                    • + +
                    • + Line number: 1437 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

                    + +

                    Remediation

                    +

                    Add `resources.limits.cpu` field with required CPU limit value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container has no CPU limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-5 +
                    • + +
                    • Introduced through: + [DocId: 40] + + input + + spec + + template + + spec + + containers[argocd-repo-server] + + resources + + limits + + cpu + +
                    • + +
                    • + Line number: 1190 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

                    + +

                    Remediation

                    +

                    Add `resources.limits.cpu` field with required CPU limit value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container has no CPU limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-5 +
                    • + +
                    • Introduced through: + [DocId: 41] + + input + + spec + + template + + spec + + containers[argocd-server] + + resources + + limits + + cpu + +
                    • + +
                    • + Line number: 1522 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

                    + +

                    Remediation

                    +

                    Add `resources.limits.cpu` field with required CPU limit value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container has no CPU limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-5 +
                    • + +
                    • Introduced through: + [DocId: 42] + + input + + spec + + template + + spec + + containers[argocd-application-controller] + + resources + + limits + + cpu + +
                    • + +
                    • + Line number: 1912 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

                    + +

                    Remediation

                    +

                    Add `resources.limits.cpu` field with required CPU limit value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container is running with multiple open ports

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-36 +
                    • + +
                    • Introduced through: + [DocId: 37] + + spec + + template + + spec + + containers[dex] + + ports + +
                    • + +
                    • + Line number: 924 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Increases the attack surface of the application and the container.

                    + +

                    Remediation

                    +

                    Reduce `ports` count to 2

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container is running without liveness probe

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-41 +
                    • + +
                    • Introduced through: + [DocId: 36] + + spec + + template + + spec + + containers[argocd-applicationset-controller] + + livenessProbe + +
                    • + +
                    • + Line number: 675 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Kubernetes will not be able to detect if application is able to service requests, and will not restart unhealthy pods

                    + +

                    Remediation

                    +

                    Add `livenessProbe` attribute

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container is running without liveness probe

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-41 +
                    • + +
                    • Introduced through: + [DocId: 37] + + spec + + template + + spec + + containers[dex] + + livenessProbe + +
                    • + +
                    • + Line number: 898 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Kubernetes will not be able to detect if application is able to service requests, and will not restart unhealthy pods

                    + +

                    Remediation

                    +

                    Add `livenessProbe` attribute

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container is running without liveness probe

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-41 +
                    • + +
                    • Introduced through: + [DocId: 39] + + spec + + template + + spec + + containers[redis] + + livenessProbe + +
                    • + +
                    • + Line number: 1109 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Kubernetes will not be able to detect if application is able to service requests, and will not restart unhealthy pods

                    + +

                    Remediation

                    +

                    Add `livenessProbe` attribute

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container is running without memory limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-4 +
                    • + +
                    • Introduced through: + [DocId: 36] + + input + + spec + + template + + spec + + containers[argocd-applicationset-controller] + + resources + + limits + + memory + +
                    • + +
                    • + Line number: 675 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Containers without memory limits are more likely to be terminated when the node runs out of memory

                    + +

                    Remediation

                    +

                    Set `resources.limits.memory` value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container is running without memory limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-4 +
                    • + +
                    • Introduced through: + [DocId: 37] + + input + + spec + + template + + spec + + containers[dex] + + resources + + limits + + memory + +
                    • + +
                    • + Line number: 898 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Containers without memory limits are more likely to be terminated when the node runs out of memory

                    + +

                    Remediation

                    +

                    Set `resources.limits.memory` value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container is running without memory limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-4 +
                    • + +
                    • Introduced through: + [DocId: 37] + + input + + spec + + template + + spec + + initContainers[copyutil] + + resources + + limits + + memory + +
                    • + +
                    • + Line number: 944 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Containers without memory limits are more likely to be terminated when the node runs out of memory

                    + +

                    Remediation

                    +

                    Set `resources.limits.memory` value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container is running without memory limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-4 +
                    • + +
                    • Introduced through: + [DocId: 38] + + input + + spec + + template + + spec + + containers[argocd-notifications-controller] + + resources + + limits + + memory + +
                    • + +
                    • + Line number: 1004 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Containers without memory limits are more likely to be terminated when the node runs out of memory

                    + +

                    Remediation

                    +

                    Set `resources.limits.memory` value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container is running without memory limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-4 +
                    • + +
                    • Introduced through: + [DocId: 39] + + input + + spec + + template + + spec + + containers[redis] + + resources + + limits + + memory + +
                    • + +
                    • + Line number: 1109 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Containers without memory limits are more likely to be terminated when the node runs out of memory

                    + +

                    Remediation

                    +

                    Set `resources.limits.memory` value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container is running without memory limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-4 +
                    • + +
                    • Introduced through: + [DocId: 39] + + input + + spec + + template + + spec + + initContainers[secret-init] + + resources + + limits + + memory + +
                    • + +
                    • + Line number: 1133 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Containers without memory limits are more likely to be terminated when the node runs out of memory

                    + +

                    Remediation

                    +

                    Set `resources.limits.memory` value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container is running without memory limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-4 +
                    • + +
                    • Introduced through: + [DocId: 40] + + input + + spec + + template + + spec + + initContainers[copyutil] + + resources + + limits + + memory + +
                    • + +
                    • + Line number: 1437 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Containers without memory limits are more likely to be terminated when the node runs out of memory

                    + +

                    Remediation

                    +

                    Set `resources.limits.memory` value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container is running without memory limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-4 +
                    • + +
                    • Introduced through: + [DocId: 40] + + input + + spec + + template + + spec + + containers[argocd-repo-server] + + resources + + limits + + memory + +
                    • + +
                    • + Line number: 1190 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Containers without memory limits are more likely to be terminated when the node runs out of memory

                    + +

                    Remediation

                    +

                    Set `resources.limits.memory` value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container is running without memory limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-4 +
                    • + +
                    • Introduced through: + [DocId: 41] + + input + + spec + + template + + spec + + containers[argocd-server] + + resources + + limits + + memory + +
                    • + +
                    • + Line number: 1522 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Containers without memory limits are more likely to be terminated when the node runs out of memory

                    + +

                    Remediation

                    +

                    Set `resources.limits.memory` value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container is running without memory limit

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-4 +
                    • + +
                    • Introduced through: + [DocId: 42] + + input + + spec + + template + + spec + + containers[argocd-application-controller] + + resources + + limits + + memory + +
                    • + +
                    • + Line number: 1912 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    Containers without memory limits are more likely to be terminated when the node runs out of memory

                    + +

                    Remediation

                    +

                    Set `resources.limits.memory` value

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container's or Pod's UID could clash with host's UID

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-11 +
                    • + +
                    • Introduced through: + [DocId: 36] + + input + + spec + + template + + spec + + containers[argocd-applicationset-controller] + + securityContext + + runAsUser + +
                    • + +
                    • + Line number: 822 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

                    + +

                    Remediation

                    +

                    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container's or Pod's UID could clash with host's UID

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-11 +
                    • + +
                    • Introduced through: + [DocId: 37] + + input + + spec + + template + + spec + + initContainers[copyutil] + + securityContext + + runAsUser + +
                    • + +
                    • + Line number: 952 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

                    + +

                    Remediation

                    +

                    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container's or Pod's UID could clash with host's UID

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-11 +
                    • + +
                    • Introduced through: + [DocId: 37] + + input + + spec + + template + + spec + + containers[dex] + + securityContext + + runAsUser + +
                    • + +
                    • + Line number: 927 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

                    + +

                    Remediation

                    +

                    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container's or Pod's UID could clash with host's UID

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-11 +
                    • + +
                    • Introduced through: + [DocId: 38] + + input + + spec + + template + + spec + + containers[argocd-notifications-controller] + + securityContext + + runAsUser + +
                    • + +
                    • + Line number: 1043 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

                    + +

                    Remediation

                    +

                    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container's or Pod's UID could clash with host's UID

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-11 +
                    • + +
                    • Introduced through: + [DocId: 39] + + input + + spec + + template + + spec + + containers[redis] + + securityContext + + runAsUser + +
                    • + +
                    • + Line number: 1126 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

                    + +

                    Remediation

                    +

                    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container's or Pod's UID could clash with host's UID

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-11 +
                    • + +
                    • Introduced through: + [DocId: 39] + + input + + spec + + template + + spec + + initContainers[secret-init] + + securityContext + + runAsUser + +
                    • + +
                    • + Line number: 1140 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

                    + +

                    Remediation

                    +

                    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container's or Pod's UID could clash with host's UID

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-11 +
                    • + +
                    • Introduced through: + [DocId: 40] + + input + + spec + + template + + spec + + initContainers[copyutil] + + securityContext + + runAsUser + +
                    • + +
                    • + Line number: 1444 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

                    + +

                    Remediation

                    +

                    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container's or Pod's UID could clash with host's UID

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-11 +
                    • + +
                    • Introduced through: + [DocId: 40] + + input + + spec + + template + + spec + + containers[argocd-repo-server] + + securityContext + + runAsUser + +
                    • + +
                    • + Line number: 1410 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

                    + +

                    Remediation

                    +

                    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container's or Pod's UID could clash with host's UID

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-11 +
                    • + +
                    • Introduced through: + [DocId: 41] + + input + + spec + + template + + spec + + containers[argocd-server] + + securityContext + + runAsUser + +
                    • + +
                    • + Line number: 1813 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

                    + +

                    Remediation

                    +

                    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

                    + + +
                    +
                    + + + +
                    +
                    +

                    Container's or Pod's UID could clash with host's UID

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Public ID: SNYK-CC-K8S-11 +
                    • + +
                    • Introduced through: + [DocId: 42] + + input + + spec + + template + + spec + + containers[argocd-application-controller] + + securityContext + + runAsUser + +
                    • + +
                    • + Line number: 2113 +
                    • +
                    + +
                    + +

                    Impact

                    +

                    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

                    + +

                    Remediation

                    +

                    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

                    + + +
                    +
                    + + + +
                    +
                    +
                    + +
                    + + +
                    diff --git a/docs/snyk/v2.13.0-rc2/argocd-test.html b/docs/snyk/v2.13.0-rc2/argocd-test.html
                    new file mode 100644
                    index 0000000000000..339b8e739fba1
                    --- /dev/null
                    +++ b/docs/snyk/v2.13.0-rc2/argocd-test.html
                    @@ -0,0 +1,745 @@
                    + + + + + + + + + Snyk test report + + + + + + + + + +
                    +
                    +
                    +
                    + + + Snyk - Open Source Security + + + + + + + +
                    +

                    Snyk test report

                    + +

                    September 22nd 2024, 12:21:26 am (UTC+00:00)

                    +
                    +
                    + Scanned the following paths: +
                      +
                    • /argo-cd/argoproj/argo-cd/v2/go.mod (gomodules)
                    • +
                    • /argo-cd/ui/yarn.lock (yarn)
                    • +
                    +
                    + +
                    +
                    2 known vulnerabilities
                    +
                    4 vulnerable dependency paths
                    +
                    2132 dependencies
                    +
                    +
                    +
                    +
                    + +
                    +
                    +
                    +

                    Regular Expression Denial of Service (ReDoS)

                    +
                    + +
                    + medium severity +
                    + +
                    + +
                      +
                    • + Manifest file: /argo-cd ui/yarn.lock +
                    • +
                    • + Package Manager: npm +
                    • +
                    • + Vulnerable module: + + path-to-regexp +
                    • + +
                    • Introduced through: + + + argo-cd-ui@1.0.0, react-router@4.3.1 and others +
                    • +
                    + +
                    + + +

                    Detailed paths

                    + +
                      +
                    • + Introduced through: + argo-cd-ui@1.0.0 + + react-router@4.3.1 + + path-to-regexp@1.8.0 + + + +
                    • +
                    • + Introduced through: + argo-cd-ui@1.0.0 + + react-router-dom@4.3.1 + + react-router@4.3.1 + + path-to-regexp@1.8.0 + + + +
                    • +
                    • + Introduced through: + argo-cd-ui@1.0.0 + + argo-ui@1.0.0 + + react-router-dom@4.3.1 + + react-router@4.3.1 + + path-to-regexp@1.8.0 + + + +
                    • +
                    + +
                    + +
                    + +

                    Overview

                    +

                    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when including multiple regular expression parameters in a single segment, which will produce the regular expression /^\/([^\/]+?)-([^\/]+?)\/?$/, if two parameters within a single segment are separated by a character other than a / or .. Poor performance will block the event loop and can lead to a DoS.

                    +

                    Note: + While the 8.0.0 release has completely eliminated the vulnerable functionality, prior versions that have received the patch to mitigate backtracking may still be vulnerable if custom regular expressions are used. So it is strongly recommended for regular expression input to be controlled to avoid malicious performance degradation in those versions. This behavior is enforced as of version 7.1.0 via the strict option, which returns an error if a dangerous regular expression is detected.

                    +

                    Workaround

                    +

                    This vulnerability can be avoided by using a custom regular expression for parameters after the first in a segment, which excludes - and /.

                    +

                    PoC

                    +
                    /a${'-a'.repeat(8_000)}/a
                    +        
                    +

                    Details

                    +

                    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

                    +

                    The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

                    +

                    Let’s take the following regular expression as an example:

                    +
                    regex = /A(B|C+)+D/
                    +        
                    +

                    This regular expression accomplishes the following:

                    +
                      +
                    • A The string must start with the letter 'A'
                    • +
                    • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
                    • +
                    • D Finally, we ensure this section of the string ends with a 'D'
                    • +
                    +

                    The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

                    +

                    It most cases, it doesn't take very long for a regex engine to find a match:

                    +
                    $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
                    +        0.04s user 0.01s system 95% cpu 0.052 total
                    +        
                    +        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
                    +        1.79s user 0.02s system 99% cpu 1.812 total
                    +        
                    +

                    The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

                    +

                    Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

                    +

                    Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

                    +
                      +
                    1. CCC
                    2. +
                    3. CC+C
                    4. +
                    5. C+CC
                    6. +
                    7. C+C+C.
                    8. +
                    +

                    The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

                    +

                    From there, the number of steps the engine must use to validate a string just continues to grow.

                    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                    StringNumber of C'sNumber of steps
                    ACCCX338
                    ACCCCX471
                    ACCCCCX5136
                    ACCCCCCCCCCCCCCX1465,553
                    +

                    By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

                    +

                    Remediation

                    +

                    Upgrade path-to-regexp to version 0.1.10, 1.9.0, 3.3.0, 6.3.0, 8.0.0 or higher.

                    +

                    References

                    + + +
                    + + + +
                    +
                    +

                    Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

                    +
                    + +
                    + medium severity +
                    + +
                    + +
                      +
                    • + Manifest file: /argo-cd/argoproj/argo-cd/v2 go.mod +
                    • +
                    • + Package Manager: golang +
                    • +
                    • + Vulnerable module: + + github.com/Azure/azure-sdk-for-go/sdk/azidentity +
                    • + +
                    • Introduced through: + + + github.com/argoproj/argo-cd/v2@0.0.0, github.com/Azure/kubelogin/pkg/token@0.0.20 and others +
                    • +
                    + +
                    + + +

                    Detailed paths

                    + +
                      +
                    • + Introduced through: + github.com/argoproj/argo-cd/v2@0.0.0 + + github.com/Azure/kubelogin/pkg/token@0.0.20 + + github.com/Azure/azure-sdk-for-go/sdk/azidentity@1.1.0 + + + +
                    • +
                    + +
                    + +
                    + +

                    Overview

                    +

                    github.com/Azure/azure-sdk-for-go/sdk/azidentity is a module that provides Microsoft Entra ID (formerly Azure Active Directory) token authentication support across the Azure SDK. It includes a set of TokenCredential implementations, which can be used with Azure SDK clients supporting token authentication.

                    +

                    Affected versions of this package are vulnerable to Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in the authentication process. An attacker can elevate privileges by exploiting race conditions during the token validation steps. This is only exploitable if the application is configured to use multiple threads or processes for handling authentication requests.

                    +

                    Notes:

                    +
                      +
                    1. An attacker who successfully exploited the vulnerability could elevate privileges and read any file on the file system with SYSTEM access permissions;

                      +
                    2. +
                    3. An attacker who successfully exploits this vulnerability can only obtain read access to the system files by exploiting this vulnerability. The attacker cannot perform write or delete operations on the files;

                      +
                    4. +
                    5. The vulnerability exists in the following credential types: DefaultAzureCredential and ManagedIdentityCredential;

                      +
                    6. +
                    7. The vulnerability exists in the following credential types:

                      +
                    8. +
                    +

                    ManagedIdentityApplication (.NET)

                    +

                    ManagedIdentityApplication (Java)

                    +

                    ManagedIdentityApplication (Node.js)

                    +

                    Remediation

                    +

                    Upgrade github.com/Azure/azure-sdk-for-go/sdk/azidentity to version 1.6.0 or higher.

                    +

                    References

                    + + +
                    + + + +
                    +
                    +
                    +
                    + + +
                    diff --git a/docs/snyk/v2.13.0-rc2/ghcr.io_dexidp_dex_v2.41.1.html b/docs/snyk/v2.13.0-rc2/ghcr.io_dexidp_dex_v2.41.1.html
                    new file mode 100644
                    index 0000000000000..6a121eec05819
                    --- /dev/null
                    +++ b/docs/snyk/v2.13.0-rc2/ghcr.io_dexidp_dex_v2.41.1.html
                    @@ -0,0 +1,709 @@
                    + + + + + + + + + Snyk test report + + + + + + + + + +
                    +
                    +
                    +
                    + + + Snyk - Open Source Security + + + + + + + +
                    +

                    Snyk test report

                    + +

                    September 22nd 2024, 12:21:32 am (UTC+00:00)

                    +
                    +
                    + Scanned the following paths: +
                      +
                    • ghcr.io/dexidp/dex:v2.41.1/dexidp/dex (apk)
                    • +
                    • ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4//usr/local/bin/gomplate (gomodules)
                    • +
                    • ghcr.io/dexidp/dex:v2.41.1/dexidp/dex//usr/local/bin/docker-entrypoint (gomodules)
                    • +
                    • ghcr.io/dexidp/dex:v2.41.1/dexidp/dex//usr/local/bin/dex (gomodules)
                    • +
                    +
                    + +
                    +
                    2 known vulnerabilities
                    +
                    8 vulnerable dependency paths
                    +
                    969 dependencies
                    +
                    +
                    +
                    +
                    + +
                    +
                    +
                    +

                    Insertion of Sensitive Information into Log File

                    +
                    + +
                    + medium severity +
                    + +
                    + +
                      +
                    • + Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
                    • +
                    • + Package Manager: golang +
                    • +
                    • + Vulnerable module: + + google.golang.org/grpc/metadata +
                    • + +
                    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and google.golang.org/grpc/metadata@v1.64.0 + +
                    • +
                    + +
                    + + +

                    Detailed paths

                    + +
                      +
                    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + google.golang.org/grpc/metadata@v1.64.0 + + + +
                    • +
                    + +
                    + +
                    + +

                    Overview

                    +

                    google.golang.org/grpc/metadata is a package that defines the structure of the metadata supported by the gRPC library

                    +

                    Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the form of gRPC metadata. If the metadata contains sensitive information an attacker can expose it.

                    +

                    Remediation

                    +

                    Upgrade google.golang.org/grpc/metadata to version 1.64.1 or higher.

                    +

                    References

                    + + +
                    + + + +
                    +
                    +

                    CVE-2024-6119

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Package Manager: alpine:3.20 +
                    • +
                    • + Vulnerable module: + + openssl/libcrypto3 +
                    • + +
                    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.41.1 and openssl/libcrypto3@3.3.1-r3 + +
                    • +
                    + +
                    + + +

                    Detailed paths

                    + +
                      +
                    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.41.1 + + openssl/libcrypto3@3.3.1-r3 + + + +
                    • +
                    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.41.1 + + apk-tools/apk-tools@2.14.4-r0 + + openssl/libcrypto3@3.3.1-r3 + + + +
                    • +
                    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.41.1 + + busybox/ssl_client@1.36.1-r29 + + openssl/libcrypto3@3.3.1-r3 + + + +
                    • +
                    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.41.1 + + apk-tools/apk-tools@2.14.4-r0 + + openssl/libssl3@3.3.1-r3 + + openssl/libcrypto3@3.3.1-r3 + + + +
                    • +
                    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.41.1 + + openssl/libssl3@3.3.1-r3 + + + +
                    • +
                    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.41.1 + + apk-tools/apk-tools@2.14.4-r0 + + openssl/libssl3@3.3.1-r3 + + + +
                    • +
                    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.41.1 + + busybox/ssl_client@1.36.1-r29 + + openssl/libssl3@3.3.1-r3 + + + +
                    • +
                    + +
                    + +
                    + +

                    NVD Description

                    +

                    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.20 relevant fixed versions and status.

                    +

                    Issue summary: Applications performing certificate name checks (e.g., TLS + clients checking server certificates) may attempt to read an invalid memory + address resulting in abnormal termination of the application process.

                    +

                    Impact summary: Abnormal termination of an application can a cause a denial of + service.

                    +

                    Applications performing certificate name checks (e.g., TLS clients checking + server certificates) may attempt to read an invalid memory address when + comparing the expected name with an otherName subject alternative name of an + X.509 certificate. This may result in an exception that terminates the + application program.

                    +

                    Note that basic certificate chain validation (signatures, dates, ...) is not + affected, the denial of service can occur only when the application also + specifies an expected DNS name, Email address or IP address.

                    +

                    TLS servers rarely solicit client certificates, and even when they do, they + generally don't perform a name check against a reference identifier (expected + identity), but rather extract the presented identity after checking the + certificate chain. So TLS servers are generally not affected and the severity + of the issue is Moderate.

                    +

                    The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

                    +

                    Remediation

                    +

                    Upgrade Alpine:3.20 openssl to version 3.3.2-r0 or higher.

                    +

                    References

                    + + +
                    + + + +
                    +
                    +
                    +
                    + + + diff --git a/docs/snyk/v2.13.0-rc2/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html b/docs/snyk/v2.13.0-rc2/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html new file mode 100644 index 0000000000000..8197e5ec4909e --- /dev/null +++ b/docs/snyk/v2.13.0-rc2/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html @@ -0,0 +1,1305 @@ + + + + + + + + + Snyk test report + + + + + + + + + +
                    +
                    +
                    +
                    + + + Snyk - Open Source Security + + + + + + + +
                    +

                    Snyk test report

                    + +

                    September 22nd 2024, 12:21:37 am (UTC+00:00)

                    +
                    +
                    + Scanned the following path: +
                      +
                    • public.ecr.aws/docker/library/haproxy:2.6.17-alpine/docker/library/haproxy (apk)
                    • +
                    +
                    + +
                    +
                    5 known vulnerabilities
                    +
                    42 vulnerable dependency paths
                    +
                    18 dependencies
                    +
                    +
                    +
                    +
                    +
                    + + + + + + + +
                    Project docker-image|public.ecr.aws/docker/library/haproxy
                    Path public.ecr.aws/docker/library/haproxy:2.6.17-alpine/docker/library/haproxy
                    Package Manager apk
                    +
                    +
                    +
                    +
                    +

                    Use After Free

                    +
                    + +
                    + medium severity +
                    + +
                    + +
                      +
                    • + Package Manager: alpine:3.20 +
                    • +
                    • + Vulnerable module: + + busybox/busybox +
                    • + +
                    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine and busybox/busybox@1.36.1-r28 + +
                    • +
                    + +
                    + + +

                    Detailed paths

                    + +
                      +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + busybox/busybox@1.36.1-r28 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + alpine-baselayout/alpine-baselayout@3.6.5-r0 + + busybox/busybox-binsh@1.36.1-r28 + + busybox/busybox@1.36.1-r28 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + busybox/busybox-binsh@1.36.1-r28 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + alpine-baselayout/alpine-baselayout@3.6.5-r0 + + busybox/busybox-binsh@1.36.1-r28 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + ca-certificates/ca-certificates@20240226-r0 + + busybox/busybox-binsh@1.36.1-r28 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + busybox/ssl_client@1.36.1-r28 + + + +
                    • +
                    + +
                    + +
                    + +

                    NVD Description

                    +

                    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. + See How to fix? for Alpine:3.20 relevant fixed versions and status.

                    +

                    A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.

                    +

                    Remediation

                    +

                    Upgrade Alpine:3.20 busybox to version 1.36.1-r29 or higher.

                    +

                    References

                    + + +
                    + + + +
                    +
                    +

                    Use After Free

                    +
                    + +
                    + medium severity +
                    + +
                    + +
                      +
                    • + Package Manager: alpine:3.20 +
                    • +
                    • + Vulnerable module: + + busybox/busybox +
                    • + +
                    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine and busybox/busybox@1.36.1-r28 + +
                    • +
                    + +
                    + + +

                    Detailed paths

                    + +
                      +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + busybox/busybox@1.36.1-r28 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + alpine-baselayout/alpine-baselayout@3.6.5-r0 + + busybox/busybox-binsh@1.36.1-r28 + + busybox/busybox@1.36.1-r28 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + busybox/busybox-binsh@1.36.1-r28 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + alpine-baselayout/alpine-baselayout@3.6.5-r0 + + busybox/busybox-binsh@1.36.1-r28 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + ca-certificates/ca-certificates@20240226-r0 + + busybox/busybox-binsh@1.36.1-r28 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + busybox/ssl_client@1.36.1-r28 + + + +
                    • +
                    + +
                    + +
                    + +

                    NVD Description

                    +

                    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. + See How to fix? for Alpine:3.20 relevant fixed versions and status.

                    +

                    A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function.

                    +

                    Remediation

                    +

                    Upgrade Alpine:3.20 busybox to version 1.36.1-r29 or higher.

                    +

                    References

                    + + +
                    + + + +
                    +
                    +

                    CVE-2024-4741

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Package Manager: alpine:3.20 +
                    • +
                    • + Vulnerable module: + + openssl/libcrypto3 +
                    • + +
                    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine and openssl/libcrypto3@3.3.0-r2 + +
                    • +
                    + +
                    + + +

                    Detailed paths

                    + +
                      +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + openssl/libcrypto3@3.3.0-r2 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + .haproxy-rundeps@20240524.005458 + + openssl/libcrypto3@3.3.0-r2 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + apk-tools/apk-tools@2.14.4-r0 + + openssl/libcrypto3@3.3.0-r2 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + busybox/ssl_client@1.36.1-r28 + + openssl/libcrypto3@3.3.0-r2 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + ca-certificates/ca-certificates@20240226-r0 + + openssl/libcrypto3@3.3.0-r2 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + .haproxy-rundeps@20240524.005458 + + openssl/libssl3@3.3.0-r2 + + openssl/libcrypto3@3.3.0-r2 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + openssl/libssl3@3.3.0-r2 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + .haproxy-rundeps@20240524.005458 + + openssl/libssl3@3.3.0-r2 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + apk-tools/apk-tools@2.14.4-r0 + + openssl/libssl3@3.3.0-r2 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + busybox/ssl_client@1.36.1-r28 + + openssl/libssl3@3.3.0-r2 + + + +
                    • +
                    + +
                    + +
                    + +

                    NVD Description

                    +

                    This vulnerability has not been analyzed by NVD yet.

                    +

                    Remediation

                    +

                    Upgrade Alpine:3.20 openssl to version 3.3.0-r3 or higher.

                    + +
                    + + + +
                    +
                    +

                    CVE-2024-5535

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Package Manager: alpine:3.20 +
                    • +
                    • + Vulnerable module: + + openssl/libcrypto3 +
                    • + +
                    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine and openssl/libcrypto3@3.3.0-r2 + +
                    • +
                    + +
                    + + +

                    Detailed paths

                    + +
                      +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + openssl/libcrypto3@3.3.0-r2 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + .haproxy-rundeps@20240524.005458 + + openssl/libcrypto3@3.3.0-r2 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + apk-tools/apk-tools@2.14.4-r0 + + openssl/libcrypto3@3.3.0-r2 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + busybox/ssl_client@1.36.1-r28 + + openssl/libcrypto3@3.3.0-r2 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + ca-certificates/ca-certificates@20240226-r0 + + openssl/libcrypto3@3.3.0-r2 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + .haproxy-rundeps@20240524.005458 + + openssl/libssl3@3.3.0-r2 + + openssl/libcrypto3@3.3.0-r2 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + openssl/libssl3@3.3.0-r2 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + .haproxy-rundeps@20240524.005458 + + openssl/libssl3@3.3.0-r2 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + apk-tools/apk-tools@2.14.4-r0 + + openssl/libssl3@3.3.0-r2 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + busybox/ssl_client@1.36.1-r28 + + openssl/libssl3@3.3.0-r2 + + + +
                    • +
                    + +
                    + +
                    + +

                    NVD Description

                    +

                    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.20 relevant fixed versions and status.

                    +

                    Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an + empty supported client protocols buffer may cause a crash or memory contents to + be sent to the peer.

                    +

                    Impact summary: A buffer overread can have a range of potential consequences + such as unexpected application beahviour or a crash. In particular this issue + could result in up to 255 bytes of arbitrary private data from memory being sent + to the peer leading to a loss of confidentiality. However, only applications + that directly call the SSL_select_next_proto function with a 0 length list of + supported client protocols are affected by this issue. This would normally never + be a valid scenario and is typically not under attacker control but may occur by + accident in the case of a configuration or programming error in the calling + application.

                    +

                    The OpenSSL API function SSL_select_next_proto is typically used by TLS + applications that support ALPN (Application Layer Protocol Negotiation) or NPN + (Next Protocol Negotiation). NPN is older, was never standardised and + is deprecated in favour of ALPN. We believe that ALPN is significantly more + widely deployed than NPN. The SSL_select_next_proto function accepts a list of + protocols from the server and a list of protocols from the client and returns + the first protocol that appears in the server list that also appears in the + client list. In the case of no overlap between the two lists it returns the + first item in the client list. In either case it will signal whether an overlap + between the two lists was found. In the case where SSL_select_next_proto is + called with a zero length client list it fails to notice this condition and + returns the memory immediately following the client list pointer (and reports + that there was no overlap in the lists).

                    +

                    This function is typically called from a server side application callback for + ALPN or a client side application callback for NPN. In the case of ALPN the list + of protocols supplied by the client is guaranteed by libssl to never be zero in + length. The list of server protocols comes from the application and should never + normally be expected to be of zero length. In this case if the + SSL_select_next_proto function has been called as expected (with the list + supplied by the client passed in the client/client_len parameters), then the + application will not be vulnerable to this issue. If the application has + accidentally been configured with a zero length server list, and has + accidentally passed that zero length server list in the client/client_len + parameters, and has additionally failed to correctly handle a "no overlap" + response (which would normally result in a handshake failure in ALPN) then it + will be vulnerable to this problem.

                    +

                    In the case of NPN, the protocol permits the client to opportunistically select + a protocol when there is no overlap. OpenSSL returns the first client protocol + in the no overlap case in support of this. The list of client protocols comes + from the application and should never normally be expected to be of zero length. + However if the SSL_select_next_proto function is accidentally called with a + client_len of 0 then an invalid memory pointer will be returned instead. If the + application uses this output as the opportunistic protocol then the loss of + confidentiality will occur.

                    +

                    This issue has been assessed as Low severity because applications are most + likely to be vulnerable if they are using NPN instead of ALPN - but NPN is not + widely used. It also requires an application configuration or programming error. + Finally, this issue would not typically be under attacker control making active + exploitation unlikely.

                    +

                    The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

                    +

                    Due to the low severity of this issue we are not issuing new releases of + OpenSSL at this time. The fix will be included in the next releases when they + become available.

                    +

                    Remediation

                    +

                    Upgrade Alpine:3.20 openssl to version 3.3.1-r1 or higher.

                    +

                    References

                    + + +
                    + + + +
                    +
                    +

                    CVE-2024-6119

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Package Manager: alpine:3.20 +
                    • +
                    • + Vulnerable module: + + openssl/libcrypto3 +
                    • + +
                    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine and openssl/libcrypto3@3.3.0-r2 + +
                    • +
                    + +
                    + + +

                    Detailed paths

                    + +
                      +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + openssl/libcrypto3@3.3.0-r2 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + .haproxy-rundeps@20240524.005458 + + openssl/libcrypto3@3.3.0-r2 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + apk-tools/apk-tools@2.14.4-r0 + + openssl/libcrypto3@3.3.0-r2 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + busybox/ssl_client@1.36.1-r28 + + openssl/libcrypto3@3.3.0-r2 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + ca-certificates/ca-certificates@20240226-r0 + + openssl/libcrypto3@3.3.0-r2 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + .haproxy-rundeps@20240524.005458 + + openssl/libssl3@3.3.0-r2 + + openssl/libcrypto3@3.3.0-r2 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + openssl/libssl3@3.3.0-r2 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + .haproxy-rundeps@20240524.005458 + + openssl/libssl3@3.3.0-r2 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + apk-tools/apk-tools@2.14.4-r0 + + openssl/libssl3@3.3.0-r2 + + + +
                    • +
                    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@2.6.17-alpine + + busybox/ssl_client@1.36.1-r28 + + openssl/libssl3@3.3.0-r2 + + + +
                    • +
                    + +
                    + +
                    + +

                    NVD Description

                    +

                    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.20 relevant fixed versions and status.

                    +

                    Issue summary: Applications performing certificate name checks (e.g., TLS + clients checking server certificates) may attempt to read an invalid memory + address resulting in abnormal termination of the application process.

                    +

                    Impact summary: Abnormal termination of an application can a cause a denial of + service.

                    +

                    Applications performing certificate name checks (e.g., TLS clients checking + server certificates) may attempt to read an invalid memory address when + comparing the expected name with an otherName subject alternative name of an + X.509 certificate. This may result in an exception that terminates the + application program.

                    +

                    Note that basic certificate chain validation (signatures, dates, ...) is not + affected, the denial of service can occur only when the application also + specifies an expected DNS name, Email address or IP address.

                    +

                    TLS servers rarely solicit client certificates, and even when they do, they + generally don't perform a name check against a reference identifier (expected + identity), but rather extract the presented identity after checking the + certificate chain. So TLS servers are generally not affected and the severity + of the issue is Moderate.

                    +

                    The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

                    +

                    Remediation

                    +

                    Upgrade Alpine:3.20 openssl to version 3.3.2-r0 or higher.

                    +

                    References

                    + + +
                    + + + +
                    +
                    +
                    +
                    + + + diff --git a/docs/snyk/v2.13.0-rc2/public.ecr.aws_docker_library_redis_7.0.15-alpine.html b/docs/snyk/v2.13.0-rc2/public.ecr.aws_docker_library_redis_7.0.15-alpine.html new file mode 100644 index 0000000000000..26e6ff3618a3f --- /dev/null +++ b/docs/snyk/v2.13.0-rc2/public.ecr.aws_docker_library_redis_7.0.15-alpine.html @@ -0,0 +1,484 @@ + + + + + + + + + Snyk test report + + + + + + + + + +
                    +
                    +
                    +
                    + + + Snyk - Open Source Security + + + + + + + +
                    +

                    Snyk test report

                    + +

                    September 22nd 2024, 12:21:40 am (UTC+00:00)

                    +
                    +
                    + Scanned the following paths: +
                      +
                    • public.ecr.aws/docker/library/redis:7.0.15-alpine/docker/library/redis (apk)
                    • +
                    • public.ecr.aws/docker/library/redis:7.0.15-alpine/tianon/gosu//usr/local/bin/gosu (gomodules)
                    • +
                    +
                    + +
                    +
                    0 known vulnerabilities
                    +
                    0 vulnerable dependency paths
                    +
                    18 dependencies
                    +
                    +
                    +
                    +
                    + +
                    + No known vulnerabilities detected. +
                    +
                    + + + diff --git a/docs/snyk/v2.13.0-rc2/quay.io_argoproj_argocd_v2.13.0-rc2.html b/docs/snyk/v2.13.0-rc2/quay.io_argoproj_argocd_v2.13.0-rc2.html new file mode 100644 index 0000000000000..043d857a863c8 --- /dev/null +++ b/docs/snyk/v2.13.0-rc2/quay.io_argoproj_argocd_v2.13.0-rc2.html @@ -0,0 +1,2012 @@ + + + + + + + + + Snyk test report + + + + + + + + + +
                    +
                    +
                    +
                    + + + Snyk - Open Source Security + + + + + + + +
                    +

                    Snyk test report

                    + +

                    September 22nd 2024, 12:21:56 am (UTC+00:00)

                    +
                    +
                    + Scanned the following paths: +
                      +
                    • quay.io/argoproj/argocd:v2.13.0-rc2/argoproj/argocd/Dockerfile (deb)
                    • +
                    • quay.io/argoproj/argocd:v2.13.0-rc2/argoproj/argo-cd/v2//usr/local/bin/argocd (gomodules)
                    • +
                    • quay.io/argoproj/argocd:v2.13.0-rc2//usr/local/bin/kustomize (gomodules)
                    • +
                    • quay.io/argoproj/argocd:v2.13.0-rc2/helm/v3//usr/local/bin/helm (gomodules)
                    • +
                    • quay.io/argoproj/argocd:v2.13.0-rc2/git-lfs/git-lfs//usr/bin/git-lfs (gomodules)
                    • +
                    +
                    + +
                    +
                    11 known vulnerabilities
                    +
                    65 vulnerable dependency paths
                    +
                    2355 dependencies
                    +
                    +
                    +
                    +
                    + +
                    +
                    +
                    +

                    CVE-2024-41996

                    +
                    + +
                    + medium severity +
                    + +
                    + +
                      +
                    • + Manifest file: quay.io/argoproj/argocd:v2.13.0-rc2/argoproj/argocd Dockerfile +
                    • +
                    • + Package Manager: ubuntu:24.04 +
                    • +
                    • + Vulnerable module: + + openssl/libssl3t64 +
                    • + +
                    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 and openssl/libssl3t64@3.0.13-0ubuntu3.4 + +
                    • +
                    + +
                    + + +

                    Detailed paths

                    + +
                      +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + openssl/libssl3t64@3.0.13-0ubuntu3.4 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + coreutils@9.4-3ubuntu6 + + openssl/libssl3t64@3.0.13-0ubuntu3.4 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + cyrus-sasl2/libsasl2-modules@2.1.28+dfsg1-5ubuntu3.1 + + openssl/libssl3t64@3.0.13-0ubuntu3.4 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + libfido2/libfido2-1@1.14.0-1build3 + + openssl/libssl3t64@3.0.13-0ubuntu3.4 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + openssh/openssh-client@1:9.6p1-3ubuntu13.5 + + openssl/libssl3t64@3.0.13-0ubuntu3.4 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + ca-certificates@20240203 + + openssl@3.0.13-0ubuntu3.4 + + openssl/libssl3t64@3.0.13-0ubuntu3.4 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + git@1:2.43.0-1ubuntu7.1 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 + + libssh/libssh-4@0.10.6-2build2 + + openssl/libssl3t64@3.0.13-0ubuntu3.4 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + git@1:2.43.0-1ubuntu7.1 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 + + krb5/libkrb5-3@1.20.1-6ubuntu2.1 + + openssl/libssl3t64@3.0.13-0ubuntu3.4 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + git@1:2.43.0-1ubuntu7.1 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 + + openldap/libldap2@2.6.7+dfsg-1~exp1ubuntu8 + + cyrus-sasl2/libsasl2-2@2.1.28+dfsg1-5ubuntu3.1 + + openssl/libssl3t64@3.0.13-0ubuntu3.4 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + openssl@3.0.13-0ubuntu3.4 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + ca-certificates@20240203 + + openssl@3.0.13-0ubuntu3.4 + + + +
                    • +
                    + +
                    + +
                    + +

                    NVD Description

                    +

                    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

                    +

                    Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.

                    +

                    Remediation

                    +

                    There is no fixed version for Ubuntu:24.04 openssl.

                    +

                    References

                    + + +
                    + + + +
                    +
                    +

                    Information Exposure

                    +
                    + +
                    + medium severity +
                    + +
                    + +
                      +
                    • + Manifest file: quay.io/argoproj/argocd:v2.13.0-rc2/argoproj/argocd Dockerfile +
                    • +
                    • + Package Manager: ubuntu:24.04 +
                    • +
                    • + Vulnerable module: + + libgcrypt20 +
                    • + +
                    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 and libgcrypt20@1.10.3-2build1 + +
                    • +
                    + +
                    + + +

                    Detailed paths

                    + +
                      +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + libgcrypt20@1.10.3-2build1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + gnupg2/dirmngr@2.4.4-2ubuntu17 + + libgcrypt20@1.10.3-2build1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + gnupg2/gpg@2.4.4-2ubuntu17 + + libgcrypt20@1.10.3-2build1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + gnupg2/gpg-agent@2.4.4-2ubuntu17 + + libgcrypt20@1.10.3-2build1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + apt@2.7.14build2 + + apt/libapt-pkg6.0t64@2.7.14build2 + + libgcrypt20@1.10.3-2build1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + apt@2.7.14build2 + + gnupg2/gpgv@2.4.4-2ubuntu17 + + libgcrypt20@1.10.3-2build1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + gnupg2/gpg@2.4.4-2ubuntu17 + + gnupg2/gpgconf@2.4.4-2ubuntu17 + + libgcrypt20@1.10.3-2build1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + apt@2.7.14build2 + + adduser@3.137ubuntu1 + + shadow/passwd@1:4.13+dfsg1-4ubuntu3 + + pam/libpam-modules@1.5.3-5ubuntu5.1 + + systemd/libsystemd0@255.4-1ubuntu8.4 + + libgcrypt20@1.10.3-2build1 + + + +
                    • +
                    + +
                    + +
                    + +

                    NVD Description

                    +

                    Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

                    +

                    A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.

                    +

                    Remediation

                    +

                    There is no fixed version for Ubuntu:24.04 libgcrypt20.

                    +

                    References

                    + + +
                    + + + +
                    +
                    +

                    CVE-2024-26462

                    +
                    + +
                    + medium severity +
                    + +
                    + +
                      +
                    • + Manifest file: quay.io/argoproj/argocd:v2.13.0-rc2/argoproj/argocd Dockerfile +
                    • +
                    • + Package Manager: ubuntu:24.04 +
                    • +
                    • + Vulnerable module: + + krb5/libk5crypto3 +
                    • + +
                    • Introduced through: + + + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2, git@1:2.43.0-1ubuntu7.1 and others +
                    • +
                    + +
                    + + +

                    Detailed paths

                    + +
                      +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + git@1:2.43.0-1ubuntu7.1 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 + + krb5/libk5crypto3@1.20.1-6ubuntu2.1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + git@1:2.43.0-1ubuntu7.1 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 + + krb5/libkrb5-3@1.20.1-6ubuntu2.1 + + krb5/libk5crypto3@1.20.1-6ubuntu2.1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + git@1:2.43.0-1ubuntu7.1 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 + + krb5/libkrb5support0@1.20.1-6ubuntu2.1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + git@1:2.43.0-1ubuntu7.1 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 + + krb5/libkrb5-3@1.20.1-6ubuntu2.1 + + krb5/libkrb5support0@1.20.1-6ubuntu2.1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + git@1:2.43.0-1ubuntu7.1 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 + + krb5/libkrb5-3@1.20.1-6ubuntu2.1 + + krb5/libk5crypto3@1.20.1-6ubuntu2.1 + + krb5/libkrb5support0@1.20.1-6ubuntu2.1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + git@1:2.43.0-1ubuntu7.1 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 + + krb5/libkrb5-3@1.20.1-6ubuntu2.1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + openssh/openssh-client@1:9.6p1-3ubuntu13.5 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + git@1:2.43.0-1ubuntu7.1 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + git@1:2.43.0-1ubuntu7.1 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 + + libssh/libssh-4@0.10.6-2build2 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + krb5/krb5-locales@1.20.1-6ubuntu2.1 + + + +
                    • +
                    + +
                    + +
                    + +

                    NVD Description

                    +

                    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

                    +

                    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.

                    +

                    Remediation

                    +

                    There is no fixed version for Ubuntu:24.04 krb5.

                    +

                    References

                    + + +
                    + + + +
                    +
                    +

                    Release of Invalid Pointer or Reference

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Manifest file: quay.io/argoproj/argocd:v2.13.0-rc2/argoproj/argocd Dockerfile +
                    • +
                    • + Package Manager: ubuntu:24.04 +
                    • +
                    • + Vulnerable module: + + patch +
                    • + +
                    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 and patch@2.7.6-7build3 + +
                    • +
                    + +
                    + + +

                    Detailed paths

                    + +
                      +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + patch@2.7.6-7build3 + + + +
                    • +
                    + +
                    + +
                    + +

                    NVD Description

                    +

                    Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

                    +

                    An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.

                    +

                    Remediation

                    +

                    There is no fixed version for Ubuntu:24.04 patch.

                    +

                    References

                    + + +
                    + + + +
                    +
                    +

                    Double Free

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Manifest file: quay.io/argoproj/argocd:v2.13.0-rc2/argoproj/argocd Dockerfile +
                    • +
                    • + Package Manager: ubuntu:24.04 +
                    • +
                    • + Vulnerable module: + + patch +
                    • + +
                    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 and patch@2.7.6-7build3 + +
                    • +
                    + +
                    + + +

                    Detailed paths

                    + +
                      +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + patch@2.7.6-7build3 + + + +
                    • +
                    + +
                    + +
                    + +

                    NVD Description

                    +

                    Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

                    +

                    A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.

                    +

                    Remediation

                    +

                    There is no fixed version for Ubuntu:24.04 patch.

                    +

                    References

                    + + +
                    + + + +
                    +
                    +

                    CVE-2024-26458

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Manifest file: quay.io/argoproj/argocd:v2.13.0-rc2/argoproj/argocd Dockerfile +
                    • +
                    • + Package Manager: ubuntu:24.04 +
                    • +
                    • + Vulnerable module: + + krb5/libk5crypto3 +
                    • + +
                    • Introduced through: + + + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2, git@1:2.43.0-1ubuntu7.1 and others +
                    • +
                    + +
                    + + +

                    Detailed paths

                    + +
                      +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + git@1:2.43.0-1ubuntu7.1 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 + + krb5/libk5crypto3@1.20.1-6ubuntu2.1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + git@1:2.43.0-1ubuntu7.1 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 + + krb5/libkrb5-3@1.20.1-6ubuntu2.1 + + krb5/libk5crypto3@1.20.1-6ubuntu2.1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + git@1:2.43.0-1ubuntu7.1 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 + + krb5/libkrb5support0@1.20.1-6ubuntu2.1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + git@1:2.43.0-1ubuntu7.1 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 + + krb5/libkrb5-3@1.20.1-6ubuntu2.1 + + krb5/libkrb5support0@1.20.1-6ubuntu2.1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + git@1:2.43.0-1ubuntu7.1 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 + + krb5/libkrb5-3@1.20.1-6ubuntu2.1 + + krb5/libk5crypto3@1.20.1-6ubuntu2.1 + + krb5/libkrb5support0@1.20.1-6ubuntu2.1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + git@1:2.43.0-1ubuntu7.1 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 + + krb5/libkrb5-3@1.20.1-6ubuntu2.1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + openssh/openssh-client@1:9.6p1-3ubuntu13.5 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + git@1:2.43.0-1ubuntu7.1 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + git@1:2.43.0-1ubuntu7.1 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 + + libssh/libssh-4@0.10.6-2build2 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + krb5/krb5-locales@1.20.1-6ubuntu2.1 + + + +
                    • +
                    + +
                    + +
                    + +

                    NVD Description

                    +

                    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

                    +

                    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

                    +

                    Remediation

                    +

                    There is no fixed version for Ubuntu:24.04 krb5.

                    +

                    References

                    + + +
                    + + + +
                    +
                    +

                    CVE-2024-26461

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Manifest file: quay.io/argoproj/argocd:v2.13.0-rc2/argoproj/argocd Dockerfile +
                    • +
                    • + Package Manager: ubuntu:24.04 +
                    • +
                    • + Vulnerable module: + + krb5/libk5crypto3 +
                    • + +
                    • Introduced through: + + + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2, git@1:2.43.0-1ubuntu7.1 and others +
                    • +
                    + +
                    + + +

                    Detailed paths

                    + +
                      +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + git@1:2.43.0-1ubuntu7.1 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 + + krb5/libk5crypto3@1.20.1-6ubuntu2.1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + git@1:2.43.0-1ubuntu7.1 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 + + krb5/libkrb5-3@1.20.1-6ubuntu2.1 + + krb5/libk5crypto3@1.20.1-6ubuntu2.1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + git@1:2.43.0-1ubuntu7.1 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 + + krb5/libkrb5support0@1.20.1-6ubuntu2.1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + git@1:2.43.0-1ubuntu7.1 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 + + krb5/libkrb5-3@1.20.1-6ubuntu2.1 + + krb5/libkrb5support0@1.20.1-6ubuntu2.1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + git@1:2.43.0-1ubuntu7.1 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 + + krb5/libkrb5-3@1.20.1-6ubuntu2.1 + + krb5/libk5crypto3@1.20.1-6ubuntu2.1 + + krb5/libkrb5support0@1.20.1-6ubuntu2.1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + git@1:2.43.0-1ubuntu7.1 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 + + krb5/libkrb5-3@1.20.1-6ubuntu2.1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + openssh/openssh-client@1:9.6p1-3ubuntu13.5 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + git@1:2.43.0-1ubuntu7.1 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + git@1:2.43.0-1ubuntu7.1 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 + + libssh/libssh-4@0.10.6-2build2 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + krb5/krb5-locales@1.20.1-6ubuntu2.1 + + + +
                    • +
                    + +
                    + +
                    + +

                    NVD Description

                    +

                    Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

                    +

                    Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.

                    +

                    Remediation

                    +

                    There is no fixed version for Ubuntu:24.04 krb5.

                    +

                    References

                    + + +
                    + + + +
                    +
                    +

                    Out-of-bounds Write

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Manifest file: quay.io/argoproj/argocd:v2.13.0-rc2/argoproj/argocd Dockerfile +
                    • +
                    • + Package Manager: ubuntu:24.04 +
                    • +
                    • + Vulnerable module: + + gnupg2/gpgv +
                    • + +
                    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 and gnupg2/gpgv@2.4.4-2ubuntu17 + +
                    • +
                    + +
                    + + +

                    Detailed paths

                    + +
                      +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + gnupg2/gpgv@2.4.4-2ubuntu17 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + apt@2.7.14build2 + + gnupg2/gpgv@2.4.4-2ubuntu17 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + gnupg2/dirmngr@2.4.4-2ubuntu17 + + gnupg2/gpgconf@2.4.4-2ubuntu17 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + gnupg2/gpg-agent@2.4.4-2ubuntu17 + + gnupg2/gpgconf@2.4.4-2ubuntu17 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + gnupg2/gpg@2.4.4-2ubuntu17 + + gnupg2/gpgconf@2.4.4-2ubuntu17 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + gnupg2/dirmngr@2.4.4-2ubuntu17 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + gnupg2/gpg@2.4.4-2ubuntu17 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + gnupg2/gpg-agent@2.4.4-2ubuntu17 + + + +
                    • +
                    + +
                    + +
                    + +

                    NVD Description

                    +

                    Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

                    +

                    GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.

                    +

                    Remediation

                    +

                    There is no fixed version for Ubuntu:24.04 gnupg2.

                    +

                    References

                    + + +
                    + + + +
                    +
                    +

                    Allocation of Resources Without Limits or Throttling

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Manifest file: quay.io/argoproj/argocd:v2.13.0-rc2/argoproj/argocd Dockerfile +
                    • +
                    • + Package Manager: ubuntu:24.04 +
                    • +
                    • + Vulnerable module: + + glibc/libc-bin +
                    • + +
                    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 and glibc/libc-bin@2.39-0ubuntu8.3 + +
                    • +
                    + +
                    + + +

                    Detailed paths

                    + +
                      +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + glibc/libc-bin@2.39-0ubuntu8.3 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + glibc/libc6@2.39-0ubuntu8.3 + + + +
                    • +
                    + +
                    + +
                    + +

                    NVD Description

                    +

                    Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

                    +

                    sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.

                    +

                    Remediation

                    +

                    There is no fixed version for Ubuntu:24.04 glibc.

                    +

                    References

                    + + +
                    + + + +
                    +
                    +

                    Improper Input Validation

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Manifest file: quay.io/argoproj/argocd:v2.13.0-rc2/argoproj/argocd Dockerfile +
                    • +
                    • + Package Manager: ubuntu:24.04 +
                    • +
                    • + Vulnerable module: + + git/git-man +
                    • + +
                    • Introduced through: + + + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2, git@1:2.43.0-1ubuntu7.1 and others +
                    • +
                    + +
                    + + +

                    Detailed paths

                    + +
                      +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + git@1:2.43.0-1ubuntu7.1 + + git/git-man@1:2.43.0-1ubuntu7.1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + git@1:2.43.0-1ubuntu7.1 + + + +
                    • +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + git-lfs@3.4.1-1ubuntu0.1 + + git@1:2.43.0-1ubuntu7.1 + + + +
                    • +
                    + +
                    + +
                    + +

                    NVD Description

                    +

                    Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

                    +

                    GIT version 2.15.1 and earlier contains a Input Validation Error vulnerability in Client that can result in problems including messing up terminal configuration to RCE. This attack appear to be exploitable via The user must interact with a malicious git server, (or have their traffic modified in a MITM attack).

                    +

                    Remediation

                    +

                    There is no fixed version for Ubuntu:24.04 git.

                    +

                    References

                    + + +
                    + + + +
                    +
                    +

                    Improper Input Validation

                    +
                    + +
                    + low severity +
                    + +
                    + +
                      +
                    • + Manifest file: quay.io/argoproj/argocd:v2.13.0-rc2/argoproj/argocd Dockerfile +
                    • +
                    • + Package Manager: ubuntu:24.04 +
                    • +
                    • + Vulnerable module: + + coreutils +
                    • + +
                    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 and coreutils@9.4-3ubuntu6 + +
                    • +
                    + +
                    + + +

                    Detailed paths

                    + +
                      +
                    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.13.0-rc2 + + coreutils@9.4-3ubuntu6 + + + +
                    • +
                    + +
                    + +
                    + +

                    NVD Description

                    +

                    Note: Versions mentioned in the description apply only to the upstream coreutils package and not the coreutils package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

                    +

                    chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.

                    +

                    Remediation

                    +

                    There is no fixed version for Ubuntu:24.04 coreutils.

                    +

                    References

                    + + +
                    + + + +
                    +
                    +
                    +
                    + + + diff --git a/docs/snyk/v2.13.0-rc2/redis_7.0.15-alpine.html b/docs/snyk/v2.13.0-rc2/redis_7.0.15-alpine.html new file mode 100644 index 0000000000000..9ce4786034705 --- /dev/null +++ b/docs/snyk/v2.13.0-rc2/redis_7.0.15-alpine.html @@ -0,0 +1,484 @@ + + + + + + + + + Snyk test report + + + + + + + + + +
                    +
                    +
                    +
                    + + + Snyk - Open Source Security + + + + + + + +
                    +

                    Snyk test report

                    + +

                    September 22nd 2024, 12:22:00 am (UTC+00:00)

                    +
                    +
                    + Scanned the following paths: +
                      +
                    • redis:7.0.15-alpine (apk)
                    • +
                    • redis:7.0.15-alpine/tianon/gosu//usr/local/bin/gosu (gomodules)
                    • +
                    +
                    + +
                    +
                    0 known vulnerabilities
                    +
                    0 vulnerable dependency paths
                    +
                    18 dependencies
                    +
                    +
                    +
                    +
                    + +
                    + No known vulnerabilities detected. +
                    +
                    + + + From b8249567ae1afe657f3d2f235dc3724880c91370 Mon Sep 17 00:00:00 2001 From: Javier Solana Date: Tue, 24 Sep 2024 18:14:02 +0200 Subject: [PATCH 04/38] feat: transmit manifest-generate-path resources to the cmp-server for plugin-based applications (#19209) * chore: transmit manifest-generate-path resources to the cmp-server for plugin-based applications Signed-off-by: Javier Solana * use SecureJoin Signed-off-by: Javier Solana * make cmp manifests generation using manifest generate path annotation configurable by environment variable Signed-off-by: Javier Solana * fix missing doc running codegen-local Signed-off-by: Javier Solana * set reposerver.plugin.enable.manifests.generation.using.annotations false by default Signed-off-by: Javier Solana * define ARGOCD_REPO_SERVER_PLUGIN_ENABLE_GENERATE_MANIFESTS_USING_MANIFEST_GENERATE_PATHS_ANNOTATION properly Signed-off-by: Javier Solana * define ARGOCD_REPO_SERVER_PLUGIN_ENABLE_GENERATE_MANIFESTS_USING_MANIFEST_GENERATE_PATHS_ANNOTATION properly Signed-off-by: Javier Solana * Fix conflict Signed-off-by: Javier Solana * autogenerate install manifests Signed-off-by: Javier Solana * add note about common root path calculation for manifest paths annotation Signed-off-by: Javier Solana * log common root path calculated Signed-off-by: Javier Solana * app path must be the lower common path Signed-off-by: Javier Solana * tweaks Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> --------- 
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> Co-authored-by: Javier Solana Co-authored-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> --- .../commands/argocd_repo_server.go | 3 + cmd/argocd/commands/app.go | 23 +- controller/state.go | 43 +-- .../operator-manual/argocd-cmd-params-cm.yaml | 2 + .../config-management-plugins.md | 10 + docs/operator-manual/high_availability.md | 3 + .../server-commands/argocd-repo-server.md | 1 + .../argocd-repo-server-deployment.yaml | 6 + manifests/core-install.yaml | 6 + manifests/ha/install.yaml | 5 + manifests/ha/namespace-install.yaml | 5 + manifests/install.yaml | 6 + manifests/namespace-install.yaml | 6 + pkg/apis/application/v1alpha1/types.go | 12 + reposerver/apiclient/repository.pb.go | 357 ++++++++++-------- reposerver/repository/repository.go | 33 +- reposerver/repository/repository.proto | 2 + reposerver/repository/utils.go | 85 +++++ reposerver/repository/utils_test.go | 46 +++ server/application/application.go | 70 ++-- util/argo/argo.go | 45 ++- util/cmp/stream.go | 16 +- 22 files changed, 528 insertions(+), 257 deletions(-) create mode 100644 reposerver/repository/utils.go create mode 100644 reposerver/repository/utils_test.go diff --git a/cmd/argocd-repo-server/commands/argocd_repo_server.go b/cmd/argocd-repo-server/commands/argocd_repo_server.go index ec863c26647f0..f8bb868f0bd0f 100644 --- a/cmd/argocd-repo-server/commands/argocd_repo_server.go +++ b/cmd/argocd-repo-server/commands/argocd_repo_server.go @@ -75,6 +75,7 @@ func NewCommand() *cobra.Command { helmRegistryMaxIndexSize string disableManifestMaxExtractedSize bool includeHiddenDirectories bool + cmpUseManifestGeneratePaths bool ) command := cobra.Command{ Use: cliName, 
@@ -136,6 +137,7 @@ func NewCommand() *cobra.Command { HelmManifestMaxExtractedSize: helmManifestMaxExtractedSizeQuantity.ToDec().Value(), HelmRegistryMaxIndexSize: helmRegistryMaxIndexSizeQuantity.ToDec().Value(), IncludeHiddenDirectories: includeHiddenDirectories, + CMPUseManifestGeneratePaths: cmpUseManifestGeneratePaths, }, askPassServer) errors.CheckError(err) @@ -241,6 +243,7 @@ func NewCommand() *cobra.Command { command.Flags().StringVar(&helmRegistryMaxIndexSize, "helm-registry-max-index-size", env.StringFromEnv("ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_INDEX_SIZE", "1G"), "Maximum size of registry index file") command.Flags().BoolVar(&disableManifestMaxExtractedSize, "disable-helm-manifest-max-extracted-size", env.ParseBoolFromEnv("ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE", false), "Disable maximum size of helm manifest archives when extracted") command.Flags().BoolVar(&includeHiddenDirectories, "include-hidden-directories", env.ParseBoolFromEnv("ARGOCD_REPO_SERVER_INCLUDE_HIDDEN_DIRECTORIES", false), "Include hidden directories from Git") + command.Flags().BoolVar(&cmpUseManifestGeneratePaths, "plugin-use-manifest-generate-paths", env.ParseBoolFromEnv("ARGOCD_REPO_SERVER_PLUGIN_USE_MANIFEST_GENERATE_PATHS", false), "Pass the resources described in argocd.argoproj.io/manifest-generate-paths value to the cmpserver to generate the application manifests.") tlsConfigCustomizerSrc = tls.AddTLSFlagsToCmd(&command) cacheSrc = reposervercache.AddCacheFlagsToCmd(&command, cacheutil.Options{ OnClientCreated: func(client *redis.Client) { diff --git a/cmd/argocd/commands/app.go b/cmd/argocd/commands/app.go index 00c5c14834e2f..500c0ada88260 100644 --- a/cmd/argocd/commands/app.go +++ b/cmd/argocd/commands/app.go 
@@ -1080,17 +1080,18 @@ func getLocalObjectsString(ctx context.Context, app *argoappv1.Application, proj ) []string { source := app.Spec.GetSource() res, err := repository.GenerateManifests(ctx, local, localRepoRoot, source.TargetRevision, &repoapiclient.ManifestRequest{ - Repo: &argoappv1.Repository{Repo: source.RepoURL}, - AppLabelKey: appLabelKey, - AppName: app.Name, - Namespace: app.Spec.Destination.Namespace, - ApplicationSource: &source, - KustomizeOptions: kustomizeOptions, - KubeVersion: kubeVersion, - ApiVersions: apiVersions, - TrackingMethod: trackingMethod, - ProjectName: proj.Name, - ProjectSourceRepos: proj.Spec.SourceRepos, + Repo: &argoappv1.Repository{Repo: source.RepoURL}, + AppLabelKey: appLabelKey, + AppName: app.Name, + Namespace: app.Spec.Destination.Namespace, + ApplicationSource: &source, + KustomizeOptions: kustomizeOptions, + KubeVersion: kubeVersion, + ApiVersions: apiVersions, + TrackingMethod: trackingMethod, + ProjectName: proj.Name, + ProjectSourceRepos: proj.Spec.SourceRepos, + AnnotationManifestGeneratePaths: app.GetAnnotation(argoappv1.AnnotationKeyManifestGeneratePaths), }, true, &git.NoopCredsStore{}, resource.MustParse("0"), nil) errors.CheckError(err) diff --git a/controller/state.go b/controller/state.go index bcac67961781c..5b59f411dafb1 100644 --- a/controller/state.go +++ b/controller/state.go 
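Review bot: The value assigned to `AnnotationManifestGeneratePaths` here is copied verbatim from the Application's annotation with no validation, and the controller/state.go hunk of this commit does the same. Anyone who can edit the Application can write that annotation, and the docs added in this commit say it determines the root path of what is sent to the CMP server. The consumer therefore has to treat it as untrusted and keep every resolved path inside the repository checkout; the commit message mentions SecureJoin, but that code is outside this hunk. A comment at the assignment would make the contract explicit, e.g. `// Untrusted: copied verbatim from the Application annotation; must be resolved inside the repo root.` The body of getLocalObjectsString continues outside the hunk.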
@@ -249,27 +249,28 @@ func (m *appStateManager) GetRepoObjs(app *v1alpha1.Application, sources []v1alp log.Debugf("Generating Manifest for source %s revision %s", source, revision) manifestInfo, err := repoClient.GenerateManifest(context.Background(), &apiclient.ManifestRequest{ - Repo: repo, - Repos: permittedHelmRepos, - Revision: revision, - NoCache: noCache, - NoRevisionCache: noRevisionCache, - AppLabelKey: appLabelKey, - AppName: app.InstanceName(m.namespace), - Namespace: app.Spec.Destination.Namespace, - ApplicationSource: &source, - KustomizeOptions: kustomizeOptions, - KubeVersion: serverVersion, - ApiVersions: argo.APIResourcesToStrings(apiResources, true), - VerifySignature: verifySignature, - HelmRepoCreds: permittedHelmCredentials, - TrackingMethod: string(argo.GetTrackingMethod(m.settingsMgr)), - EnabledSourceTypes: enabledSourceTypes, - HelmOptions: helmOptions, - HasMultipleSources: app.Spec.HasMultipleSources(), - RefSources: refSources, - ProjectName: proj.Name, - ProjectSourceRepos: proj.Spec.SourceRepos, + Repo: repo, + Repos: permittedHelmRepos, + Revision: revision, + NoCache: noCache, + NoRevisionCache: noRevisionCache, + AppLabelKey: appLabelKey, + AppName: app.InstanceName(m.namespace), + Namespace: app.Spec.Destination.Namespace, + ApplicationSource: &source, + KustomizeOptions: kustomizeOptions, + KubeVersion: serverVersion, + ApiVersions: argo.APIResourcesToStrings(apiResources, true), + VerifySignature: verifySignature, + HelmRepoCreds: permittedHelmCredentials, + TrackingMethod: string(argo.GetTrackingMethod(m.settingsMgr)), + EnabledSourceTypes: enabledSourceTypes, + HelmOptions: helmOptions, + HasMultipleSources: app.Spec.HasMultipleSources(), + RefSources: refSources, + ProjectName: proj.Name, + ProjectSourceRepos: proj.Spec.SourceRepos, + AnnotationManifestGeneratePaths: app.GetAnnotation(v1alpha1.AnnotationKeyManifestGeneratePaths), }) if err != nil { return nil, nil, false, fmt.Errorf("failed to generate manifest for source %d 
of %d: %w", i+1, len(sources), err) diff --git a/docs/operator-manual/argocd-cmd-params-cm.yaml b/docs/operator-manual/argocd-cmd-params-cm.yaml index b97ba1605a4c0..348677b1cb065 100644 --- a/docs/operator-manual/argocd-cmd-params-cm.yaml +++ b/docs/operator-manual/argocd-cmd-params-cm.yaml @@ -171,6 +171,8 @@ data: reposerver.max.combined.directory.manifests.size: '10M' # Paths to be excluded from the tarball streamed to plugins. Separate with ; reposerver.plugin.tar.exclusions: "" + # Enable the repo server to use the 'argocd.argoproj.io/manifest-generate-paths' annotation to guide manifest generation. + reposerver.plugin.use.manifest.generate.paths: "false" # Allow repositories to contain symlinks that leave the boundaries of the repository. # Changing this to "true" will not allow _all_ out-of-bounds symlinks. Those will still be blocked for things like values # files in Helm charts. But symlinks which are not explicitly blocked by other checks will be allowed. diff --git a/docs/operator-manual/config-management-plugins.md b/docs/operator-manual/config-management-plugins.md index d37c514493d37..1d115261db643 100644 --- a/docs/operator-manual/config-management-plugins.md +++ b/docs/operator-manual/config-management-plugins.md 
@@ -359,6 +359,16 @@ You can set it one of three ways: For option 1, the flag can be repeated multiple times. For option 2 and 3, you can specify multiple globs by separating them with semicolons. +## Application manifests generation using argocd.argoproj.io/manifest-generate-paths + +To enhance the application manifests generation process, you can enable the use of the `argocd.argoproj.io/manifest-generate-paths` annotation. When this flag is enabled, the resources specified by this annotation will be passed to the CMP server for generating application manifests, rather than sending the entire repository. This can be particularly useful for monorepos. + +You can set it one of three ways: + +1. The `--plugin-use-manifest-generate-paths` argument on the repo server. +2. The `reposerver.plugin.use.manifest.generate.paths` key if you are using `argocd-cmd-params-cm` +3. Directly setting `ARGOCD_REPO_SERVER_PLUGIN_USE_MANIFEST_GENERATE_PATHS` environment variable on the repo server to `true`. + ## Migrating from argocd-cm plugins Installing plugins by modifying the argocd-cm ConfigMap is deprecated as of v2.4 and has been completely removed starting in v2.8. diff --git a/docs/operator-manual/high_availability.md b/docs/operator-manual/high_availability.md index 7808bfd677bfd..ddcce80fab25a 100644 --- a/docs/operator-manual/high_availability.md +++ b/docs/operator-manual/high_availability.md 
@@ -277,6 +277,9 @@ spec: # ... ``` +!!! note + If application manifest generation using the `argocd.argoproj.io/manifest-generate-paths` annotation feature is enabled, only the resources specified by this annotation will be sent to the CMP server for manifest generation, rather than the entire repository. To determine the appropriate resources, a common root path is calculated based on the paths provided in the annotation. The application path serves as the deepest path that can be selected as the root. + ### Application Sync Timeout & Jitter Argo CD has a timeout for application syncs. It will trigger a refresh for each application periodically when the timeout expires. diff --git a/docs/operator-manual/server-commands/argocd-repo-server.md b/docs/operator-manual/server-commands/argocd-repo-server.md index 3532fc6c30b4a..12e4d34d14028 100644 --- a/docs/operator-manual/server-commands/argocd-repo-server.md +++ b/docs/operator-manual/server-commands/argocd-repo-server.md @@ -35,6 +35,7 @@ argocd-repo-server [flags] --otlp-insecure OpenTelemetry collector insecure mode (default true) --parallelismlimit int Limit on number of concurrent manifests generate requests. Any value less the 1 means no limit. --plugin-tar-exclude stringArray Globs to filter when sending tarballs to plugins. + --plugin-use-manifest-generate-paths Pass the resources described in argocd.argoproj.io/manifest-generate-paths value to the cmpserver to generate the application manifests. --port int Listen on given port for incoming connections (default 8081) --redis string Redis server hostname and port (e.g. argocd-redis:6379). --redis-ca-certificate string Path to Redis server CA certificate (e.g. /etc/certs/redis/ca.crt). If not specified, system trusted CAs will be used for server certificate validation. diff --git a/manifests/base/repo-server/argocd-repo-server-deployment.yaml b/manifests/base/repo-server/argocd-repo-server-deployment.yaml index 0e86acd3e3b5e..f6a073c32d6e9 100644 
--- a/manifests/base/repo-server/argocd-repo-server-deployment.yaml +++ b/manifests/base/repo-server/argocd-repo-server-deployment.yaml @@ -149,6 +149,12 @@ spec: name: argocd-cmd-params-cm key: reposerver.plugin.tar.exclusions optional: true + - name: ARGOCD_REPO_SERVER_PLUGIN_USE_MANIFEST_GENERATE_PATHS + valueFrom: + configMapKeyRef: + key: reposerver.plugin.use.manifest.generate.paths + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS valueFrom: configMapKeyRef: diff --git a/manifests/core-install.yaml b/manifests/core-install.yaml index f558902d4692d..b9d59aae424d0 100644 --- a/manifests/core-install.yaml +++ b/manifests/core-install.yaml @@ -22857,6 +22857,12 @@ spec: key: reposerver.plugin.tar.exclusions name: argocd-cmd-params-cm optional: true + - configMapKeyRef: + key: reposerver.plugin.use.manifest.generate.paths + name: argocd-cmd-params-cm + optional: true + name: ARGOCD_REPO_SERVER_PLUGIN_USE_MANIFEST_GENERATE_PATHS + valueFrom: null - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS valueFrom: configMapKeyRef: diff --git a/manifests/ha/install.yaml b/manifests/ha/install.yaml index ba37a63431b6b..334b2befea9f1 100644 --- a/manifests/ha/install.yaml +++ b/manifests/ha/install.yaml @@ -24452,6 +24452,11 @@ spec: key: reposerver.plugin.tar.exclusions name: argocd-cmd-params-cm optional: true + - configMapKeyRef: + key: reposerver.plugin.use.manifest.generate.paths + name: argocd-cmd-params-cm + optional: true + name: ARGOCD_REPO_SERVER_PLUGIN_USE_MANIFEST_GENERATE_PATHS - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS valueFrom: configMapKeyRef: diff --git a/manifests/ha/namespace-install.yaml b/manifests/ha/namespace-install.yaml index deefe124a2048..eb8efee763024 100644 --- a/manifests/ha/namespace-install.yaml +++ b/manifests/ha/namespace-install.yaml 
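Review bot: The new `ARGOCD_REPO_SERVER_PLUGIN_USE_MANIFEST_GENERATE_PATHS` entry appears to have `configMapKeyRef:` at the same level as `valueFrom:` rather than nested under it. Indentation is not visible on this page, but the regenerated core-install.yaml, install.yaml and namespace-install.yaml hunks render the entry as `- configMapKeyRef:` beside `name:` with `valueFrom: null`, and the ha manifests drop `valueFrom` altogether, unlike the neighbouring entries. If that reading is right, the variable is never populated from `reposerver.plugin.use.manifest.generate.paths` in argocd-cmd-params-cm, so the documented ConfigMap switch has no effect and the option stays at its default of false. Indent `configMapKeyRef:` and its `key`/`name`/`optional` keys one level below `valueFrom:`, as the `ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS` entry does, and regenerate the install manifests.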
@@ -2245,6 +2245,11 @@ spec: key: reposerver.plugin.tar.exclusions name: argocd-cmd-params-cm optional: true + - configMapKeyRef: + key: reposerver.plugin.use.manifest.generate.paths + name: argocd-cmd-params-cm + optional: true + name: ARGOCD_REPO_SERVER_PLUGIN_USE_MANIFEST_GENERATE_PATHS - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS valueFrom: configMapKeyRef: diff --git a/manifests/install.yaml b/manifests/install.yaml index 6fd35145cb0ca..868793d2f8e52 100644 --- a/manifests/install.yaml +++ b/manifests/install.yaml @@ -23522,6 +23522,12 @@ spec: key: reposerver.plugin.tar.exclusions name: argocd-cmd-params-cm optional: true + - configMapKeyRef: + key: reposerver.plugin.use.manifest.generate.paths + name: argocd-cmd-params-cm + optional: true + name: ARGOCD_REPO_SERVER_PLUGIN_USE_MANIFEST_GENERATE_PATHS + valueFrom: null - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS valueFrom: configMapKeyRef: diff --git a/manifests/namespace-install.yaml b/manifests/namespace-install.yaml index 0d9c0816cfe30..905bd717f05b9 100644 --- a/manifests/namespace-install.yaml +++ b/manifests/namespace-install.yaml @@ -1315,6 +1315,12 @@ spec: key: reposerver.plugin.tar.exclusions name: argocd-cmd-params-cm optional: true + - configMapKeyRef: + key: reposerver.plugin.use.manifest.generate.paths + name: argocd-cmd-params-cm + optional: true + name: ARGOCD_REPO_SERVER_PLUGIN_USE_MANIFEST_GENERATE_PATHS + valueFrom: null - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS valueFrom: configMapKeyRef: diff --git a/pkg/apis/application/v1alpha1/types.go b/pkg/apis/application/v1alpha1/types.go index 0112ac161782e..1337bd8c72772 100644 --- a/pkg/apis/application/v1alpha1/types.go +++ b/pkg/apis/application/v1alpha1/types.go 
@@ -3279,3 +3279,15 @@ func (a *Application) QualifiedName() string { func (a *Application) RBACName(defaultNS string) string { return security.RBACName(defaultNS, a.Spec.GetProject(), a.Namespace, a.Name) } + +// GetAnnotation returns the value of the specified annotation if it exists, +// e.g., a.GetAnnotation("argocd.argoproj.io/manifest-generate-paths"). +// If the annotation does not exist, it returns an empty string. +func (a *Application) GetAnnotation(annotation string) string { + v, exists := a.Annotations[annotation] + if !exists { + return "" + } + + return v +} diff --git a/reposerver/apiclient/repository.pb.go b/reposerver/apiclient/repository.pb.go index 0c3e12d811eb7..61c14068bdd18 100644 --- a/reposerver/apiclient/repository.pb.go +++ b/reposerver/apiclient/repository.pb.go @@ -59,10 +59,12 @@ type ManifestRequest struct { // This is used to surface "source not permitted" errors for Helm repositories ProjectSourceRepos []string `protobuf:"bytes,24,rep,name=projectSourceRepos,proto3" json:"projectSourceRepos,omitempty"` // This is used to surface "source not permitted" errors for Helm repositories - ProjectName string `protobuf:"bytes,25,opt,name=projectName,proto3" json:"projectName,omitempty"` - XXX_NoUnkeyedLiteral struct{} `json:"-"` - XXX_unrecognized []byte `json:"-"` - XXX_sizecache int32 `json:"-"` + ProjectName string `protobuf:"bytes,25,opt,name=projectName,proto3" json:"projectName,omitempty"` + // argocd.argoproj.io/manifest-generate-paths annotation value of the Application to allow optimize which resources propagated to cmpserver + AnnotationManifestGeneratePaths string `protobuf:"bytes,26,opt,name=AnnotationManifestGeneratePaths,proto3" json:"AnnotationManifestGeneratePaths,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` } func (m *ManifestRequest) Reset() { *m = ManifestRequest{} } 
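Review bot: The body of GetAnnotation can be the single statement `return a.Annotations[annotation]`, because indexing a Go map (a nil one included) already yields the empty string for a missing key, so the `exists` branch adds nothing. The doc comment could also state that callers cannot tell an absent annotation from one set to the empty string, e.g. `// An absent annotation and one set to "" both return "".` That matters to a consumer that treats the empty value as "feature not requested".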
@@ -252,6 +254,13 @@ func (m *ManifestRequest) GetProjectName() string { return "" } +func (m *ManifestRequest) GetAnnotationManifestGeneratePaths() string { + if m != nil { + return m.AnnotationManifestGeneratePaths + } + return "" +} + type ManifestRequestWithFiles struct { // Types that are valid to be assigned to Part: // *ManifestRequestWithFiles_Request 
@@ -2449,153 +2458,154 @@ func init() { } var fileDescriptor_dd8723cfcc820480 = []byte{ - // 2332 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x5a, 0xcd, 0x73, 0x1c, 0x47, - 0x15, 0xd7, 0x7e, 0x6a, 0xf7, 0xad, 0x2c, 0xad, 0xda, 0xb6, 0x3c, 0xde, 0xd8, 0x2a, 0x65, 0xc0, - 0x2e, 0xc7, 0x4e, 0x76, 0xcb, 0x72, 0x25, 0x06, 0x27, 0x84, 0x52, 0x14, 0x5b, 0x72, 0x6c, 0xd9, - 0x62, 0xec, 0x84, 0x32, 0x18, 0xa8, 0xde, 0xd9, 0xde, 0xd9, 0xc9, 0xce, 0x47, 0x7b, 0xa6, 0x47, - 0x61, 0x5d, 0xc5, 0x09, 0x8a, 0x0b, 0x77, 0x0e, 0x5c, 0xf9, 0x1b, 0x28, 0x8e, 0x1c, 0x28, 0x0a, - 0x8e, 0x14, 0x17, 0xaa, 0xb8, 0x40, 0xf9, 0xc8, 0x5f, 0x41, 0x75, 0x4f, 0xcf, 0xe7, 0xce, 0xae, - 0x15, 0xd6, 0x56, 0x20, 0x17, 0x69, 0xfa, 0x75, 0xf7, 0x7b, 0xaf, 0x5f, 0xbf, 0xf7, 0xfa, 0xf7, - 0xba, 0x17, 0x2e, 0x7b, 0x84, 0xba, 0x3e, 0xf1, 0x8e, 0x88, 0xd7, 0x13, 0x9f, 0x26, 0x73, 0xbd, - 0x49, 0xea, 0xb3, 0x4b, 0x3d, 0x97, 0xb9, 0x08, 0x12, 0x4a, 0xe7, 0xbe, 0x61, 0xb2, 0x51, 0xd0, - 0xef, 0xea, 0xae, 0xdd, 0xc3, 0x9e, 0xe1, 0x52, 0xcf, 0xfd, 0x5c, 0x7c, 0xbc, 0xa3, 0x0f, 0x7a, - 0x47, 0xdb, 0x3d, 0x3a, 0x36, 0x7a, 0x98, 0x9a, 0x7e, 0x0f, 0x53, 0x6a, 0x99, 0x3a, 0x66, 0xa6, - 0xeb, 0xf4, 0x8e, 0xae, 0x63, 0x8b, 0x8e, 0xf0, 0xf5, 0x9e, 0x41, 0x1c, 0xe2, 0x61, 0x46, 0x06, - 0x21, 0xe7, 0xce, 0x1b, 0x86, 0xeb, 0x1a, 0x16, 0xe9, 0x89, 0x56, 0x3f, 0x18, 0xf6, 0x88, 0x4d, - 0x99, 0x14, 0xab, 0xfe, 0x7b, 0x05, 0xd6, 0x0e, 0xb0, 0x63, 0x0e, 0x89, 0xcf, 0x34, 0xf2, 0x2c, - 0x20, 0x3e, 0x43, 0x4f, 0xa1, 0xca, 0x95, 0x51, 0x4a, 0x5b, 0xa5, 0x2b, 0xad, 0xed, 0xfd, 0x6e, - 0xa2, 0x4d, 0x37, 0xd2, 0x46, 0x7c, 0xfc, 0x44, 0x1f, 0x74, 0x8f, 0xb6, 0xbb, 0x74, 0x6c, 0x74, - 0xb9, 0x36, 0xdd, 0x94, 0x36, 0xdd, 0x48, 0x9b, 0xae, 0x16, 0x2f, 0x4b, 0x13, 0x5c, 0x51, 0x07, - 0x1a, 0x1e, 0x39, 0x32, 0x7d, 0xd3, 0x75, 0x94, 0xf2, 0x56, 0xe9, 0x4a, 0x53, 0x8b, 0xdb, 0x48, - 0x81, 0x65, 0xc7, 0xdd, 0xc5, 0xfa, 0x88, 0x28, 0x95, 0xad, 0xd2, 0x95, 0x86, 0x16, 0x35, 0xd1, 
- 0x16, 0xb4, 0x30, 0xa5, 0xf7, 0x71, 0x9f, 0x58, 0xf7, 0xc8, 0x44, 0xa9, 0x8a, 0x89, 0x69, 0x12, - 0x9f, 0x8b, 0x29, 0x7d, 0x80, 0x6d, 0xa2, 0xd4, 0x44, 0x6f, 0xd4, 0x44, 0x17, 0xa0, 0xe9, 0x60, - 0x9b, 0xf8, 0x14, 0xeb, 0x44, 0x69, 0x88, 0xbe, 0x84, 0x80, 0x7e, 0x06, 0xeb, 0x29, 0xc5, 0x1f, - 0xb9, 0x81, 0xa7, 0x13, 0x05, 0xc4, 0xd2, 0x1f, 0x2e, 0xb6, 0xf4, 0x9d, 0x3c, 0x5b, 0x6d, 0x5a, - 0x12, 0xfa, 0x31, 0xd4, 0xc4, 0xce, 0x2b, 0xad, 0xad, 0xca, 0x2b, 0xb5, 0x76, 0xc8, 0x16, 0x39, - 0xb0, 0x4c, 0xad, 0xc0, 0x30, 0x1d, 0x5f, 0x59, 0x11, 0x12, 0x1e, 0x2f, 0x26, 0x61, 0xd7, 0x75, - 0x86, 0xa6, 0x71, 0x80, 0x1d, 0x6c, 0x10, 0x9b, 0x38, 0xec, 0x50, 0x30, 0xd7, 0x22, 0x21, 0xe8, - 0x39, 0xb4, 0xc7, 0x81, 0xcf, 0x5c, 0xdb, 0x7c, 0x4e, 0x1e, 0x52, 0x3e, 0xd7, 0x57, 0x4e, 0x09, - 0x6b, 0x3e, 0x58, 0x4c, 0xf0, 0xbd, 0x1c, 0x57, 0x6d, 0x4a, 0x0e, 0x77, 0x92, 0x71, 0xd0, 0x27, - 0x9f, 0x11, 0x4f, 0x78, 0xd7, 0x6a, 0xe8, 0x24, 0x29, 0x52, 0xe8, 0x46, 0xa6, 0x6c, 0xf9, 0xca, - 0xda, 0x56, 0x25, 0x74, 0xa3, 0x98, 0x84, 0xae, 0xc0, 0xda, 0x11, 0xf1, 0xcc, 0xe1, 0xe4, 0x91, - 0x69, 0x38, 0x98, 0x05, 0x1e, 0x51, 0xda, 0xc2, 0x15, 0xf3, 0x64, 0x64, 0xc3, 0xa9, 0x11, 0xb1, - 0x6c, 0x6e, 0xf2, 0x5d, 0x8f, 0x0c, 0x7c, 0x65, 0x5d, 0xd8, 0x77, 0x6f, 0xf1, 0x1d, 0x14, 0xec, - 0xb4, 0x2c, 0x77, 0xae, 0x98, 0xe3, 0x6a, 0x32, 0x52, 0xc2, 0x18, 0x41, 0xa1, 0x62, 0x39, 0x32, - 0xba, 0x0c, 0xab, 0xcc, 0xc3, 0xfa, 0xd8, 0x74, 0x8c, 0x03, 0xc2, 0x46, 0xee, 0x40, 0x39, 0x2d, - 0x2c, 0x91, 0xa3, 0x22, 0x1d, 0x10, 0x71, 0x70, 0xdf, 0x22, 0x83, 0xd0, 0x17, 0x1f, 0x4f, 0x28, - 0xf1, 0x95, 0x33, 0x62, 0x15, 0x37, 0xba, 0xa9, 0x0c, 0x95, 0x4b, 0x10, 0xdd, 0xdb, 0x53, 0xb3, - 0x6e, 0x3b, 0xcc, 0x9b, 0x68, 0x05, 0xec, 0xd0, 0x18, 0x5a, 0x7c, 0x1d, 0x91, 0x2b, 0x9c, 0x15, - 0xae, 0x70, 0x77, 0x31, 0x1b, 0xed, 0x27, 0x0c, 0xb5, 0x34, 0x77, 0xd4, 0x05, 0x34, 0xc2, 0xfe, - 0x41, 0x60, 0x31, 0x93, 0x5a, 0x24, 0x54, 0xc3, 0x57, 0x36, 0x84, 0x99, 0x0a, 0x7a, 0xd0, 0x3d, - 0x00, 0x8f, 0x0c, 0xa3, 0x71, 0xe7, 
0xc4, 0xca, 0xaf, 0xcd, 0x5b, 0xb9, 0x16, 0x8f, 0x0e, 0x57, - 0x9c, 0x9a, 0xce, 0x85, 0xf3, 0x65, 0x10, 0x9d, 0xc9, 0x68, 0x17, 0x61, 0xad, 0x08, 0x17, 0x2b, - 0xe8, 0xe1, 0xbe, 0x28, 0xa9, 0x22, 0x69, 0x9d, 0x0f, 0xbd, 0x35, 0x45, 0xea, 0xdc, 0x86, 0x73, - 0x33, 0x4c, 0x8d, 0xda, 0x50, 0x19, 0x93, 0x89, 0x48, 0xd1, 0x4d, 0x8d, 0x7f, 0xa2, 0x33, 0x50, - 0x3b, 0xc2, 0x56, 0x40, 0x44, 0x52, 0x6d, 0x68, 0x61, 0xe3, 0x56, 0xf9, 0x5b, 0xa5, 0xce, 0x2f, - 0x4b, 0xb0, 0x96, 0x53, 0xbc, 0x60, 0xfe, 0x8f, 0xd2, 0xf3, 0x5f, 0x81, 0x1b, 0x0f, 0x1f, 0x63, - 0xcf, 0x20, 0x2c, 0xa5, 0x88, 0xfa, 0xb7, 0x12, 0x28, 0x39, 0x8b, 0x7e, 0xdf, 0x64, 0xa3, 0x3b, - 0xa6, 0x45, 0x7c, 0x74, 0x13, 0x96, 0xbd, 0x90, 0x26, 0x0f, 0x9e, 0x37, 0xe6, 0x6c, 0xc4, 0xfe, - 0x92, 0x16, 0x8d, 0x46, 0x1f, 0x42, 0xc3, 0x26, 0x0c, 0x0f, 0x30, 0xc3, 0x52, 0xf7, 0xad, 0xa2, - 0x99, 0x5c, 0xca, 0x81, 0x1c, 0xb7, 0xbf, 0xa4, 0xc5, 0x73, 0xd0, 0xbb, 0x50, 0xd3, 0x47, 0x81, - 0x33, 0x16, 0x47, 0x4e, 0x6b, 0xfb, 0xe2, 0xac, 0xc9, 0xbb, 0x7c, 0xd0, 0xfe, 0x92, 0x16, 0x8e, - 0xfe, 0xa8, 0x0e, 0x55, 0x8a, 0x3d, 0xa6, 0xde, 0x81, 0x33, 0x45, 0x22, 0xf8, 0x39, 0xa7, 0x8f, - 0x88, 0x3e, 0xf6, 0x03, 0x5b, 0x9a, 0x39, 0x6e, 0x23, 0x04, 0x55, 0xdf, 0x7c, 0x1e, 0x9a, 0xba, - 0xa2, 0x89, 0x6f, 0xf5, 0x2d, 0x58, 0x9f, 0x92, 0xc6, 0x37, 0x35, 0xd4, 0x8d, 0x73, 0x58, 0x91, - 0xa2, 0xd5, 0x00, 0xce, 0x3e, 0x16, 0xb6, 0x88, 0x93, 0xfd, 0x49, 0x9c, 0xdc, 0xea, 0x3e, 0x6c, - 0xe4, 0xc5, 0xfa, 0xd4, 0x75, 0x7c, 0xc2, 0x5d, 0x5f, 0x64, 0x47, 0x93, 0x0c, 0x92, 0x5e, 0xa1, - 0x45, 0x43, 0x2b, 0xe8, 0x51, 0x7f, 0x5b, 0x86, 0x0d, 0x8d, 0xf8, 0xae, 0x75, 0x44, 0xa2, 0xd4, - 0x75, 0x32, 0xe0, 0xe3, 0x87, 0x50, 0xc1, 0x94, 0x4a, 0x37, 0xb9, 0xfb, 0xca, 0x8e, 0x77, 0x8d, - 0x73, 0x45, 0x6f, 0xc3, 0x3a, 0xb6, 0xfb, 0xa6, 0x11, 0xb8, 0x81, 0x1f, 0x2d, 0x4b, 0x38, 0x55, - 0x53, 0x9b, 0xee, 0xe0, 0xe1, 0xef, 0x8b, 0x88, 0xbc, 0xeb, 0x0c, 0xc8, 0x4f, 0x05, 0xa2, 0xa9, - 0x68, 0x69, 0x92, 0xaa, 0xc3, 0xb9, 0x29, 0x23, 0x49, 0x83, 0xa7, 0x41, 
0x54, 0x29, 0x07, 0xa2, - 0x0a, 0xd5, 0x28, 0xcf, 0x50, 0x43, 0x7d, 0x51, 0x82, 0x76, 0x12, 0x5c, 0x92, 0xfd, 0x05, 0x68, - 0xda, 0x92, 0xe6, 0x2b, 0x25, 0x91, 0xc1, 0x12, 0x42, 0x16, 0x4f, 0x95, 0xf3, 0x78, 0x6a, 0x03, - 0xea, 0x21, 0xdc, 0x95, 0x4b, 0x97, 0xad, 0x8c, 0xca, 0xd5, 0x9c, 0xca, 0x9b, 0x00, 0x7e, 0x9c, - 0xe1, 0x94, 0xba, 0xe8, 0x4d, 0x51, 0x90, 0x0a, 0x2b, 0xe1, 0xe9, 0xab, 0x11, 0x3f, 0xb0, 0x98, - 0xb2, 0x2c, 0x46, 0x64, 0x68, 0x22, 0xde, 0x5c, 0xdb, 0xc6, 0xce, 0xc0, 0x57, 0x1a, 0x42, 0xe5, - 0xb8, 0xad, 0xba, 0xb0, 0x76, 0xdf, 0xe4, 0xeb, 0x1b, 0xfa, 0x27, 0x13, 0x2a, 0xef, 0x41, 0x95, - 0x0b, 0xe3, 0x4a, 0xf5, 0x3d, 0xec, 0xe8, 0x23, 0x12, 0xd9, 0x31, 0x6e, 0xf3, 0x24, 0xc0, 0xb0, - 0xe1, 0x2b, 0x65, 0x41, 0x17, 0xdf, 0xea, 0xef, 0xcb, 0xa1, 0xa6, 0x3b, 0x94, 0xfa, 0x5f, 0x3d, - 0x1c, 0x2f, 0x06, 0x08, 0x95, 0x69, 0x80, 0x90, 0x53, 0xf9, 0xcb, 0x00, 0x84, 0x57, 0x74, 0xc8, - 0xa9, 0x01, 0x2c, 0xef, 0x50, 0xca, 0x15, 0x41, 0xd7, 0xa1, 0x8a, 0x29, 0x0d, 0x0d, 0x9e, 0xcb, - 0xe7, 0x72, 0x08, 0xff, 0x2f, 0x55, 0x12, 0x43, 0x3b, 0x37, 0xa1, 0x19, 0x93, 0x5e, 0x26, 0xb6, - 0x99, 0x16, 0xbb, 0x05, 0x10, 0x22, 0xe0, 0xbb, 0xce, 0xd0, 0xe5, 0x5b, 0xca, 0x03, 0x41, 0x4e, - 0x15, 0xdf, 0xea, 0xad, 0x68, 0x84, 0xd0, 0xed, 0x6d, 0xa8, 0x99, 0x8c, 0xd8, 0x91, 0x72, 0x1b, - 0x69, 0xe5, 0x12, 0x46, 0x5a, 0x38, 0x48, 0xfd, 0x73, 0x03, 0xce, 0xf3, 0x1d, 0x7b, 0x24, 0x42, - 0x68, 0x87, 0xd2, 0x8f, 0x09, 0xc3, 0xa6, 0xe5, 0x7f, 0x2f, 0x20, 0xde, 0xe4, 0x35, 0x3b, 0x86, - 0x01, 0xf5, 0x30, 0x02, 0x65, 0xb6, 0x7c, 0xe5, 0xc5, 0x90, 0x64, 0x9f, 0x54, 0x40, 0x95, 0xd7, - 0x53, 0x01, 0x15, 0x55, 0x24, 0xd5, 0x13, 0xaa, 0x48, 0x66, 0x17, 0xa5, 0xa9, 0x52, 0xb7, 0x9e, - 0x2d, 0x75, 0x0b, 0x80, 0xfe, 0xf2, 0x71, 0x81, 0x7e, 0xa3, 0x10, 0xe8, 0xdb, 0x85, 0x71, 0xdc, - 0x14, 0xe6, 0xfe, 0x4e, 0xda, 0x03, 0x67, 0xfa, 0xda, 0x22, 0x90, 0x1f, 0x5e, 0x2b, 0xe4, 0xff, - 0x34, 0x03, 0xe1, 0xc3, 0x22, 0xfa, 0xdd, 0xe3, 0xad, 0x69, 0x0e, 0x98, 0xff, 0xda, 0x41, 0xef, - 0x5f, 0x08, 
0xc4, 0x45, 0xdd, 0xc4, 0x06, 0xf1, 0x61, 0xcf, 0xcf, 0x21, 0x7e, 0xec, 0xca, 0xa4, - 0xc5, 0xbf, 0xd1, 0x35, 0xa8, 0x72, 0x23, 0x4b, 0x48, 0x7c, 0x2e, 0x6d, 0x4f, 0xbe, 0x13, 0x3b, - 0x94, 0x3e, 0xa2, 0x44, 0xd7, 0xc4, 0x20, 0x74, 0x0b, 0x9a, 0xb1, 0xe3, 0xcb, 0xc8, 0xba, 0x90, - 0x9e, 0x11, 0xc7, 0x49, 0x34, 0x2d, 0x19, 0xce, 0xe7, 0x0e, 0x4c, 0x8f, 0xe8, 0x02, 0x30, 0xd6, - 0xa6, 0xe7, 0x7e, 0x1c, 0x75, 0xc6, 0x73, 0xe3, 0xe1, 0xe8, 0x3a, 0xd4, 0xc3, 0x5b, 0x07, 0x11, - 0x41, 0xad, 0xed, 0xf3, 0xd3, 0xc9, 0x34, 0x9a, 0x25, 0x07, 0xaa, 0x7f, 0x2a, 0xc1, 0x9b, 0x89, - 0x43, 0x44, 0xd1, 0x14, 0x61, 0xf6, 0xaf, 0xfe, 0xc4, 0xbd, 0x0c, 0xab, 0xa2, 0x48, 0x48, 0x2e, - 0x1f, 0xc2, 0x7b, 0xb0, 0x1c, 0x55, 0xfd, 0x5d, 0x09, 0x2e, 0x4d, 0xaf, 0x63, 0x77, 0x84, 0x3d, - 0x16, 0x6f, 0xef, 0x49, 0xac, 0x25, 0x3a, 0xf0, 0xca, 0xc9, 0x81, 0x97, 0x59, 0x5f, 0x25, 0xbb, - 0x3e, 0xf5, 0x0f, 0x65, 0x68, 0xa5, 0x1c, 0xa8, 0xe8, 0xc0, 0xe4, 0x60, 0x50, 0xf8, 0xad, 0x28, - 0x0b, 0xc5, 0xa1, 0xd0, 0xd4, 0x52, 0x14, 0x34, 0x06, 0xa0, 0xd8, 0xc3, 0x36, 0x61, 0xc4, 0xe3, - 0x99, 0x9c, 0x47, 0xfc, 0xbd, 0xc5, 0xb3, 0xcb, 0x61, 0xc4, 0x53, 0x4b, 0xb1, 0xe7, 0x68, 0x56, - 0x88, 0xf6, 0x65, 0xfe, 0x96, 0x2d, 0xf4, 0x05, 0xac, 0x0e, 0x4d, 0x8b, 0x1c, 0x26, 0x8a, 0xd4, - 0x85, 0x22, 0x0f, 0x17, 0x57, 0xe4, 0x4e, 0x9a, 0xaf, 0x96, 0x13, 0xa3, 0x5e, 0x85, 0x76, 0x3e, - 0x9e, 0xb8, 0x92, 0xa6, 0x8d, 0x8d, 0xd8, 0x5a, 0xb2, 0xa5, 0x22, 0x68, 0xe7, 0xe3, 0x47, 0xfd, - 0x67, 0x19, 0xce, 0xc6, 0xec, 0x76, 0x1c, 0xc7, 0x0d, 0x1c, 0x5d, 0x5c, 0xe4, 0x15, 0xee, 0xc5, - 0x19, 0xa8, 0x31, 0x93, 0x59, 0x31, 0xf0, 0x11, 0x0d, 0x7e, 0x76, 0x31, 0xd7, 0xb5, 0x98, 0x49, - 0xe5, 0x06, 0x47, 0xcd, 0x70, 0xef, 0x9f, 0x05, 0xa6, 0x47, 0x06, 0x22, 0x13, 0x34, 0xb4, 0xb8, - 0xcd, 0xfb, 0x38, 0xaa, 0x11, 0x10, 0x3f, 0x34, 0x66, 0xdc, 0x16, 0x7e, 0xef, 0x5a, 0x16, 0xd1, - 0xb9, 0x39, 0x52, 0x45, 0x40, 0x8e, 0x2a, 0x8a, 0x0b, 0xe6, 0x99, 0x8e, 0x21, 0x4b, 0x00, 0xd9, - 0xe2, 0x7a, 0x62, 0xcf, 0xc3, 0x13, 0x89, 0xfc, 
0xc3, 0x06, 0xfa, 0x00, 0x2a, 0x36, 0xa6, 0xf2, - 0xa0, 0xbb, 0x9a, 0xc9, 0x0e, 0x45, 0x16, 0xe8, 0x1e, 0x60, 0x1a, 0x9e, 0x04, 0x7c, 0x5a, 0xe7, - 0x3d, 0x68, 0x44, 0x84, 0x2f, 0x05, 0x09, 0x3f, 0x87, 0x53, 0x99, 0xe4, 0x83, 0x9e, 0xc0, 0x46, - 0xe2, 0x51, 0x69, 0x81, 0x12, 0x04, 0xbe, 0xf9, 0x52, 0xcd, 0xb4, 0x19, 0x0c, 0xd4, 0x67, 0xb0, - 0xce, 0x5d, 0x46, 0x04, 0xfe, 0x09, 0x95, 0x36, 0xef, 0x43, 0x33, 0x16, 0x59, 0xe8, 0x33, 0x1d, - 0x68, 0x1c, 0x45, 0x17, 0xac, 0x61, 0x6d, 0x13, 0xb7, 0xd5, 0x1d, 0x40, 0x69, 0x7d, 0xe5, 0x09, - 0x74, 0x2d, 0x0b, 0x8a, 0xcf, 0xe6, 0x8f, 0x1b, 0x31, 0x3c, 0xc2, 0xc4, 0x7f, 0x2f, 0xc3, 0xda, - 0x9e, 0x29, 0xee, 0x48, 0x4e, 0x28, 0xc9, 0x5d, 0x85, 0xb6, 0x1f, 0xf4, 0x6d, 0x77, 0x10, 0x58, - 0x44, 0x82, 0x02, 0x79, 0xd2, 0x4f, 0xd1, 0xe7, 0x25, 0x3f, 0x6e, 0x2c, 0x8a, 0xd9, 0x48, 0x56, - 0xbf, 0xe2, 0x1b, 0x7d, 0x00, 0xe7, 0x1f, 0x90, 0x2f, 0xe4, 0x7a, 0xf6, 0x2c, 0xb7, 0xdf, 0x37, - 0x1d, 0x23, 0x12, 0x52, 0x13, 0x42, 0x66, 0x0f, 0x28, 0x82, 0x8a, 0xf5, 0x62, 0xa8, 0x18, 0x57, - 0xd0, 0xbb, 0xae, 0x6d, 0x9b, 0x4c, 0x22, 0xca, 0x0c, 0x4d, 0xfd, 0x79, 0x09, 0xda, 0x89, 0x65, - 0xe5, 0xde, 0xdc, 0x0c, 0x63, 0x28, 0xdc, 0x99, 0x4b, 0xe9, 0x9d, 0xc9, 0x0f, 0xfd, 0xef, 0xc3, - 0x67, 0x25, 0x1d, 0x3e, 0xbf, 0x2a, 0xc3, 0xd9, 0x3d, 0x93, 0x45, 0x89, 0xcb, 0xfc, 0x7f, 0xdb, - 0xe5, 0x82, 0x3d, 0xa9, 0x1e, 0x6f, 0x4f, 0x6a, 0x05, 0x7b, 0xd2, 0x85, 0x8d, 0xbc, 0x31, 0xe4, - 0xc6, 0x9c, 0x81, 0x1a, 0xf7, 0xa0, 0xe8, 0x5e, 0x21, 0x6c, 0xa8, 0xff, 0xa8, 0xc3, 0xc5, 0x4f, - 0xe9, 0x00, 0xb3, 0xf8, 0xce, 0xe8, 0x8e, 0xeb, 0x1d, 0xf2, 0xae, 0x93, 0xb1, 0x62, 0xee, 0x9d, - 0xae, 0x3c, 0xf7, 0x9d, 0xae, 0x32, 0xe7, 0x9d, 0xae, 0x7a, 0xac, 0x77, 0xba, 0xda, 0x89, 0xbd, - 0xd3, 0x4d, 0xd7, 0x5a, 0xf5, 0xc2, 0x5a, 0xeb, 0x49, 0xa6, 0x1e, 0x59, 0x16, 0x61, 0xf3, 0xed, - 0x74, 0xd8, 0xcc, 0xdd, 0x9d, 0xb9, 0x0f, 0x0c, 0xb9, 0xe7, 0xad, 0xc6, 0x4b, 0x9f, 0xb7, 0x9a, - 0xd3, 0xcf, 0x5b, 0xc5, 0x2f, 0x24, 0x30, 0xf3, 0x85, 0xe4, 0x32, 0xac, 0xfa, 0x13, 
0x47, 0x27, - 0x83, 0xf8, 0x26, 0xb1, 0x15, 0x2e, 0x3b, 0x4b, 0xcd, 0x44, 0xc4, 0x4a, 0x2e, 0x22, 0x62, 0x4f, - 0x3d, 0x95, 0xf2, 0xd4, 0xa2, 0x38, 0x59, 0x2d, 0x8c, 0x93, 0xff, 0x9d, 0x22, 0xea, 0x33, 0xd8, - 0x9c, 0xb5, 0x7b, 0x32, 0x28, 0x15, 0x58, 0xd6, 0x47, 0xd8, 0x31, 0xc4, 0x75, 0x9f, 0xa8, 0xea, - 0x65, 0x73, 0x1e, 0xea, 0xdf, 0xfe, 0x23, 0xc0, 0x7a, 0x82, 0xe6, 0xf9, 0x5f, 0x53, 0x27, 0xe8, - 0x21, 0xb4, 0xf7, 0xe4, 0x53, 0x7e, 0x74, 0x41, 0x8b, 0xe6, 0xbd, 0x89, 0x74, 0x2e, 0x14, 0x77, - 0x86, 0xaa, 0xa9, 0x4b, 0x48, 0x87, 0xf3, 0x79, 0x86, 0xc9, 0xf3, 0xcb, 0x37, 0xe7, 0x70, 0x8e, - 0x47, 0xbd, 0x4c, 0xc4, 0x95, 0x12, 0x7a, 0x02, 0xab, 0xd9, 0x47, 0x02, 0x94, 0x81, 0x37, 0x85, - 0xef, 0x16, 0x1d, 0x75, 0xde, 0x90, 0x58, 0xff, 0xa7, 0xdc, 0x0d, 0x32, 0xf7, 0xe1, 0x48, 0xcd, - 0x56, 0xfa, 0x45, 0x2f, 0x0a, 0x9d, 0x6f, 0xcc, 0x1d, 0x13, 0x73, 0x7f, 0x1f, 0x1a, 0xd1, 0x1d, - 0x71, 0xd6, 0xcc, 0xb9, 0x9b, 0xe3, 0x4e, 0x3b, 0xcb, 0x6f, 0xe8, 0xab, 0x4b, 0xe8, 0xc3, 0x70, - 0xf2, 0x0e, 0xa5, 0x05, 0x93, 0x53, 0x37, 0xa3, 0x9d, 0xd3, 0x05, 0xb7, 0x91, 0xea, 0x12, 0xfa, - 0x2e, 0xb4, 0xf8, 0xd7, 0xa1, 0x7c, 0x44, 0xdf, 0xe8, 0x86, 0xbf, 0xd9, 0xe8, 0x46, 0xbf, 0xd9, - 0xe8, 0xde, 0xb6, 0x29, 0x9b, 0x74, 0x0a, 0xae, 0x0b, 0x25, 0x83, 0xa7, 0x70, 0x6a, 0x8f, 0xb0, - 0xa4, 0xba, 0x47, 0x97, 0x8e, 0x75, 0x07, 0xd2, 0x51, 0xf3, 0xc3, 0xa6, 0x2f, 0x08, 0xd4, 0x25, - 0xf4, 0xeb, 0x12, 0x9c, 0xde, 0x23, 0x2c, 0x5f, 0x2f, 0xa3, 0x77, 0x8a, 0x85, 0xcc, 0xa8, 0xab, - 0x3b, 0x0f, 0x16, 0x8d, 0xc9, 0x2c, 0x5b, 0x75, 0x09, 0xfd, 0xa6, 0x04, 0xe7, 0x52, 0x8a, 0xa5, - 0x0b, 0x60, 0x74, 0x7d, 0xbe, 0x72, 0x05, 0xc5, 0x72, 0xe7, 0x93, 0x05, 0x7f, 0x1b, 0x91, 0x62, - 0xa9, 0x2e, 0xa1, 0x43, 0xb1, 0x27, 0x09, 0xde, 0x45, 0x17, 0x0b, 0x81, 0x6d, 0x2c, 0x7d, 0x73, - 0x56, 0x77, 0xbc, 0x0f, 0x9f, 0x40, 0x6b, 0x8f, 0xb0, 0x08, 0x78, 0x65, 0x3d, 0x2d, 0x87, 0x89, - 0xb3, 0xa1, 0x9a, 0xc7, 0x6a, 0xc2, 0x63, 0xd6, 0x43, 0x5e, 0x29, 0x70, 0x91, 0x8d, 0xd5, 0x42, - 0x14, 0x96, 0xf5, 0x98, 
0x62, 0x6c, 0xa2, 0x2e, 0xa1, 0x67, 0xb0, 0x51, 0x9c, 0x2a, 0xd1, 0x5b, - 0xc7, 0x3e, 0x0c, 0x3b, 0x57, 0x8f, 0x33, 0x34, 0x12, 0xf9, 0xd1, 0xce, 0x5f, 0x5e, 0x6c, 0x96, - 0xfe, 0xfa, 0x62, 0xb3, 0xf4, 0xaf, 0x17, 0x9b, 0xa5, 0x1f, 0xdc, 0x78, 0xc9, 0x6f, 0xa8, 0x52, - 0x3f, 0xcb, 0xc2, 0xd4, 0xd4, 0x2d, 0x93, 0x38, 0xac, 0x5f, 0x17, 0xf1, 0x76, 0xe3, 0x3f, 0x01, - 0x00, 0x00, 0xff, 0xff, 0xe6, 0x4d, 0x67, 0x16, 0xb5, 0x25, 0x00, 0x00, + // 2352 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x1a, 0x4d, 0x73, 0x1c, 0x47, + 0x55, 0xfb, 0xa9, 0xdd, 0x27, 0xeb, 0xab, 0x6d, 0xcb, 0xe3, 0x8d, 0x2d, 0x94, 0x01, 0xbb, 0x1c, + 0x3b, 0x59, 0x95, 0xe5, 0x4a, 0x0c, 0x4e, 0x08, 0xa5, 0x28, 0xb6, 0xe4, 0xd8, 0xb2, 0xc5, 0xd8, + 0x09, 0x65, 0x30, 0x50, 0xbd, 0xb3, 0xad, 0xd9, 0x89, 0xe6, 0xa3, 0x3d, 0xd3, 0xa3, 0xb0, 0xae, + 0xe2, 0x04, 0xc5, 0x85, 0x3b, 0x07, 0xae, 0xfc, 0x05, 0x28, 0x8e, 0x1c, 0x28, 0x0a, 0x8e, 0x14, + 0x17, 0xaa, 0xb8, 0x40, 0xf9, 0x97, 0x50, 0xfd, 0x31, 0x9f, 0x3b, 0xbb, 0x52, 0x58, 0x59, 0x01, + 0x2e, 0xd2, 0xf4, 0xeb, 0xd7, 0xef, 0xbd, 0x7e, 0x5f, 0xfd, 0x5e, 0xf7, 0xc2, 0xd5, 0x80, 0x50, + 0x3f, 0x24, 0xc1, 0x21, 0x09, 0xd6, 0xc5, 0xa7, 0xcd, 0xfc, 0x60, 0x98, 0xf9, 0xec, 0xd2, 0xc0, + 0x67, 0x3e, 0x82, 0x14, 0xd2, 0x79, 0x68, 0xd9, 0x6c, 0x10, 0xf5, 0xba, 0xa6, 0xef, 0xae, 0xe3, + 0xc0, 0xf2, 0x69, 0xe0, 0x7f, 0x2e, 0x3e, 0xde, 0x31, 0xfb, 0xeb, 0x87, 0x1b, 0xeb, 0xf4, 0xc0, + 0x5a, 0xc7, 0xd4, 0x0e, 0xd7, 0x31, 0xa5, 0x8e, 0x6d, 0x62, 0x66, 0xfb, 0xde, 0xfa, 0xe1, 0x4d, + 0xec, 0xd0, 0x01, 0xbe, 0xb9, 0x6e, 0x11, 0x8f, 0x04, 0x98, 0x91, 0xbe, 0xa4, 0xdc, 0x79, 0xc3, + 0xf2, 0x7d, 0xcb, 0x21, 0xeb, 0x62, 0xd4, 0x8b, 0xf6, 0xd7, 0x89, 0x4b, 0x99, 0x62, 0xab, 0xff, + 0x76, 0x1e, 0x16, 0x77, 0xb1, 0x67, 0xef, 0x93, 0x90, 0x19, 0xe4, 0x45, 0x44, 0x42, 0x86, 0x9e, + 0x43, 0x9d, 0x0b, 0xa3, 0x55, 0xd6, 0x2a, 0xd7, 0xe6, 0x36, 0x76, 0xba, 0xa9, 0x34, 0xdd, 0x58, + 0x1a, 0xf1, 0xf1, 0x63, 0xb3, 0xdf, 
0x3d, 0xdc, 0xe8, 0xd2, 0x03, 0xab, 0xcb, 0xa5, 0xe9, 0x66, + 0xa4, 0xe9, 0xc6, 0xd2, 0x74, 0x8d, 0x64, 0x5b, 0x86, 0xa0, 0x8a, 0x3a, 0xd0, 0x0a, 0xc8, 0xa1, + 0x1d, 0xda, 0xbe, 0xa7, 0x55, 0xd7, 0x2a, 0xd7, 0xda, 0x46, 0x32, 0x46, 0x1a, 0xcc, 0x7a, 0xfe, + 0x16, 0x36, 0x07, 0x44, 0xab, 0xad, 0x55, 0xae, 0xb5, 0x8c, 0x78, 0x88, 0xd6, 0x60, 0x0e, 0x53, + 0xfa, 0x10, 0xf7, 0x88, 0xf3, 0x80, 0x0c, 0xb5, 0xba, 0x58, 0x98, 0x05, 0xf1, 0xb5, 0x98, 0xd2, + 0x47, 0xd8, 0x25, 0x5a, 0x43, 0xcc, 0xc6, 0x43, 0x74, 0x09, 0xda, 0x1e, 0x76, 0x49, 0x48, 0xb1, + 0x49, 0xb4, 0x96, 0x98, 0x4b, 0x01, 0xe8, 0xa7, 0xb0, 0x9c, 0x11, 0xfc, 0x89, 0x1f, 0x05, 0x26, + 0xd1, 0x40, 0x6c, 0xfd, 0xf1, 0x74, 0x5b, 0xdf, 0x2c, 0x92, 0x35, 0x46, 0x39, 0xa1, 0x1f, 0x41, + 0x43, 0x58, 0x5e, 0x9b, 0x5b, 0xab, 0x9d, 0xa8, 0xb6, 0x25, 0x59, 0xe4, 0xc1, 0x2c, 0x75, 0x22, + 0xcb, 0xf6, 0x42, 0xed, 0x8c, 0xe0, 0xf0, 0x74, 0x3a, 0x0e, 0x5b, 0xbe, 0xb7, 0x6f, 0x5b, 0xbb, + 0xd8, 0xc3, 0x16, 0x71, 0x89, 0xc7, 0xf6, 0x04, 0x71, 0x23, 0x66, 0x82, 0x5e, 0xc2, 0xd2, 0x41, + 0x14, 0x32, 0xdf, 0xb5, 0x5f, 0x92, 0xc7, 0x94, 0xaf, 0x0d, 0xb5, 0x79, 0xa1, 0xcd, 0x47, 0xd3, + 0x31, 0x7e, 0x50, 0xa0, 0x6a, 0x8c, 0xf0, 0xe1, 0x4e, 0x72, 0x10, 0xf5, 0xc8, 0x67, 0x24, 0x10, + 0xde, 0xb5, 0x20, 0x9d, 0x24, 0x03, 0x92, 0x6e, 0x64, 0xab, 0x51, 0xa8, 0x2d, 0xae, 0xd5, 0xa4, + 0x1b, 0x25, 0x20, 0x74, 0x0d, 0x16, 0x0f, 0x49, 0x60, 0xef, 0x0f, 0x9f, 0xd8, 0x96, 0x87, 0x59, + 0x14, 0x10, 0x6d, 0x49, 0xb8, 0x62, 0x11, 0x8c, 0x5c, 0x98, 0x1f, 0x10, 0xc7, 0xe5, 0x2a, 0xdf, + 0x0a, 0x48, 0x3f, 0xd4, 0x96, 0x85, 0x7e, 0xb7, 0xa7, 0xb7, 0xa0, 0x20, 0x67, 0xe4, 0xa9, 0x73, + 0xc1, 0x3c, 0xdf, 0x50, 0x91, 0x22, 0x63, 0x04, 0x49, 0xc1, 0x0a, 0x60, 0x74, 0x15, 0x16, 0x58, + 0x80, 0xcd, 0x03, 0xdb, 0xb3, 0x76, 0x09, 0x1b, 0xf8, 0x7d, 0xed, 0xac, 0xd0, 0x44, 0x01, 0x8a, + 0x4c, 0x40, 0xc4, 0xc3, 0x3d, 0x87, 0xf4, 0xa5, 0x2f, 0x3e, 0x1d, 0x52, 0x12, 0x6a, 0xe7, 0xc4, + 0x2e, 0x6e, 0x75, 0x33, 0x19, 0xaa, 0x90, 0x20, 0xba, 0x77, 0x47, 0x56, 
0xdd, 0xf5, 0x58, 0x30, + 0x34, 0x4a, 0xc8, 0xa1, 0x03, 0x98, 0xe3, 0xfb, 0x88, 0x5d, 0xe1, 0xbc, 0x70, 0x85, 0xfb, 0xd3, + 0xe9, 0x68, 0x27, 0x25, 0x68, 0x64, 0xa9, 0xa3, 0x2e, 0xa0, 0x01, 0x0e, 0x77, 0x23, 0x87, 0xd9, + 0xd4, 0x21, 0x52, 0x8c, 0x50, 0x5b, 0x11, 0x6a, 0x2a, 0x99, 0x41, 0x0f, 0x00, 0x02, 0xb2, 0x1f, + 0xe3, 0x5d, 0x10, 0x3b, 0xbf, 0x31, 0x69, 0xe7, 0x46, 0x82, 0x2d, 0x77, 0x9c, 0x59, 0xce, 0x99, + 0xf3, 0x6d, 0x10, 0x93, 0xa9, 0x68, 0x17, 0x61, 0xad, 0x09, 0x17, 0x2b, 0x99, 0xe1, 0xbe, 0xa8, + 0xa0, 0x22, 0x69, 0x5d, 0x94, 0xde, 0x9a, 0x01, 0xa1, 0x1d, 0xf8, 0xda, 0xa6, 0xe7, 0xf9, 0x4c, + 0x6c, 0x3f, 0x16, 0x65, 0x5b, 0xa5, 0xf7, 0x3d, 0xcc, 0x06, 0xa1, 0xd6, 0x11, 0xab, 0x8e, 0x42, + 0xeb, 0xdc, 0x85, 0x0b, 0x63, 0x8c, 0x86, 0x96, 0xa0, 0x76, 0x40, 0x86, 0x22, 0xd9, 0xb7, 0x0d, + 0xfe, 0x89, 0xce, 0x41, 0xe3, 0x10, 0x3b, 0x11, 0x11, 0xe9, 0xb9, 0x65, 0xc8, 0xc1, 0x9d, 0xea, + 0x37, 0x2b, 0x9d, 0x5f, 0x54, 0x60, 0xb1, 0xa0, 0x82, 0x92, 0xf5, 0x3f, 0xcc, 0xae, 0x3f, 0x81, + 0x80, 0xd8, 0x7f, 0x8a, 0x03, 0x8b, 0xb0, 0x8c, 0x20, 0xfa, 0xdf, 0x2a, 0xa0, 0x15, 0x6c, 0xf3, + 0x3d, 0x9b, 0x0d, 0xee, 0xd9, 0x0e, 0x09, 0xd1, 0x6d, 0x98, 0x0d, 0x24, 0x4c, 0x1d, 0x61, 0x6f, + 0x4c, 0x30, 0xe9, 0xce, 0x8c, 0x11, 0x63, 0xa3, 0x0f, 0xa1, 0xe5, 0x12, 0x86, 0xfb, 0x98, 0x61, + 0x25, 0xfb, 0x5a, 0xd9, 0x4a, 0xce, 0x65, 0x57, 0xe1, 0xed, 0xcc, 0x18, 0xc9, 0x1a, 0xf4, 0x2e, + 0x34, 0xcc, 0x41, 0xe4, 0x1d, 0x88, 0xc3, 0x6b, 0x6e, 0xe3, 0xf2, 0xb8, 0xc5, 0x5b, 0x1c, 0x69, + 0x67, 0xc6, 0x90, 0xd8, 0x1f, 0x35, 0xa1, 0x4e, 0x71, 0xc0, 0xf4, 0x7b, 0x70, 0xae, 0x8c, 0x05, + 0x3f, 0x31, 0xcd, 0x01, 0x31, 0x0f, 0xc2, 0xc8, 0x55, 0x6a, 0x4e, 0xc6, 0x08, 0x41, 0x3d, 0xb4, + 0x5f, 0x4a, 0x55, 0xd7, 0x0c, 0xf1, 0xad, 0xbf, 0x05, 0xcb, 0x23, 0xdc, 0xb8, 0x51, 0xa5, 0x6c, + 0x9c, 0xc2, 0x19, 0xc5, 0x5a, 0x8f, 0xe0, 0xfc, 0x53, 0xa1, 0x8b, 0xe4, 0xd8, 0x38, 0x8d, 0x1a, + 0x40, 0xdf, 0x81, 0x95, 0x22, 0xdb, 0x90, 0xfa, 0x5e, 0x48, 0x78, 0x10, 0x89, 0x3c, 0x6b, 0x93, + 0x7e, 0x3a, 
0x2b, 0xa4, 0x68, 0x19, 0x25, 0x33, 0xfa, 0x6f, 0xaa, 0xb0, 0x62, 0x90, 0xd0, 0x77, + 0x0e, 0x49, 0x9c, 0x04, 0x4f, 0xa7, 0x8c, 0xf9, 0x01, 0xd4, 0x30, 0xa5, 0xca, 0x4d, 0xee, 0x9f, + 0x58, 0xa1, 0x60, 0x70, 0xaa, 0xe8, 0x6d, 0x58, 0xc6, 0x6e, 0xcf, 0xb6, 0x22, 0x3f, 0x0a, 0xe3, + 0x6d, 0x09, 0xa7, 0x6a, 0x1b, 0xa3, 0x13, 0x3c, 0x91, 0x84, 0x22, 0x22, 0xef, 0x7b, 0x7d, 0xf2, + 0x13, 0x51, 0x1b, 0xd5, 0x8c, 0x2c, 0x48, 0x37, 0xe1, 0xc2, 0x88, 0x92, 0x94, 0xc2, 0xb3, 0xe5, + 0x58, 0xa5, 0x50, 0x8e, 0x95, 0x8a, 0x51, 0x1d, 0x23, 0x86, 0xfe, 0xaa, 0x02, 0x4b, 0x69, 0x70, + 0x29, 0xf2, 0x97, 0xa0, 0xed, 0x2a, 0x58, 0xa8, 0x55, 0x44, 0x2e, 0x4c, 0x01, 0xf9, 0xca, 0xac, + 0x5a, 0xac, 0xcc, 0x56, 0xa0, 0x29, 0x0b, 0x67, 0xb5, 0x75, 0x35, 0xca, 0x89, 0x5c, 0x2f, 0x88, + 0xbc, 0x0a, 0x10, 0x26, 0x19, 0x4e, 0x6b, 0x8a, 0xd9, 0x0c, 0x04, 0xe9, 0x70, 0x46, 0x9e, 0xe3, + 0x06, 0x09, 0x23, 0x87, 0x69, 0xb3, 0x02, 0x23, 0x07, 0x13, 0xf1, 0xe6, 0xbb, 0x2e, 0xf6, 0xfa, + 0xa1, 0xd6, 0x12, 0x22, 0x27, 0x63, 0xdd, 0x87, 0xc5, 0x87, 0x36, 0xdf, 0xdf, 0x7e, 0x78, 0x3a, + 0xa1, 0xf2, 0x1e, 0xd4, 0x39, 0x33, 0x2e, 0x54, 0x2f, 0xc0, 0x9e, 0x39, 0x20, 0xb1, 0x1e, 0x93, + 0x31, 0x4f, 0x02, 0x0c, 0x5b, 0xa1, 0x56, 0x15, 0x70, 0xf1, 0xad, 0xff, 0xbe, 0x2a, 0x25, 0xdd, + 0xa4, 0x34, 0xfc, 0xea, 0x0b, 0xfb, 0xf2, 0x52, 0xa3, 0x36, 0x5a, 0x6a, 0x14, 0x44, 0xfe, 0x32, + 0xa5, 0xc6, 0x09, 0x1d, 0x72, 0x7a, 0x04, 0xb3, 0x9b, 0x94, 0x72, 0x41, 0xd0, 0x4d, 0xa8, 0x63, + 0x4a, 0xa5, 0xc2, 0x0b, 0xf9, 0x5c, 0xa1, 0xf0, 0xff, 0x4a, 0x24, 0x81, 0xda, 0xb9, 0x0d, 0xed, + 0x04, 0x74, 0x14, 0xdb, 0x76, 0x96, 0xed, 0x1a, 0x80, 0xac, 0xa5, 0xef, 0x7b, 0xfb, 0x3e, 0x37, + 0x29, 0x0f, 0x04, 0xb5, 0x54, 0x7c, 0xeb, 0x77, 0x62, 0x0c, 0x21, 0xdb, 0xdb, 0xd0, 0xb0, 0x19, + 0x71, 0x63, 0xe1, 0x56, 0xb2, 0xc2, 0xa5, 0x84, 0x0c, 0x89, 0xa4, 0xff, 0xb9, 0x05, 0x17, 0xb9, + 0xc5, 0x9e, 0x88, 0x10, 0xda, 0xa4, 0xf4, 0x63, 0xc2, 0xb0, 0xed, 0x84, 0xdf, 0x8d, 0x48, 0x30, + 0x7c, 0xcd, 0x8e, 0x61, 0x41, 0x53, 0x46, 0xa0, 
0xca, 0x96, 0x27, 0xde, 0x56, 0x29, 0xf2, 0x69, + 0x2f, 0x55, 0x7b, 0x3d, 0xbd, 0x54, 0x59, 0x6f, 0x53, 0x3f, 0xa5, 0xde, 0x66, 0x7c, 0x7b, 0x9b, + 0x69, 0x9a, 0x9b, 0xf9, 0xa6, 0xb9, 0xa4, 0x65, 0x98, 0x3d, 0x6e, 0xcb, 0xd0, 0x2a, 0x6d, 0x19, + 0xdc, 0xd2, 0x38, 0x6e, 0x0b, 0x75, 0x7f, 0x3b, 0xeb, 0x81, 0x63, 0x7d, 0x6d, 0x9a, 0xe6, 0x01, + 0x5e, 0x6b, 0xf3, 0xf0, 0x69, 0xae, 0x19, 0x90, 0xed, 0xf8, 0xbb, 0xc7, 0xdb, 0xd3, 0x84, 0xb6, + 0xe0, 0xff, 0xae, 0xf4, 0xfe, 0xb9, 0xa8, 0xb8, 0xa8, 0x9f, 0xea, 0x20, 0x39, 0xec, 0xf9, 0x39, + 0xc4, 0x8f, 0x5d, 0x95, 0xb4, 0xf8, 0x37, 0xba, 0x01, 0x75, 0xae, 0x64, 0x55, 0x12, 0x5f, 0xc8, + 0xea, 0x93, 0x5b, 0x62, 0x93, 0xd2, 0x27, 0x94, 0x98, 0x86, 0x40, 0x42, 0x77, 0xa0, 0x9d, 0x38, + 0xbe, 0x8a, 0xac, 0x4b, 0xd9, 0x15, 0x49, 0x9c, 0xc4, 0xcb, 0x52, 0x74, 0xbe, 0xb6, 0x6f, 0x07, + 0xc4, 0x14, 0x05, 0x63, 0x63, 0x74, 0xed, 0xc7, 0xf1, 0x64, 0xb2, 0x36, 0x41, 0x47, 0x37, 0xa1, + 0x29, 0xef, 0x2f, 0x44, 0x04, 0xcd, 0x6d, 0x5c, 0x1c, 0x4d, 0xa6, 0xf1, 0x2a, 0x85, 0xa8, 0xff, + 0xa9, 0x02, 0x6f, 0xa6, 0x0e, 0x11, 0x47, 0x53, 0x5c, 0xb3, 0x7f, 0xf5, 0x27, 0xee, 0x55, 0x58, + 0x10, 0x4d, 0x42, 0x7a, 0x8d, 0x21, 0x6f, 0xd4, 0x0a, 0x50, 0xfd, 0x77, 0x15, 0xb8, 0x32, 0xba, + 0x8f, 0xad, 0x01, 0x0e, 0x58, 0x62, 0xde, 0xd3, 0xd8, 0x4b, 0x7c, 0xe0, 0x55, 0xd3, 0x03, 0x2f, + 0xb7, 0xbf, 0x5a, 0x7e, 0x7f, 0xfa, 0x1f, 0xaa, 0x30, 0x97, 0x71, 0xa0, 0xb2, 0x03, 0x93, 0x17, + 0x83, 0xc2, 0x6f, 0x45, 0x5b, 0x28, 0x0e, 0x85, 0xb6, 0x91, 0x81, 0xa0, 0x03, 0x00, 0x8a, 0x03, + 0xec, 0x12, 0x46, 0x02, 0x9e, 0xc9, 0x79, 0xc4, 0x3f, 0x98, 0x3e, 0xbb, 0xec, 0xc5, 0x34, 0x8d, + 0x0c, 0x79, 0x5e, 0xcd, 0x0a, 0xd6, 0xa1, 0xca, 0xdf, 0x6a, 0x84, 0xbe, 0x80, 0x85, 0x7d, 0xdb, + 0x21, 0x7b, 0xa9, 0x20, 0x4d, 0x21, 0xc8, 0xe3, 0xe9, 0x05, 0xb9, 0x97, 0xa5, 0x6b, 0x14, 0xd8, + 0xe8, 0xd7, 0x61, 0xa9, 0x18, 0x4f, 0x5c, 0x48, 0xdb, 0xc5, 0x56, 0xa2, 0x2d, 0x35, 0xd2, 0x11, + 0x2c, 0x15, 0xe3, 0x47, 0xff, 0x67, 0x15, 0xce, 0x27, 0xe4, 0x36, 0x3d, 0xcf, 0x8f, 
0x3c, 0x53, + 0x5c, 0x09, 0x96, 0xda, 0xe2, 0x1c, 0x34, 0x98, 0xcd, 0x9c, 0xa4, 0xf0, 0x11, 0x03, 0x7e, 0x76, + 0x31, 0xdf, 0x77, 0x98, 0x4d, 0x95, 0x81, 0xe3, 0xa1, 0xb4, 0xfd, 0x8b, 0xc8, 0x0e, 0x48, 0x5f, + 0x64, 0x82, 0x96, 0x91, 0x8c, 0xf9, 0x1c, 0xaf, 0x6a, 0x44, 0x89, 0x2f, 0x95, 0x99, 0x8c, 0x85, + 0xdf, 0xfb, 0x8e, 0x43, 0x4c, 0xae, 0x8e, 0x4c, 0x13, 0x50, 0x80, 0x8a, 0xe6, 0x82, 0x05, 0xb6, + 0x67, 0xa9, 0x16, 0x40, 0x8d, 0xb8, 0x9c, 0x38, 0x08, 0xf0, 0x50, 0x55, 0xfe, 0x72, 0x80, 0x3e, + 0x80, 0x9a, 0x8b, 0xa9, 0x3a, 0xe8, 0xae, 0xe7, 0xb2, 0x43, 0x99, 0x06, 0xba, 0xbb, 0x98, 0xca, + 0x93, 0x80, 0x2f, 0xeb, 0xbc, 0x07, 0xad, 0x18, 0xf0, 0xa5, 0x4a, 0xc2, 0xcf, 0x61, 0x3e, 0x97, + 0x7c, 0xd0, 0x33, 0x58, 0x49, 0x3d, 0x2a, 0xcb, 0x50, 0x15, 0x81, 0x6f, 0x1e, 0x29, 0x99, 0x31, + 0x86, 0x80, 0xfe, 0x02, 0x96, 0xb9, 0xcb, 0x88, 0xc0, 0x3f, 0xa5, 0xd6, 0xe6, 0x7d, 0x68, 0x27, + 0x2c, 0x4b, 0x7d, 0xa6, 0x03, 0xad, 0xc3, 0xf8, 0xaa, 0x56, 0xf6, 0x36, 0xc9, 0x58, 0xdf, 0x04, + 0x94, 0x95, 0x57, 0x9d, 0x40, 0x37, 0xf2, 0x45, 0xf1, 0xf9, 0xe2, 0x71, 0x23, 0xd0, 0xe3, 0x9a, + 0xf8, 0xef, 0x55, 0x58, 0xdc, 0xb6, 0xc5, 0x1d, 0xc9, 0x29, 0x25, 0xb9, 0xeb, 0xb0, 0x14, 0x46, + 0x3d, 0xd7, 0xef, 0x47, 0x0e, 0x51, 0x45, 0x81, 0x3a, 0xe9, 0x47, 0xe0, 0x93, 0x92, 0x1f, 0x57, + 0x16, 0xc5, 0x6c, 0xa0, 0xba, 0x5f, 0xf1, 0x8d, 0x3e, 0x80, 0x8b, 0x8f, 0xc8, 0x17, 0x6a, 0x3f, + 0xdb, 0x8e, 0xdf, 0xeb, 0xd9, 0x9e, 0x15, 0x33, 0x69, 0x08, 0x26, 0xe3, 0x11, 0xca, 0x4a, 0xc5, + 0x66, 0x79, 0xa9, 0x98, 0x74, 0xd0, 0x5b, 0xbe, 0xeb, 0xda, 0x4c, 0x55, 0x94, 0x39, 0x98, 0xfe, + 0xb3, 0x0a, 0x2c, 0xa5, 0x9a, 0x55, 0xb6, 0xb9, 0x2d, 0x63, 0x48, 0x5a, 0xe6, 0x4a, 0xd6, 0x32, + 0x45, 0xd4, 0xff, 0x3c, 0x7c, 0xce, 0x64, 0xc3, 0xe7, 0x97, 0x55, 0x38, 0xbf, 0x6d, 0xb3, 0x38, + 0x71, 0xd9, 0xff, 0x6b, 0x56, 0x2e, 0xb1, 0x49, 0xfd, 0x78, 0x36, 0x69, 0x94, 0xd8, 0xa4, 0x0b, + 0x2b, 0x45, 0x65, 0x28, 0xc3, 0x9c, 0x83, 0x06, 0x15, 0x97, 0xc9, 0xf2, 0x5e, 0x41, 0x0e, 0xf4, + 0x7f, 0x34, 0xe1, 0xf2, 
0xa7, 0xb4, 0x8f, 0x59, 0x72, 0x67, 0x74, 0xcf, 0x0f, 0xc4, 0x6d, 0xf2, + 0xe9, 0x68, 0xb1, 0xf0, 0xe2, 0x57, 0x9d, 0xf8, 0xe2, 0x57, 0x9b, 0xf0, 0xe2, 0x57, 0x3f, 0xd6, + 0x8b, 0x5f, 0xe3, 0xd4, 0x5e, 0xfc, 0x46, 0x7b, 0xad, 0x66, 0x69, 0xaf, 0xf5, 0x2c, 0xd7, 0x8f, + 0xcc, 0x8a, 0xb0, 0xf9, 0x56, 0x36, 0x6c, 0x26, 0x5a, 0x67, 0xe2, 0x53, 0x45, 0xe1, 0xa1, 0xac, + 0x75, 0xe4, 0x43, 0x59, 0x7b, 0xf4, 0xa1, 0xac, 0xfc, 0xad, 0x05, 0xc6, 0xbe, 0xb5, 0x5c, 0x85, + 0x85, 0x70, 0xe8, 0x99, 0xa4, 0x9f, 0xdc, 0x24, 0xce, 0xc9, 0x6d, 0xe7, 0xa1, 0xb9, 0x88, 0x38, + 0x53, 0x88, 0x88, 0xc4, 0x53, 0xe7, 0x33, 0x9e, 0x5a, 0x16, 0x27, 0x0b, 0xa5, 0x71, 0xf2, 0xdf, + 0xd3, 0x44, 0x7d, 0x06, 0xab, 0xe3, 0xac, 0xa7, 0x82, 0x52, 0x83, 0x59, 0x73, 0x80, 0x3d, 0x4b, + 0x5c, 0xf7, 0x89, 0xae, 0x5e, 0x0d, 0x27, 0x55, 0xfd, 0x1b, 0x7f, 0x04, 0x58, 0x4e, 0xab, 0x79, + 0xfe, 0xd7, 0x36, 0x09, 0x7a, 0x0c, 0x4b, 0xf1, 0x73, 0x50, 0x7c, 0x41, 0x8b, 0x26, 0xbd, 0x89, + 0x74, 0x2e, 0x95, 0x4f, 0x4a, 0xd1, 0xf4, 0x19, 0x64, 0xc2, 0xc5, 0x22, 0xc1, 0xf4, 0xf9, 0xe5, + 0x1b, 0x13, 0x28, 0x27, 0x58, 0x47, 0xb1, 0xb8, 0x56, 0x41, 0xcf, 0x60, 0x21, 0xff, 0x48, 0x80, + 0x72, 0xe5, 0x4d, 0xe9, 0xbb, 0x45, 0x47, 0x9f, 0x84, 0x92, 0xc8, 0xff, 0x9c, 0xbb, 0x41, 0xee, + 0x3e, 0x1c, 0xe9, 0xf9, 0x4e, 0xbf, 0xec, 0x45, 0xa1, 0xf3, 0xf5, 0x89, 0x38, 0x09, 0xf5, 0xf7, + 0xa1, 0x15, 0xdf, 0x11, 0xe7, 0xd5, 0x5c, 0xb8, 0x39, 0xee, 0x2c, 0xe5, 0xe9, 0xed, 0x87, 0xfa, + 0x0c, 0xfa, 0x50, 0x2e, 0xde, 0xa4, 0xb4, 0x64, 0x71, 0xe6, 0x66, 0xb4, 0x73, 0xb6, 0xe4, 0x36, + 0x52, 0x9f, 0x41, 0xdf, 0x81, 0x39, 0xfe, 0xb5, 0xa7, 0x9e, 0xe3, 0x57, 0xba, 0xf2, 0xd7, 0x1f, + 0xdd, 0xf8, 0xd7, 0x1f, 0xdd, 0xbb, 0x2e, 0x65, 0xc3, 0x4e, 0xc9, 0x75, 0xa1, 0x22, 0xf0, 0x1c, + 0xe6, 0xb7, 0x09, 0x4b, 0xbb, 0x7b, 0x74, 0xe5, 0x58, 0x77, 0x20, 0x1d, 0xbd, 0x88, 0x36, 0x7a, + 0x41, 0xa0, 0xcf, 0xa0, 0x5f, 0x55, 0xe0, 0xec, 0x36, 0x61, 0xc5, 0x7e, 0x19, 0xbd, 0x53, 0xce, + 0x64, 0x4c, 0x5f, 0xdd, 0x79, 0x34, 0x6d, 0x4c, 0xe6, 0xc9, 
0xea, 0x33, 0xe8, 0xd7, 0x15, 0xb8, + 0x90, 0x11, 0x2c, 0xdb, 0x00, 0xa3, 0x9b, 0x93, 0x85, 0x2b, 0x69, 0x96, 0x3b, 0x9f, 0x4c, 0xf9, + 0x2b, 0x8b, 0x0c, 0x49, 0x7d, 0x06, 0xed, 0x09, 0x9b, 0xa4, 0xf5, 0x2e, 0xba, 0x5c, 0x5a, 0xd8, + 0x26, 0xdc, 0x57, 0xc7, 0x4d, 0x27, 0x76, 0xf8, 0x04, 0xe6, 0xb6, 0x09, 0x8b, 0x0b, 0xaf, 0xbc, + 0xa7, 0x15, 0x6a, 0xe2, 0x7c, 0xa8, 0x16, 0x6b, 0x35, 0xe1, 0x31, 0xcb, 0x92, 0x56, 0xa6, 0xb8, + 0xc8, 0xc7, 0x6a, 0x69, 0x15, 0x96, 0xf7, 0x98, 0xf2, 0xda, 0x44, 0x9f, 0x41, 0x2f, 0x60, 0xa5, + 0x3c, 0x55, 0xa2, 0xb7, 0x8e, 0x7d, 0x18, 0x76, 0xae, 0x1f, 0x07, 0x35, 0x66, 0xf9, 0xd1, 0xe6, + 0x5f, 0x5e, 0xad, 0x56, 0xfe, 0xfa, 0x6a, 0xb5, 0xf2, 0xaf, 0x57, 0xab, 0x95, 0xef, 0xdf, 0x3a, + 0xe2, 0xd7, 0x58, 0x99, 0x1f, 0x78, 0x61, 0x6a, 0x9b, 0x8e, 0x4d, 0x3c, 0xd6, 0x6b, 0x8a, 0x78, + 0xbb, 0xf5, 0xef, 0x00, 0x00, 0x00, 0xff, 0xff, 0xed, 0x52, 0xaa, 0xcc, 0xff, 0x25, 0x00, 0x00, } // Reference imports to suppress errors if they are not otherwise used. @@ -3233,6 +3243,15 @@ func (m *ManifestRequest) MarshalToSizedBuffer(dAtA []byte) (int, error) { i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } + if len(m.AnnotationManifestGeneratePaths) > 0 { + i -= len(m.AnnotationManifestGeneratePaths) + copy(dAtA[i:], m.AnnotationManifestGeneratePaths) + i = encodeVarintRepository(dAtA, i, uint64(len(m.AnnotationManifestGeneratePaths))) + i-- + dAtA[i] = 0x1 + i-- + dAtA[i] = 0xd2 + } if len(m.ProjectName) > 0 { i -= len(m.ProjectName) copy(dAtA[i:], m.ProjectName) @@ -5565,6 +5584,10 @@ func (m *ManifestRequest) Size() (n int) { if l > 0 { n += 2 + l + sovRepository(uint64(l)) } + l = len(m.AnnotationManifestGeneratePaths) + if l > 0 { + n += 2 + l + sovRepository(uint64(l)) + } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) } 
@@ -7342,6 +7365,38 @@ func (m *ManifestRequest) Unmarshal(dAtA []byte) error { } m.ProjectName = string(dAtA[iNdEx:postIndex]) iNdEx = postIndex + case 26: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field AnnotationManifestGeneratePaths", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowRepository + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthRepository + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthRepository + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.AnnotationManifestGeneratePaths = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipRepository(dAtA[iNdEx:]) diff --git a/reposerver/repository/repository.go b/reposerver/repository/repository.go index e387a5bf93380..7115c1bedd9aa 100644 --- a/reposerver/repository/repository.go +++ b/reposerver/repository/repository.go @@ -113,6 +113,7 @@ type RepoServerInitConstants struct { HelmRegistryMaxIndexSize int64 DisableHelmManifestMaxExtractedSize bool IncludeHiddenDirectories bool + CMPUseManifestGeneratePaths bool } // NewService returns a new instance of the Manifest service 
@@ -805,7 +806,7 @@ func (s *Service) runManifestGenAsync(ctx context.Context, repoRoot, commitSHA, } } - manifestGenResult, err = GenerateManifests(ctx, opContext.appPath, repoRoot, commitSHA, q, false, s.gitCredsStore, s.initConstants.MaxCombinedDirectoryManifestsSize, s.gitRepoPaths, WithCMPTarDoneChannel(ch.tarDoneCh), WithCMPTarExcludedGlobs(s.initConstants.CMPTarExcludedGlobs)) + manifestGenResult, err = GenerateManifests(ctx, opContext.appPath, repoRoot, commitSHA, q, false, s.gitCredsStore, s.initConstants.MaxCombinedDirectoryManifestsSize, s.gitRepoPaths, WithCMPTarDoneChannel(ch.tarDoneCh), WithCMPTarExcludedGlobs(s.initConstants.CMPTarExcludedGlobs), WithCMPUseManifestGeneratePaths(s.initConstants.CMPUseManifestGeneratePaths)) } refSourceCommitSHAs := make(map[string]string) if len(repoRefs) > 0 { @@ -1376,8 +1377,9 @@ func getRepoCredential(repoCredentials []*v1alpha1.RepoCreds, repoURL string) *v type ( GenerateManifestOpt func(*generateManifestOpt) generateManifestOpt struct { - cmpTarDoneCh chan<- bool - cmpTarExcludedGlobs []string + cmpTarDoneCh chan<- bool + cmpTarExcludedGlobs []string + cmpUseManifestGeneratePaths bool } ) 
@@ -1406,6 +1408,14 @@ func WithCMPTarExcludedGlobs(excludedGlobs []string) GenerateManifestOpt { } } +// WithCMPUseManifestGeneratePaths enables or disables the use of the +// 'argocd.argoproj.io/manifest-generate-paths' annotation for manifest generation instead of transmit the whole repository. +func WithCMPUseManifestGeneratePaths(enabled bool) GenerateManifestOpt { + return func(o *generateManifestOpt) { + o.cmpUseManifestGeneratePaths = enabled + } +} + // GenerateManifests generates manifests from a path. Overrides are applied as a side effect on the given ApplicationSource. func GenerateManifests(ctx context.Context, appPath, repoRoot, revision string, q *apiclient.ManifestRequest, isLocal bool, gitCredsStore git.CredsStore, maxCombinedManifestQuantity resource.Quantity, gitRepoPaths io.TempPaths, opts ...GenerateManifestOpt) (*apiclient.ManifestResponse, error) { opt := newGenerateManifestOpt(opts...) @@ -1447,7 +1457,7 @@ func GenerateManifests(ctx context.Context, appPath, repoRoot, revision string, pluginName = q.ApplicationSource.Plugin.Name } // if pluginName is provided it has to be `-` or just `` if plugin version is empty - targetObjs, err = runConfigManagementPluginSidecars(ctx, appPath, repoRoot, pluginName, env, q, opt.cmpTarDoneCh, opt.cmpTarExcludedGlobs) + targetObjs, err = runConfigManagementPluginSidecars(ctx, appPath, repoRoot, pluginName, env, q, opt.cmpTarDoneCh, opt.cmpTarExcludedGlobs, opt.cmpUseManifestGeneratePaths) if err != nil { err = fmt.Errorf("plugin sidecar failed. %s", err.Error()) } 
@@ -1964,7 +1974,7 @@ func getPluginParamEnvs(envVars []string, plugin *v1alpha1.ApplicationSourcePlug return env, nil } -func runConfigManagementPluginSidecars(ctx context.Context, appPath, repoPath, pluginName string, envVars *v1alpha1.Env, q *apiclient.ManifestRequest, tarDoneCh chan<- bool, tarExcludedGlobs []string) ([]*unstructured.Unstructured, error) { +func runConfigManagementPluginSidecars(ctx context.Context, appPath, repoPath, pluginName string, envVars *v1alpha1.Env, q *apiclient.ManifestRequest, tarDoneCh chan<- bool, tarExcludedGlobs []string, useManifestGeneratePaths bool) ([]*unstructured.Unstructured, error) { // compute variables. env, err := getPluginEnvs(envVars, q) if err != nil { @@ -1978,8 +1988,15 @@ func runConfigManagementPluginSidecars(ctx context.Context, appPath, repoPath, p } defer io.Close(conn) + rootPath := repoPath + if useManifestGeneratePaths { + // Transmit the files under the common root path for all paths related to the manifest generate paths annotation. + rootPath = getApplicationRootPath(q, appPath, repoPath) + log.Debugf("common root path calculated for application %s: %s", q.AppName, rootPath) + } + // generate manifests using commands provided in plugin config file in detected cmp-server sidecar - cmpManifests, err := generateManifestsCMP(ctx, appPath, repoPath, env, cmpClient, tarDoneCh, tarExcludedGlobs) + cmpManifests, err := generateManifestsCMP(ctx, appPath, rootPath, env, cmpClient, tarDoneCh, tarExcludedGlobs) if err != nil { return nil, fmt.Errorf("error generating manifests in cmp: %w", err) } 
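Review bot: In the `@@ -1978,8 +1988,15 @@` hunk, rootPath goes straight from getApplicationRootPath into generateManifestsCMP with no check that it is still repoPath or a directory beneath it. The helper builds its result from the components of appPath, so the bound holds only if appPath is itself inside repoPath, which is established outside this hunk if at all. Since rootPath decides which directory tree is archived and streamed to the plugin sidecar, a cheap guard before the call would make that invariant explicit, for example `if rel, err := filepath.Rel(repoPath, rootPath); err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) { rootPath = repoPath }` (assuming `path/filepath` and `strings` are imported in this file). runConfigManagementPluginSidecars starts and ends outside the hunk.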
@@ -2002,7 +2019,7 @@ func runConfigManagementPluginSidecars(ctx context.Context, appPath, repoPath, p // generateManifestsCMP will send the appPath files to the cmp-server over a gRPC stream. // The cmp-server will generate the manifests. Returns a response object with the generated // manifests. -func generateManifestsCMP(ctx context.Context, appPath, repoPath string, env []string, cmpClient pluginclient.ConfigManagementPluginServiceClient, tarDoneCh chan<- bool, tarExcludedGlobs []string) (*pluginclient.ManifestResponse, error) { +func generateManifestsCMP(ctx context.Context, appPath, rootPath string, env []string, cmpClient pluginclient.ConfigManagementPluginServiceClient, tarDoneCh chan<- bool, tarExcludedGlobs []string) (*pluginclient.ManifestResponse, error) { generateManifestStream, err := cmpClient.GenerateManifest(ctx, grpc_retry.Disable()) if err != nil { return nil, fmt.Errorf("error getting generateManifestStream: %w", err) @@ -2011,7 +2028,7 @@ func generateManifestsCMP(ctx context.Context, appPath, repoPath string, env []s cmp.WithTarDoneChan(tarDoneCh), } - err = cmp.SendRepoStream(generateManifestStream.Context(), appPath, repoPath, generateManifestStream, env, tarExcludedGlobs, opts...) + err = cmp.SendRepoStream(generateManifestStream.Context(), appPath, rootPath, generateManifestStream, env, tarExcludedGlobs, opts...) if err != nil { return nil, fmt.Errorf("error sending file to cmp-server: %w", err) } diff --git a/reposerver/repository/repository.proto b/reposerver/repository/repository.proto index 12f27a3f421f3..631ab2787171a 100644 --- a/reposerver/repository/repository.proto +++ b/reposerver/repository/repository.proto 
@@ -38,6 +38,8 @@ message ManifestRequest { repeated string projectSourceRepos = 24; // This is used to surface "source not permitted" errors for Helm repositories string projectName = 25; + // argocd.argoproj.io/manifest-generate-paths annotation value of the Application to allow optimize which resources propagated to cmpserver + string AnnotationManifestGeneratePaths = 26; } message ManifestRequestWithFiles { diff --git a/reposerver/repository/utils.go b/reposerver/repository/utils.go new file mode 100644 index 0000000000000..d77bef728d92a --- /dev/null +++ b/reposerver/repository/utils.go 
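Review bot: The new field is declared as `AnnotationManifestGeneratePaths`, while the neighbouring fields of ManifestRequest in this hunk (`projectSourceRepos`, `projectName`) are lowerCamelCase; `string annotationManifestGeneratePaths = 26;` would match them, and it should leave the generated Go field name unchanged, although that is worth confirming against the generator output. The comment would also be clearer as `// Value of the Application's argocd.argoproj.io/manifest-generate-paths annotation; limits which files are sent to the CMP server.` Since the value comes from an Application annotation, the comment could add that consumers must treat it as untrusted input, which the new getPaths helper does by resolving each entry against the repository root.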
@@ -0,0 +1,85 @@
+package repository
+
+import (
+ "path/filepath"
+ "strings"
+
+ securejoin "github.com/cyphar/filepath-securejoin"
+ log "github.com/sirupsen/logrus"
+
+ "github.com/argoproj/argo-cd/v2/reposerver/apiclient"
+ "github.com/argoproj/argo-cd/v2/util/io/files"
+)
+
+// getApplicationRootPath returns the common root path (shortest shared structure between all paths) among a
+// set of application-related paths for manifest generation. AppPath is the lower possible value
+func getApplicationRootPath(q *apiclient.ManifestRequest, appPath, repoPath string) string {
+ paths := getPaths(q, appPath, repoPath)
+
+ if len(paths) == 0 {
+ // backward compatibility, by default the root path is the repoPath
+ return repoPath
+ }
+
+ // the app path must be the lower possible value
+ commonParts := strings.Split(appPath, string(filepath.Separator))
+
+ var disjoint bool
+ for _, path := range paths {
+ parts := strings.Split(path, string(filepath.Separator))
+ // find the minimum length between the current common parts and the current path
+ minLen := func(a, b int) int {
+ if a < b {
+ return a
+ }
+ return b
+ }(len(commonParts), len(parts))
+
+ // check if diverge /disjoint in some point
+ for i := 0; i < minLen; i++ {
+ if commonParts[i] != parts[i] {
+ commonParts = commonParts[:i]
+ disjoint = true
+ break
+ }
+ }
+
+ // for non-disjoint paths
+ if !disjoint && minLen < len(commonParts) {
+ commonParts = commonParts[:minLen]
+ }
+ }
+ return string(filepath.Separator) + filepath.Join(commonParts...)
+}
+
+// getPaths retrieves all absolute paths associated with the generation of application manifests.
+func getPaths(q *apiclient.ManifestRequest, appPath, repoPath string) []string {
+ var paths []string
+ for _, annotationPath := range strings.Split(q.AnnotationManifestGeneratePaths, ";") {
+ if annotationPath == "" {
+ continue
+ }
+ var err error
+ var path, unsafePath string
+
+ if filepath.IsAbs(annotationPath) {
+ unsafePath = filepath.Clean(annotationPath)
+ } else {
+ appRelPath, err := files.RelativePath(appPath, repoPath)
+ if err != nil {
+ log.Errorf("error building app relative path: %v", err)
+ continue
+ }
+ unsafePath = filepath.Clean(filepath.Join(appRelPath, annotationPath))
+ }
+
+ path, err = securejoin.SecureJoin(repoPath, unsafePath)
+ if err != nil {
+ log.Errorf("error joining repoPath %q and absolute unsafePath %q: %v", repoPath, unsafePath, err)
+ continue
+ }
+
+ paths = append(paths, path)
+ }
+ return paths
+}
diff --git a/reposerver/repository/utils_test.go b/reposerver/repository/utils_test.go
new file mode 100644
index 0000000000000..3eb2428f09c03
--- /dev/null
+++ b/reposerver/repository/utils_test.go
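Review bot: In getApplicationRootPath, `disjoint` is declared once before the `for _, path := range paths` loop and never reset, so after the first path that diverges from appPath the `!disjoint && minLen < len(commonParts)` truncation is skipped for every later path. With a constructed annotation such as `../other;../..` the second entry is a strict ancestor of the current common prefix, yet the root stays at the deeper directory and the files that entry asked for are left out of the tree sent to the plugin. The flag is not needed: after `commonParts = commonParts[:i]` the length is already below minLen, so the check can simply be `if minLen < len(commonParts) { commonParts = commonParts[:minLen] }`. A table entry in TestGetCommonRootPath that lists a diverging path before an ancestor path would pin this.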
@@ -0,0 +1,46 @@ +package repository + +import ( + "testing" + + "github.com/stretchr/testify/assert" + + "github.com/argoproj/argo-cd/v2/reposerver/apiclient" +) + +func TestGetCommonRootPath(t *testing.T) { + t.Parallel() + + repoRoot := "/tmp/_argocd-repo/7a58c52a-0030-4fd9-8cc5-35b2d8b4e731" + + tests := []struct { + name string + annotation string + appPath string + expectedRootPath string + }{ + {"app path", ".", "/tmp/_argocd-repo/7a58c52a-0030-4fd9-8cc5-35b2d8b4e731/services/helloworld", "/tmp/_argocd-repo/7a58c52a-0030-4fd9-8cc5-35b2d8b4e731/services/helloworld"}, + {"app path and relative", "../../overlays;.", "/tmp/_argocd-repo/7a58c52a-0030-4fd9-8cc5-35b2d8b4e731/services/helloworld", repoRoot}, + {"app path and absolute path", "/services;.", "/tmp/_argocd-repo/7a58c52a-0030-4fd9-8cc5-35b2d8b4e731/services/helloworld", "/tmp/_argocd-repo/7a58c52a-0030-4fd9-8cc5-35b2d8b4e731/services"}, + {"several relative paths", "../../;..;.", "/tmp/_argocd-repo/7a58c52a-0030-4fd9-8cc5-35b2d8b4e731/services/team/helloworld", "/tmp/_argocd-repo/7a58c52a-0030-4fd9-8cc5-35b2d8b4e731/services"}, + // backward compatibility test + {"no annotation", "", "/tmp/_argocd-repo/7a58c52a-0030-4fd9-8cc5-35b2d8b4e731/services/helloworld", repoRoot}, + // appPath should be the lower calculated root path + {"relative subdir", "./manifests", "/tmp/_argocd-repo/7a58c52a-0030-4fd9-8cc5-35b2d8b4e731/services/team/helloworld", "/tmp/_argocd-repo/7a58c52a-0030-4fd9-8cc5-35b2d8b4e731/services/team/helloworld"}, + // glob pattern + {"glob", "/services/shared/*-secret.yaml", "/tmp/_argocd-repo/7a58c52a-0030-4fd9-8cc5-35b2d8b4e731/services/helloworld", "/tmp/_argocd-repo/7a58c52a-0030-4fd9-8cc5-35b2d8b4e731/services"}, + {"relative glob", "../*", "/tmp/_argocd-repo/7a58c52a-0030-4fd9-8cc5-35b2d8b4e731/services/helloworld", "/tmp/_argocd-repo/7a58c52a-0030-4fd9-8cc5-35b2d8b4e731/services"}, + {"duplicate slashes", "//services/shared/*-secret.yaml", 
"/tmp/_argocd-repo/7a58c52a-0030-4fd9-8cc5-35b2d8b4e731/services/helloworld", "/tmp/_argocd-repo/7a58c52a-0030-4fd9-8cc5-35b2d8b4e731/services"}, + } + + for _, tt := range tests { + tt := tt + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + req := &apiclient.ManifestRequest{AnnotationManifestGeneratePaths: tt.annotation} + rootPath := getApplicationRootPath(req, tt.appPath, repoRoot) + assert.Equal(t, tt.expectedRootPath, rootPath, "input and output should match") + }) + } +} diff --git a/server/application/application.go b/server/application/application.go index 9e2c39a2060a9..08a8ab19d008b 100644 --- a/server/application/application.go +++ b/server/application/application.go 
@@ -512,24 +512,25 @@ func (s *Server) GetManifests(ctx context.Context, q *application.ApplicationMan } manifestInfo, err := client.GenerateManifest(ctx, &apiclient.ManifestRequest{ - Repo: repo, - Revision: source.TargetRevision, - AppLabelKey: appInstanceLabelKey, - AppName: a.InstanceName(s.ns), - Namespace: a.Spec.Destination.Namespace, - ApplicationSource: &source, - Repos: helmRepos, - KustomizeOptions: kustomizeOptions, - KubeVersion: serverVersion, - ApiVersions: argo.APIResourcesToStrings(apiResources, true), - HelmRepoCreds: helmCreds, - HelmOptions: helmOptions, - TrackingMethod: string(argoutil.GetTrackingMethod(s.settingsMgr)), - EnabledSourceTypes: enableGenerateManifests, - ProjectName: proj.Name, - ProjectSourceRepos: proj.Spec.SourceRepos, - HasMultipleSources: a.Spec.HasMultipleSources(), - RefSources: refSources, + Repo: repo, + Revision: source.TargetRevision, + AppLabelKey: appInstanceLabelKey, + AppName: a.InstanceName(s.ns), + Namespace: a.Spec.Destination.Namespace, + ApplicationSource: &source, + Repos: helmRepos, + KustomizeOptions: kustomizeOptions, + KubeVersion: serverVersion, + ApiVersions: argo.APIResourcesToStrings(apiResources, true), + HelmRepoCreds: helmCreds, + HelmOptions: helmOptions, + TrackingMethod: string(argoutil.GetTrackingMethod(s.settingsMgr)), + EnabledSourceTypes: enableGenerateManifests, + ProjectName: proj.Name, + ProjectSourceRepos: proj.Spec.SourceRepos, + HasMultipleSources: a.Spec.HasMultipleSources(), + RefSources: refSources, + AnnotationManifestGeneratePaths: a.GetAnnotation(v1alpha1.AnnotationKeyManifestGeneratePaths), }) if err != nil { return fmt.Errorf("error generating manifests: %w", err) 
@@ -630,22 +631,23 @@ func (s *Server) GetManifestsWithFiles(stream application.ApplicationService_Get } req := &apiclient.ManifestRequest{ - Repo: repo, - Revision: source.TargetRevision, - AppLabelKey: appInstanceLabelKey, - AppName: a.Name, - Namespace: a.Spec.Destination.Namespace, - ApplicationSource: &source, - Repos: helmRepos, - KustomizeOptions: kustomizeOptions, - KubeVersion: serverVersion, - ApiVersions: argo.APIResourcesToStrings(apiResources, true), - HelmRepoCreds: helmCreds, - HelmOptions: helmOptions, - TrackingMethod: string(argoutil.GetTrackingMethod(s.settingsMgr)), - EnabledSourceTypes: enableGenerateManifests, - ProjectName: proj.Name, - ProjectSourceRepos: proj.Spec.SourceRepos, + Repo: repo, + Revision: source.TargetRevision, + AppLabelKey: appInstanceLabelKey, + AppName: a.Name, + Namespace: a.Spec.Destination.Namespace, + ApplicationSource: &source, + Repos: helmRepos, + KustomizeOptions: kustomizeOptions, + KubeVersion: serverVersion, + ApiVersions: argo.APIResourcesToStrings(apiResources, true), + HelmRepoCreds: helmCreds, + HelmOptions: helmOptions, + TrackingMethod: string(argoutil.GetTrackingMethod(s.settingsMgr)), + EnabledSourceTypes: enableGenerateManifests, + ProjectName: proj.Name, + ProjectSourceRepos: proj.Spec.SourceRepos, + AnnotationManifestGeneratePaths: a.GetAnnotation(v1alpha1.AnnotationKeyManifestGeneratePaths), } repoStreamClient, err := client.GenerateManifestWithFiles(stream.Context()) diff --git a/util/argo/argo.go b/util/argo/argo.go index 973a29418b309..2c5b132667879 100644 --- a/util/argo/argo.go +++ b/util/argo/argo.go @@ -423,8 +423,7 @@ func validateRepo(ctx context.Context, db, permittedHelmRepos, helmOptions, - app.Name, - app.Spec.Destination, + app, proj, sources, repoClient, @@ -434,7 +433,6 @@ func validateRepo(ctx context.Context, permittedHelmCredentials, enabledSourceTypes, settingsMgr, - app.Spec.HasMultipleSources(), refSources)...) return conditions, nil 
@@ -706,8 +704,7 @@ func verifyGenerateManifests( db db.ArgoDB, helmRepos argoappv1.Repositories, helmOptions *argoappv1.HelmOptions, - name string, - dest argoappv1.ApplicationDestination, + app *argoappv1.Application, proj *argoappv1.AppProject, sources []argoappv1.ApplicationSource, repoClient apiclient.RepoServerServiceClient, @@ -716,11 +713,10 @@ func verifyGenerateManifests( repositoryCredentials []*argoappv1.RepoCreds, enableGenerateManifests map[string]bool, settingsMgr *settings.SettingsManager, - hasMultipleSources bool, refSources argoappv1.RefTargetRevisionMapping, ) []argoappv1.ApplicationCondition { var conditions []argoappv1.ApplicationCondition - if dest.Server == "" { + if app.Spec.Destination.Server == "" { conditions = append(conditions, argoappv1.ApplicationCondition{ Type: argoappv1.ApplicationConditionInvalidSpecError, Message: errDestinationMissing, 
@@ -761,23 +757,24 @@ func verifyGenerateManifests( Proxy: repoRes.Proxy, NoProxy: repoRes.NoProxy, }, - Repos: helmRepos, - Revision: source.TargetRevision, - AppName: name, - Namespace: dest.Namespace, - ApplicationSource: &source, - KustomizeOptions: kustomizeOptions, - KubeVersion: kubeVersion, - ApiVersions: apiVersions, - HelmOptions: helmOptions, - HelmRepoCreds: repositoryCredentials, - TrackingMethod: string(GetTrackingMethod(settingsMgr)), - EnabledSourceTypes: enableGenerateManifests, - NoRevisionCache: true, - HasMultipleSources: hasMultipleSources, - RefSources: refSources, - ProjectName: proj.Name, - ProjectSourceRepos: proj.Spec.SourceRepos, + Repos: helmRepos, + Revision: source.TargetRevision, + AppName: app.Name, + Namespace: app.Spec.Destination.Namespace, + ApplicationSource: &source, + KustomizeOptions: kustomizeOptions, + KubeVersion: kubeVersion, + ApiVersions: apiVersions, + HelmOptions: helmOptions, + HelmRepoCreds: repositoryCredentials, + TrackingMethod: string(GetTrackingMethod(settingsMgr)), + EnabledSourceTypes: enableGenerateManifests, + NoRevisionCache: true, + HasMultipleSources: app.Spec.HasMultipleSources(), + RefSources: refSources, + ProjectName: proj.Name, + ProjectSourceRepos: proj.Spec.SourceRepos, + AnnotationManifestGeneratePaths: app.GetAnnotation(argoappv1.AnnotationKeyManifestGeneratePaths), } req.Repo.CopyCredentialsFromRepo(repoRes) req.Repo.CopySettingsFrom(repoRes) diff --git a/util/cmp/stream.go b/util/cmp/stream.go index 429bba446d0a7..d7f080004d6f4 100644 --- a/util/cmp/stream.go +++ b/util/cmp/stream.go 
@@ -84,12 +84,12 @@ func WithTarDoneChan(ch chan<- bool) SenderOption { } } -// SendRepoStream will compress the files under the given repoPath and send +// SendRepoStream will compress the files under the given rootPath and send // them using the plugin stream sender. -func SendRepoStream(ctx context.Context, appPath, repoPath string, sender StreamSender, env []string, excludedGlobs []string, opts ...SenderOption) error { +func SendRepoStream(ctx context.Context, appPath, rootPath string, sender StreamSender, env []string, excludedGlobs []string, opts ...SenderOption) error { opt := newSenderOption(opts...) - tgz, mr, err := GetCompressedRepoAndMetadata(repoPath, appPath, env, excludedGlobs, opt) + tgz, mr, err := GetCompressedRepoAndMetadata(rootPath, appPath, env, excludedGlobs, opt) if err != nil { return err } @@ -107,14 +107,14 @@ func SendRepoStream(ctx context.Context, appPath, repoPath string, sender Stream return nil } -func GetCompressedRepoAndMetadata(repoPath string, appPath string, env []string, excludedGlobs []string, opt *senderOption) (*os.File, *pluginclient.AppStreamRequest, error) { - // compress all files in repoPath in tgz - tgz, filesWritten, checksum, err := tgzstream.CompressFiles(repoPath, nil, excludedGlobs) +func GetCompressedRepoAndMetadata(rootPath string, appPath string, env []string, excludedGlobs []string, opt *senderOption) (*os.File, *pluginclient.AppStreamRequest, error) { + // compress all files in rootPath in tgz + tgz, filesWritten, checksum, err := tgzstream.CompressFiles(rootPath, nil, excludedGlobs) if err != nil { return nil, nil, fmt.Errorf("error compressing repo files: %w", err) } if filesWritten == 0 { - return nil, nil, fmt.Errorf("no files to send") + return nil, nil, fmt.Errorf("no files to send(%s)", rootPath) } if opt != nil && opt.tarDoneChan != nil { opt.tarDoneChan <- true 
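Review bot: The updated comment on SendRepoStream in the `@@ -84,12 +84,12 @@` hunk does not say how appPath and excludedGlobs relate to the new rootPath. GetCompressedRepoAndMetadata later computes appPath relative to rootPath, and the exclusion globs are handed to tgzstream.CompressFiles together with rootPath, so patterns written against the repository root may presumably stop matching once a narrower root is passed and files meant to be withheld from the plugin could be included; CompressFiles is not shown here, so this needs confirming. Once confirmed, I would extend the comment with `// appPath must be rootPath or a directory below it; excludedGlobs are matched against the tree under rootPath, not the repository root.`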
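Review bot: In the `@@ -107,14 +107,14 @@` hunk, the new `no files to send(%s)` error embeds rootPath, the absolute server-side checkout directory, in an error that is returned to the caller. If that error is surfaced to API clients or stored in application conditions, it discloses the repo-server's temporary directory layout; it would be safer to log the absolute path on the server and return a generic or app-relative message. If the path stays, `%q` with a separating space reads better and makes an empty value visible: `fmt.Errorf("no files to send (%q)", rootPath)`.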
@@ -125,7 +125,7 @@ func GetCompressedRepoAndMetadata(repoPath string, appPath string, env []string, if err != nil { return nil, nil, fmt.Errorf("error getting tgz stat: %w", err) } - appRelPath, err := files.RelativePath(appPath, repoPath) + appRelPath, err := files.RelativePath(appPath, rootPath) if err != nil { return nil, nil, fmt.Errorf("error building app relative path: %w", err) } From f03146d3a0652808d2d84db2b703538bc8cdd569 Mon Sep 17 00:00:00 2001 From: Cheng Fang Date: Tue, 24 Sep 2024 22:27:52 -0400 Subject: [PATCH 05/38] fix: CVE-2024-45296 Backtracking regular expressions cause ReDoS by upgrading path-to-regexp from 1.8.0 to 1.9.0 (#20087) Signed-off-by: Cheng Fang --- ui/yarn.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ui/yarn.lock b/ui/yarn.lock index fb1668982538a..e2a305a5c9132 100644 --- a/ui/yarn.lock +++ b/ui/yarn.lock @@ -6121,7 +6121,7 @@ is-wsl@^2.2.0: isarray@0.0.1: version "0.0.1" resolved "https://registry.yarnpkg.com/isarray/-/isarray-0.0.1.tgz#8a18acfca9a8f4177e09abfc6038939b05d1eedf" - integrity sha1-ihis/Kmo9Bd+Cav8YDiTmwXR7t8= + integrity sha512-D2S+3GLxWH+uhrNEcoh/fnmYeP8E8/zHl644d/jdA0g2uyXvy3sb0qxotE+ne0LtccHknQzWwZEzhak7oJ0COQ== isarray@^2.0.5: version "2.0.5" @@ -7642,9 +7642,9 @@ path-to-regexp@0.1.10: integrity sha512-7lf7qcQidTku0Gu3YDPc8DJ1q7OOucfa/BSsIwjuh56VU7katFvuM8hULfkwB3Fns/rsVF7PwPKVw1sl5KQS9w== path-to-regexp@^1.7.0: - version "1.8.0" - resolved "https://registry.yarnpkg.com/path-to-regexp/-/path-to-regexp-1.8.0.tgz#887b3ba9d84393e87a0a0b9f4cb756198b53548a" - integrity sha512-n43JRhlUKUAlibEJhPeir1ncUID16QnEjNpwzNdO3Lm4ywrBpBZ5oLD0I6br9evr1Y9JTqwRtAh7JLoOzAQdVA== + version "1.9.0" + resolved "https://registry.yarnpkg.com/path-to-regexp/-/path-to-regexp-1.9.0.tgz#5dc0753acbf8521ca2e0f137b4578b917b10cf24" + integrity sha512-xIp7/apCFJuUHdDLWe8O1HIkb0kQrOMb/0u6FXQjemHn/ii5LrIzU6bdECnsiTF/GjZkMEKg1xdiZwNqDYlZ6g== dependencies: isarray "0.0.1" 
From e28a05f5c04975f30eec64de38e69a20937d63f0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 26 Sep 2024 10:24:44 +0300 Subject: [PATCH 06/38] chore(deps-dev): bump @types/node from 22.5.5 to 22.7.2 in /ui-test (#20112) Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 22.5.5 to 22.7.2. - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) --- updated-dependencies: - dependency-name: "@types/node" dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ui-test/package.json | 2 +- ui-test/yarn.lock | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/ui-test/package.json b/ui-test/package.json index a37fb07511461..ca168b60c92cf 100644 --- a/ui-test/package.json +++ b/ui-test/package.json @@ -19,7 +19,7 @@ }, "devDependencies": { "@types/mocha": "^10.0.8", - "@types/node": "^22.5.5", + "@types/node": "^22.7.2", "dotenv": "^16.4.5", "mocha": "^10.7.3", "prettier": "^2.8.8", diff --git a/ui-test/yarn.lock b/ui-test/yarn.lock index e937e6532293e..aee54d23e13bd 100644 --- a/ui-test/yarn.lock +++ b/ui-test/yarn.lock 
@@ -43,10 +43,10 @@ resolved "https://registry.yarnpkg.com/@types/mocha/-/mocha-10.0.8.tgz#a7eff5816e070c3b4d803f1d3cd780c4e42934a1" integrity sha512-HfMcUmy9hTMJh66VNcmeC9iVErIZJli2bszuXc6julh5YGuRb/W5OnkHjwLNYdFlMis0sY3If5SEAp+PktdJjw== -"@types/node@*", "@types/node@^22.5.5": - version "22.5.5" - resolved "https://registry.yarnpkg.com/@types/node/-/node-22.5.5.tgz#52f939dd0f65fc552a4ad0b392f3c466cc5d7a44" - integrity sha512-Xjs4y5UPO/CLdzpgR6GirZJx36yScjh73+2NlLlkFRSoQN8B0DpfXPdZGnvVmLRLOsqDpOfTNv7D9trgGhmOIA== +"@types/node@*", "@types/node@^22.7.2": + version "22.7.2" + resolved "https://registry.yarnpkg.com/@types/node/-/node-22.7.2.tgz#80ed66c0a5025ffa037587fd69a816f29b54e4c7" + integrity sha512-866lXSrpGpgyHBZUa2m9YNWqHDjjM0aBTJlNtYaGEw4rqY/dcD7deRVTbBBAJelfA7oaGDbNftXF/TL/A6RgoA== dependencies: undici-types "~6.19.2" From ca91dd9d6b9cce8f9c8230aa11c1e9353cc2558e Mon Sep 17 00:00:00 2001 From: Alexandre Gaudreault Date: Thu, 26 Sep 2024 15:12:21 -0400 Subject: [PATCH 07/38] fix(extension): add header to support apps-in-any-namespace (#20123) Signed-off-by: Alexandre Gaudreault --- server/extension/extension.go | 16 +++++++++++++--- server/extension/extension_test.go | 6 ++++-- server/server.go | 2 +- 3 files changed, 18 insertions(+), 6 deletions(-) diff --git a/server/extension/extension.go b/server/extension/extension.go index 706dfbbb31abd..57e493b221052 100644 --- a/server/extension/extension.go +++ b/server/extension/extension.go @@ -33,6 +33,12 @@ const ( DefaultIdleConnectionTimeout = 60 * time.Second DefaultMaxIdleConnections = 30 + // HeaderArgoCDNamespace defines the namespace of the + // argo control plane to be passed to the extension handler. + // Example: + // Argocd-Namespace: "namespace" + HeaderArgoCDNamespace = "Argocd-Namespace" + // HeaderArgoCDApplicationName defines the name of the // expected application header to be passed to the extension // handler. The header value must follow the format: 
@@ -333,6 +339,7 @@ type RbacEnforcer interface { // and handling proxy extensions. type Manager struct { log *log.Entry + namespace string settings SettingsGetter application ApplicationGetter project ProjectGetter @@ -355,9 +362,10 @@ type ExtensionMetricsRegistry interface { } // NewManager will initialize a new manager. -func NewManager(log *log.Entry, sg SettingsGetter, ag ApplicationGetter, pg ProjectGetter, rbac RbacEnforcer, ug UserGetter) *Manager { +func NewManager(log *log.Entry, namespace string, sg SettingsGetter, ag ApplicationGetter, pg ProjectGetter, rbac RbacEnforcer, ug UserGetter) *Manager { return &Manager{ log: log, + namespace: namespace, settings: sg, application: ag, project: pg, @@ -740,7 +748,7 @@ func (m *Manager) CallExtension() func(http.ResponseWriter, *http.Request) { user := m.userGetter.GetUser(r.Context()) groups := m.userGetter.GetGroups(r.Context()) - prepareRequest(r, extName, app, user, groups) + prepareRequest(r, m.namespace, extName, app, user, groups) m.log.Debugf("proxing request for extension %q", extName) // httpsnoop package is used to properly wrap the responseWriter // and avoid optional intefaces issue: 
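Review bot: NewManager gains a positional `namespace string` between `log` and `sg`, but its comment still reads `// NewManager will initialize a new manager.` and does not say what the value is for or whether it may be empty. Since this is an exported constructor, I would document it, e.g. `// namespace is the Argo CD control plane namespace; it is forwarded to extension backends in the Argocd-Namespace header.` The updated TestRegisterExtensions call passes `""`, so an empty value is evidently accepted, and the comment should say so.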
@@ -763,11 +771,13 @@ func registerMetrics(extName string, metrics httpsnoop.Metrics, extensionMetrics // the Argo CD extension API section from it. It provides additional information to // the backend service appending them in the outgoing request headers. The appended // headers are: +// - Control plane namespace // - Cluster destination name // - Cluster destination server // - Argo CD authenticated username -func prepareRequest(r *http.Request, extName string, app *v1alpha1.Application, username string, groups []string) { +func prepareRequest(r *http.Request, namespace string, extName string, app *v1alpha1.Application, username string, groups []string) { r.URL.Path = strings.TrimPrefix(r.URL.Path, fmt.Sprintf("%s/%s", URLPrefix, extName)) + r.Header.Set(HeaderArgoCDNamespace, namespace) if app.Spec.Destination.Name != "" { r.Header.Set(HeaderArgoCDTargetClusterName, app.Spec.Destination.Name) } diff --git a/server/extension/extension_test.go b/server/extension/extension_test.go index 300e1e89a490d..e412537eea0cd 100644 --- a/server/extension/extension_test.go +++ b/server/extension/extension_test.go @@ -150,7 +150,7 @@ func TestRegisterExtensions(t *testing.T) { logger, _ := test.NewNullLogger() logEntry := logger.WithContext(context.Background()) - m := extension.NewManager(logEntry, settMock, nil, nil, nil, nil) + m := extension.NewManager(logEntry, "", settMock, nil, nil, nil, nil) return &fixture{ settingsGetterMock: settMock, @@ -248,6 +248,7 @@ func TestCallExtension(t *testing.T) { userMock *mocks.UserGetter manager *extension.Manager } + defaultServerNamespace := "control-plane-ns" defaultProjectName := "project-name" setup := func() *fixture { 
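Review bot: `r.Header.Set(HeaderArgoCDNamespace, namespace)` overwrites any inbound copy of that header, but the next statement sets `HeaderArgoCDTargetClusterName` only when `app.Spec.Destination.Name != ""`, so a client-supplied value would reach the backend unchanged when the destination name is empty. Unless inbound `Argocd-*` headers are stripped somewhere outside this hunk, I would clear the conditional ones first, e.g. `r.Header.Del(HeaderArgoCDTargetClusterName)` before the `if`, so extension backends can treat every header in the list as asserted by the proxy. The doc comment should also state that the namespace header is always set, even when the value is empty. prepareRequest continues below the hunk.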
@@ -260,7 +261,7 @@ func TestCallExtension(t *testing.T) { logger, _ := test.NewNullLogger() logEntry := logger.WithContext(context.Background()) - m := extension.NewManager(logEntry, settMock, appMock, projMock, rbacMock, userMock) + m := extension.NewManager(logEntry, defaultServerNamespace, settMock, appMock, projMock, rbacMock, userMock) m.AddMetricsRegistry(metricsMock) mux := http.NewServeMux() @@ -444,6 +445,7 @@ func TestCallExtension(t *testing.T) { require.NoError(t, err) actual := strings.TrimSuffix(string(body), "\n") assert.Equal(t, backendResponse, actual) + assert.Equal(t, defaultServerNamespace, resp.Header.Get(extension.HeaderArgoCDNamespace)) assert.Equal(t, clusterURL, resp.Header.Get(extension.HeaderArgoCDTargetClusterURL)) assert.Equal(t, "Bearer some-bearer-token", resp.Header.Get("Authorization")) assert.Equal(t, "some-user", resp.Header.Get(extension.HeaderArgoCDUsername)) diff --git a/server/server.go b/server/server.go index 7ded3951a37c3..400ad99ad47a3 100644 --- a/server/server.go +++ b/server/server.go @@ -328,7 +328,7 @@ func NewServer(ctx context.Context, opts ArgoCDServerOpts, appsetOpts Applicatio ag := extension.NewDefaultApplicationGetter(appLister) pg := extension.NewDefaultProjectGetter(projLister, dbInstance) ug := extension.NewDefaultUserGetter(policyEnf) - em := extension.NewManager(logger, sg, ag, pg, enf, ug) + em := extension.NewManager(logger, opts.Namespace, sg, ag, pg, enf, ug) a := &ArgoCDServer{ ArgoCDServerOpts: opts, From bc15ae89d868f6f30134575ba64563468ebeff9e Mon Sep 17 00:00:00 2001 From: Symeon Meichanetzoglou Date: Thu, 26 Sep 2024 23:14:50 +0200 Subject: [PATCH 08/38] Fix typo (#20127) Remove a redundant "is". Signed-off-by: Symeon Meichanetzoglou --- docs/user-guide/diff-strategies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user-guide/diff-strategies.md b/docs/user-guide/diff-strategies.md index ffd09660696ac..505be30cd6a8b 100644 --- a/docs/user-guide/diff-strategies.md 
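Review bot: The added `assert.Equal(t, defaultServerNamespace, resp.Header.Get(extension.HeaderArgoCDNamespace))` checks that the header arrives, but the visible lines do not show a case where the incoming request already carries its own `Argocd-Namespace` value. Because extension backends may base decisions on this header, I would add a case that sets the header to a different value on the client request and asserts that the backend still sees `defaultServerNamespace`. The request construction is outside the hunk, so such a case may already exist.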
+++ b/docs/user-guide/diff-strategies.md @@ -18,7 +18,7 @@ Argo CD currently has 3 different strategies to calculate diffs: ## Structured-Merge Diff *Current Status: [Beta][1] (Since v2.5.0)* -This is diff strategy is automatically used when Server-Side Apply +This diff strategy is automatically used when Server-Side Apply sync option is enabled. It uses the [structured-merge-diff][2] library used by Kubernetes to calculate diffs based on fields ownership. There are some challenges using this strategy to calculate diffs for CRDs From 159eeecd17cb6439c7888189eda7f431e504674d Mon Sep 17 00:00:00 2001 From: Linghao Su Date: Fri, 27 Sep 2024 21:15:49 +0800 Subject: [PATCH 09/38] fix(ui): add optional check to avoid undefined reference in project detail (#20044) Signed-off-by: linghaoSu --- .../app/settings/components/project-details/project-details.tsx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ui/src/app/settings/components/project-details/project-details.tsx b/ui/src/app/settings/components/project-details/project-details.tsx index e77c501b70bbc..96110c2ff9cee 100644 --- a/ui/src/app/settings/components/project-details/project-details.tsx +++ b/ui/src/app/settings/components/project-details/project-details.tsx @@ -671,7 +671,7 @@ export class ProjectDetails extends React.Component {authCtx => - authCtx.appsInAnyNamespaceEnabled && ( + authCtx?.appsInAnyNamespaceEnabled && ( this.saveProject(item)} values={proj} From ea71067059b802e1e72da0892da329ef32ee507c Mon Sep 17 00:00:00 2001 From: pasha-codefresh Date: Fri, 27 Sep 2024 16:45:58 +0300 Subject: [PATCH 10/38] chore(deps): bump Helm from 3.15.2 to 3.15.4 (#20135) * sec: upgrade helm version in order to fix critical vulnerability Signed-off-by: pashakostohrys * sec: upgrade helm version in order to fix critical vulnerability Signed-off-by: pashakostohrys --------- 
Signed-off-by: pashakostohrys --- docs/operator-manual/upgrading/2.12-2.13.md | 4 ++++ hack/installers/checksums/helm-v-linux-amd64.tar.gz.sha256 | 0 .../checksums/helm-v3.15.4-darwin-amd64.tar.gz.sha256 | 1 + .../checksums/helm-v3.15.4-darwin-arm64.tar.gz.sha256 | 1 + .../checksums/helm-v3.15.4-linux-amd64.tar.gz.sha256 | 1 + .../checksums/helm-v3.15.4-linux-arm64.tar.gz.sha256 | 1 + .../checksums/helm-v3.15.4-linux-ppc64le.tar.gz.sha256 | 1 + .../checksums/helm-v3.15.4-linux-s390x.tar.gz.sha256 | 1 + hack/tool-versions.sh | 2 +- 9 files changed, 11 insertions(+), 1 deletion(-) create mode 100644 hack/installers/checksums/helm-v-linux-amd64.tar.gz.sha256 create mode 100644 hack/installers/checksums/helm-v3.15.4-darwin-amd64.tar.gz.sha256 create mode 100644 hack/installers/checksums/helm-v3.15.4-darwin-arm64.tar.gz.sha256 create mode 100644 hack/installers/checksums/helm-v3.15.4-linux-amd64.tar.gz.sha256 create mode 100644 hack/installers/checksums/helm-v3.15.4-linux-arm64.tar.gz.sha256 create mode 100644 hack/installers/checksums/helm-v3.15.4-linux-ppc64le.tar.gz.sha256 create mode 100644 hack/installers/checksums/helm-v3.15.4-linux-s390x.tar.gz.sha256 diff --git a/docs/operator-manual/upgrading/2.12-2.13.md b/docs/operator-manual/upgrading/2.12-2.13.md index 14b26f22a2d70..9e918cc3deb87 100644 --- a/docs/operator-manual/upgrading/2.12-2.13.md +++ b/docs/operator-manual/upgrading/2.12-2.13.md @@ -1,5 +1,9 @@ # v2.12 to 2.13 +## Upgraded Helm Version + +Note that bundled Helm version has been upgraded from 3.15.2 to 3.15.4. + ## Custom Resource Actions for Flux Resources [`Custom Resource Actions`](../resource_actions.md#Custom-Resource-Actions) have been added for Flux Resources. diff --git a/hack/installers/checksums/helm-v-linux-amd64.tar.gz.sha256 b/hack/installers/checksums/helm-v-linux-amd64.tar.gz.sha256 new file mode 100644 index 0000000000000..e69de29bb2d1d 
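Review bot: The commit creates `hack/installers/checksums/helm-v-linux-amd64.tar.gz.sha256` as an empty file (blob `e69de29bb2d1d`, no version in the name) next to the real `helm-v3.15.4-*` checksum files. It looks like a by-product of running the checksum helper with an empty version variable. An empty `.sha256` file is a hazard for any installer that verifies downloads against this directory: depending on how the check is invoked, it can either fail or verify nothing. I would drop the file from the commit.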
diff --git a/hack/installers/checksums/helm-v3.15.4-darwin-amd64.tar.gz.sha256 b/hack/installers/checksums/helm-v3.15.4-darwin-amd64.tar.gz.sha256 new file mode 100644 index 0000000000000..8857c0720c0c7 --- /dev/null +++ b/hack/installers/checksums/helm-v3.15.4-darwin-amd64.tar.gz.sha256 @@ -0,0 +1 @@ +1bc3f354f7ce4d7fd9cfa5bcc701c1f32c88d27076d96c2792d5b5226062aee5 helm-v3.15.4-darwin-amd64.tar.gz diff --git a/hack/installers/checksums/helm-v3.15.4-darwin-arm64.tar.gz.sha256 b/hack/installers/checksums/helm-v3.15.4-darwin-arm64.tar.gz.sha256 new file mode 100644 index 0000000000000..4ee2beac2ea3f --- /dev/null +++ b/hack/installers/checksums/helm-v3.15.4-darwin-arm64.tar.gz.sha256 @@ -0,0 +1 @@ +88115846a1fb58f8eb8f64fec5c343d95ca394f1be811602fa54a887c98730ac helm-v3.15.4-darwin-arm64.tar.gz diff --git a/hack/installers/checksums/helm-v3.15.4-linux-amd64.tar.gz.sha256 b/hack/installers/checksums/helm-v3.15.4-linux-amd64.tar.gz.sha256 new file mode 100644 index 0000000000000..5996c0d82cf75 --- /dev/null +++ b/hack/installers/checksums/helm-v3.15.4-linux-amd64.tar.gz.sha256 @@ -0,0 +1 @@ +11400fecfc07fd6f034863e4e0c4c4445594673fd2a129e701fe41f31170cfa9 helm-v3.15.4-linux-amd64.tar.gz diff --git a/hack/installers/checksums/helm-v3.15.4-linux-arm64.tar.gz.sha256 b/hack/installers/checksums/helm-v3.15.4-linux-arm64.tar.gz.sha256 new file mode 100644 index 0000000000000..a6954894d20c0 --- /dev/null +++ b/hack/installers/checksums/helm-v3.15.4-linux-arm64.tar.gz.sha256 @@ -0,0 +1 @@ +fa419ecb139442e8a594c242343fafb7a46af3af34041c4eac1efcc49d74e626 helm-v3.15.4-linux-arm64.tar.gz diff --git a/hack/installers/checksums/helm-v3.15.4-linux-ppc64le.tar.gz.sha256 b/hack/installers/checksums/helm-v3.15.4-linux-ppc64le.tar.gz.sha256 new file mode 100644 index 0000000000000..9292b9dbe2c71 --- /dev/null +++ b/hack/installers/checksums/helm-v3.15.4-linux-ppc64le.tar.gz.sha256 
@@ -0,0 +1 @@ +e4efce93723f52dd858e9046ea836c9c75f346facce1b87b8cf78c817b97e6ac helm-v3.15.4-linux-ppc64le.tar.gz diff --git a/hack/installers/checksums/helm-v3.15.4-linux-s390x.tar.gz.sha256 b/hack/installers/checksums/helm-v3.15.4-linux-s390x.tar.gz.sha256 new file mode 100644 index 0000000000000..040a3b21534c8 --- /dev/null +++ b/hack/installers/checksums/helm-v3.15.4-linux-s390x.tar.gz.sha256 @@ -0,0 +1 @@ +c6e0cdea598196895ac7b627ce972699ef9f06b0eba51dc4db7cc21b3369f24a helm-v3.15.4-linux-s390x.tar.gz diff --git a/hack/tool-versions.sh b/hack/tool-versions.sh index 28ca1cda431da..407a6dd14b88b 100644 --- a/hack/tool-versions.sh +++ b/hack/tool-versions.sh @@ -11,7 +11,7 @@ # Use ./hack/installers/checksums/add-helm-checksums.sh and # add-kustomize-checksums.sh to help download checksums. ############################################################################### -helm3_version=3.15.2 +helm3_version=3.15.4 kubectl_version=1.17.8 kubectx_version=0.6.3 kustomize5_version=5.4.3 From fa54ce221e62e881c5c7920e9b053fe80fd34792 Mon Sep 17 00:00:00 2001 From: Tony Au-Yeung Date: Fri, 27 Sep 2024 11:03:42 -0500 Subject: [PATCH 11/38] fix: oras-go client should fallback to docker config if no credentials specified (#18133) * oras-go client should fallback to docker config if no credentials specified Signed-off-by: Tony Au-Yeung * Fix tests Signed-off-by: Tony Au-Yeung * Fix lint Signed-off-by: Tony Au-Yeung * gofumpt Signed-off-by: Tony Au-Yeung * Validate auth header Signed-off-by: Tony Au-Yeung --------- Signed-off-by: Tony Au-Yeung --- util/helm/client.go | 23 +++++++--- util/helm/client_test.go | 97 ++++++++++++++++++++++++++++++++++++++-- 2 files changed, 111 insertions(+), 9 deletions(-) diff --git a/util/helm/client.go b/util/helm/client.go index 3ddbcec4333a6..d9972adb04968 100644 --- a/util/helm/client.go +++ b/util/helm/client.go 
@@ -25,6 +25,7 @@ import ( "gopkg.in/yaml.v2" "oras.land/oras-go/v2/registry/remote" "oras.land/oras-go/v2/registry/remote/auth" + "oras.land/oras-go/v2/registry/remote/credentials" "github.com/argoproj/argo-cd/v2/util/cache" argoio "github.com/argoproj/argo-cd/v2/util/io" @@ -447,13 +448,23 @@ func (c *nativeHelmChart) GetTags(chart string, noCache bool) (*TagsList, error) }} repoHost, _, _ := strings.Cut(tagsURL, "/") + credential := auth.StaticCredential(repoHost, auth.Credential{ + Username: c.creds.Username, + Password: c.creds.Password, + }) + + // Try to fallback to the environment config, but we shouldn't error if the file is not set + if c.creds.Username == "" && c.creds.Password == "" { + store, _ := credentials.NewStoreFromDocker(credentials.StoreOptions{}) + if store != nil { + credential = credentials.Credential(store) + } + } + repo.Client = &auth.Client{ - Client: client, - Cache: nil, - Credential: auth.StaticCredential(repoHost, auth.Credential{ - Username: c.creds.Username, - Password: c.creds.Password, - }), + Client: client, + Cache: nil, + Credential: credential, } ctx := context.Background() diff --git a/util/helm/client_test.go b/util/helm/client_test.go index f03bd15bf096d..cae4574e2e86b 100644 --- a/util/helm/client_test.go +++ b/util/helm/client_test.go @@ -9,6 +9,7 @@ import ( "net/http/httptest" "net/url" "os" + "path/filepath" "strings" "testing" 
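Review bot: In GetTags the fallback `store, _ := credentials.NewStoreFromDocker(credentials.StoreOptions{})` discards the error, so a malformed or unreadable Docker config silently degrades to an anonymous request and the eventual 401 gives no hint why. I would keep the error and log it at debug level while still continuing, e.g. `store, err := credentials.NewStoreFromDocker(credentials.StoreOptions{})` followed by a log line when `err != nil`. The fallback also means any repository configured without a username and password will use whatever process-wide Docker credentials match its host. If this process serves several projects, that should be documented, because it widens access beyond per-repository credentials. GetTags starts and ends outside the hunk.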
@@ -214,6 +215,91 @@ func TestGetTagsFromUrl(t *testing.T) { } func TestGetTagsFromURLPrivateRepoAuthentication(t *testing.T) { + username := "my-username" + password := "my-password" + expectedAuthorization := "Basic bXktdXNlcm5hbWU6bXktcGFzc3dvcmQ=" // base64(user:password) + server := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + t.Logf("called %s", r.URL.Path) + + authorization := r.Header.Get("Authorization") + + if authorization == "" { + w.Header().Set("WWW-Authenticate", `Basic realm="helm repo to get tags"`) + w.WriteHeader(http.StatusUnauthorized) + return + } + + assert.Equal(t, expectedAuthorization, authorization) + + responseTags := TagsList{ + Tags: []string{ + "2.8.0", + "2.8.0-prerelease", + "2.8.0_build", + "2.8.0-prerelease_build", + "2.8.0-prerelease.1_build.1234", + }, + } + + w.Header().Set("Content-Type", "application/json") + w.WriteHeader(http.StatusOK) + err := json.NewEncoder(w).Encode(responseTags) + if err != nil { + t.Fatal(err) + } + })) + t.Cleanup(server.Close) + + serverURL, err := url.Parse(server.URL) + require.NoError(t, err) + + testCases := []struct { + name string + repoURL string + }{ + { + name: "should login correctly when the repo path is in the server root with http scheme", + repoURL: server.URL, + }, + { + name: "should login correctly when the repo path is not in the server root with http scheme", + repoURL: fmt.Sprintf("%s/my-repo", server.URL), + }, + { + name: "should login correctly when the repo path is in the server root without http scheme", + repoURL: serverURL.Host, + }, + { + name: "should login correctly when the repo path is not in the server root without http scheme", + repoURL: fmt.Sprintf("%s/my-repo", serverURL.Host), + }, + } + + for _, testCase := range testCases { + t.Run(testCase.name, func(t *testing.T) { + client := NewClient(testCase.repoURL, Creds{ + InsecureSkipVerify: true, + Username: username, + Password: password, + }, true, "", "") + + tags, err 
:= client.GetTags("mychart", true) + + require.NoError(t, err) + assert.ElementsMatch(t, tags.Tags, []string{ + "2.8.0", + "2.8.0-prerelease", + "2.8.0+build", + "2.8.0-prerelease+build", + "2.8.0-prerelease.1+build.1234", + }) + }) + } +} + +func TestGetTagsFromURLEnvironmentAuthentication(t *testing.T) { + bearerToken := "Zm9vOmJhcg==" + expectedAuthorization := "Basic " + bearerToken server := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { t.Logf("called %s", r.URL.Path) @@ -224,7 +310,7 @@ func TestGetTagsFromURLPrivateRepoAuthentication(t *testing.T) { return } - t.Logf("authorization received %s", authorization) + assert.Equal(t, expectedAuthorization, authorization) responseTags := TagsList{ Tags: []string{ @@ -248,6 +334,13 @@ func TestGetTagsFromURLPrivateRepoAuthentication(t *testing.T) { serverURL, err := url.Parse(server.URL) require.NoError(t, err) + tempDir := t.TempDir() + configPath := filepath.Join(tempDir, "config.json") + t.Setenv("DOCKER_CONFIG", tempDir) + + config := fmt.Sprintf(`{"auths":{"%s":{"auth":"%s"}}}`, server.URL, bearerToken) + require.NoError(t, os.WriteFile(configPath, []byte(config), 0o666)) + testCases := []struct { name string repoURL string @@ -274,8 +367,6 @@ func TestGetTagsFromURLPrivateRepoAuthentication(t *testing.T) { t.Run(testCase.name, func(t *testing.T) { client := NewClient(testCase.repoURL, Creds{ InsecureSkipVerify: true, - Username: "my-username", - Password: "my-password", }, true, "", "") tags, err := client.GetTags("mychart", true) From 7d3661cb219136fb21eaa2fb2153d72e3aba65a8 Mon Sep 17 00:00:00 2001 
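Review bot: In the handler of the added TestGetTagsFromURLPrivateRepoAuthentication, `t.Fatal(err)` runs on the httptest server's goroutine, not the test goroutine, and the testing package requires Fatal/FailNow to be called from the goroutine running the test. Use `t.Error(err)` followed by `return` there; the `assert.Equal` on the Authorization header is fine, since it only records a failure. The handler this was copied from probably has the same call, but that part lies outside the hunk.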
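Review bot: `bearerToken := "Zm9vOmJhcg=="` is used as a Basic credential (`expectedAuthorization := "Basic " + bearerToken`) and as the `auth` value of the Docker config, so the name is misleading; `basicAuth` or `encodedCreds` would match what it holds. The config file that carries it is written with mode `0o666`. Even under `t.TempDir()` I would use `0o600`, so the test does not model a world-writable credential file: `require.NoError(t, os.WriteFile(configPath, []byte(config), 0o600))`.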
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Sep 2024 09:39:58 -0400 Subject: [PATCH 12/38] chore(deps): bump docker/build-push-action from 6.7.0 to 6.8.0 (#20154) Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.7.0 to 6.8.0. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/5cd11c3a4ced054e52742c5fd54dca954e0edd85...32945a339266b759abcbdc89316275140b0fc960) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/image-reuse.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/image-reuse.yaml b/.github/workflows/image-reuse.yaml index f4b7a851816a8..d1cd5f113c0ef 100644 --- a/.github/workflows/image-reuse.yaml +++ b/.github/workflows/image-reuse.yaml @@ -143,7 +143,7 @@ jobs: - name: Build and push container image id: image - uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 #v6.7.0 + uses: docker/build-push-action@32945a339266b759abcbdc89316275140b0fc960 #v6.8.0 with: context: . platforms: ${{ inputs.platforms }} From fad534bcfe11b5e2cfcc96079d19710a0754c9d6 Mon Sep 17 00:00:00 2001 From: aria Date: Mon, 30 Sep 2024 21:42:12 +0800 Subject: [PATCH 13/38] fix: Fix argocd appset generate failure due to missing clusterrole (#20162) * fix: FIx argocd-server clusterrole to allow argocd appset generate using cluster generator Signed-off-by: Pradithya Aria * fix: update generated code Signed-off-by: Pradithya Aria --------- Signed-off-by: Pradithya Aria --- manifests/cluster-rbac/server/argocd-server-clusterrole.yaml | 1 + manifests/ha/install.yaml | 1 + manifests/install.yaml | 1 + 3 files changed, 3 insertions(+) 
diff --git a/manifests/cluster-rbac/server/argocd-server-clusterrole.yaml b/manifests/cluster-rbac/server/argocd-server-clusterrole.yaml index b33820950fcb6..3ee074622c15c 100644 --- a/manifests/cluster-rbac/server/argocd-server-clusterrole.yaml +++ b/manifests/cluster-rbac/server/argocd-server-clusterrole.yaml @@ -15,6 +15,7 @@ rules: - delete # supports deletion a live object in UI - get # supports viewing live object manifest in UI - patch # supports `argocd app patch` + - list # supports `argocd appset generate` with cluster generator - apiGroups: - "" resources: diff --git a/manifests/ha/install.yaml b/manifests/ha/install.yaml index 334b2befea9f1..4e2456c60e464 100644 --- a/manifests/ha/install.yaml +++ b/manifests/ha/install.yaml @@ -22463,6 +22463,7 @@ rules: - delete - get - patch + - list - apiGroups: - "" resources: diff --git a/manifests/install.yaml b/manifests/install.yaml index 868793d2f8e52..beeefd0a4dd78 100644 --- a/manifests/install.yaml +++ b/manifests/install.yaml @@ -22430,6 +22430,7 @@ rules: - delete - get - patch + - list - apiGroups: - "" resources: From 8e070ce05a8520e28ee52a22c4b15e786b3f69ef Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 30 Sep 2024 13:45:23 +0000 Subject: [PATCH 14/38] [Bot] docs: Update Snyk reports (#20146) 
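Review bot: The added `- list` extends a rule whose `apiGroups` and `resources` sit above the hunk; if that is a wildcard rule, argocd-server gains cluster-wide list on every resource type, Secrets included, where `get` previously required knowing the object name. The inline comment says the verb is needed for `argocd appset generate` with the cluster generator. I would put it in a separate rule scoped to the resources that generator reads, not widen the shared rule. The generated `manifests/ha/install.yaml` and `manifests/install.yaml` hunks carry the same change.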
Signed-off-by: CI Co-authored-by: CI --- docs/snyk/index.md | 58 +- docs/snyk/master/argocd-iac-install.html | 24 +- .../master/argocd-iac-namespace-install.html | 24 +- docs/snyk/master/argocd-test.html | 179 +- .../master/ghcr.io_dexidp_dex_v2.41.1.html | 2 +- ..._docker_library_haproxy_2.6.17-alpine.html | 2 +- ...ws_docker_library_redis_7.0.15-alpine.html | 2 +- .../quay.io_argoproj_argocd_latest.html | 4 +- docs/snyk/master/redis_7.0.15-alpine.html | 2 +- .../argocd-iac-install.html | 2 +- .../argocd-iac-namespace-install.html | 2 +- .../{v2.10.16 => v2.10.17}/argocd-test.html | 629 +--- .../ghcr.io_dexidp_dex_v2.37.0.html | 2 +- .../haproxy_2.6.14-alpine.html | 2 +- .../quay.io_argoproj_argocd_v2.10.17.html} | 2996 ++++------------- .../redis_7.0.15-alpine.html | 2 +- .../argocd-iac-install.html | 2 +- .../argocd-iac-namespace-install.html | 2 +- .../{v2.11.8 => v2.11.9}/argocd-test.html | 406 +-- .../ghcr.io_dexidp_dex_v2.38.0.html | 2 +- .../haproxy_2.6.14-alpine.html | 2 +- .../quay.io_argoproj_argocd_v2.11.9.html} | 820 ++--- .../redis_7.0.15-alpine.html | 2 +- docs/snyk/v2.12.3/argocd-test.html | 1086 ------ .../argocd-iac-install.html | 2 +- .../argocd-iac-namespace-install.html | 2 +- docs/snyk/v2.12.4/argocd-test.html | 688 ++++ .../ghcr.io_dexidp_dex_v2.38.0.html | 2 +- ..._docker_library_haproxy_2.6.17-alpine.html | 2 +- ...ws_docker_library_redis_7.0.15-alpine.html | 2 +- .../quay.io_argoproj_argocd_v2.12.4.html} | 783 +---- .../redis_7.0.15-alpine.html | 2 +- docs/snyk/v2.13.0-rc2/argocd-iac-install.html | 2 +- .../argocd-iac-namespace-install.html | 2 +- docs/snyk/v2.13.0-rc2/argocd-test.html | 2 +- .../ghcr.io_dexidp_dex_v2.41.1.html | 2 +- ..._docker_library_haproxy_2.6.17-alpine.html | 2 +- ...ws_docker_library_redis_7.0.15-alpine.html | 2 +- .../quay.io_argoproj_argocd_v2.13.0-rc2.html | 2 +- .../snyk/v2.13.0-rc2/redis_7.0.15-alpine.html | 2 +- 40 files changed, 1810 insertions(+), 5943 deletions(-) rename docs/snyk/{v2.10.16 => 
v2.10.17}/argocd-iac-install.html (99%) rename docs/snyk/{v2.10.16 => v2.10.17}/argocd-iac-namespace-install.html (99%) rename docs/snyk/{v2.10.16 => v2.10.17}/argocd-test.html (85%) rename docs/snyk/{v2.10.16 => v2.10.17}/ghcr.io_dexidp_dex_v2.37.0.html (99%) rename docs/snyk/{v2.11.8 => v2.10.17}/haproxy_2.6.14-alpine.html (99%) rename docs/snyk/{v2.10.16/quay.io_argoproj_argocd_v2.10.16.html => v2.10.17/quay.io_argoproj_argocd_v2.10.17.html} (64%) rename docs/snyk/{v2.10.16 => v2.10.17}/redis_7.0.15-alpine.html (99%) rename docs/snyk/{v2.11.8 => v2.11.9}/argocd-iac-install.html (99%) rename docs/snyk/{v2.11.8 => v2.11.9}/argocd-iac-namespace-install.html (99%) rename docs/snyk/{v2.11.8 => v2.11.9}/argocd-test.html (90%) rename docs/snyk/{v2.11.8 => v2.11.9}/ghcr.io_dexidp_dex_v2.38.0.html (99%) rename docs/snyk/{v2.10.16 => v2.11.9}/haproxy_2.6.14-alpine.html (99%) rename docs/snyk/{v2.11.8/quay.io_argoproj_argocd_v2.11.8.html => v2.11.9/quay.io_argoproj_argocd_v2.11.9.html} (91%) rename docs/snyk/{v2.11.8 => v2.11.9}/redis_7.0.15-alpine.html (99%) delete mode 100644 docs/snyk/v2.12.3/argocd-test.html rename docs/snyk/{v2.12.3 => v2.12.4}/argocd-iac-install.html (99%) rename docs/snyk/{v2.12.3 => v2.12.4}/argocd-iac-namespace-install.html (99%) create mode 100644 docs/snyk/v2.12.4/argocd-test.html rename docs/snyk/{v2.12.3 => v2.12.4}/ghcr.io_dexidp_dex_v2.38.0.html (99%) rename docs/snyk/{v2.12.3 => v2.12.4}/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html (99%) rename docs/snyk/{v2.12.3 => v2.12.4}/public.ecr.aws_docker_library_redis_7.0.15-alpine.html (99%) rename docs/snyk/{v2.12.3/quay.io_argoproj_argocd_v2.12.3.html => v2.12.4/quay.io_argoproj_argocd_v2.12.4.html} (76%) rename docs/snyk/{v2.12.3 => v2.12.4}/redis_7.0.15-alpine.html (99%) diff --git a/docs/snyk/index.md b/docs/snyk/index.md index b9e7582682786..83b12c2987810 100644 --- a/docs/snyk/index.md +++ b/docs/snyk/index.md 
@@ -14,7 +14,7 @@ recent minor releases. | | Critical | High | Medium | Low | |---:|:--------:|:----:|:------:|:---:| | [go.mod](master/argocd-test.html) | 0 | 0 | 1 | 0 | -| [ui/yarn.lock](master/argocd-test.html) | 0 | 0 | 1 | 0 | +| [ui/yarn.lock](master/argocd-test.html) | 0 | 0 | 0 | 0 | | [dex:v2.41.1](master/ghcr.io_dexidp_dex_v2.41.1.html) | 0 | 0 | 0 | 1 | | [haproxy:2.6.17-alpine](master/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html) | 0 | 0 | 2 | 3 | | [redis:7.0.15-alpine](master/public.ecr.aws_docker_library_redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 | 
@@ -37,42 +37,42 @@ recent minor releases. | [install.yaml](v2.13.0-rc2/argocd-iac-install.html) | - | - | - | - | | [namespace-install.yaml](v2.13.0-rc2/argocd-iac-namespace-install.html) | - | - | - | - | -### v2.12.3 +### v2.12.4 | | Critical | High | Medium | Low | |---:|:--------:|:----:|:------:|:---:| -| [go.mod](v2.12.3/argocd-test.html) | 0 | 0 | 2 | 0 | -| [ui/yarn.lock](v2.12.3/argocd-test.html) | 0 | 1 | 2 | 0 | -| [dex:v2.38.0](v2.12.3/ghcr.io_dexidp_dex_v2.38.0.html) | 0 | 0 | 6 | 6 | -| [haproxy:2.6.17-alpine](v2.12.3/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html) | 0 | 0 | 2 | 3 | -| [redis:7.0.15-alpine](v2.12.3/public.ecr.aws_docker_library_redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 | -| [argocd:v2.12.3](v2.12.3/quay.io_argoproj_argocd_v2.12.3.html) | 0 | 0 | 8 | 8 | -| [redis:7.0.15-alpine](v2.12.3/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 | -| [install.yaml](v2.12.3/argocd-iac-install.html) | - | - | - | - | -| [namespace-install.yaml](v2.12.3/argocd-iac-namespace-install.html) | - | - | - | - | +| [go.mod](v2.12.4/argocd-test.html) | 0 | 0 | 2 | 0 | +| [ui/yarn.lock](v2.12.4/argocd-test.html) | 0 | 0 | 0 | 0 | +| [dex:v2.38.0](v2.12.4/ghcr.io_dexidp_dex_v2.38.0.html) | 0 | 0 | 6 | 6 | +| [haproxy:2.6.17-alpine](v2.12.4/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html) | 0 | 0 | 2 | 3 | +| [redis:7.0.15-alpine](v2.12.4/public.ecr.aws_docker_library_redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 | +| [argocd:v2.12.4](v2.12.4/quay.io_argoproj_argocd_v2.12.4.html) | 0 | 0 | 3 | 8 | +| [redis:7.0.15-alpine](v2.12.4/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 | +| [install.yaml](v2.12.4/argocd-iac-install.html) | - | - | - | - | +| [namespace-install.yaml](v2.12.4/argocd-iac-namespace-install.html) | - | - | - | - | -### v2.11.8 +### v2.11.9 | | Critical | High | Medium | Low | |---:|:--------:|:----:|:------:|:---:| -| [go.mod](v2.11.8/argocd-test.html) | 0 | 1 | 3 | 0 | -| [ui/yarn.lock](v2.11.8/argocd-test.html) | 0 | 1 | 2 | 0 | -| 
[dex:v2.38.0](v2.11.8/ghcr.io_dexidp_dex_v2.38.0.html) | 0 | 0 | 6 | 6 | -| [haproxy:2.6.14-alpine](v2.11.8/haproxy_2.6.14-alpine.html) | 0 | 1 | 7 | 6 | -| [argocd:v2.11.8](v2.11.8/quay.io_argoproj_argocd_v2.11.8.html) | 0 | 0 | 8 | 16 | -| [redis:7.0.15-alpine](v2.11.8/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 | -| [install.yaml](v2.11.8/argocd-iac-install.html) | - | - | - | - | -| [namespace-install.yaml](v2.11.8/argocd-iac-namespace-install.html) | - | - | - | - | +| [go.mod](v2.11.9/argocd-test.html) | 0 | 1 | 3 | 0 | +| [ui/yarn.lock](v2.11.9/argocd-test.html) | 0 | 0 | 0 | 0 | +| [dex:v2.38.0](v2.11.9/ghcr.io_dexidp_dex_v2.38.0.html) | 0 | 0 | 6 | 6 | +| [haproxy:2.6.14-alpine](v2.11.9/haproxy_2.6.14-alpine.html) | 0 | 1 | 7 | 6 | +| [argocd:v2.11.9](v2.11.9/quay.io_argoproj_argocd_v2.11.9.html) | 0 | 0 | 4 | 17 | +| [redis:7.0.15-alpine](v2.11.9/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 | +| [install.yaml](v2.11.9/argocd-iac-install.html) | - | - | - | - | +| [namespace-install.yaml](v2.11.9/argocd-iac-namespace-install.html) | - | - | - | - | -### v2.10.16 +### v2.10.17 | | Critical | High | Medium | Low | |---:|:--------:|:----:|:------:|:---:| -| [go.mod](v2.10.16/argocd-test.html) | 0 | 1 | 4 | 0 | -| [ui/yarn.lock](v2.10.16/argocd-test.html) | 0 | 1 | 2 | 0 | -| [dex:v2.37.0](v2.10.16/ghcr.io_dexidp_dex_v2.37.0.html) | 1 | 1 | 10 | 6 | -| [haproxy:2.6.14-alpine](v2.10.16/haproxy_2.6.14-alpine.html) | 0 | 1 | 7 | 6 | -| [argocd:v2.10.16](v2.10.16/quay.io_argoproj_argocd_v2.10.16.html) | 0 | 0 | 12 | 20 | -| [redis:7.0.15-alpine](v2.10.16/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 | -| [install.yaml](v2.10.16/argocd-iac-install.html) | - | - | - | - | -| [namespace-install.yaml](v2.10.16/argocd-iac-namespace-install.html) | - | - | - | - | +| [go.mod](v2.10.17/argocd-test.html) | 0 | 1 | 3 | 0 | +| [ui/yarn.lock](v2.10.17/argocd-test.html) | 0 | 0 | 0 | 0 | +| [dex:v2.37.0](v2.10.17/ghcr.io_dexidp_dex_v2.37.0.html) | 1 | 1 | 10 | 6 | +| 
[haproxy:2.6.14-alpine](v2.10.17/haproxy_2.6.14-alpine.html) | 0 | 1 | 7 | 6 | +| [argocd:v2.10.17](v2.10.17/quay.io_argoproj_argocd_v2.10.17.html) | 0 | 0 | 4 | 17 | +| [redis:7.0.15-alpine](v2.10.17/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 0 | +| [install.yaml](v2.10.17/argocd-iac-install.html) | - | - | - | - | +| [namespace-install.yaml](v2.10.17/argocd-iac-namespace-install.html) | - | - | - | - | diff --git a/docs/snyk/master/argocd-iac-install.html b/docs/snyk/master/argocd-iac-install.html index 4ffca011eadd2..e9b3556bb4240 100644 --- a/docs/snyk/master/argocd-iac-install.html +++ b/docs/snyk/master/argocd-iac-install.html @@ -456,7 +456,7 @@

                    Snyk test report

                    -

                    September 22nd 2024, 12:21:06 am (UTC+00:00)

                    +

                    September 29th 2024, 12:21:44 am (UTC+00:00)

                    Scanned the following path: @@ -933,7 +933,7 @@

                    Container could be running with outdated image

                  • - Line number: 23644 + Line number: 23650
                  @@ -1339,7 +1339,7 @@

                  Container has no CPU limit

                • - Line number: 23644 + Line number: 23650
                @@ -1455,7 +1455,7 @@

                Container has no CPU limit

              • - Line number: 23729 + Line number: 23735
              @@ -1513,7 +1513,7 @@

              Container has no CPU limit

            • - Line number: 24119 + Line number: 24125
            @@ -2127,7 +2127,7 @@

            Container is running without memory limit

          • - Line number: 23644 + Line number: 23650
          @@ -2243,7 +2243,7 @@

          Container is running without memory limit

        • - Line number: 23729 + Line number: 23735
        @@ -2301,7 +2301,7 @@

        Container is running without memory limit

      • - Line number: 24119 + Line number: 24125
      @@ -2693,7 +2693,7 @@

      Container's or Pod's UID could clash with hos
    • - Line number: 23651 + Line number: 23657
    @@ -2749,7 +2749,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 23617 + Line number: 23623
@@ -2805,7 +2805,7 @@

Container's or Pod's UID could clash with hos
  • - Line number: 24020 + Line number: 24026
  • @@ -2861,7 +2861,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 24320 + Line number: 24326
  • diff --git a/docs/snyk/master/argocd-iac-namespace-install.html b/docs/snyk/master/argocd-iac-namespace-install.html index a78881186e589..39fbf4fb80f17 100644 --- a/docs/snyk/master/argocd-iac-namespace-install.html +++ b/docs/snyk/master/argocd-iac-namespace-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    September 22nd 2024, 12:21:16 am (UTC+00:00)

    +

    September 29th 2024, 12:21:54 am (UTC+00:00)

    Scanned the following path: @@ -887,7 +887,7 @@

    Container could be running with outdated image

  • - Line number: 1437 + Line number: 1443
  • @@ -1293,7 +1293,7 @@

    Container has no CPU limit

  • - Line number: 1437 + Line number: 1443
  • @@ -1409,7 +1409,7 @@

    Container has no CPU limit

  • - Line number: 1522 + Line number: 1528
  • @@ -1467,7 +1467,7 @@

    Container has no CPU limit

  • - Line number: 1912 + Line number: 1918
  • @@ -2081,7 +2081,7 @@

    Container is running without memory limit

  • - Line number: 1437 + Line number: 1443
  • @@ -2197,7 +2197,7 @@

    Container is running without memory limit

  • - Line number: 1522 + Line number: 1528
  • @@ -2255,7 +2255,7 @@

    Container is running without memory limit

  • - Line number: 1912 + Line number: 1918
  • @@ -2647,7 +2647,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 1444 + Line number: 1450
  • @@ -2703,7 +2703,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 1410 + Line number: 1416
  • @@ -2759,7 +2759,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 1813 + Line number: 1819
  • @@ -2815,7 +2815,7 @@

    Container's or Pod's UID could clash with hos
  • - Line number: 2113 + Line number: 2119
  • diff --git a/docs/snyk/master/argocd-test.html b/docs/snyk/master/argocd-test.html index 0c91d6f1cb159..5cb77fa18459d 100644 --- a/docs/snyk/master/argocd-test.html +++ b/docs/snyk/master/argocd-test.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,7 +456,7 @@

    Snyk test report

    -

    September 22nd 2024, 12:18:54 am (UTC+00:00)

    +

    September 29th 2024, 12:19:28 am (UTC+00:00)

    Scanned the following paths: @@ -467,9 +467,9 @@

    Snyk test report

    -
    2 known vulnerabilities
    -
    4 vulnerable dependency paths
    -
    2132 dependencies
    +
    1 known vulnerabilities
    +
    1 vulnerable dependency paths
    +
    2137 dependencies

    @@ -477,175 +477,6 @@

    Snyk test report

    -
    -

    Regular Expression Denial of Service (ReDoS)

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: /argo-cd ui/yarn.lock -
    • -
    • - Package Manager: npm -
    • -
    • - Vulnerable module: - - path-to-regexp -
    • - -
    • Introduced through: - - - argo-cd-ui@1.0.0, react-router@4.3.1 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - argo-cd-ui@1.0.0 - - react-router@4.3.1 - - path-to-regexp@1.8.0 - - - -
    • -
    • - Introduced through: - argo-cd-ui@1.0.0 - - react-router-dom@4.3.1 - - react-router@4.3.1 - - path-to-regexp@1.8.0 - - - -
    • -
    • - Introduced through: - argo-cd-ui@1.0.0 - - argo-ui@1.0.0 - - react-router-dom@4.3.1 - - react-router@4.3.1 - - path-to-regexp@1.8.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when including multiple regular expression parameters in a single segment, which will produce the regular expression /^\/([^\/]+?)-([^\/]+?)\/?$/, if two parameters within a single segment are separated by a character other than a / or .. Poor performance will block the event loop and can lead to a DoS.

    -

    Note: - While the 8.0.0 release has completely eliminated the vulnerable functionality, prior versions that have received the patch to mitigate backtracking may still be vulnerable if custom regular expressions are used. So it is strongly recommended for regular expression input to be controlled to avoid malicious performance degradation in those versions. This behavior is enforced as of version 7.1.0 via the strict option, which returns an error if a dangerous regular expression is detected.

    -

    Workaround

    -

    This vulnerability can be avoided by using a custom regular expression for parameters after the first in a segment, which excludes - and /.

    -

    PoC

    -
    /a${'-a'.repeat(8_000)}/a
    -        
    -

    Details

    -

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

    -

    The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

    -

    Let’s take the following regular expression as an example:

    -
    regex = /A(B|C+)+D/
    -        
    -

    This regular expression accomplishes the following:

    -
      -
    • A The string must start with the letter 'A'
    • -
    • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
    • -
    • D Finally, we ensure this section of the string ends with a 'D'
    • -
    -

    The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

    -

    It most cases, it doesn't take very long for a regex engine to find a match:

    -
    $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
    -        0.04s user 0.01s system 95% cpu 0.052 total
    -        
    -        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
    -        1.79s user 0.02s system 99% cpu 1.812 total
    -        
    -

    The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

    -

    Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

    -

    Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

    -
      -
    1. CCC
    2. -
    3. CC+C
    4. -
    5. C+CC
    6. -
    7. C+C+C.
    8. -
    -

    The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

    -

    From there, the number of steps the engine must use to validate a string just continues to grow.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    StringNumber of C'sNumber of steps
    ACCCX338
    ACCCCX471
    ACCCCCX5136
    ACCCCCCCCCCCCCCX1465,553
    -

    By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

    -

    Remediation

    -

    Upgrade path-to-regexp to version 0.1.10, 1.9.0, 3.3.0, 6.3.0, 8.0.0 or higher.

    -

    References

    - - -
    - - - -

    Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

    diff --git a/docs/snyk/master/ghcr.io_dexidp_dex_v2.41.1.html b/docs/snyk/master/ghcr.io_dexidp_dex_v2.41.1.html index 55eb2fcbe954b..487905ed8c4b4 100644 --- a/docs/snyk/master/ghcr.io_dexidp_dex_v2.41.1.html +++ b/docs/snyk/master/ghcr.io_dexidp_dex_v2.41.1.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    September 22nd 2024, 12:19:01 am (UTC+00:00)

    +

    September 29th 2024, 12:19:39 am (UTC+00:00)

    Scanned the following paths: diff --git a/docs/snyk/master/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html b/docs/snyk/master/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html index d9db5c2fc73c8..c0f2ada410bc0 100644 --- a/docs/snyk/master/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html +++ b/docs/snyk/master/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    September 22nd 2024, 12:19:15 am (UTC+00:00)

    +

    September 29th 2024, 12:19:47 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/master/public.ecr.aws_docker_library_redis_7.0.15-alpine.html b/docs/snyk/master/public.ecr.aws_docker_library_redis_7.0.15-alpine.html index ccf5d62549670..2bbc9c1fe82f7 100644 --- a/docs/snyk/master/public.ecr.aws_docker_library_redis_7.0.15-alpine.html +++ b/docs/snyk/master/public.ecr.aws_docker_library_redis_7.0.15-alpine.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    September 22nd 2024, 12:19:21 am (UTC+00:00)

    +

    September 29th 2024, 12:19:54 am (UTC+00:00)

    Scanned the following paths: diff --git a/docs/snyk/master/quay.io_argoproj_argocd_latest.html b/docs/snyk/master/quay.io_argoproj_argocd_latest.html index b01bd7de71714..fe39f3ffd1410 100644 --- a/docs/snyk/master/quay.io_argoproj_argocd_latest.html +++ b/docs/snyk/master/quay.io_argoproj_argocd_latest.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    September 22nd 2024, 12:19:38 am (UTC+00:00)

    +

    September 29th 2024, 12:20:12 am (UTC+00:00)

    Scanned the following paths: @@ -472,7 +472,7 @@

    Snyk test report

    11 known vulnerabilities
    65 vulnerable dependency paths
    -
    2355 dependencies
    +
    2360 dependencies
    diff --git a/docs/snyk/master/redis_7.0.15-alpine.html b/docs/snyk/master/redis_7.0.15-alpine.html index 86330360ca083..7a24ba6966347 100644 --- a/docs/snyk/master/redis_7.0.15-alpine.html +++ b/docs/snyk/master/redis_7.0.15-alpine.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    September 22nd 2024, 12:19:42 am (UTC+00:00)

    +

    September 29th 2024, 12:20:17 am (UTC+00:00)

    Scanned the following paths: diff --git a/docs/snyk/v2.10.16/argocd-iac-install.html b/docs/snyk/v2.10.17/argocd-iac-install.html similarity index 99% rename from docs/snyk/v2.10.16/argocd-iac-install.html rename to docs/snyk/v2.10.17/argocd-iac-install.html index caf0aceb5972f..0ad5f3575300a 100644 --- a/docs/snyk/v2.10.16/argocd-iac-install.html +++ b/docs/snyk/v2.10.17/argocd-iac-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    September 22nd 2024, 12:30:18 am (UTC+00:00)

    +

    September 29th 2024, 12:31:36 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.10.16/argocd-iac-namespace-install.html b/docs/snyk/v2.10.17/argocd-iac-namespace-install.html similarity index 99% rename from docs/snyk/v2.10.16/argocd-iac-namespace-install.html rename to docs/snyk/v2.10.17/argocd-iac-namespace-install.html index 1a15c2d0c5416..3ef49aa4bb894 100644 --- a/docs/snyk/v2.10.16/argocd-iac-namespace-install.html +++ b/docs/snyk/v2.10.17/argocd-iac-namespace-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    September 22nd 2024, 12:30:27 am (UTC+00:00)

    +

    September 29th 2024, 12:31:46 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.10.16/argocd-test.html b/docs/snyk/v2.10.17/argocd-test.html similarity index 85% rename from docs/snyk/v2.10.16/argocd-test.html rename to docs/snyk/v2.10.17/argocd-test.html index 82f63569dbd39..2e7a617dd556f 100644 --- a/docs/snyk/v2.10.16/argocd-test.html +++ b/docs/snyk/v2.10.17/argocd-test.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,7 +456,7 @@

    Snyk test report

    -

    September 22nd 2024, 12:28:24 am (UTC+00:00)

    +

    September 29th 2024, 12:29:38 am (UTC+00:00)

    Scanned the following paths: @@ -467,8 +467,8 @@

    Snyk test report

    -
    8 known vulnerabilities
    -
    164 vulnerable dependency paths
    +
    4 known vulnerabilities
    +
    147 vulnerable dependency paths
    2042 dependencies
    @@ -3139,329 +3139,6 @@

    References

    More about this vulnerability

    -
    -
    -

    Prototype Pollution

    -
    - -
    - high severity -
    - -
    - -
      -
    • - Manifest file: /argo-cd ui/yarn.lock -
    • -
    • - Package Manager: npm -
    • -
    • - Vulnerable module: - - dompurify -
    • - -
    • Introduced through: - - - argo-cd-ui@1.0.0, redoc@2.0.0-rc.64 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - argo-cd-ui@1.0.0 - - redoc@2.0.0-rc.64 - - dompurify@2.3.6 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.

    -

    Affected versions of this package are vulnerable to Prototype Pollution due to improper user input sanitization through the depth-checking mechanism, an attacker can exploit this vulnerability by using special nesting techniques to create a malicious HTML file.

    -

    Details

    -

    Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

    -

    There are two main ways in which the pollution of prototypes occurs:

    -
      -
    • Unsafe Object recursive merge

      -
    • -
    • Property definition by path

      -
    • -
    -

    Unsafe Object recursive merge

    -

    The logic of a vulnerable recursive merge function follows the following high-level model:

    -
    merge (target, source)
    -        
    -          foreach property of source
    -        
    -            if property exists and is an object on both the target and the source
    -        
    -              merge(target[property], source[property])
    -        
    -            else
    -        
    -              target[property] = source[property]
    -        
    -
    - -

    When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

    -

    Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

    -

    lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

    -

    Property definition by path

    -

    There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

    -

    If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

    -

    Types of attacks

    -

    There are a few methods by which Prototype Pollution can be manipulated:

    - - - - - - - - - - - - - - - - - - - - - - - -
    TypeOriginShort description
    Denial of service (DoS)ClientThis is the most likely attack.
    DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
    The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
    For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
    Remote Code ExecutionClientRemote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
    For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
    Property InjectionClientThe attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
    For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.
    -

    Affected environments

    -

    The following environments are susceptible to a Prototype Pollution attack:

    -
      -
    • Application server

      -
    • -
    • Web server

      -
    • -
    • Web browser

      -
    • -
    -

    How to prevent

    -
      -
    1. Freeze the prototype— use Object.freeze (Object.prototype).

      -
    2. -
    3. Require schema validation of JSON input.

      -
    4. -
    5. Avoid using unsafe recursive merge functions.

      -
    6. -
    7. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

      -
    8. -
    9. As a best practice use Map instead of Object.

      -
    10. -
    -

    For more information on this vulnerability type:

    -

    Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

    -

    Remediation

    -

    Upgrade dompurify to version 2.5.4, 3.1.3 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Regular Expression Denial of Service (ReDoS)

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: /argo-cd ui/yarn.lock -
    • -
    • - Package Manager: npm -
    • -
    • - Vulnerable module: - - path-to-regexp -
    • - -
    • Introduced through: - - - argo-cd-ui@1.0.0, react-router@4.3.1 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - argo-cd-ui@1.0.0 - - react-router@4.3.1 - - path-to-regexp@1.8.0 - - - -
    • -
    • - Introduced through: - argo-cd-ui@1.0.0 - - react-router-dom@4.3.1 - - react-router@4.3.1 - - path-to-regexp@1.8.0 - - - -
    • -
    • - Introduced through: - argo-cd-ui@1.0.0 - - argo-ui@1.0.0 - - react-router-dom@4.3.1 - - react-router@4.3.1 - - path-to-regexp@1.8.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when including multiple regular expression parameters in a single segment, which will produce the regular expression /^\/([^\/]+?)-([^\/]+?)\/?$/, if two parameters within a single segment are separated by a character other than a / or .. Poor performance will block the event loop and can lead to a DoS.

    -

    Note: - While the 8.0.0 release has completely eliminated the vulnerable functionality, prior versions that have received the patch to mitigate backtracking may still be vulnerable if custom regular expressions are used. So it is strongly recommended for regular expression input to be controlled to avoid malicious performance degradation in those versions. This behavior is enforced as of version 7.1.0 via the strict option, which returns an error if a dangerous regular expression is detected.

    -

    Workaround

    -

    This vulnerability can be avoided by using a custom regular expression for parameters after the first in a segment, which excludes - and /.

    -

    PoC

    -
    /a${'-a'.repeat(8_000)}/a
    -        
    -

    Details

    -

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

    -

    The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

    -

    Let’s take the following regular expression as an example:

    -
    regex = /A(B|C+)+D/
    -        
    -

    This regular expression accomplishes the following:

    -
      -
    • A The string must start with the letter 'A'
    • -
    • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
    • -
    • D Finally, we ensure this section of the string ends with a 'D'
    • -
    -

    The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

    -

    It most cases, it doesn't take very long for a regex engine to find a match:

    -
    $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
    -        0.04s user 0.01s system 95% cpu 0.052 total
    -        
    -        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
    -        1.79s user 0.02s system 99% cpu 1.812 total
    -        
    -

    The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

    -

    Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

    -

    Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

    -
      -
    1. CCC
    2. -
    3. CC+C
    4. -
    5. C+CC
    6. -
    7. C+C+C.
    8. -
    -

    The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

    -

    From there, the number of steps the engine must use to validate a string just continues to grow.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    StringNumber of C'sNumber of steps
    ACCCX338
    ACCCCX471
    ACCCCCX5136
    ACCCCCCCCCCCCCCX1465,553
    -

    By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

    -

    Remediation

    -

    Upgrade path-to-regexp to version 0.1.10, 1.9.0, 3.3.0, 6.3.0, 8.0.0 or higher.

    -

    References

    - - -
    - - -

    Regular Expression Denial of Service (ReDoS)

    @@ -3789,229 +3466,6 @@

    References

    More about this vulnerability

    -
    -
    -

    Insertion of Sensitive Information into Log File

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: /argo-cd/argoproj/argo-cd/v2 go.mod -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - github.com/hashicorp/go-retryablehttp -
    • - -
    • Introduced through: - - github.com/argoproj/argo-cd/v2@0.0.0 and github.com/hashicorp/go-retryablehttp@0.7.4 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@0.0.0 - - github.com/hashicorp/go-retryablehttp@0.7.4 - - - -
    • -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@0.0.0 - - github.com/argoproj/notifications-engine/pkg/services@#84b9f7913604 - - github.com/hashicorp/go-retryablehttp@0.7.4 - - - -
    • -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@0.0.0 - - github.com/xanzy/go-gitlab@0.91.1 - - github.com/hashicorp/go-retryablehttp@0.7.4 - - - -
    • -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@0.0.0 - - github.com/argoproj/notifications-engine/pkg/subscriptions@#84b9f7913604 - - github.com/argoproj/notifications-engine/pkg/services@#84b9f7913604 - - github.com/hashicorp/go-retryablehttp@0.7.4 - - - -
    • -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@0.0.0 - - github.com/argoproj/notifications-engine/pkg/cmd@#84b9f7913604 - - github.com/argoproj/notifications-engine/pkg/services@#84b9f7913604 - - github.com/hashicorp/go-retryablehttp@0.7.4 - - - -
    • -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@0.0.0 - - github.com/argoproj/notifications-engine/pkg/services@#84b9f7913604 - - github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5 - - github.com/hashicorp/go-retryablehttp@0.7.4 - - - -
    • -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@0.0.0 - - github.com/argoproj/notifications-engine/pkg/api@#84b9f7913604 - - github.com/argoproj/notifications-engine/pkg/subscriptions@#84b9f7913604 - - github.com/argoproj/notifications-engine/pkg/services@#84b9f7913604 - - github.com/hashicorp/go-retryablehttp@0.7.4 - - - -
    • -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@0.0.0 - - github.com/argoproj/notifications-engine/pkg/controller@#84b9f7913604 - - github.com/argoproj/notifications-engine/pkg/subscriptions@#84b9f7913604 - - github.com/argoproj/notifications-engine/pkg/services@#84b9f7913604 - - github.com/hashicorp/go-retryablehttp@0.7.4 - - - -
    • -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@0.0.0 - - github.com/argoproj/notifications-engine/pkg/subscriptions@#84b9f7913604 - - github.com/argoproj/notifications-engine/pkg/services@#84b9f7913604 - - github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5 - - github.com/hashicorp/go-retryablehttp@0.7.4 - - - -
    • -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@0.0.0 - - github.com/argoproj/notifications-engine/pkg/cmd@#84b9f7913604 - - github.com/argoproj/notifications-engine/pkg/services@#84b9f7913604 - - github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5 - - github.com/hashicorp/go-retryablehttp@0.7.4 - - - -
    • -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@0.0.0 - - github.com/argoproj/notifications-engine/pkg/api@#84b9f7913604 - - github.com/argoproj/notifications-engine/pkg/subscriptions@#84b9f7913604 - - github.com/argoproj/notifications-engine/pkg/services@#84b9f7913604 - - github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5 - - github.com/hashicorp/go-retryablehttp@0.7.4 - - - -
    • -
    • - Introduced through: - github.com/argoproj/argo-cd/v2@0.0.0 - - github.com/argoproj/notifications-engine/pkg/controller@#84b9f7913604 - - github.com/argoproj/notifications-engine/pkg/subscriptions@#84b9f7913604 - - github.com/argoproj/notifications-engine/pkg/services@#84b9f7913604 - - github.com/opsgenie/opsgenie-go-sdk-v2/client@1.0.5 - - github.com/hashicorp/go-retryablehttp@0.7.4 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File due to not sanitizing urls when writing them to the log file. This could lead to an attacker writing sensitive HTTP basic auth credentials to the log file.

    -

    Remediation

    -

    Upgrade github.com/hashicorp/go-retryablehttp to version 0.7.7 or higher.

    -

    References

    - - -
    - - -

    Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

    @@ -4104,81 +3558,6 @@

    References

    -
    -

    Template Injection

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: /argo-cd ui/yarn.lock -
    • -
    • - Package Manager: npm -
    • -
    • - Vulnerable module: - - dompurify -
    • - -
    • Introduced through: - - - argo-cd-ui@1.0.0, redoc@2.0.0-rc.64 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - argo-cd-ui@1.0.0 - - redoc@2.0.0-rc.64 - - dompurify@2.3.6 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.

    -

    Affected versions of this package are vulnerable to Template Injection in purify.js, due to inconsistencies in the parsing of XML and HTML tags. Executable code can be injected in HTML inside XML CDATA blocks.

    -

    PoC

    -
    <![CDATA[ ><img src onerror=alert(1)> ]]>
    -        
    -

    Remediation

    -

    Upgrade dompurify to version 2.4.9, 3.0.11 or higher.

    -

    References

    - - -
    - - - -
    diff --git a/docs/snyk/v2.10.16/ghcr.io_dexidp_dex_v2.37.0.html b/docs/snyk/v2.10.17/ghcr.io_dexidp_dex_v2.37.0.html
    similarity index 99%
    rename from docs/snyk/v2.10.16/ghcr.io_dexidp_dex_v2.37.0.html
    rename to docs/snyk/v2.10.17/ghcr.io_dexidp_dex_v2.37.0.html
    index f6beb50189acb..ac80e70c96cf3 100644
    --- a/docs/snyk/v2.10.16/ghcr.io_dexidp_dex_v2.37.0.html
    +++ b/docs/snyk/v2.10.17/ghcr.io_dexidp_dex_v2.37.0.html
    @@ -456,7 +456,7 @@

    Snyk test report

    -

    September 22nd 2024, 12:28:32 am (UTC+00:00)

    +

    September 29th 2024, 12:29:48 am (UTC+00:00)

    Scanned the following paths:
    diff --git a/docs/snyk/v2.11.8/haproxy_2.6.14-alpine.html b/docs/snyk/v2.10.17/haproxy_2.6.14-alpine.html
    similarity index 99%
    rename from docs/snyk/v2.11.8/haproxy_2.6.14-alpine.html
    rename to docs/snyk/v2.10.17/haproxy_2.6.14-alpine.html
    index 51e9cc5e39b95..5125593531156 100644
    --- a/docs/snyk/v2.11.8/haproxy_2.6.14-alpine.html
    +++ b/docs/snyk/v2.10.17/haproxy_2.6.14-alpine.html
    @@ -456,7 +456,7 @@

    Snyk test report

    -

    September 22nd 2024, 12:26:22 am (UTC+00:00)

    +

    September 29th 2024, 12:29:52 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.10.16/quay.io_argoproj_argocd_v2.10.16.html b/docs/snyk/v2.10.17/quay.io_argoproj_argocd_v2.10.17.html similarity index 64% rename from docs/snyk/v2.10.16/quay.io_argoproj_argocd_v2.10.16.html rename to docs/snyk/v2.10.17/quay.io_argoproj_argocd_v2.10.17.html index 8ba1cd553e6c1..4c702affee2f5 100644 --- a/docs/snyk/v2.10.16/quay.io_argoproj_argocd_v2.10.16.html +++ b/docs/snyk/v2.10.17/quay.io_argoproj_argocd_v2.10.17.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,22 +456,22 @@

    Snyk test report

    -

    September 22nd 2024, 12:28:55 am (UTC+00:00)

    +

    September 29th 2024, 12:30:13 am (UTC+00:00)

    Scanned the following paths:
      -
    • quay.io/argoproj/argocd:v2.10.16/argoproj/argocd/Dockerfile (deb)
    • -
    • quay.io/argoproj/argocd:v2.10.16/argoproj/argo-cd/v2//usr/local/bin/argocd (gomodules)
    • -
    • quay.io/argoproj/argocd:v2.10.16//usr/local/bin/kustomize (gomodules)
    • -
    • quay.io/argoproj/argocd:v2.10.16/helm/v3//usr/local/bin/helm (gomodules)
    • -
    • quay.io/argoproj/argocd:v2.10.16/git-lfs/git-lfs//usr/bin/git-lfs (gomodules)
    • +
    • quay.io/argoproj/argocd:v2.10.17/argoproj/argocd/Dockerfile (deb)
    • +
    • quay.io/argoproj/argocd:v2.10.17/argoproj/argo-cd/v2//usr/local/bin/argocd (gomodules)
    • +
    • quay.io/argoproj/argocd:v2.10.17//usr/local/bin/kustomize (gomodules)
    • +
    • quay.io/argoproj/argocd:v2.10.17/helm/v3//usr/local/bin/helm (gomodules)
    • +
    • quay.io/argoproj/argocd:v2.10.17/git-lfs/git-lfs//usr/bin/git-lfs (gomodules)
    -
    35 known vulnerabilities
    -
    241 vulnerable dependency paths
    +
    23 known vulnerabilities
    +
    169 vulnerable dependency paths
    2278 dependencies
    @@ -492,7 +492,7 @@

    Allocation of Resources Without Limits or Throttling

  • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.10.17/argoproj/argo-cd/v2 /usr/local/bin/argocd
  • Package Manager: golang @@ -572,7 +572,7 @@

    CVE-2024-41996

    • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.10.17/argoproj/argocd Dockerfile
    • Package Manager: ubuntu:22.04 @@ -585,7 +585,7 @@

      CVE-2024-41996

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 and openssl/libssl3@3.0.2-0ubuntu1.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 and openssl/libssl3@3.0.2-0ubuntu1.18
    @@ -598,77 +598,77 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 - openssl/libssl3@3.0.2-0ubuntu1.16 + openssl/libssl3@3.0.2-0ubuntu1.18
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 cyrus-sasl2/libsasl2-modules@2.1.27+dfsg2-3ubuntu1.2 - openssl/libssl3@3.0.2-0ubuntu1.16 + openssl/libssl3@3.0.2-0ubuntu1.18
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 libfido2/libfido2-1@1.10.0-1 - openssl/libssl3@3.0.2-0ubuntu1.16 + openssl/libssl3@3.0.2-0ubuntu1.18
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 openssh/openssh-client@1:8.9p1-3ubuntu0.10 - openssl/libssl3@3.0.2-0ubuntu1.16 + openssl/libssl3@3.0.2-0ubuntu1.18
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 - ca-certificates@20230311ubuntu0.22.04.1 + ca-certificates@20240203~22.04.1 - openssl@3.0.2-0ubuntu1.16 + openssl@3.0.2-0ubuntu1.18 - openssl/libssl3@3.0.2-0ubuntu1.16 + openssl/libssl3@3.0.2-0ubuntu1.18
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 git@1:2.34.1-1ubuntu1.11 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.18 libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - openssl/libssl3@3.0.2-0ubuntu1.16 + openssl/libssl3@3.0.2-0ubuntu1.18
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 adduser@3.118ubuntu5 @@ -680,31 +680,31 @@

      Detailed paths

      libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4 - krb5/libkrb5-3@1.19.2-2ubuntu0.3 + krb5/libkrb5-3@1.19.2-2ubuntu0.4 - openssl/libssl3@3.0.2-0ubuntu1.16 + openssl/libssl3@3.0.2-0ubuntu1.18
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 - openssl@3.0.2-0ubuntu1.16 + openssl@3.0.2-0ubuntu1.18
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 - ca-certificates@20230311ubuntu0.22.04.1 + ca-certificates@20240203~22.04.1 - openssl@3.0.2-0ubuntu1.16 + openssl@3.0.2-0ubuntu1.18 @@ -735,202 +735,6 @@

      References

      More about this vulnerability

  • -
    -
    -

    CVE-2024-6119

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - openssl/libssl3 -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v2.10.16 and openssl/libssl3@3.0.2-0ubuntu1.16 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - cyrus-sasl2/libsasl2-modules@2.1.27+dfsg2-3ubuntu1.2 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - libfido2/libfido2-1@1.10.0-1 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - openssh/openssh-client@1:8.9p1-3ubuntu0.10 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - ca-certificates@20230311ubuntu0.22.04.1 - - openssl@3.0.2-0ubuntu1.16 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - git@1:2.34.1-1ubuntu1.11 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - openssl@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - ca-certificates@20230311ubuntu0.22.04.1 - - openssl@3.0.2-0ubuntu1.16 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    Issue summary: Applications performing certificate name checks (e.g., TLS - clients checking server certificates) may attempt to read an invalid memory - address resulting in abnormal termination of the application process.

    -

    Impact summary: Abnormal termination of an application can a cause a denial of - service.

    -

    Applications performing certificate name checks (e.g., TLS clients checking - server certificates) may attempt to read an invalid memory address when - comparing the expected name with an otherName subject alternative name of an - X.509 certificate. This may result in an exception that terminates the - application program.

    -

    Note that basic certificate chain validation (signatures, dates, ...) is not - affected, the denial of service can occur only when the application also - specifies an expected DNS name, Email address or IP address.

    -

    TLS servers rarely solicit client certificates, and even when they do, they - generally don't perform a name check against a reference identifier (expected - identity), but rather extract the presented identity after checking the - certificate chain. So TLS servers are generally not affected and the severity - of the issue is Moderate.

    -

    The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

    -

    Remediation

    -

    Upgrade Ubuntu:22.04 openssl to version 3.0.2-0ubuntu1.18 or higher.

    -

    References

    - - -
    - - -

    Information Exposure

    @@ -944,7 +748,7 @@

    Information Exposure

    • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.10.17/argoproj/argocd Dockerfile
    • Package Manager: ubuntu:22.04 @@ -957,7 +761,7 @@

      Information Exposure

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 and libgcrypt20@1.9.4-3ubuntu3 + docker-image|quay.io/argoproj/argocd@v2.10.17 and libgcrypt20@1.9.4-3ubuntu3
    @@ -970,7 +774,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 libgcrypt20@1.9.4-3ubuntu3 @@ -979,7 +783,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/dirmngr@2.2.27-3ubuntu2.1 @@ -990,7 +794,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -1001,11 +805,11 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 - apt@2.4.12 + apt@2.4.13 - apt/libapt-pkg6.0@2.4.12 + apt/libapt-pkg6.0@2.4.13 libgcrypt20@1.9.4-3ubuntu3 @@ -1014,9 +818,9 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 - apt@2.4.12 + apt@2.4.13 gnupg2/gpgv@2.2.27-3ubuntu2.1 @@ -1027,7 +831,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -1040,7 +844,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -1053,7 +857,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -1066,7 +870,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -1079,7 +883,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -1092,7 +896,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -1105,11 +909,11 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 - apt@2.4.12 + apt@2.4.13 - apt/libapt-pkg6.0@2.4.12 + apt/libapt-pkg6.0@2.4.13 systemd/libsystemd0@249.11-0ubuntu3.12 @@ -1157,7 +961,7 @@

      CVE-2024-26462

      • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.10.17/argoproj/argocd Dockerfile
      • Package Manager: ubuntu:22.04 @@ -1170,7 +974,7 @@

        CVE-2024-26462

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 and krb5/libk5crypto3@1.19.2-2ubuntu0.3 + docker-image|quay.io/argoproj/argocd@v2.10.17 and krb5/libk5crypto3@1.19.2-2ubuntu0.4
      @@ -1183,16 +987,16 @@

      Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 - krb5/libk5crypto3@1.19.2-2ubuntu0.3 + krb5/libk5crypto3@1.19.2-2ubuntu0.4
      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 adduser@3.118ubuntu5 @@ -1204,16 +1008,16 @@

        Detailed paths

        libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4 - krb5/libk5crypto3@1.19.2-2ubuntu0.3 + krb5/libk5crypto3@1.19.2-2ubuntu0.4
      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 adduser@3.118ubuntu5 @@ -1225,27 +1029,27 @@

        Detailed paths

        libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4 - krb5/libkrb5-3@1.19.2-2ubuntu0.3 + krb5/libkrb5-3@1.19.2-2ubuntu0.4 - krb5/libk5crypto3@1.19.2-2ubuntu0.3 + krb5/libk5crypto3@1.19.2-2ubuntu0.4
      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 - krb5/libkrb5-3@1.19.2-2ubuntu0.3 + krb5/libkrb5-3@1.19.2-2ubuntu0.4
      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 adduser@3.118ubuntu5 @@ -1257,64 +1061,64 @@

        Detailed paths

        libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4 - krb5/libkrb5-3@1.19.2-2ubuntu0.3 + krb5/libkrb5-3@1.19.2-2ubuntu0.4
      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4
      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 openssh/openssh-client@1:8.9p1-3ubuntu0.10 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4
      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 git@1:2.34.1-1ubuntu1.11 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.18 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4
      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 git@1:2.34.1-1ubuntu1.11 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.18 libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4
      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 adduser@3.118ubuntu5 @@ -1326,16 +1130,16 @@

        Detailed paths

        libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4
      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 - krb5/libkrb5support0@1.19.2-2ubuntu0.3 + krb5/libkrb5support0@1.19.2-2ubuntu0.4 @@ -1367,7 +1171,7 @@

        References

    -

    CVE-2024-37371

    +

    Denial of Service (DoS)

    @@ -1378,20 +1182,20 @@

    CVE-2024-37371

    • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.10.17/argoproj/argo-cd/v2 /usr/local/bin/argocd
    • - Package Manager: ubuntu:22.04 + Package Manager: golang
    • Vulnerable module: - krb5/libk5crypto3 + github.com/rs/cors
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 and krb5/libk5crypto3@1.19.2-2ubuntu0.3 + github.com/argoproj/argo-cd/v2@* and github.com/rs/cors@v1.9.0
    @@ -1404,159 +1208,161 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libk5crypto3@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 + github.com/argoproj/argo-cd/v2@* - krb5/libk5crypto3@1.19.2-2ubuntu0.3 + github.com/rs/cors@v1.9.0
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - +
    - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - +
  • - -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Denial of Service (DoS) through the processing of malicious preflight requests that include a Access-Control-Request-Headers header with excessive commas. An attacker can induce excessive memory consumption and potentially crash the server by sending specially crafted requests.

    +

    PoC

    +
    
    +        func BenchmarkPreflightAdversarialACRH(b *testing.B) {
    +            resps := makeFakeResponses(b.N)
    +            req, _ := http.NewRequest(http.MethodOptions, dummyEndpoint, nil)
    +            req.Header.Add(headerOrigin, dummyOrigin)
    +            req.Header.Add(headerACRM, http.MethodGet)
    +            req.Header[headerACRH] = adversarialACRH
    +            handler := Default().Handler(testHandler)
             
    -                            
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - openssh/openssh-client@1:8.9p1-3ubuntu0.10 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - + b.ReportAllocs() + b.ResetTimer() + for i := 0; i < b.N; i++ { + handler.ServeHTTP(resps[i], req) + } + } -
  • -
  • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - git@1:2.34.1-1ubuntu1.11 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - + var adversarialACRH []string -
  • -
  • + func init() { // populates adversarialACRH + n := int(math.Floor(math.Sqrt(http.DefaultMaxHeaderBytes))) + commas := strings.Repeat(",", n) + res := make([]string, n) + for i := range res { + res[i] = commas + } + adversarialACRH = res + } + +

    Details

    +

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

    +

    Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

    +

    One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

    +

    When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

    +

    Two common types of DoS vulnerabilities:

    +
      +
    • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

      +
    • +
    • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

      +
    • +
    +

    Remediation

    +

    Upgrade github.com/rs/cors to version 1.11.0 or higher.

    +

    References

    + + +
    + + + +
  • +
    +

    CVE-2023-4039

    +
    + +
    + medium severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.10.17/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + gcc-12/libstdc++6 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.10.17 and gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - git@1:2.34.1-1ubuntu1.11 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 - libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 - adduser@3.118ubuntu5 + apt@2.4.13 - shadow/passwd@1:4.8.1-2ubuntu2.2 + gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.17 - pam/libpam-modules@1.4.0-11ubuntu2.4 + apt@2.4.13 - libnsl/libnsl2@1.3.0-2build2 + apt/libapt-pkg6.0@2.4.13 - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.17 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + gcc-12/gcc-12-base@12.3.0-1ubuntu1~22.04
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 - krb5/libkrb5support0@1.19.2-2ubuntu0.3 + gcc-12/libgcc-s1@12.3.0-1ubuntu1~22.04 @@ -1568,38 +1374,50 @@

      Detailed paths


      NVD Description

      -

      Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. +

      Note: Versions mentioned in the description apply only to the upstream gcc-12 package and not the gcc-12 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      -

      In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.

      +

      DISPUTEDA failure in the -fstack-protector feature in GCC-based toolchains + that target AArch64 allows an attacker to exploit an existing buffer + overflow in dynamically-sized local variables in your application + without this being detected. This stack-protector failure only applies + to C99-style dynamically-sized local variables or those created using + alloca(). The stack-protector operates as intended for statically-sized + local variables.

      +

      The default behavior when the stack-protector + detects an overflow is to terminate your application, resulting in + controlled loss of availability. An attacker who can exploit a buffer + overflow without triggering the stack-protector might be able to change + program flow control to cause an uncontrolled loss of availability or to + go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.

      Remediation

      -

      Upgrade Ubuntu:22.04 krb5 to version 1.19.2-2ubuntu0.4 or higher.

      +

      There is no fixed version for Ubuntu:22.04 gcc-12.

      References


    -
    -

    CVE-2024-37370

    +
    +

    CVE-2023-7008

    -
    - medium severity +
    + low severity

    • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.10.17/argoproj/argocd Dockerfile
    • Package Manager: ubuntu:22.04 @@ -1607,12 +1425,12 @@

      CVE-2024-37370

    • Vulnerable module: - krb5/libk5crypto3 + systemd/libsystemd0
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 and krb5/libk5crypto3@1.19.2-2ubuntu0.3 + docker-image|quay.io/argoproj/argocd@v2.10.17 and systemd/libsystemd0@249.11-0ubuntu3.12
    @@ -1625,159 +1443,110 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 - krb5/libk5crypto3@1.19.2-2ubuntu0.3 + systemd/libsystemd0@249.11-0ubuntu3.12
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 + docker-image|quay.io/argoproj/argocd@v2.10.17 - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + apt@2.4.13 - krb5/libk5crypto3@1.19.2-2ubuntu0.3 + systemd/libsystemd0@249.11-0ubuntu3.12
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + docker-image|quay.io/argoproj/argocd@v2.10.17 - krb5/libkrb5-3@1.19.2-2ubuntu0.3 + procps/libprocps8@2:3.3.17-6ubuntu2.1 - krb5/libk5crypto3@1.19.2-2ubuntu0.3 + systemd/libsystemd0@249.11-0ubuntu3.12
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 + + util-linux@2.37.2-4ubuntu3.4 - krb5/libkrb5-3@1.19.2-2ubuntu0.3 + systemd/libsystemd0@249.11-0ubuntu3.12
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.10.17 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + util-linux/bsdutils@1:2.37.2-4ubuntu3.4 - krb5/libkrb5-3@1.19.2-2ubuntu0.3 + systemd/libsystemd0@249.11-0ubuntu3.12
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + apt@2.4.13 - openssh/openssh-client@1:8.9p1-3ubuntu0.10 + apt/libapt-pkg6.0@2.4.13 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + systemd/libsystemd0@249.11-0ubuntu3.12
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - git@1:2.34.1-1ubuntu1.11 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + systemd/libudev1@249.11-0ubuntu3.12
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - git@1:2.34.1-1ubuntu1.11 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 - libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 + libfido2/libfido2-1@1.10.0-1 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + systemd/libudev1@249.11-0ubuntu3.12
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 + docker-image|quay.io/argoproj/argocd@v2.10.17 - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 + util-linux@2.37.2-4ubuntu3.4 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + systemd/libudev1@249.11-0ubuntu3.12
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 + + apt@2.4.13 + + apt/libapt-pkg6.0@2.4.13 - krb5/libkrb5support0@1.19.2-2ubuntu0.3 + systemd/libudev1@249.11-0ubuntu3.12 @@ -1789,51 +1558,57 @@

      Detailed paths


      NVD Description

      -

      Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. +

      Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

      -

      In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.

      +

      A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.

      Remediation

      -

      Upgrade Ubuntu:22.04 krb5 to version 1.19.2-2ubuntu0.4 or higher.

      +

      There is no fixed version for Ubuntu:22.04 systemd.

      References


    -
    -

    Denial of Service (DoS)

    +
    +

    Arbitrary Code Injection

    -
    - medium severity +
    + low severity

    • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.10.17/argoproj/argocd Dockerfile
    • - Package Manager: golang + Package Manager: ubuntu:22.04
    • Vulnerable module: - github.com/rs/cors + shadow/passwd
    • Introduced through: - github.com/argoproj/argo-cd/v2@* and github.com/rs/cors@v1.9.0 + docker-image|quay.io/argoproj/argocd@v2.10.17 and shadow/passwd@1:4.8.1-2ubuntu2.2
    @@ -1846,119 +1621,40 @@

    Detailed paths

    • Introduced through: - github.com/argoproj/argo-cd/v2@* + docker-image|quay.io/argoproj/argocd@v2.10.17 - github.com/rs/cors@v1.9.0 + shadow/passwd@1:4.8.1-2ubuntu2.2
    • -
    +
  • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.17 + + adduser@3.118ubuntu5 + + shadow/passwd@1:4.8.1-2ubuntu2.2 + + -
  • + +
  • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.17 + + openssh/openssh-client@1:8.9p1-3ubuntu0.10 + + shadow/passwd@1:4.8.1-2ubuntu2.2 + + -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Denial of Service (DoS) through the processing of malicious preflight requests that include a Access-Control-Request-Headers header with excessive commas. An attacker can induce excessive memory consumption and potentially crash the server by sending specially crafted requests.

    -

    PoC

    -
    
    -        func BenchmarkPreflightAdversarialACRH(b *testing.B) {
    -            resps := makeFakeResponses(b.N)
    -            req, _ := http.NewRequest(http.MethodOptions, dummyEndpoint, nil)
    -            req.Header.Add(headerOrigin, dummyOrigin)
    -            req.Header.Add(headerACRM, http.MethodGet)
    -            req.Header[headerACRH] = adversarialACRH
    -            handler := Default().Handler(testHandler)
    -        
    -            b.ReportAllocs()
    -            b.ResetTimer()
    -            for i := 0; i < b.N; i++ {
    -                handler.ServeHTTP(resps[i], req)
    -            }
    -        }
    -        
    -        var adversarialACRH []string
    -        
    -        func init() { // populates adversarialACRH
    -            n := int(math.Floor(math.Sqrt(http.DefaultMaxHeaderBytes)))
    -            commas := strings.Repeat(",", n)
    -            res := make([]string, n)
    -            for i := range res {
    -                res[i] = commas
    -            }
    -            adversarialACRH = res
    -        }
    -        
    -

    Details

    -

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

    -

    Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

    -

    One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

    -

    When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

    -

    Two common types of DoS vulnerabilities:

    -
      -
    • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

      -
    • -
    • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

      -
    • -
    -

    Remediation

    -

    Upgrade github.com/rs/cors to version 1.11.0 or higher.

    -

    References

    - - -
    - - - -
  • -
    -

    Insertion of Sensitive Information into Log File

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argo-cd/v2 /usr/local/bin/argocd -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - github.com/hashicorp/go-retryablehttp -
    • - -
    • Introduced through: - - github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-retryablehttp@v0.7.4 - -
    • -
    - -
    - - -

    Detailed paths

    - -
    -
    -

    CVE-2023-4039

    +
    +

    Uncontrolled Recursion

    -
    - medium severity +
    + low severity

    • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.10.17/argoproj/argocd Dockerfile
    • Package Manager: ubuntu:22.04 @@ -2006,12 +1707,12 @@

      CVE-2023-4039

    • Vulnerable module: - gcc-12/libstdc++6 + pcre3/libpcre3
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 and gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04 + docker-image|quay.io/argoproj/argocd@v2.10.17 and pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1
    @@ -2024,51 +1725,20 @@

    Detailed paths

    -
    +

    Integer Overflow or Wraparound

    -
    - medium severity +
    + low severity

    • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.10.17/argoproj/argocd Dockerfile
    • Package Manager: ubuntu:22.04 @@ -2131,13 +1795,13 @@

      Integer Overflow or Wraparound

    • Vulnerable module: - expat/libexpat1 + pcre2/libpcre2-8-0
    • Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.17 and pcre2/libpcre2-8-0@10.39-3ubuntu0.1 - docker-image|quay.io/argoproj/argocd@v2.10.16, git@1:2.34.1-1ubuntu1.11 and others
    @@ -2149,11 +1813,9 @@

    Detailed paths

    -
    -

    XML External Entity (XXE) Injection

    +
    +

    Release of Invalid Pointer or Reference

    -
    - medium severity +
    + low severity

    • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.10.17/argoproj/argocd Dockerfile
    • Package Manager: ubuntu:22.04 @@ -2204,13 +1866,13 @@

      XML External Entity (XXE) Injection

    • Vulnerable module: - expat/libexpat1 + patch
    • Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.17 and patch@2.7.6-7build2 - docker-image|quay.io/argoproj/argocd@v2.10.16, git@1:2.34.1-1ubuntu1.11 and others
    @@ -2222,11 +1884,9 @@

    Detailed paths

    -
    -

    Integer Overflow or Wraparound

    +
    +

    Double Free

    -
    - medium severity +
    + low severity

    • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.10.17/argoproj/argocd Dockerfile
    • Package Manager: ubuntu:22.04 @@ -2277,13 +1936,13 @@

      Integer Overflow or Wraparound

    • Vulnerable module: - expat/libexpat1 + patch
    • Introduced through: + docker-image|quay.io/argoproj/argocd@v2.10.17 and patch@2.7.6-7build2 - docker-image|quay.io/argoproj/argocd@v2.10.16, git@1:2.34.1-1ubuntu1.11 and others
    @@ -2295,11 +1954,9 @@

    Detailed paths

    -
    -

    Out-of-bounds Read

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v2.10.16, git@1:2.34.1-1ubuntu1.11 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - git@1:2.34.1-1ubuntu1.11 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    libcurl's ASN1 parser code has the GTime2str() function, used for parsing an - ASN.1 Generalized Time field. If given an syntactically incorrect field, the - parser might end up using -1 for the length of the time fraction, leading to - a strlen() getting performed on a pointer to a heap buffer area that is not - (purposely) null terminated.

    -

    This flaw most likely leads to a crash, but can also lead to heap contents - getting returned to the application when - CURLINFO_CERTINFO is used.

    -

    Remediation

    -

    Upgrade Ubuntu:22.04 curl to version 7.81.0-1ubuntu1.17 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2024-8096

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v2.10.16, git@1:2.34.1-1ubuntu1.11 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - git@1:2.34.1-1ubuntu1.11 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.

    -

    Remediation

    -

    Upgrade Ubuntu:22.04 curl to version 7.81.0-1ubuntu1.18 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2023-7008

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - systemd/libsystemd0 -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v2.10.16 and systemd/libsystemd0@249.11-0ubuntu3.12 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - systemd/libsystemd0@249.11-0ubuntu3.12 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - apt@2.4.12 - - systemd/libsystemd0@249.11-0ubuntu3.12 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - procps/libprocps8@2:3.3.17-6ubuntu2.1 - - systemd/libsystemd0@249.11-0ubuntu3.12 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - util-linux@2.37.2-4ubuntu3.4 - - systemd/libsystemd0@249.11-0ubuntu3.12 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - util-linux/bsdutils@1:2.37.2-4ubuntu3.4 - - systemd/libsystemd0@249.11-0ubuntu3.12 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - apt@2.4.12 - - apt/libapt-pkg6.0@2.4.12 - - systemd/libsystemd0@249.11-0ubuntu3.12 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - systemd/libudev1@249.11-0ubuntu3.12 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - libfido2/libfido2-1@1.10.0-1 - - systemd/libudev1@249.11-0ubuntu3.12 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - util-linux@2.37.2-4ubuntu3.4 - - systemd/libudev1@249.11-0ubuntu3.12 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - apt@2.4.12 - - apt/libapt-pkg6.0@2.4.12 - - systemd/libudev1@249.11-0ubuntu3.12 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 systemd.

    -

    References

    - - -
    - - - -
    -
    -

    Arbitrary Code Injection

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - shadow/passwd -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v2.10.16 and shadow/passwd@1:4.8.1-2ubuntu2.2 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - openssh/openssh-client@1:8.9p1-3ubuntu0.10 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - shadow/login@1:4.8.1-2ubuntu2.2 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 shadow.

    -

    References

    - - -
    - - - -
    -
    -

    Uncontrolled Recursion

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - pcre3/libpcre3 -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v2.10.16 and pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - grep@3.7-1build1 - - pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream pcre3 package and not the pcre3 package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 pcre3.

    -

    References

    - - -
    - - - -
    -
    -

    Release of Invalid Pointer or Reference

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - patch -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v2.10.16 and patch@2.7.6-7build2 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - patch@2.7.6-7build2 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 patch.

    -

    References

    - - -
    - - - -
    -
    -

    Double Free

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - patch -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v2.10.16 and patch@2.7.6-7build2 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - patch@2.7.6-7build2 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:22.04 patch.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2024-2511

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - openssl/libssl3 -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v2.10.16 and openssl/libssl3@3.0.2-0ubuntu1.16 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - cyrus-sasl2/libsasl2-modules@2.1.27+dfsg2-3ubuntu1.2 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - libfido2/libfido2-1@1.10.0-1 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - openssh/openssh-client@1:8.9p1-3ubuntu0.10 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - ca-certificates@20230311ubuntu0.22.04.1 - - openssl@3.0.2-0ubuntu1.16 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - git@1:2.34.1-1ubuntu1.11 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - openssl@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - ca-certificates@20230311ubuntu0.22.04.1 - - openssl@3.0.2-0ubuntu1.16 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    Issue summary: Some non-default TLS server configurations can cause unbounded - memory growth when processing TLSv1.3 sessions

    -

    Impact summary: An attacker may exploit certain server configurations to trigger - unbounded memory growth that would lead to a Denial of Service

    -

    This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is - being used (but not if early_data support is also configured and the default - anti-replay protection is in use). In this case, under certain conditions, the - session cache can get into an incorrect state and it will fail to flush properly - as it fills. The session cache will continue to grow in an unbounded manner. A - malicious client could deliberately create the scenario for this failure to - force a Denial of Service. It may also happen by accident in normal operation.

    -

    This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS - clients.

    -

    The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL - 1.0.2 is also not affected by this issue.

    -

    Remediation

    -

    Upgrade Ubuntu:22.04 openssl to version 3.0.2-0ubuntu1.17 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2024-4603

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - openssl/libssl3 -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v2.10.16 and openssl/libssl3@3.0.2-0ubuntu1.16 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - cyrus-sasl2/libsasl2-modules@2.1.27+dfsg2-3ubuntu1.2 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - libfido2/libfido2-1@1.10.0-1 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - openssh/openssh-client@1:8.9p1-3ubuntu0.10 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - ca-certificates@20230311ubuntu0.22.04.1 - - openssl@3.0.2-0ubuntu1.16 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - git@1:2.34.1-1ubuntu1.11 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - openssl@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - ca-certificates@20230311ubuntu0.22.04.1 - - openssl@3.0.2-0ubuntu1.16 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    Issue summary: Checking excessively long DSA keys or parameters may be very - slow.

    -

    Impact summary: Applications that use the functions EVP_PKEY_param_check() - or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may - experience long delays. Where the key or parameters that are being checked - have been obtained from an untrusted source this may lead to a Denial of - Service.

    -

    The functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform - various checks on DSA parameters. Some of those computations take a long time - if the modulus (p parameter) is too large.

    -

    Trying to use a very large modulus is slow and OpenSSL will not allow using - public keys with a modulus which is over 10,000 bits in length for signature - verification. However the key and parameter check functions do not limit - the modulus size when performing the checks.

    -

    An application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check() - and supplies a key or parameters obtained from an untrusted source could be - vulnerable to a Denial of Service attack.

    -

    These functions are not called by OpenSSL itself on untrusted DSA keys so - only applications that directly call these functions may be vulnerable.

    -

    Also vulnerable are the OpenSSL pkey and pkeyparam command line applications - when using the -check option.

    -

    The OpenSSL SSL/TLS implementation is not affected by this issue.

    -

    The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.

    -

    Remediation

    -

    Upgrade Ubuntu:22.04 openssl to version 3.0.2-0ubuntu1.17 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2024-4741

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - openssl/libssl3 -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v2.10.16 and openssl/libssl3@3.0.2-0ubuntu1.16 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - cyrus-sasl2/libsasl2-modules@2.1.27+dfsg2-3ubuntu1.2 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - libfido2/libfido2-1@1.10.0-1 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - openssh/openssh-client@1:8.9p1-3ubuntu0.10 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - ca-certificates@20230311ubuntu0.22.04.1 - - openssl@3.0.2-0ubuntu1.16 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - git@1:2.34.1-1ubuntu1.11 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - openssl@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - ca-certificates@20230311ubuntu0.22.04.1 - - openssl@3.0.2-0ubuntu1.16 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    This vulnerability has not been analyzed by NVD yet.

    -

    Remediation

    -

    Upgrade Ubuntu:22.04 openssl to version 3.0.2-0ubuntu1.17 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2024-5535

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - openssl/libssl3 -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v2.10.16 and openssl/libssl3@3.0.2-0ubuntu1.16 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - cyrus-sasl2/libsasl2-modules@2.1.27+dfsg2-3ubuntu1.2 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - libfido2/libfido2-1@1.10.0-1 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - openssh/openssh-client@1:8.9p1-3ubuntu0.10 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - ca-certificates@20230311ubuntu0.22.04.1 - - openssl@3.0.2-0ubuntu1.16 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - git@1:2.34.1-1ubuntu1.11 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 - - libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - adduser@3.118ubuntu5 - - shadow/passwd@1:4.8.1-2ubuntu2.2 - - pam/libpam-modules@1.4.0-11ubuntu2.4 - - libnsl/libnsl2@1.3.0-2build2 - - libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 - - krb5/libkrb5-3@1.19.2-2ubuntu0.3 - - openssl/libssl3@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - openssl@3.0.2-0ubuntu1.16 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 - - ca-certificates@20230311ubuntu0.22.04.1 - - openssl@3.0.2-0ubuntu1.16 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an - empty supported client protocols buffer may cause a crash or memory contents to - be sent to the peer.

    -

    Impact summary: A buffer overread can have a range of potential consequences - such as unexpected application beahviour or a crash. In particular this issue - could result in up to 255 bytes of arbitrary private data from memory being sent - to the peer leading to a loss of confidentiality. However, only applications - that directly call the SSL_select_next_proto function with a 0 length list of - supported client protocols are affected by this issue. This would normally never - be a valid scenario and is typically not under attacker control but may occur by - accident in the case of a configuration or programming error in the calling - application.

    -

    The OpenSSL API function SSL_select_next_proto is typically used by TLS - applications that support ALPN (Application Layer Protocol Negotiation) or NPN - (Next Protocol Negotiation). NPN is older, was never standardised and - is deprecated in favour of ALPN. We believe that ALPN is significantly more - widely deployed than NPN. The SSL_select_next_proto function accepts a list of - protocols from the server and a list of protocols from the client and returns - the first protocol that appears in the server list that also appears in the - client list. In the case of no overlap between the two lists it returns the - first item in the client list. In either case it will signal whether an overlap - between the two lists was found. In the case where SSL_select_next_proto is - called with a zero length client list it fails to notice this condition and - returns the memory immediately following the client list pointer (and reports - that there was no overlap in the lists).

    -

    This function is typically called from a server side application callback for - ALPN or a client side application callback for NPN. In the case of ALPN the list - of protocols supplied by the client is guaranteed by libssl to never be zero in - length. The list of server protocols comes from the application and should never - normally be expected to be of zero length. In this case if the - SSL_select_next_proto function has been called as expected (with the list - supplied by the client passed in the client/client_len parameters), then the - application will not be vulnerable to this issue. If the application has - accidentally been configured with a zero length server list, and has - accidentally passed that zero length server list in the client/client_len - parameters, and has additionally failed to correctly handle a "no overlap" - response (which would normally result in a handshake failure in ALPN) then it - will be vulnerable to this problem.

    -

    In the case of NPN, the protocol permits the client to opportunistically select - a protocol when there is no overlap. OpenSSL returns the first client protocol - in the no overlap case in support of this. The list of client protocols comes - from the application and should never normally be expected to be of zero length. - However if the SSL_select_next_proto function is accidentally called with a - client_len of 0 then an invalid memory pointer will be returned instead. If the - application uses this output as the opportunistic protocol then the loss of - confidentiality will occur.

    -

    This issue has been assessed as Low severity because applications are most - likely to be vulnerable if they are using NPN instead of ALPN - but NPN is not - widely used. It also requires an application configuration or programming error. - Finally, this issue would not typically be under attacker control making active - exploitation unlikely.

    -

    The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

    -

    Due to the low severity of this issue we are not issuing new releases of - OpenSSL at this time. The fix will be included in the next releases when they - become available.

    -

    Remediation

    -

    Upgrade Ubuntu:22.04 openssl to version 3.0.2-0ubuntu1.17 or higher.

    -

    References

    - - -
    - -
    @@ -3817,7 +2003,7 @@

    CVE-2023-50495

    • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.10.17/argoproj/argocd Dockerfile
    • Package Manager: ubuntu:22.04 @@ -3830,7 +2016,7 @@

      CVE-2023-50495

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 and ncurses/libtinfo6@6.3-2ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.10.17 and ncurses/libtinfo6@6.3-2ubuntu0.1
    @@ -3843,7 +2029,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 ncurses/libtinfo6@6.3-2ubuntu0.1 @@ -3852,7 +2038,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 bash@5.1-6ubuntu1.1 @@ -3863,7 +2049,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 ncurses/libncursesw6@6.3-2ubuntu0.1 @@ -3874,7 +2060,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 less@590-1ubuntu0.22.04.3 @@ -3885,7 +2071,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 libedit/libedit2@3.1-20210910-1build1 @@ -3896,7 +2082,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 ncurses/libncurses6@6.3-2ubuntu0.1 @@ -3907,7 +2093,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 ncurses/ncurses-bin@6.3-2ubuntu0.1 @@ -3918,7 +2104,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 procps@2:3.3.17-6ubuntu2.1 @@ -3929,7 +2115,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 util-linux@2.37.2-4ubuntu3.4 @@ -3940,7 +2126,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -3955,7 +2141,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3970,7 +2156,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 ncurses/libncursesw6@6.3-2ubuntu0.1 @@ -3979,7 +2165,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 procps@2:3.3.17-6ubuntu2.1 @@ -3990,7 +2176,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -4005,7 +2191,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 ncurses/libncurses6@6.3-2ubuntu0.1 @@ -4014,7 +2200,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 procps@2:3.3.17-6ubuntu2.1 @@ -4025,7 +2211,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 ncurses/ncurses-base@6.3-2ubuntu0.1 @@ -4034,7 +2220,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 ncurses/ncurses-bin@6.3-2ubuntu0.1 @@ -4081,7 +2267,7 @@

      CVE-2023-45918

      • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.10.17/argoproj/argocd Dockerfile
      • Package Manager: ubuntu:22.04 @@ -4094,7 +2280,7 @@

        CVE-2023-45918

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 and ncurses/libtinfo6@6.3-2ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.10.17 and ncurses/libtinfo6@6.3-2ubuntu0.1
      @@ -4107,7 +2293,7 @@

      Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 ncurses/libtinfo6@6.3-2ubuntu0.1 @@ -4116,7 +2302,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 bash@5.1-6ubuntu1.1 @@ -4127,7 +2313,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 ncurses/libncursesw6@6.3-2ubuntu0.1 @@ -4138,7 +2324,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 less@590-1ubuntu0.22.04.3 @@ -4149,7 +2335,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 libedit/libedit2@3.1-20210910-1build1 @@ -4160,7 +2346,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 ncurses/libncurses6@6.3-2ubuntu0.1 @@ -4171,7 +2357,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 ncurses/ncurses-bin@6.3-2ubuntu0.1 @@ -4182,7 +2368,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 procps@2:3.3.17-6ubuntu2.1 @@ -4193,7 +2379,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 util-linux@2.37.2-4ubuntu3.4 @@ -4204,7 +2390,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -4219,7 +2405,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -4234,7 +2420,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 ncurses/libncursesw6@6.3-2ubuntu0.1 @@ -4243,7 +2429,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 procps@2:3.3.17-6ubuntu2.1 @@ -4254,7 +2440,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -4269,7 +2455,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 ncurses/libncurses6@6.3-2ubuntu0.1 @@ -4278,7 +2464,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 procps@2:3.3.17-6ubuntu2.1 @@ -4289,7 +2475,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 ncurses/ncurses-base@6.3-2ubuntu0.1 @@ -4298,7 +2484,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 ncurses/ncurses-bin@6.3-2ubuntu0.1 @@ -4343,7 +2529,7 @@

        Resource Exhaustion

        • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.10.17/argoproj/argocd Dockerfile
        • Package Manager: ubuntu:22.04 @@ -4356,7 +2542,7 @@

          Resource Exhaustion

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 and libzstd/libzstd1@1.4.8+dfsg-3build1 + docker-image|quay.io/argoproj/argocd@v2.10.17 and libzstd/libzstd1@1.4.8+dfsg-3build1
        @@ -4369,7 +2555,7 @@

        Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 libzstd/libzstd1@1.4.8+dfsg-3build1 @@ -4420,7 +2606,7 @@

          Integer Overflow or Wraparound

          • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.10.17/argoproj/argocd Dockerfile
          • Package Manager: ubuntu:22.04 @@ -4433,7 +2619,7 @@

            Integer Overflow or Wraparound

          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 and krb5/libk5crypto3@1.19.2-2ubuntu0.3 + docker-image|quay.io/argoproj/argocd@v2.10.17 and krb5/libk5crypto3@1.19.2-2ubuntu0.4
          @@ -4446,16 +2632,16 @@

          Detailed paths

          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 - krb5/libk5crypto3@1.19.2-2ubuntu0.3 + krb5/libk5crypto3@1.19.2-2ubuntu0.4
          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 adduser@3.118ubuntu5 @@ -4467,16 +2653,16 @@

            Detailed paths

            libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4 - krb5/libk5crypto3@1.19.2-2ubuntu0.3 + krb5/libk5crypto3@1.19.2-2ubuntu0.4
          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 adduser@3.118ubuntu5 @@ -4488,27 +2674,27 @@

            Detailed paths

            libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4 - krb5/libkrb5-3@1.19.2-2ubuntu0.3 + krb5/libkrb5-3@1.19.2-2ubuntu0.4 - krb5/libk5crypto3@1.19.2-2ubuntu0.3 + krb5/libk5crypto3@1.19.2-2ubuntu0.4
          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 - krb5/libkrb5-3@1.19.2-2ubuntu0.3 + krb5/libkrb5-3@1.19.2-2ubuntu0.4
          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 adduser@3.118ubuntu5 @@ -4520,64 +2706,64 @@

            Detailed paths

            libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4 - krb5/libkrb5-3@1.19.2-2ubuntu0.3 + krb5/libkrb5-3@1.19.2-2ubuntu0.4
          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4
          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 openssh/openssh-client@1:8.9p1-3ubuntu0.10 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4
          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 git@1:2.34.1-1ubuntu1.11 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.18 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4
          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 git@1:2.34.1-1ubuntu1.11 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.18 libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4
          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 adduser@3.118ubuntu5 @@ -4589,16 +2775,16 @@

            Detailed paths

            libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4
          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 - krb5/libkrb5support0@1.19.2-2ubuntu0.3 + krb5/libkrb5support0@1.19.2-2ubuntu0.4 @@ -4644,7 +2830,7 @@

            CVE-2024-26461

            • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.10.17/argoproj/argocd Dockerfile
            • Package Manager: ubuntu:22.04 @@ -4657,7 +2843,7 @@

              CVE-2024-26461

            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 and krb5/libk5crypto3@1.19.2-2ubuntu0.3 + docker-image|quay.io/argoproj/argocd@v2.10.17 and krb5/libk5crypto3@1.19.2-2ubuntu0.4
            @@ -4670,16 +2856,16 @@

            Detailed paths

            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 - krb5/libk5crypto3@1.19.2-2ubuntu0.3 + krb5/libk5crypto3@1.19.2-2ubuntu0.4
            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 adduser@3.118ubuntu5 @@ -4691,16 +2877,16 @@

              Detailed paths

              libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4 - krb5/libk5crypto3@1.19.2-2ubuntu0.3 + krb5/libk5crypto3@1.19.2-2ubuntu0.4
            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 adduser@3.118ubuntu5 @@ -4712,27 +2898,27 @@

              Detailed paths

              libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4 - krb5/libkrb5-3@1.19.2-2ubuntu0.3 + krb5/libkrb5-3@1.19.2-2ubuntu0.4 - krb5/libk5crypto3@1.19.2-2ubuntu0.3 + krb5/libk5crypto3@1.19.2-2ubuntu0.4
            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 - krb5/libkrb5-3@1.19.2-2ubuntu0.3 + krb5/libkrb5-3@1.19.2-2ubuntu0.4
            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 adduser@3.118ubuntu5 @@ -4744,64 +2930,64 @@

              Detailed paths

              libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4 - krb5/libkrb5-3@1.19.2-2ubuntu0.3 + krb5/libkrb5-3@1.19.2-2ubuntu0.4
            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4
            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 openssh/openssh-client@1:8.9p1-3ubuntu0.10 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4
            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 git@1:2.34.1-1ubuntu1.11 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.18 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4
            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 git@1:2.34.1-1ubuntu1.11 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.18 libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4
            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 adduser@3.118ubuntu5 @@ -4813,16 +2999,16 @@

              Detailed paths

              libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4
            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 - krb5/libkrb5support0@1.19.2-2ubuntu0.3 + krb5/libkrb5support0@1.19.2-2ubuntu0.4 @@ -4865,7 +3051,7 @@

              CVE-2024-26458

              • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.10.17/argoproj/argocd Dockerfile
              • Package Manager: ubuntu:22.04 @@ -4878,7 +3064,7 @@

                CVE-2024-26458

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 and krb5/libk5crypto3@1.19.2-2ubuntu0.3 + docker-image|quay.io/argoproj/argocd@v2.10.17 and krb5/libk5crypto3@1.19.2-2ubuntu0.4
              @@ -4891,16 +3077,16 @@

              Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 - krb5/libk5crypto3@1.19.2-2ubuntu0.3 + krb5/libk5crypto3@1.19.2-2ubuntu0.4
              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 adduser@3.118ubuntu5 @@ -4912,16 +3098,16 @@

                Detailed paths

                libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4 - krb5/libk5crypto3@1.19.2-2ubuntu0.3 + krb5/libk5crypto3@1.19.2-2ubuntu0.4
              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 adduser@3.118ubuntu5 @@ -4933,27 +3119,27 @@

                Detailed paths

                libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4 - krb5/libkrb5-3@1.19.2-2ubuntu0.3 + krb5/libkrb5-3@1.19.2-2ubuntu0.4 - krb5/libk5crypto3@1.19.2-2ubuntu0.3 + krb5/libk5crypto3@1.19.2-2ubuntu0.4
              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 - krb5/libkrb5-3@1.19.2-2ubuntu0.3 + krb5/libkrb5-3@1.19.2-2ubuntu0.4
              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 adduser@3.118ubuntu5 @@ -4965,64 +3151,64 @@

                Detailed paths

                libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4 - krb5/libkrb5-3@1.19.2-2ubuntu0.3 + krb5/libkrb5-3@1.19.2-2ubuntu0.4
              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4
              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 openssh/openssh-client@1:8.9p1-3ubuntu0.10 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4
              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 git@1:2.34.1-1ubuntu1.11 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.18 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4
              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 git@1:2.34.1-1ubuntu1.11 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.16 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.18 libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4
              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 adduser@3.118ubuntu5 @@ -5034,16 +3220,16 @@

                Detailed paths

                libtirpc/libtirpc3@1.3.2-2ubuntu0.1 - krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.3 + krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4
              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 - krb5/libkrb5support0@1.19.2-2ubuntu0.3 + krb5/libkrb5support0@1.19.2-2ubuntu0.4 @@ -5086,7 +3272,7 @@

                Out-of-bounds Write

                • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.10.17/argoproj/argocd Dockerfile
                • Package Manager: ubuntu:22.04 @@ -5099,7 +3285,7 @@

                  Out-of-bounds Write

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 and gnupg2/gpgv@2.2.27-3ubuntu2.1 + docker-image|quay.io/argoproj/argocd@v2.10.17 and gnupg2/gpgv@2.2.27-3ubuntu2.1
                @@ -5112,7 +3298,7 @@

                Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gpgv@2.2.27-3ubuntu2.1 @@ -5121,9 +3307,9 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 - apt@2.4.12 + apt@2.4.13 gnupg2/gpgv@2.2.27-3ubuntu2.1 @@ -5132,7 +3318,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -5143,7 +3329,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/dirmngr@2.2.27-3ubuntu2.1 @@ -5154,7 +3340,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -5165,7 +3351,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -5178,7 +3364,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -5191,7 +3377,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/dirmngr@2.2.27-3ubuntu2.1 @@ -5200,7 +3386,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -5211,7 +3397,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -5224,7 +3410,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gnupg-l10n@2.2.27-3ubuntu2.1 @@ -5233,7 +3419,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -5244,7 +3430,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gnupg-utils@2.2.27-3ubuntu2.1 @@ -5253,7 +3439,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -5264,7 +3450,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -5273,7 +3459,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -5284,7 +3470,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -5297,7 +3483,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -5310,7 +3496,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gpg-agent@2.2.27-3ubuntu2.1 @@ -5319,7 +3505,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -5330,7 +3516,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -5343,7 +3529,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -5356,7 +3542,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gpg-wks-client@2.2.27-3ubuntu2.1 @@ -5365,7 +3551,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -5376,7 +3562,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gpg-wks-server@2.2.27-3ubuntu2.1 @@ -5385,7 +3571,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -5396,7 +3582,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gpgsm@2.2.27-3ubuntu2.1 @@ -5405,7 +3591,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -5416,7 +3602,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -5465,7 +3651,7 @@

                  Allocation of Resources Without Limits or Throttling

                • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.10.17/argoproj/argocd Dockerfile
                • Package Manager: ubuntu:22.04 @@ -5478,7 +3664,7 @@

                  Allocation of Resources Without Limits or Throttling

                  Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 and glibc/libc-bin@2.35-0ubuntu3.8 + docker-image|quay.io/argoproj/argocd@v2.10.17 and glibc/libc-bin@2.35-0ubuntu3.8
                @@ -5491,7 +3677,7 @@

                Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 glibc/libc-bin@2.35-0ubuntu3.8 @@ -5500,7 +3686,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 glibc/libc6@2.35-0ubuntu3.8 @@ -5546,7 +3732,7 @@

                  Improper Input Validation

                  • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.10.17/argoproj/argocd Dockerfile
                  • Package Manager: ubuntu:22.04 @@ -5560,7 +3746,7 @@

                    Improper Input Validation

                  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16, git@1:2.34.1-1ubuntu1.11 and others + docker-image|quay.io/argoproj/argocd@v2.10.17, git@1:2.34.1-1ubuntu1.11 and others
                  @@ -5572,7 +3758,7 @@

                  Detailed paths

                  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 git@1:2.34.1-1ubuntu1.11 @@ -5583,7 +3769,7 @@

                    Detailed paths

                  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 git@1:2.34.1-1ubuntu1.11 @@ -5592,7 +3778,7 @@

                    Detailed paths

                  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 git-lfs@3.0.2-1ubuntu0.2 @@ -5639,7 +3825,7 @@

                    Uncontrolled Recursion

                    • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.10.17/argoproj/argocd Dockerfile
                    • Package Manager: ubuntu:22.04 @@ -5652,7 +3838,7 @@

                      Uncontrolled Recursion

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 and gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04 + docker-image|quay.io/argoproj/argocd@v2.10.17 and gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04
                    @@ -5665,7 +3851,7 @@

                    Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04 @@ -5674,9 +3860,9 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 - apt@2.4.12 + apt@2.4.13 gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04 @@ -5685,11 +3871,11 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 - apt@2.4.12 + apt@2.4.13 - apt/libapt-pkg6.0@2.4.12 + apt/libapt-pkg6.0@2.4.13 gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04 @@ -5698,7 +3884,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gcc-12/gcc-12-base@12.3.0-1ubuntu1~22.04 @@ -5707,7 +3893,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 gcc-12/libgcc-s1@12.3.0-1ubuntu1~22.04 @@ -5754,7 +3940,7 @@

                      Improper Input Validation

                      • - Manifest file: quay.io/argoproj/argocd:v2.10.16/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.10.17/argoproj/argocd Dockerfile
                      • Package Manager: ubuntu:22.04 @@ -5767,7 +3953,7 @@

                        Improper Input Validation

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 and coreutils@8.32-4.1ubuntu1.2 + docker-image|quay.io/argoproj/argocd@v2.10.17 and coreutils@8.32-4.1ubuntu1.2
                      @@ -5780,7 +3966,7 @@

                      Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.10.16 + docker-image|quay.io/argoproj/argocd@v2.10.17 coreutils@8.32-4.1ubuntu1.2 diff --git a/docs/snyk/v2.10.16/redis_7.0.15-alpine.html b/docs/snyk/v2.10.17/redis_7.0.15-alpine.html similarity index 99% rename from docs/snyk/v2.10.16/redis_7.0.15-alpine.html rename to docs/snyk/v2.10.17/redis_7.0.15-alpine.html index a425e2171384a..e8cd91da460fa 100644 --- a/docs/snyk/v2.10.16/redis_7.0.15-alpine.html +++ b/docs/snyk/v2.10.17/redis_7.0.15-alpine.html @@ -456,7 +456,7 @@

                        Snyk test report

                        -

                        September 22nd 2024, 12:28:59 am (UTC+00:00)

                        +

                        September 29th 2024, 12:30:18 am (UTC+00:00)

                        Scanned the following paths: diff --git a/docs/snyk/v2.11.8/argocd-iac-install.html b/docs/snyk/v2.11.9/argocd-iac-install.html similarity index 99% rename from docs/snyk/v2.11.8/argocd-iac-install.html rename to docs/snyk/v2.11.9/argocd-iac-install.html index e3753708b8045..b62e07a600cc5 100644 --- a/docs/snyk/v2.11.8/argocd-iac-install.html +++ b/docs/snyk/v2.11.9/argocd-iac-install.html @@ -456,7 +456,7 @@

                        Snyk test report

                        -

                        September 22nd 2024, 12:28:02 am (UTC+00:00)

                        +

                        September 29th 2024, 12:29:17 am (UTC+00:00)

                        Scanned the following path: diff --git a/docs/snyk/v2.11.8/argocd-iac-namespace-install.html b/docs/snyk/v2.11.9/argocd-iac-namespace-install.html similarity index 99% rename from docs/snyk/v2.11.8/argocd-iac-namespace-install.html rename to docs/snyk/v2.11.9/argocd-iac-namespace-install.html index 1e254b4038b83..a0959c9fb14e8 100644 --- a/docs/snyk/v2.11.8/argocd-iac-namespace-install.html +++ b/docs/snyk/v2.11.9/argocd-iac-namespace-install.html @@ -456,7 +456,7 @@

                        Snyk test report

                        -

                        September 22nd 2024, 12:28:10 am (UTC+00:00)

                        +

                        September 29th 2024, 12:29:27 am (UTC+00:00)

                        Scanned the following path: diff --git a/docs/snyk/v2.11.8/argocd-test.html b/docs/snyk/v2.11.9/argocd-test.html similarity index 90% rename from docs/snyk/v2.11.8/argocd-test.html rename to docs/snyk/v2.11.9/argocd-test.html index ed53a51bfbfd9..437aafe1de9f6 100644 --- a/docs/snyk/v2.11.8/argocd-test.html +++ b/docs/snyk/v2.11.9/argocd-test.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,7 +456,7 @@

                        Snyk test report

                        -

                        September 22nd 2024, 12:26:11 am (UTC+00:00)

                        +

                        September 29th 2024, 12:27:16 am (UTC+00:00)

                        Scanned the following paths: @@ -467,8 +467,8 @@

                        Snyk test report

                        -
                        7 known vulnerabilities
                        -
                        158 vulnerable dependency paths
                        +
                        4 known vulnerabilities
                        +
                        153 vulnerable dependency paths
                        2041 dependencies
                        @@ -3139,329 +3139,6 @@

                        References

                        More about this vulnerability

                        -
                        -
                        -

                        Prototype Pollution

                        -
                        - -
                        - high severity -
                        - -
                        - -
                          -
                        • - Manifest file: /argo-cd ui/yarn.lock -
                        • -
                        • - Package Manager: npm -
                        • -
                        • - Vulnerable module: - - dompurify -
                        • - -
                        • Introduced through: - - - argo-cd-ui@1.0.0, redoc@2.0.0-rc.64 and others -
                        • -
                        - -
                        - - -

                        Detailed paths

                        - -
                          -
                        • - Introduced through: - argo-cd-ui@1.0.0 - - redoc@2.0.0-rc.64 - - dompurify@2.3.6 - - - -
                        • -
                        - -
                        - -
                        - -

                        Overview

                        -

                        dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.

                        -

                        Affected versions of this package are vulnerable to Prototype Pollution due to improper user input sanitization through the depth-checking mechanism, an attacker can exploit this vulnerability by using special nesting techniques to create a malicious HTML file.

                        -

                        Details

                        -

                        Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

                        -

                        There are two main ways in which the pollution of prototypes occurs:

                        -
                          -
                        • Unsafe Object recursive merge

                          -
                        • -
                        • Property definition by path

                          -
                        • -
                        -

                        Unsafe Object recursive merge

                        -

                        The logic of a vulnerable recursive merge function follows the following high-level model:

                        -
                        merge (target, source)
                        -        
                        -          foreach property of source
                        -        
                        -            if property exists and is an object on both the target and the source
                        -        
                        -              merge(target[property], source[property])
                        -        
                        -            else
                        -        
                        -              target[property] = source[property]
                        -        
                        -
                        - -

                        When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

                        -

                        Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

                        -

                        lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

                        -

                        Property definition by path

                        -

                        There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

                        -

                        If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

                        -

                        Types of attacks

                        -

                        There are a few methods by which Prototype Pollution can be manipulated:

                        - - - - - - - - - - - - - - - - - - - - - - - -
                        TypeOriginShort description
                        Denial of service (DoS)ClientThis is the most likely attack.
                        DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
                        The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
                        For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
                        Remote Code ExecutionClientRemote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
                        For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
                        Property InjectionClientThe attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
                        For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.
                        -

                        Affected environments

                        -

                        The following environments are susceptible to a Prototype Pollution attack:

                        -
                          -
                        • Application server

                          -
                        • -
                        • Web server

                          -
                        • -
                        • Web browser

                          -
                        • -
                        -

                        How to prevent

                        -
                          -
                        1. Freeze the prototype— use Object.freeze (Object.prototype).

                          -
                        2. -
                        3. Require schema validation of JSON input.

                          -
                        4. -
                        5. Avoid using unsafe recursive merge functions.

                          -
                        6. -
                        7. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

                          -
                        8. -
                        9. As a best practice use Map instead of Object.

                          -
                        10. -
                        -

                        For more information on this vulnerability type:

                        -

                        Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

                        -

                        Remediation

                        -

                        Upgrade dompurify to version 2.5.4, 3.1.3 or higher.

                        -

                        References

                        - - -
                        - - - -
                        -
                        -

                        Regular Expression Denial of Service (ReDoS)

                        -
                        - -
                        - medium severity -
                        - -
                        - -
                          -
                        • - Manifest file: /argo-cd ui/yarn.lock -
                        • -
                        • - Package Manager: npm -
                        • -
                        • - Vulnerable module: - - path-to-regexp -
                        • - -
                        • Introduced through: - - - argo-cd-ui@1.0.0, react-router@4.3.1 and others -
                        • -
                        - -
                        - - -

                        Detailed paths

                        - -
                          -
                        • - Introduced through: - argo-cd-ui@1.0.0 - - react-router@4.3.1 - - path-to-regexp@1.8.0 - - - -
                        • -
                        • - Introduced through: - argo-cd-ui@1.0.0 - - react-router-dom@4.3.1 - - react-router@4.3.1 - - path-to-regexp@1.8.0 - - - -
                        • -
                        • - Introduced through: - argo-cd-ui@1.0.0 - - argo-ui@1.0.0 - - react-router-dom@4.3.1 - - react-router@4.3.1 - - path-to-regexp@1.8.0 - - - -
                        • -
                        - -
                        - -
                        - -

                        Overview

                        -

                        Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when including multiple regular expression parameters in a single segment, which will produce the regular expression /^\/([^\/]+?)-([^\/]+?)\/?$/, if two parameters within a single segment are separated by a character other than a / or .. Poor performance will block the event loop and can lead to a DoS.

                        -

                        Note: - While the 8.0.0 release has completely eliminated the vulnerable functionality, prior versions that have received the patch to mitigate backtracking may still be vulnerable if custom regular expressions are used. So it is strongly recommended for regular expression input to be controlled to avoid malicious performance degradation in those versions. This behavior is enforced as of version 7.1.0 via the strict option, which returns an error if a dangerous regular expression is detected.

                        -

                        Workaround

                        -

                        This vulnerability can be avoided by using a custom regular expression for parameters after the first in a segment, which excludes - and /.

                        -

                        PoC

                        -
                        /a${'-a'.repeat(8_000)}/a
                        -        
                        -

                        Details

                        -

                        Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

                        -

                        The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

                        -

                        Let’s take the following regular expression as an example:

                        -
                        regex = /A(B|C+)+D/
                        -        
                        -

                        This regular expression accomplishes the following:

                        -
                          -
                        • A The string must start with the letter 'A'
                        • -
                        • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
                        • -
                        • D Finally, we ensure this section of the string ends with a 'D'
                        • -
                        -

                        The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

                        -

                        It most cases, it doesn't take very long for a regex engine to find a match:

                        -
                        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
                        -        0.04s user 0.01s system 95% cpu 0.052 total
                        -        
                        -        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
                        -        1.79s user 0.02s system 99% cpu 1.812 total
                        -        
                        -

                        The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

                        -

                        Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

                        -

                        Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

                        -
                          -
                        1. CCC
                        2. -
                        3. CC+C
                        4. -
                        5. C+CC
                        6. -
                        7. C+C+C.
                        8. -
                        -

                        The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

                        -

                        From there, the number of steps the engine must use to validate a string just continues to grow.

                        - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                        StringNumber of C'sNumber of steps
                        ACCCX338
                        ACCCCX471
                        ACCCCCX5136
                        ACCCCCCCCCCCCCCX1465,553
                        -

                        By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

                        -

                        Remediation

                        -

                        Upgrade path-to-regexp to version 0.1.10, 1.9.0, 3.3.0, 6.3.0, 8.0.0 or higher.

                        -

                        References

                        - - -
                        - - -

                        Denial of Service (DoS)

                        @@ -3889,81 +3566,6 @@

                        References

    -
    -

    Template Injection

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: /argo-cd ui/yarn.lock -
    • -
    • - Package Manager: npm -
    • -
    • - Vulnerable module: - - dompurify -
    • - -
    • Introduced through: - - - argo-cd-ui@1.0.0, redoc@2.0.0-rc.64 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - argo-cd-ui@1.0.0 - - redoc@2.0.0-rc.64 - - dompurify@2.3.6 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.

    -

    Affected versions of this package are vulnerable to Template Injection in purify.js, due to inconsistencies in the parsing of XML and HTML tags. Executable code can be injected in HTML inside XML CDATA blocks.

    -

    PoC

    -
    <![CDATA[ ><img src onerror=alert(1)> ]]>
    -        
    -

    Remediation

    -

    Upgrade dompurify to version 2.4.9, 3.0.11 or higher.

    -

    References

    - - -
    - - - -
    diff --git a/docs/snyk/v2.11.8/ghcr.io_dexidp_dex_v2.38.0.html b/docs/snyk/v2.11.9/ghcr.io_dexidp_dex_v2.38.0.html similarity index 99% rename from docs/snyk/v2.11.8/ghcr.io_dexidp_dex_v2.38.0.html rename to docs/snyk/v2.11.9/ghcr.io_dexidp_dex_v2.38.0.html index 3c41c7b540880..6d0b619f0d3f8 100644 --- a/docs/snyk/v2.11.8/ghcr.io_dexidp_dex_v2.38.0.html +++ b/docs/snyk/v2.11.9/ghcr.io_dexidp_dex_v2.38.0.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    September 22nd 2024, 12:26:16 am (UTC+00:00)

    +

    September 29th 2024, 12:27:25 am (UTC+00:00)

    Scanned the following paths: diff --git a/docs/snyk/v2.10.16/haproxy_2.6.14-alpine.html b/docs/snyk/v2.11.9/haproxy_2.6.14-alpine.html similarity index 99% rename from docs/snyk/v2.10.16/haproxy_2.6.14-alpine.html rename to docs/snyk/v2.11.9/haproxy_2.6.14-alpine.html index 9020dc61d54b1..264da1c984cfc 100644 --- a/docs/snyk/v2.10.16/haproxy_2.6.14-alpine.html +++ b/docs/snyk/v2.11.9/haproxy_2.6.14-alpine.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    September 22nd 2024, 12:28:38 am (UTC+00:00)

    +

    September 29th 2024, 12:27:33 am (UTC+00:00)

    Scanned the following path: diff --git a/docs/snyk/v2.11.8/quay.io_argoproj_argocd_v2.11.8.html b/docs/snyk/v2.11.9/quay.io_argoproj_argocd_v2.11.9.html similarity index 91% rename from docs/snyk/v2.11.8/quay.io_argoproj_argocd_v2.11.8.html rename to docs/snyk/v2.11.9/quay.io_argoproj_argocd_v2.11.9.html index 0a77724bd2238..e90dee98a37b2 100644 --- a/docs/snyk/v2.11.8/quay.io_argoproj_argocd_v2.11.8.html +++ b/docs/snyk/v2.11.9/quay.io_argoproj_argocd_v2.11.9.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,22 +456,22 @@

    Snyk test report

    -

    September 22nd 2024, 12:26:39 am (UTC+00:00)

    +

    September 29th 2024, 12:27:53 am (UTC+00:00)

    Scanned the following paths:
      -
    • quay.io/argoproj/argocd:v2.11.8/argoproj/argocd/Dockerfile (deb)
    • -
    • quay.io/argoproj/argocd:v2.11.8/argoproj/argo-cd/v2//usr/local/bin/argocd (gomodules)
    • -
    • quay.io/argoproj/argocd:v2.11.8//usr/local/bin/kustomize (gomodules)
    • -
    • quay.io/argoproj/argocd:v2.11.8/helm/v3//usr/local/bin/helm (gomodules)
    • -
    • quay.io/argoproj/argocd:v2.11.8/git-lfs/git-lfs//usr/bin/git-lfs (gomodules)
    • +
    • quay.io/argoproj/argocd:v2.11.9/argoproj/argocd/Dockerfile (deb)
    • +
    • quay.io/argoproj/argocd:v2.11.9/argoproj/argo-cd/v2//usr/local/bin/argocd (gomodules)
    • +
    • quay.io/argoproj/argocd:v2.11.9//usr/local/bin/kustomize (gomodules)
    • +
    • quay.io/argoproj/argocd:v2.11.9/helm/v3//usr/local/bin/helm (gomodules)
    • +
    • quay.io/argoproj/argocd:v2.11.9/git-lfs/git-lfs//usr/bin/git-lfs (gomodules)
    -
    27 known vulnerabilities
    -
    173 vulnerable dependency paths
    +
    24 known vulnerabilities
    +
    170 vulnerable dependency paths
    2280 dependencies
    @@ -492,7 +492,7 @@

    Allocation of Resources Without Limits or Throttling

  • - Manifest file: quay.io/argoproj/argocd:v2.11.8/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.11.9/argoproj/argo-cd/v2 /usr/local/bin/argocd
  • Package Manager: golang @@ -572,7 +572,7 @@

    CVE-2024-41996

    • - Manifest file: quay.io/argoproj/argocd:v2.11.8/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.11.9/argoproj/argocd Dockerfile
    • Package Manager: ubuntu:22.04 @@ -585,7 +585,7 @@

      CVE-2024-41996

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 and openssl/libssl3@3.0.2-0ubuntu1.18 + docker-image|quay.io/argoproj/argocd@v2.11.9 and openssl/libssl3@3.0.2-0ubuntu1.18
    @@ -598,7 +598,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 openssl/libssl3@3.0.2-0ubuntu1.18 @@ -607,7 +607,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 cyrus-sasl2/libsasl2-modules@2.1.27+dfsg2-3ubuntu1.2 @@ -618,7 +618,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 libfido2/libfido2-1@1.10.0-1 @@ -629,7 +629,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 openssh/openssh-client@1:8.9p1-3ubuntu0.10 @@ -640,9 +640,9 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 - ca-certificates@20230311ubuntu0.22.04.1 + ca-certificates@20240203~22.04.1 openssl@3.0.2-0ubuntu1.18 @@ -653,11 +653,11 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 git@1:2.34.1-1ubuntu1.11 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.17 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.18 libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 @@ -668,7 +668,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 adduser@3.118ubuntu5 @@ -691,7 +691,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 openssl@3.0.2-0ubuntu1.18 @@ -700,9 +700,9 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 - ca-certificates@20230311ubuntu0.22.04.1 + ca-certificates@20240203~22.04.1 openssl@3.0.2-0ubuntu1.18 @@ -748,7 +748,7 @@

      Information Exposure

      • - Manifest file: quay.io/argoproj/argocd:v2.11.8/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.11.9/argoproj/argocd Dockerfile
      • Package Manager: ubuntu:22.04 @@ -761,7 +761,7 @@

        Information Exposure

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 and libgcrypt20@1.9.4-3ubuntu3 + docker-image|quay.io/argoproj/argocd@v2.11.9 and libgcrypt20@1.9.4-3ubuntu3
      @@ -774,7 +774,7 @@

      Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 libgcrypt20@1.9.4-3ubuntu3 @@ -783,7 +783,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/dirmngr@2.2.27-3ubuntu2.1 @@ -794,7 +794,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -805,7 +805,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 apt@2.4.13 @@ -818,7 +818,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 apt@2.4.13 @@ -831,7 +831,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -844,7 +844,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -857,7 +857,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -870,7 +870,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -883,7 +883,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -896,7 +896,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -909,7 +909,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 apt@2.4.13 @@ -961,7 +961,7 @@

        CVE-2024-26462

        • - Manifest file: quay.io/argoproj/argocd:v2.11.8/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.11.9/argoproj/argocd Dockerfile
        • Package Manager: ubuntu:22.04 @@ -974,7 +974,7 @@

          CVE-2024-26462

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 and krb5/libk5crypto3@1.19.2-2ubuntu0.4 + docker-image|quay.io/argoproj/argocd@v2.11.9 and krb5/libk5crypto3@1.19.2-2ubuntu0.4
        @@ -987,7 +987,7 @@

        Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 krb5/libk5crypto3@1.19.2-2ubuntu0.4 @@ -996,7 +996,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 adduser@3.118ubuntu5 @@ -1017,7 +1017,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 adduser@3.118ubuntu5 @@ -1040,7 +1040,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 krb5/libkrb5-3@1.19.2-2ubuntu0.4 @@ -1049,7 +1049,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 adduser@3.118ubuntu5 @@ -1070,7 +1070,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4 @@ -1079,7 +1079,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 openssh/openssh-client@1:8.9p1-3ubuntu0.10 @@ -1090,11 +1090,11 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 git@1:2.34.1-1ubuntu1.11 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.17 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.18 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4 @@ -1103,11 +1103,11 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 git@1:2.34.1-1ubuntu1.11 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.17 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.18 libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 @@ -1118,7 +1118,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 adduser@3.118ubuntu5 @@ -1137,7 +1137,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 krb5/libkrb5support0@1.19.2-2ubuntu0.4 @@ -1182,7 +1182,7 @@

          Denial of Service (DoS)

          • - Manifest file: quay.io/argoproj/argocd:v2.11.8/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.11.9/argoproj/argo-cd/v2 /usr/local/bin/argocd
          • Package Manager: golang @@ -1292,7 +1292,7 @@

            Insertion of Sensitive Information into Log File

            • - Manifest file: quay.io/argoproj/argocd:v2.11.8/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.11.9/argoproj/argo-cd/v2 /usr/local/bin/argocd
            • Package Manager: golang @@ -1360,7 +1360,7 @@

              CVE-2023-4039

              • - Manifest file: quay.io/argoproj/argocd:v2.11.8/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.11.9/argoproj/argocd Dockerfile
              • Package Manager: ubuntu:22.04 @@ -1373,7 +1373,7 @@

                CVE-2023-4039

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 and gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04 + docker-image|quay.io/argoproj/argocd@v2.11.9 and gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04
              @@ -1386,7 +1386,7 @@

              Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04 @@ -1395,7 +1395,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 apt@2.4.13 @@ -1406,7 +1406,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 apt@2.4.13 @@ -1419,7 +1419,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gcc-12/gcc-12-base@12.3.0-1ubuntu1~22.04 @@ -1428,7 +1428,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gcc-12/libgcc-s1@12.3.0-1ubuntu1~22.04 @@ -1472,299 +1472,6 @@

                References

                More about this vulnerability

  • -
    -
    -

    Integer Overflow or Wraparound

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.11.8/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - expat/libexpat1 -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v2.11.8, git@1:2.34.1-1ubuntu1.11 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 - - git@1:2.34.1-1ubuntu1.11 - - expat/libexpat1@2.4.7-1ubuntu0.3 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).

    -

    Remediation

    -

    Upgrade Ubuntu:22.04 expat to version 2.4.7-1ubuntu0.4 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    XML External Entity (XXE) Injection

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.11.8/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - expat/libexpat1 -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v2.11.8, git@1:2.34.1-1ubuntu1.11 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 - - git@1:2.34.1-1ubuntu1.11 - - expat/libexpat1@2.4.7-1ubuntu0.3 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.

    -

    Remediation

    -

    Upgrade Ubuntu:22.04 expat to version 2.4.7-1ubuntu0.4 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Integer Overflow or Wraparound

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.11.8/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - expat/libexpat1 -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v2.11.8, git@1:2.34.1-1ubuntu1.11 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 - - git@1:2.34.1-1ubuntu1.11 - - expat/libexpat1@2.4.7-1ubuntu0.3 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).

    -

    Remediation

    -

    Upgrade Ubuntu:22.04 expat to version 2.4.7-1ubuntu0.4 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2024-8096

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v2.11.8/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:22.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v2.11.8, git@1:2.34.1-1ubuntu1.11 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 - - git@1:2.34.1-1ubuntu1.11 - - curl/libcurl3-gnutls@7.81.0-1ubuntu1.17 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. - See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    -

    When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.

    -

    Remediation

    -

    Upgrade Ubuntu:22.04 curl to version 7.81.0-1ubuntu1.18 or higher.

    -

    References

    - - -
    - - -

    CVE-2023-7008

    @@ -1778,7 +1485,7 @@

    CVE-2023-7008

    • - Manifest file: quay.io/argoproj/argocd:v2.11.8/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.11.9/argoproj/argocd Dockerfile
    • Package Manager: ubuntu:22.04 @@ -1791,7 +1498,7 @@

      CVE-2023-7008

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 and systemd/libsystemd0@249.11-0ubuntu3.12 + docker-image|quay.io/argoproj/argocd@v2.11.9 and systemd/libsystemd0@249.11-0ubuntu3.12
    @@ -1804,7 +1511,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 systemd/libsystemd0@249.11-0ubuntu3.12 @@ -1813,7 +1520,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 apt@2.4.13 @@ -1824,7 +1531,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 procps/libprocps8@2:3.3.17-6ubuntu2.1 @@ -1835,7 +1542,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 util-linux@2.37.2-4ubuntu3.4 @@ -1846,7 +1553,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 util-linux/bsdutils@1:2.37.2-4ubuntu3.4 @@ -1857,7 +1564,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 apt@2.4.13 @@ -1870,7 +1577,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 systemd/libudev1@249.11-0ubuntu3.12 @@ -1879,7 +1586,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 libfido2/libfido2-1@1.10.0-1 @@ -1890,7 +1597,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 util-linux@2.37.2-4ubuntu3.4 @@ -1901,7 +1608,7 @@

      Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 apt@2.4.13 @@ -1956,7 +1663,7 @@

      Arbitrary Code Injection

      • - Manifest file: quay.io/argoproj/argocd:v2.11.8/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.11.9/argoproj/argocd Dockerfile
      • Package Manager: ubuntu:22.04 @@ -1969,7 +1676,7 @@

        Arbitrary Code Injection

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 and shadow/passwd@1:4.8.1-2ubuntu2.2 + docker-image|quay.io/argoproj/argocd@v2.11.9 and shadow/passwd@1:4.8.1-2ubuntu2.2
      @@ -1982,7 +1689,7 @@

      Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 shadow/passwd@1:4.8.1-2ubuntu2.2 @@ -1991,7 +1698,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 adduser@3.118ubuntu5 @@ -2002,7 +1709,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 openssh/openssh-client@1:8.9p1-3ubuntu0.10 @@ -2013,7 +1720,7 @@

        Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 shadow/login@1:4.8.1-2ubuntu2.2 @@ -2060,7 +1767,7 @@

        Uncontrolled Recursion

        • - Manifest file: quay.io/argoproj/argocd:v2.11.8/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.11.9/argoproj/argocd Dockerfile
        • Package Manager: ubuntu:22.04 @@ -2073,7 +1780,7 @@

          Uncontrolled Recursion

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 and pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1 + docker-image|quay.io/argoproj/argocd@v2.11.9 and pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1
        @@ -2086,7 +1793,7 @@

        Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1 @@ -2095,7 +1802,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 grep@3.7-1build1 @@ -2135,6 +1842,77 @@

          References

          More about this vulnerability

    +
    +
    +

    Integer Overflow or Wraparound

    +
    + +
    + low severity +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v2.11.9/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:22.04 +
    • +
    • + Vulnerable module: + + pcre2/libpcre2-8-0 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v2.11.9 and pcre2/libpcre2-8-0@10.39-3ubuntu0.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v2.11.9 + + pcre2/libpcre2-8-0@10.39-3ubuntu0.1 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream pcre2 package and not the pcre2 package as distributed by Ubuntu. + See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

    +

    Integer overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other unspecified impacts via negative input.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:22.04 pcre2.

    +

    References

    + + +
    + + +

    Release of Invalid Pointer or Reference

    @@ -2148,7 +1926,7 @@

    Release of Invalid Pointer or Reference

    • - Manifest file: quay.io/argoproj/argocd:v2.11.8/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.11.9/argoproj/argocd Dockerfile
    • Package Manager: ubuntu:22.04 @@ -2161,7 +1939,7 @@

      Release of Invalid Pointer or Reference

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 and patch@2.7.6-7build2 + docker-image|quay.io/argoproj/argocd@v2.11.9 and patch@2.7.6-7build2
    @@ -2174,7 +1952,7 @@

    Detailed paths

    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 patch@2.7.6-7build2 @@ -2218,7 +1996,7 @@

      Double Free

      • - Manifest file: quay.io/argoproj/argocd:v2.11.8/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.11.9/argoproj/argocd Dockerfile
      • Package Manager: ubuntu:22.04 @@ -2231,7 +2009,7 @@

        Double Free

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 and patch@2.7.6-7build2 + docker-image|quay.io/argoproj/argocd@v2.11.9 and patch@2.7.6-7build2
      @@ -2244,7 +2022,7 @@

      Detailed paths

      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 patch@2.7.6-7build2 @@ -2293,7 +2071,7 @@

        CVE-2023-50495

        • - Manifest file: quay.io/argoproj/argocd:v2.11.8/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.11.9/argoproj/argocd Dockerfile
        • Package Manager: ubuntu:22.04 @@ -2306,7 +2084,7 @@

          CVE-2023-50495

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 and ncurses/libtinfo6@6.3-2ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.11.9 and ncurses/libtinfo6@6.3-2ubuntu0.1
        @@ -2319,7 +2097,7 @@

        Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 ncurses/libtinfo6@6.3-2ubuntu0.1 @@ -2328,7 +2106,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 bash@5.1-6ubuntu1.1 @@ -2339,7 +2117,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 ncurses/libncursesw6@6.3-2ubuntu0.1 @@ -2350,7 +2128,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 less@590-1ubuntu0.22.04.3 @@ -2361,7 +2139,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 libedit/libedit2@3.1-20210910-1build1 @@ -2372,7 +2150,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 ncurses/libncurses6@6.3-2ubuntu0.1 @@ -2383,7 +2161,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 ncurses/ncurses-bin@6.3-2ubuntu0.1 @@ -2394,7 +2172,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 procps@2:3.3.17-6ubuntu2.1 @@ -2405,7 +2183,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 util-linux@2.37.2-4ubuntu3.4 @@ -2416,7 +2194,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -2431,7 +2209,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2446,7 +2224,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 ncurses/libncursesw6@6.3-2ubuntu0.1 @@ -2455,7 +2233,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 procps@2:3.3.17-6ubuntu2.1 @@ -2466,7 +2244,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2481,7 +2259,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 ncurses/libncurses6@6.3-2ubuntu0.1 @@ -2490,7 +2268,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 procps@2:3.3.17-6ubuntu2.1 @@ -2501,7 +2279,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 ncurses/ncurses-base@6.3-2ubuntu0.1 @@ -2510,7 +2288,7 @@

          Detailed paths

        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 ncurses/ncurses-bin@6.3-2ubuntu0.1 @@ -2557,7 +2335,7 @@

          CVE-2023-45918

          • - Manifest file: quay.io/argoproj/argocd:v2.11.8/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.11.9/argoproj/argocd Dockerfile
          • Package Manager: ubuntu:22.04 @@ -2570,7 +2348,7 @@

            CVE-2023-45918

          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 and ncurses/libtinfo6@6.3-2ubuntu0.1 + docker-image|quay.io/argoproj/argocd@v2.11.9 and ncurses/libtinfo6@6.3-2ubuntu0.1
          @@ -2583,7 +2361,7 @@

          Detailed paths

          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 ncurses/libtinfo6@6.3-2ubuntu0.1 @@ -2592,7 +2370,7 @@

            Detailed paths

          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 bash@5.1-6ubuntu1.1 @@ -2603,7 +2381,7 @@

            Detailed paths

          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 ncurses/libncursesw6@6.3-2ubuntu0.1 @@ -2614,7 +2392,7 @@

            Detailed paths

          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 less@590-1ubuntu0.22.04.3 @@ -2625,7 +2403,7 @@

            Detailed paths

          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 libedit/libedit2@3.1-20210910-1build1 @@ -2636,7 +2414,7 @@

            Detailed paths

          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 ncurses/libncurses6@6.3-2ubuntu0.1 @@ -2647,7 +2425,7 @@

            Detailed paths

          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 ncurses/ncurses-bin@6.3-2ubuntu0.1 @@ -2658,7 +2436,7 @@

            Detailed paths

          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 procps@2:3.3.17-6ubuntu2.1 @@ -2669,7 +2447,7 @@

            Detailed paths

          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 util-linux@2.37.2-4ubuntu3.4 @@ -2680,7 +2458,7 @@

            Detailed paths

          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -2695,7 +2473,7 @@

            Detailed paths

          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2710,7 +2488,7 @@

            Detailed paths

          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 ncurses/libncursesw6@6.3-2ubuntu0.1 @@ -2719,7 +2497,7 @@

            Detailed paths

          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 procps@2:3.3.17-6ubuntu2.1 @@ -2730,7 +2508,7 @@

            Detailed paths

          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -2745,7 +2523,7 @@

            Detailed paths

          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 ncurses/libncurses6@6.3-2ubuntu0.1 @@ -2754,7 +2532,7 @@

            Detailed paths

          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 procps@2:3.3.17-6ubuntu2.1 @@ -2765,7 +2543,7 @@

            Detailed paths

          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 ncurses/ncurses-base@6.3-2ubuntu0.1 @@ -2774,7 +2552,7 @@

            Detailed paths

          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 ncurses/ncurses-bin@6.3-2ubuntu0.1 @@ -2819,7 +2597,7 @@

            Resource Exhaustion

            • - Manifest file: quay.io/argoproj/argocd:v2.11.8/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.11.9/argoproj/argocd Dockerfile
            • Package Manager: ubuntu:22.04 @@ -2832,7 +2610,7 @@

              Resource Exhaustion

            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 and libzstd/libzstd1@1.4.8+dfsg-3build1 + docker-image|quay.io/argoproj/argocd@v2.11.9 and libzstd/libzstd1@1.4.8+dfsg-3build1
            @@ -2845,7 +2623,7 @@

            Detailed paths

            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 libzstd/libzstd1@1.4.8+dfsg-3build1 @@ -2896,7 +2674,7 @@

              Integer Overflow or Wraparound

              • - Manifest file: quay.io/argoproj/argocd:v2.11.8/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.11.9/argoproj/argocd Dockerfile
              • Package Manager: ubuntu:22.04 @@ -2909,7 +2687,7 @@

                Integer Overflow or Wraparound

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 and krb5/libk5crypto3@1.19.2-2ubuntu0.4 + docker-image|quay.io/argoproj/argocd@v2.11.9 and krb5/libk5crypto3@1.19.2-2ubuntu0.4
              @@ -2922,7 +2700,7 @@

              Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 krb5/libk5crypto3@1.19.2-2ubuntu0.4 @@ -2931,7 +2709,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 adduser@3.118ubuntu5 @@ -2952,7 +2730,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 adduser@3.118ubuntu5 @@ -2975,7 +2753,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 krb5/libkrb5-3@1.19.2-2ubuntu0.4 @@ -2984,7 +2762,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 adduser@3.118ubuntu5 @@ -3005,7 +2783,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4 @@ -3014,7 +2792,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 openssh/openssh-client@1:8.9p1-3ubuntu0.10 @@ -3025,11 +2803,11 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 git@1:2.34.1-1ubuntu1.11 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.17 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.18 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4 @@ -3038,11 +2816,11 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 git@1:2.34.1-1ubuntu1.11 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.17 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.18 libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 @@ -3053,7 +2831,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 adduser@3.118ubuntu5 @@ -3072,7 +2850,7 @@

                Detailed paths

              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 krb5/libkrb5support0@1.19.2-2ubuntu0.4 @@ -3120,7 +2898,7 @@

                CVE-2024-26461

                • - Manifest file: quay.io/argoproj/argocd:v2.11.8/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.11.9/argoproj/argocd Dockerfile
                • Package Manager: ubuntu:22.04 @@ -3133,7 +2911,7 @@

                  CVE-2024-26461

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 and krb5/libk5crypto3@1.19.2-2ubuntu0.4 + docker-image|quay.io/argoproj/argocd@v2.11.9 and krb5/libk5crypto3@1.19.2-2ubuntu0.4
                @@ -3146,7 +2924,7 @@

                Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 krb5/libk5crypto3@1.19.2-2ubuntu0.4 @@ -3155,7 +2933,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 adduser@3.118ubuntu5 @@ -3176,7 +2954,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 adduser@3.118ubuntu5 @@ -3199,7 +2977,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 krb5/libkrb5-3@1.19.2-2ubuntu0.4 @@ -3208,7 +2986,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 adduser@3.118ubuntu5 @@ -3229,7 +3007,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4 @@ -3238,7 +3016,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 openssh/openssh-client@1:8.9p1-3ubuntu0.10 @@ -3249,11 +3027,11 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 git@1:2.34.1-1ubuntu1.11 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.17 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.18 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4 @@ -3262,11 +3040,11 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 git@1:2.34.1-1ubuntu1.11 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.17 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.18 libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 @@ -3277,7 +3055,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 adduser@3.118ubuntu5 @@ -3296,7 +3074,7 @@

                  Detailed paths

                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 krb5/libkrb5support0@1.19.2-2ubuntu0.4 @@ -3341,7 +3119,7 @@

                  CVE-2024-26458

                  • - Manifest file: quay.io/argoproj/argocd:v2.11.8/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.11.9/argoproj/argocd Dockerfile
                  • Package Manager: ubuntu:22.04 @@ -3354,7 +3132,7 @@

                    CVE-2024-26458

                  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 and krb5/libk5crypto3@1.19.2-2ubuntu0.4 + docker-image|quay.io/argoproj/argocd@v2.11.9 and krb5/libk5crypto3@1.19.2-2ubuntu0.4
                  @@ -3367,7 +3145,7 @@

                  Detailed paths

                  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 krb5/libk5crypto3@1.19.2-2ubuntu0.4 @@ -3376,7 +3154,7 @@

                    Detailed paths

                  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 adduser@3.118ubuntu5 @@ -3397,7 +3175,7 @@

                    Detailed paths

                  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 adduser@3.118ubuntu5 @@ -3420,7 +3198,7 @@

                    Detailed paths

                  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 krb5/libkrb5-3@1.19.2-2ubuntu0.4 @@ -3429,7 +3207,7 @@

                    Detailed paths

                  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 adduser@3.118ubuntu5 @@ -3450,7 +3228,7 @@

                    Detailed paths

                  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4 @@ -3459,7 +3237,7 @@

                    Detailed paths

                  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 openssh/openssh-client@1:8.9p1-3ubuntu0.10 @@ -3470,11 +3248,11 @@

                    Detailed paths

                  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 git@1:2.34.1-1ubuntu1.11 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.17 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.18 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.4 @@ -3483,11 +3261,11 @@

                    Detailed paths

                  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 git@1:2.34.1-1ubuntu1.11 - curl/libcurl3-gnutls@7.81.0-1ubuntu1.17 + curl/libcurl3-gnutls@7.81.0-1ubuntu1.18 libssh/libssh-4@0.9.6-2ubuntu0.22.04.3 @@ -3498,7 +3276,7 @@

                    Detailed paths

                  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 adduser@3.118ubuntu5 @@ -3517,7 +3295,7 @@

                    Detailed paths

                  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 krb5/libkrb5support0@1.19.2-2ubuntu0.4 @@ -3562,7 +3340,7 @@

                    Out-of-bounds Write

                    • - Manifest file: quay.io/argoproj/argocd:v2.11.8/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.11.9/argoproj/argocd Dockerfile
                    • Package Manager: ubuntu:22.04 @@ -3575,7 +3353,7 @@

                      Out-of-bounds Write

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 and gnupg2/gpgv@2.2.27-3ubuntu2.1 + docker-image|quay.io/argoproj/argocd@v2.11.9 and gnupg2/gpgv@2.2.27-3ubuntu2.1
                    @@ -3588,7 +3366,7 @@

                    Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gpgv@2.2.27-3ubuntu2.1 @@ -3597,7 +3375,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 apt@2.4.13 @@ -3608,7 +3386,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3619,7 +3397,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/dirmngr@2.2.27-3ubuntu2.1 @@ -3630,7 +3408,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -3641,7 +3419,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3654,7 +3432,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3667,7 +3445,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/dirmngr@2.2.27-3ubuntu2.1 @@ -3676,7 +3454,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3687,7 +3465,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3700,7 +3478,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gnupg-l10n@2.2.27-3ubuntu2.1 @@ -3709,7 +3487,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3720,7 +3498,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gnupg-utils@2.2.27-3ubuntu2.1 @@ -3729,7 +3507,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3740,7 +3518,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gpg@2.2.27-3ubuntu2.1 @@ -3749,7 +3527,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3760,7 +3538,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3773,7 +3551,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3786,7 +3564,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gpg-agent@2.2.27-3ubuntu2.1 @@ -3795,7 +3573,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3806,7 +3584,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3819,7 +3597,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3832,7 +3610,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gpg-wks-client@2.2.27-3ubuntu2.1 @@ -3841,7 +3619,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3852,7 +3630,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gpg-wks-server@2.2.27-3ubuntu2.1 @@ -3861,7 +3639,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3872,7 +3650,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gpgsm@2.2.27-3ubuntu2.1 @@ -3881,7 +3659,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3892,7 +3670,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gnupg2/gnupg@2.2.27-3ubuntu2.1 @@ -3941,7 +3719,7 @@

                      Allocation of Resources Without Limits or Throttling

                    • - Manifest file: quay.io/argoproj/argocd:v2.11.8/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.11.9/argoproj/argocd Dockerfile
                    • Package Manager: ubuntu:22.04 @@ -3954,7 +3732,7 @@

                      Allocation of Resources Without Limits or Throttling

                      Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 and glibc/libc-bin@2.35-0ubuntu3.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 and glibc/libc-bin@2.35-0ubuntu3.8
                    @@ -3967,7 +3745,7 @@

                    Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 glibc/libc-bin@2.35-0ubuntu3.8 @@ -3976,7 +3754,7 @@

                      Detailed paths

                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 glibc/libc6@2.35-0ubuntu3.8 @@ -4022,7 +3800,7 @@

                      Improper Input Validation

                      • - Manifest file: quay.io/argoproj/argocd:v2.11.8/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.11.9/argoproj/argocd Dockerfile
                      • Package Manager: ubuntu:22.04 @@ -4036,7 +3814,7 @@

                        Improper Input Validation

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8, git@1:2.34.1-1ubuntu1.11 and others + docker-image|quay.io/argoproj/argocd@v2.11.9, git@1:2.34.1-1ubuntu1.11 and others
                      @@ -4048,7 +3826,7 @@

                      Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 git@1:2.34.1-1ubuntu1.11 @@ -4059,7 +3837,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 git@1:2.34.1-1ubuntu1.11 @@ -4068,7 +3846,7 @@

                        Detailed paths

                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 git-lfs@3.0.2-1ubuntu0.2 @@ -4115,7 +3893,7 @@

                        Uncontrolled Recursion

                        • - Manifest file: quay.io/argoproj/argocd:v2.11.8/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.11.9/argoproj/argocd Dockerfile
                        • Package Manager: ubuntu:22.04 @@ -4128,7 +3906,7 @@

                          Uncontrolled Recursion

                        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 and gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04 + docker-image|quay.io/argoproj/argocd@v2.11.9 and gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04
                        @@ -4141,7 +3919,7 @@

                        Detailed paths

                        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04 @@ -4150,7 +3928,7 @@

                          Detailed paths

                        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 apt@2.4.13 @@ -4161,7 +3939,7 @@

                          Detailed paths

                        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 apt@2.4.13 @@ -4174,7 +3952,7 @@

                          Detailed paths

                        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gcc-12/gcc-12-base@12.3.0-1ubuntu1~22.04 @@ -4183,7 +3961,7 @@

                          Detailed paths

                        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 gcc-12/libgcc-s1@12.3.0-1ubuntu1~22.04 @@ -4230,7 +4008,7 @@

                          Improper Input Validation

                          • - Manifest file: quay.io/argoproj/argocd:v2.11.8/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.11.9/argoproj/argocd Dockerfile
                          • Package Manager: ubuntu:22.04 @@ -4243,7 +4021,7 @@

                            Improper Input Validation

                          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 and coreutils@8.32-4.1ubuntu1.2 + docker-image|quay.io/argoproj/argocd@v2.11.9 and coreutils@8.32-4.1ubuntu1.2
                          @@ -4256,7 +4034,7 @@

                          Detailed paths

                          • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.11.8 + docker-image|quay.io/argoproj/argocd@v2.11.9 coreutils@8.32-4.1ubuntu1.2 diff --git a/docs/snyk/v2.11.8/redis_7.0.15-alpine.html b/docs/snyk/v2.11.9/redis_7.0.15-alpine.html similarity index 99% rename from docs/snyk/v2.11.8/redis_7.0.15-alpine.html rename to docs/snyk/v2.11.9/redis_7.0.15-alpine.html index 1a6806f71cefa..b16cf040d4add 100644 --- a/docs/snyk/v2.11.8/redis_7.0.15-alpine.html +++ b/docs/snyk/v2.11.9/redis_7.0.15-alpine.html @@ -456,7 +456,7 @@

                            Snyk test report

                            -

                            September 22nd 2024, 12:26:43 am (UTC+00:00)

                            +

                            September 29th 2024, 12:27:58 am (UTC+00:00)

                            Scanned the following paths: diff --git a/docs/snyk/v2.12.3/argocd-test.html b/docs/snyk/v2.12.3/argocd-test.html deleted file mode 100644 index c5ace95defe54..0000000000000 --- a/docs/snyk/v2.12.3/argocd-test.html +++ /dev/null @@ -1,1086 +0,0 @@ - - - - - - - - - Snyk test report - - - - - - - - - -
                            -
                            -
                            -
                            - - - Snyk - Open Source Security - - - - - - - -
                            -

                            Snyk test report

                            - -

                            September 22nd 2024, 12:23:57 am (UTC+00:00)

                            -
                            -
                            - Scanned the following paths: -
                              -
                            • /argo-cd/argoproj/argo-cd/v2/go.mod (gomodules)
                            • -
                            • /argo-cd/ui/yarn.lock (yarn)
                            • -
                            -
                            - -
                            -
                            5 known vulnerabilities
                            -
                            7 vulnerable dependency paths
                            -
                            2061 dependencies
                            -
                            -
                            -
                            -
                            - -
                            -
                            -
                            -

                            Prototype Pollution

                            -
                            - -
                            - high severity -
                            - -
                            - -
                              -
                            • - Manifest file: /argo-cd ui/yarn.lock -
                            • -
                            • - Package Manager: npm -
                            • -
                            • - Vulnerable module: - - dompurify -
                            • - -
                            • Introduced through: - - - argo-cd-ui@1.0.0, redoc@2.0.0-rc.64 and others -
                            • -
                            - -
                            - - -

                            Detailed paths

                            - -
                              -
                            • - Introduced through: - argo-cd-ui@1.0.0 - - redoc@2.0.0-rc.64 - - dompurify@2.3.6 - - - -
                            • -
                            - -
                            - -
                            - -

                            Overview

                            -

                            dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.

                            -

                            Affected versions of this package are vulnerable to Prototype Pollution due to improper user input sanitization through the depth-checking mechanism, an attacker can exploit this vulnerability by using special nesting techniques to create a malicious HTML file.

                            -

                            Details

                            -

                            Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

                            -

                            There are two main ways in which the pollution of prototypes occurs:

                            -
                              -
                            • Unsafe Object recursive merge

                              -
                            • -
                            • Property definition by path

                              -
                            • -
                            -

                            Unsafe Object recursive merge

                            -

                            The logic of a vulnerable recursive merge function follows the following high-level model:

                            -
                            merge (target, source)
                            -        
                            -          foreach property of source
                            -        
                            -            if property exists and is an object on both the target and the source
                            -        
                            -              merge(target[property], source[property])
                            -        
                            -            else
                            -        
                            -              target[property] = source[property]
                            -        
                            -
                            - -

                            When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

                            -

                            Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

                            -

                            lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

                            -

                            Property definition by path

                            -

                            There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

                            -

                            If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

                            -

                            Types of attacks

                            -

                            There are a few methods by which Prototype Pollution can be manipulated:

                            - - - - - - - - - - - - - - - - - - - - - - - -
                            TypeOriginShort description
                            Denial of service (DoS)ClientThis is the most likely attack.
                            DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
                            The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
                            For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
                            Remote Code ExecutionClientRemote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
                            For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
                            Property InjectionClientThe attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
                            For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.
                            -

                            Affected environments

                            -

                            The following environments are susceptible to a Prototype Pollution attack:

                            -
                              -
                            • Application server

                              -
                            • -
                            • Web server

                              -
                            • -
                            • Web browser

                              -
                            • -
                            -

                            How to prevent

                            -
                              -
                            1. Freeze the prototype— use Object.freeze (Object.prototype).

                              -
                            2. -
                            3. Require schema validation of JSON input.

                              -
                            4. -
                            5. Avoid using unsafe recursive merge functions.

                              -
                            6. -
                            7. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

                              -
                            8. -
                            9. As a best practice use Map instead of Object.

                              -
                            10. -
                            -

                            For more information on this vulnerability type:

                            -

                            Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

                            -

                            Remediation

                            -

                            Upgrade dompurify to version 2.5.4, 3.1.3 or higher.

                            -

                            References

                            - - -
                            - - - -
                            -
                            -

                            Regular Expression Denial of Service (ReDoS)

                            -
                            - -
                            - medium severity -
                            - -
                            - -
                              -
                            • - Manifest file: /argo-cd ui/yarn.lock -
                            • -
                            • - Package Manager: npm -
                            • -
                            • - Vulnerable module: - - path-to-regexp -
                            • - -
                            • Introduced through: - - - argo-cd-ui@1.0.0, react-router@4.3.1 and others -
                            • -
                            - -
                            - - -

                            Detailed paths

                            - -
                              -
                            • - Introduced through: - argo-cd-ui@1.0.0 - - react-router@4.3.1 - - path-to-regexp@1.8.0 - - - -
                            • -
                            • - Introduced through: - argo-cd-ui@1.0.0 - - react-router-dom@4.3.1 - - react-router@4.3.1 - - path-to-regexp@1.8.0 - - - -
                            • -
                            • - Introduced through: - argo-cd-ui@1.0.0 - - argo-ui@1.0.0 - - react-router-dom@4.3.1 - - react-router@4.3.1 - - path-to-regexp@1.8.0 - - - -
                            • -
                            - -
                            - -
                            - -

                            Overview

                            -

                            Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when including multiple regular expression parameters in a single segment, which will produce the regular expression /^\/([^\/]+?)-([^\/]+?)\/?$/, if two parameters within a single segment are separated by a character other than a / or .. Poor performance will block the event loop and can lead to a DoS.

                            -

                            Note: - While the 8.0.0 release has completely eliminated the vulnerable functionality, prior versions that have received the patch to mitigate backtracking may still be vulnerable if custom regular expressions are used. So it is strongly recommended for regular expression input to be controlled to avoid malicious performance degradation in those versions. This behavior is enforced as of version 7.1.0 via the strict option, which returns an error if a dangerous regular expression is detected.

                            -

                            Workaround

                            -

                            This vulnerability can be avoided by using a custom regular expression for parameters after the first in a segment, which excludes - and /.

                            -

                            PoC

                            -
                            /a${'-a'.repeat(8_000)}/a
                            -        
                            -

                            Details

                            -

                            Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

                            -

                            The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

                            -

                            Let’s take the following regular expression as an example:

                            -
                            regex = /A(B|C+)+D/
                            -        
                            -

                            This regular expression accomplishes the following:

                            -
                              -
                            • A The string must start with the letter 'A'
                            • -
                            • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
                            • -
                            • D Finally, we ensure this section of the string ends with a 'D'
                            • -
                            -

                            The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

                            -

                            It most cases, it doesn't take very long for a regex engine to find a match:

                            -
                            $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
                            -        0.04s user 0.01s system 95% cpu 0.052 total
                            -        
                            -        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
                            -        1.79s user 0.02s system 99% cpu 1.812 total
                            -        
                            -

                            The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

                            -

                            Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

                            -

                            Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

                            -
                              -
                            1. CCC
                            2. -
                            3. CC+C
                            4. -
                            5. C+CC
                            6. -
                            7. C+C+C.
                            8. -
                            -

                            The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

                            -

                            From there, the number of steps the engine must use to validate a string just continues to grow.

                            - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                            StringNumber of C'sNumber of steps
                            ACCCX338
                            ACCCCX471
                            ACCCCCX5136
                            ACCCCCCCCCCCCCCX1465,553
                            -

                            By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

                            -

                            Remediation

                            -

                            Upgrade path-to-regexp to version 0.1.10, 1.9.0, 3.3.0, 6.3.0, 8.0.0 or higher.

                            -

                            References

                            - - -
                            - - - -
                            -
                            -

                            Denial of Service (DoS)

                            -
                            - -
                            - medium severity -
                            - -
                            - -
                              -
                            • - Manifest file: /argo-cd/argoproj/argo-cd/v2 go.mod -
                            • -
                            • - Package Manager: golang -
                            • -
                            • - Vulnerable module: - - github.com/rs/cors -
                            • - -
                            • Introduced through: - - - github.com/argoproj/argo-cd/v2@0.0.0, github.com/improbable-eng/grpc-web/go/grpcweb@0.15.0 and others -
                            • -
                            - -
                            - - -

                            Detailed paths

                            - -
                              -
                            • - Introduced through: - github.com/argoproj/argo-cd/v2@0.0.0 - - github.com/improbable-eng/grpc-web/go/grpcweb@0.15.0 - - github.com/rs/cors@1.9.0 - - - -
                            • -
                            - -
                            - -
                            - -

                            Overview

                            -

                            Affected versions of this package are vulnerable to Denial of Service (DoS) through the processing of malicious preflight requests that include a Access-Control-Request-Headers header with excessive commas. An attacker can induce excessive memory consumption and potentially crash the server by sending specially crafted requests.

                            -

                            PoC

                            -
                            
                            -        func BenchmarkPreflightAdversarialACRH(b *testing.B) {
                            -            resps := makeFakeResponses(b.N)
                            -            req, _ := http.NewRequest(http.MethodOptions, dummyEndpoint, nil)
                            -            req.Header.Add(headerOrigin, dummyOrigin)
                            -            req.Header.Add(headerACRM, http.MethodGet)
                            -            req.Header[headerACRH] = adversarialACRH
                            -            handler := Default().Handler(testHandler)
                            -        
                            -            b.ReportAllocs()
                            -            b.ResetTimer()
                            -            for i := 0; i < b.N; i++ {
                            -                handler.ServeHTTP(resps[i], req)
                            -            }
                            -        }
                            -        
                            -        var adversarialACRH []string
                            -        
                            -        func init() { // populates adversarialACRH
                            -            n := int(math.Floor(math.Sqrt(http.DefaultMaxHeaderBytes)))
                            -            commas := strings.Repeat(",", n)
                            -            res := make([]string, n)
                            -            for i := range res {
                            -                res[i] = commas
                            -            }
                            -            adversarialACRH = res
                            -        }
                            -        
                            -

                            Details

                            -

                            Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

                            -

                            Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

                            -

                            One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

                            -

                            When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

                            -

                            Two common types of DoS vulnerabilities:

                            -
                              -
                            • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

                              -
                            • -
                            • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

                              -
                            • -
                            -

                            Remediation

                            -

                            Upgrade github.com/rs/cors to version 1.11.0 or higher.

                            -

                            References

                            - - -
                            - - - -
                            -
                            -

                            Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

                            -
                            - -
                            - medium severity -
                            - -
                            - -
                              -
                            • - Manifest file: /argo-cd/argoproj/argo-cd/v2 go.mod -
                            • -
                            • - Package Manager: golang -
                            • -
                            • - Vulnerable module: - - github.com/Azure/azure-sdk-for-go/sdk/azidentity -
                            • - -
                            • Introduced through: - - - github.com/argoproj/argo-cd/v2@0.0.0, github.com/Azure/kubelogin/pkg/token@0.0.20 and others -
                            • -
                            - -
                            - - -

                            Detailed paths

                            - -
                              -
                            • - Introduced through: - github.com/argoproj/argo-cd/v2@0.0.0 - - github.com/Azure/kubelogin/pkg/token@0.0.20 - - github.com/Azure/azure-sdk-for-go/sdk/azidentity@1.1.0 - - - -
                            • -
                            - -
                            - -
                            - -

                            Overview

                            -

                            github.com/Azure/azure-sdk-for-go/sdk/azidentity is a module that provides Microsoft Entra ID (formerly Azure Active Directory) token authentication support across the Azure SDK. It includes a set of TokenCredential implementations, which can be used with Azure SDK clients supporting token authentication.

                            -

                            Affected versions of this package are vulnerable to Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in the authentication process. An attacker can elevate privileges by exploiting race conditions during the token validation steps. This is only exploitable if the application is configured to use multiple threads or processes for handling authentication requests.

                            -

                            Notes:

                            -
                              -
                            1. An attacker who successfully exploited the vulnerability could elevate privileges and read any file on the file system with SYSTEM access permissions;

                              -
                            2. -
                            3. An attacker who successfully exploits this vulnerability can only obtain read access to the system files by exploiting this vulnerability. The attacker cannot perform write or delete operations on the files;

                              -
                            4. -
                            5. The vulnerability exists in the following credential types: DefaultAzureCredential and ManagedIdentityCredential;

                              -
                            6. -
                            7. The vulnerability exists in the following credential types:

                              -
                            8. -
                            -

                            ManagedIdentityApplication (.NET)

                            -

                            ManagedIdentityApplication (Java)

                            -

                            ManagedIdentityApplication (Node.js)

                            -

                            Remediation

                            -

                            Upgrade github.com/Azure/azure-sdk-for-go/sdk/azidentity to version 1.6.0 or higher.

                            -

                            References

                            - - -
                            - - - -
                            -
                            -

                            Template Injection

                            -
                            - -
                            - medium severity -
                            - -
                            - -
                              -
                            • - Manifest file: /argo-cd ui/yarn.lock -
                            • -
                            • - Package Manager: npm -
                            • -
                            • - Vulnerable module: - - dompurify -
                            • - -
                            • Introduced through: - - - argo-cd-ui@1.0.0, redoc@2.0.0-rc.64 and others -
                            • -
                            - -
                            - - -

                            Detailed paths

                            - -
                              -
                            • - Introduced through: - argo-cd-ui@1.0.0 - - redoc@2.0.0-rc.64 - - dompurify@2.3.6 - - - -
                            • -
                            - -
                            - -
                            - -

                            Overview

                            -

                            dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.

                            -

                            Affected versions of this package are vulnerable to Template Injection in purify.js, due to inconsistencies in the parsing of XML and HTML tags. Executable code can be injected in HTML inside XML CDATA blocks.

                            -

                            PoC

                            -
                            <![CDATA[ ><img src onerror=alert(1)> ]]>
                            -        
                            -

                            Remediation

                            -

                            Upgrade dompurify to version 2.4.9, 3.0.11 or higher.

                            -

                            References

                            - - -
                            - - - -
                            -
                            -
                            -
                            - - -
                            diff --git a/docs/snyk/v2.12.3/argocd-iac-install.html b/docs/snyk/v2.12.4/argocd-iac-install.html
                            similarity index 99%
                            rename from docs/snyk/v2.12.3/argocd-iac-install.html
                            rename to docs/snyk/v2.12.4/argocd-iac-install.html
                            index 268b77b876e08..b5b02ee0ca563 100644
                            --- a/docs/snyk/v2.12.3/argocd-iac-install.html
                            +++ b/docs/snyk/v2.12.4/argocd-iac-install.html
                            @@ -456,7 +456,7 @@

                            Snyk test report

                            -

                            September 22nd 2024, 12:25:50 am (UTC+00:00)

                            +

                            September 29th 2024, 12:26:46 am (UTC+00:00)

                            Scanned the following path:
                            diff --git a/docs/snyk/v2.12.3/argocd-iac-namespace-install.html b/docs/snyk/v2.12.4/argocd-iac-namespace-install.html
                            similarity index 99%
                            rename from docs/snyk/v2.12.3/argocd-iac-namespace-install.html
                            rename to docs/snyk/v2.12.4/argocd-iac-namespace-install.html
                            index aab9b5b3686cb..da248ba9dee64 100644
                            --- a/docs/snyk/v2.12.3/argocd-iac-namespace-install.html
                            +++ b/docs/snyk/v2.12.4/argocd-iac-namespace-install.html
                            @@ -456,7 +456,7 @@

                            Snyk test report

                            -

                            September 22nd 2024, 12:25:59 am (UTC+00:00)

                            +

                            September 29th 2024, 12:26:56 am (UTC+00:00)

                            Scanned the following path:
                            diff --git a/docs/snyk/v2.12.4/argocd-test.html b/docs/snyk/v2.12.4/argocd-test.html
                            new file mode 100644
                            index 0000000000000..e0497b9c4f1fb
                            --- /dev/null
                            +++ b/docs/snyk/v2.12.4/argocd-test.html
                            @@ -0,0 +1,688 @@
                            + + + + + + + + + Snyk test report + + + + + + + + + +
                            +
                            +
                            +
                            + + + Snyk - Open Source Security + + + + + + + +
                            +

                            Snyk test report

                            + +

                            September 29th 2024, 12:24:45 am (UTC+00:00)

                            +
                            +
                            + Scanned the following paths: +
                              +
                            • /argo-cd/argoproj/argo-cd/v2/go.mod (gomodules)
                            • +
                            • /argo-cd/ui/yarn.lock (yarn)
                            • +
                            +
                            + +
                            +
                            2 known vulnerabilities
                            +
                            2 vulnerable dependency paths
                            +
                            2061 dependencies
                            +
                            +
                            +
                            +
                            + +
                            +
                            +
                            +

                            Denial of Service (DoS)

                            +
                            + +
                            + medium severity +
                            + +
                            + +
                              +
                            • + Manifest file: /argo-cd/argoproj/argo-cd/v2 go.mod +
                            • +
                            • + Package Manager: golang +
                            • +
                            • + Vulnerable module: + + github.com/rs/cors +
                            • + +
                            • Introduced through: + + + github.com/argoproj/argo-cd/v2@0.0.0, github.com/improbable-eng/grpc-web/go/grpcweb@0.15.0 and others +
                            • +
                            + +
                            + + +

                            Detailed paths

                            + +
                              +
                            • + Introduced through: + github.com/argoproj/argo-cd/v2@0.0.0 + + github.com/improbable-eng/grpc-web/go/grpcweb@0.15.0 + + github.com/rs/cors@1.9.0 + + + +
                            • +
                            + +
                            + +
                            + +

                            Overview

                            +

                            Affected versions of this package are vulnerable to Denial of Service (DoS) through the processing of malicious preflight requests that include a Access-Control-Request-Headers header with excessive commas. An attacker can induce excessive memory consumption and potentially crash the server by sending specially crafted requests.

                            +

                            PoC

                            +
                            
                            +        func BenchmarkPreflightAdversarialACRH(b *testing.B) {
                            +            resps := makeFakeResponses(b.N)
                            +            req, _ := http.NewRequest(http.MethodOptions, dummyEndpoint, nil)
                            +            req.Header.Add(headerOrigin, dummyOrigin)
                            +            req.Header.Add(headerACRM, http.MethodGet)
                            +            req.Header[headerACRH] = adversarialACRH
                            +            handler := Default().Handler(testHandler)
                            +        
                            +            b.ReportAllocs()
                            +            b.ResetTimer()
                            +            for i := 0; i < b.N; i++ {
                            +                handler.ServeHTTP(resps[i], req)
                            +            }
                            +        }
                            +        
                            +        var adversarialACRH []string
                            +        
                            +        func init() { // populates adversarialACRH
                            +            n := int(math.Floor(math.Sqrt(http.DefaultMaxHeaderBytes)))
                            +            commas := strings.Repeat(",", n)
                            +            res := make([]string, n)
                            +            for i := range res {
                            +                res[i] = commas
                            +            }
                            +            adversarialACRH = res
                            +        }
                            +        
                            +

                            Details

                            +

                            Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

                            +

                            Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

                            +

                            One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

                            +

                            When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

                            +

                            Two common types of DoS vulnerabilities:

                            +
                              +
                            • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

                              +
                            • +
                            • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

                              +
                            • +
                            +

                            Remediation

                            +

                            Upgrade github.com/rs/cors to version 1.11.0 or higher.

                            +

                            References

                            + + +
                            + + + +
                            +
                            +

                            Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

                            +
                            + +
                            + medium severity +
                            + +
                            + +
                              +
                            • + Manifest file: /argo-cd/argoproj/argo-cd/v2 go.mod +
                            • +
                            • + Package Manager: golang +
                            • +
                            • + Vulnerable module: + + github.com/Azure/azure-sdk-for-go/sdk/azidentity +
                            • + +
                            • Introduced through: + + + github.com/argoproj/argo-cd/v2@0.0.0, github.com/Azure/kubelogin/pkg/token@0.0.20 and others +
                            • +
                            + +
                            + + +

                            Detailed paths

                            + +
                              +
                            • + Introduced through: + github.com/argoproj/argo-cd/v2@0.0.0 + + github.com/Azure/kubelogin/pkg/token@0.0.20 + + github.com/Azure/azure-sdk-for-go/sdk/azidentity@1.1.0 + + + +
                            • +
                            + +
                            + +
                            + +

                            Overview

                            +

                            github.com/Azure/azure-sdk-for-go/sdk/azidentity is a module that provides Microsoft Entra ID (formerly Azure Active Directory) token authentication support across the Azure SDK. It includes a set of TokenCredential implementations, which can be used with Azure SDK clients supporting token authentication.

                            +

                            Affected versions of this package are vulnerable to Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in the authentication process. An attacker can elevate privileges by exploiting race conditions during the token validation steps. This is only exploitable if the application is configured to use multiple threads or processes for handling authentication requests.

                            +

                            Notes:

                            +
                              +
                            1. An attacker who successfully exploited the vulnerability could elevate privileges and read any file on the file system with SYSTEM access permissions;

                              +
                            2. +
                            3. An attacker who successfully exploits this vulnerability can only obtain read access to the system files by exploiting this vulnerability. The attacker cannot perform write or delete operations on the files;

                              +
                            4. +
                            5. The vulnerability exists in the following credential types: DefaultAzureCredential and ManagedIdentityCredential;

                              +
                            6. +
                            7. The vulnerability exists in the following credential types:

                              +
                            8. +
                            +

                            ManagedIdentityApplication (.NET)

                            +

                            ManagedIdentityApplication (Java)

                            +

                            ManagedIdentityApplication (Node.js)

                            +

                            Remediation

                            +

                            Upgrade github.com/Azure/azure-sdk-for-go/sdk/azidentity to version 1.6.0 or higher.

                            +

                            References

                            + + +
                            + + + +
                            +
                            +
                            +
                            + + + diff --git a/docs/snyk/v2.12.3/ghcr.io_dexidp_dex_v2.38.0.html b/docs/snyk/v2.12.4/ghcr.io_dexidp_dex_v2.38.0.html similarity index 99% rename from docs/snyk/v2.12.3/ghcr.io_dexidp_dex_v2.38.0.html rename to docs/snyk/v2.12.4/ghcr.io_dexidp_dex_v2.38.0.html index c40058cb449a2..ff73127613d42 100644 --- a/docs/snyk/v2.12.3/ghcr.io_dexidp_dex_v2.38.0.html +++ b/docs/snyk/v2.12.4/ghcr.io_dexidp_dex_v2.38.0.html @@ -456,7 +456,7 @@

                            Snyk test report

                            -

                            September 22nd 2024, 12:24:06 am (UTC+00:00)

                            +

                            September 29th 2024, 12:24:56 am (UTC+00:00)

                            Scanned the following paths: diff --git a/docs/snyk/v2.12.3/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html b/docs/snyk/v2.12.4/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html similarity index 99% rename from docs/snyk/v2.12.3/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html rename to docs/snyk/v2.12.4/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html index bed01faa336f7..a425d27f80fba 100644 --- a/docs/snyk/v2.12.3/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html +++ b/docs/snyk/v2.12.4/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html @@ -456,7 +456,7 @@

                            Snyk test report

                            -

                            September 22nd 2024, 12:24:09 am (UTC+00:00)

                            +

                            September 29th 2024, 12:25:00 am (UTC+00:00)

                            Scanned the following path: diff --git a/docs/snyk/v2.12.3/public.ecr.aws_docker_library_redis_7.0.15-alpine.html b/docs/snyk/v2.12.4/public.ecr.aws_docker_library_redis_7.0.15-alpine.html similarity index 99% rename from docs/snyk/v2.12.3/public.ecr.aws_docker_library_redis_7.0.15-alpine.html rename to docs/snyk/v2.12.4/public.ecr.aws_docker_library_redis_7.0.15-alpine.html index dbc79e2e50588..31fc282e6b849 100644 --- a/docs/snyk/v2.12.3/public.ecr.aws_docker_library_redis_7.0.15-alpine.html +++ b/docs/snyk/v2.12.4/public.ecr.aws_docker_library_redis_7.0.15-alpine.html @@ -456,7 +456,7 @@

                            Snyk test report

                            -

                            September 22nd 2024, 12:24:12 am (UTC+00:00)

                            +

                            September 29th 2024, 12:25:05 am (UTC+00:00)

                            Scanned the following paths: diff --git a/docs/snyk/v2.12.3/quay.io_argoproj_argocd_v2.12.3.html b/docs/snyk/v2.12.4/quay.io_argoproj_argocd_v2.12.4.html similarity index 76% rename from docs/snyk/v2.12.3/quay.io_argoproj_argocd_v2.12.3.html rename to docs/snyk/v2.12.4/quay.io_argoproj_argocd_v2.12.4.html index 0bd0879c74d78..29d9c98c8cccb 100644 --- a/docs/snyk/v2.12.3/quay.io_argoproj_argocd_v2.12.3.html +++ b/docs/snyk/v2.12.4/quay.io_argoproj_argocd_v2.12.4.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -456,22 +456,22 @@

                            Snyk test report

                            -

                            September 22nd 2024, 12:24:27 am (UTC+00:00)

                            +

                            September 29th 2024, 12:25:23 am (UTC+00:00)

                            Scanned the following paths:
                              -
                            • quay.io/argoproj/argocd:v2.12.3/argoproj/argocd/Dockerfile (deb)
                            • -
                            • quay.io/argoproj/argocd:v2.12.3/argoproj/argo-cd/v2//usr/local/bin/argocd (gomodules)
                            • -
                            • quay.io/argoproj/argocd:v2.12.3//usr/local/bin/kustomize (gomodules)
                            • -
                            • quay.io/argoproj/argocd:v2.12.3/helm/v3//usr/local/bin/helm (gomodules)
                            • -
                            • quay.io/argoproj/argocd:v2.12.3/git-lfs/git-lfs//usr/bin/git-lfs (gomodules)
                            • +
                            • quay.io/argoproj/argocd:v2.12.4/argoproj/argocd/Dockerfile (deb)
                            • +
                            • quay.io/argoproj/argocd:v2.12.4/argoproj/argo-cd/v2//usr/local/bin/argocd (gomodules)
                            • +
                            • quay.io/argoproj/argocd:v2.12.4//usr/local/bin/kustomize (gomodules)
                            • +
                            • quay.io/argoproj/argocd:v2.12.4/helm/v3//usr/local/bin/helm (gomodules)
                            • +
                            • quay.io/argoproj/argocd:v2.12.4/git-lfs/git-lfs//usr/bin/git-lfs (gomodules)
                            -
                            17 known vulnerabilities
                            -
                            81 vulnerable dependency paths
                            +
                            12 known vulnerabilities
                            +
                            66 vulnerable dependency paths
                            2292 dependencies
                            @@ -492,7 +492,7 @@

                            CVE-2024-41996

                            • - Manifest file: quay.io/argoproj/argocd:v2.12.3/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.12.4/argoproj/argocd Dockerfile
                            • Package Manager: ubuntu:24.04 @@ -505,7 +505,7 @@

                              CVE-2024-41996

                            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 and openssl/libssl3t64@3.0.13-0ubuntu3.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 and openssl/libssl3t64@3.0.13-0ubuntu3.4
                            @@ -518,135 +518,135 @@

                            Detailed paths

                            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 - openssl/libssl3t64@3.0.13-0ubuntu3.3 + openssl/libssl3t64@3.0.13-0ubuntu3.4
                            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 coreutils@9.4-3ubuntu6 - openssl/libssl3t64@3.0.13-0ubuntu3.3 + openssl/libssl3t64@3.0.13-0ubuntu3.4
                            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 cyrus-sasl2/libsasl2-modules@2.1.28+dfsg1-5ubuntu3.1 - openssl/libssl3t64@3.0.13-0ubuntu3.3 + openssl/libssl3t64@3.0.13-0ubuntu3.4
                            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 libfido2/libfido2-1@1.14.0-1build3 - openssl/libssl3t64@3.0.13-0ubuntu3.3 + openssl/libssl3t64@3.0.13-0ubuntu3.4
                            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 openssh/openssh-client@1:9.6p1-3ubuntu13.5 - openssl/libssl3t64@3.0.13-0ubuntu3.3 + openssl/libssl3t64@3.0.13-0ubuntu3.4
                            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 ca-certificates@20240203 - openssl@3.0.13-0ubuntu3.3 + openssl@3.0.13-0ubuntu3.4 - openssl/libssl3t64@3.0.13-0ubuntu3.3 + openssl/libssl3t64@3.0.13-0ubuntu3.4
                            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 libssh/libssh-4@0.10.6-2build2 - openssl/libssl3t64@3.0.13-0ubuntu3.3 + openssl/libssl3t64@3.0.13-0ubuntu3.4
                            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 krb5/libkrb5-3@1.20.1-6ubuntu2.1 - openssl/libssl3t64@3.0.13-0ubuntu3.3 + openssl/libssl3t64@3.0.13-0ubuntu3.4
                            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 openldap/libldap2@2.6.7+dfsg-1~exp1ubuntu8 cyrus-sasl2/libsasl2-2@2.1.28+dfsg1-5ubuntu3.1 - openssl/libssl3t64@3.0.13-0ubuntu3.3 + openssl/libssl3t64@3.0.13-0ubuntu3.4
                            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 - openssl@3.0.13-0ubuntu3.3 + openssl@3.0.13-0ubuntu3.4
                            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 ca-certificates@20240203 - openssl@3.0.13-0ubuntu3.3 + openssl@3.0.13-0ubuntu3.4 @@ -677,224 +677,6 @@

                              References

                              More about this vulnerability

                            -
                            -
                            -

                            CVE-2024-6119

                            -
                            - -
                            - medium severity -
                            - -
                            - -
                              -
                            • - Manifest file: quay.io/argoproj/argocd:v2.12.3/argoproj/argocd Dockerfile -
                            • -
                            • - Package Manager: ubuntu:24.04 -
                            • -
                            • - Vulnerable module: - - openssl/libssl3t64 -
                            • - -
                            • Introduced through: - - docker-image|quay.io/argoproj/argocd@v2.12.3 and openssl/libssl3t64@3.0.13-0ubuntu3.3 - -
                            • -
                            - -
                            - - -

                            Detailed paths

                            - -
                              -
                            • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 - - openssl/libssl3t64@3.0.13-0ubuntu3.3 - - - -
                            • -
                            • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 - - coreutils@9.4-3ubuntu6 - - openssl/libssl3t64@3.0.13-0ubuntu3.3 - - - -
                            • -
                            • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 - - cyrus-sasl2/libsasl2-modules@2.1.28+dfsg1-5ubuntu3.1 - - openssl/libssl3t64@3.0.13-0ubuntu3.3 - - - -
                            • -
                            • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 - - libfido2/libfido2-1@1.14.0-1build3 - - openssl/libssl3t64@3.0.13-0ubuntu3.3 - - - -
                            • -
                            • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 - - openssh/openssh-client@1:9.6p1-3ubuntu13.5 - - openssl/libssl3t64@3.0.13-0ubuntu3.3 - - - -
                            • -
                            • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 - - ca-certificates@20240203 - - openssl@3.0.13-0ubuntu3.3 - - openssl/libssl3t64@3.0.13-0ubuntu3.3 - - - -
                            • -
                            • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 - - git@1:2.43.0-1ubuntu7.1 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 - - libssh/libssh-4@0.10.6-2build2 - - openssl/libssl3t64@3.0.13-0ubuntu3.3 - - - -
                            • -
                            • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 - - git@1:2.43.0-1ubuntu7.1 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 - - krb5/libkrb5-3@1.20.1-6ubuntu2.1 - - openssl/libssl3t64@3.0.13-0ubuntu3.3 - - - -
                            • -
                            • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 - - git@1:2.43.0-1ubuntu7.1 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 - - openldap/libldap2@2.6.7+dfsg-1~exp1ubuntu8 - - cyrus-sasl2/libsasl2-2@2.1.28+dfsg1-5ubuntu3.1 - - openssl/libssl3t64@3.0.13-0ubuntu3.3 - - - -
                            • -
                            • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 - - openssl@3.0.13-0ubuntu3.3 - - - -
                            • -
                            • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 - - ca-certificates@20240203 - - openssl@3.0.13-0ubuntu3.3 - - - -
                            • -
                            - -
                            - -
                            - -

                            NVD Description

                            -

                            Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

                            -

                            Issue summary: Applications performing certificate name checks (e.g., TLS - clients checking server certificates) may attempt to read an invalid memory - address resulting in abnormal termination of the application process.

                            -

                            Impact summary: Abnormal termination of an application can a cause a denial of - service.

                            -

                            Applications performing certificate name checks (e.g., TLS clients checking - server certificates) may attempt to read an invalid memory address when - comparing the expected name with an otherName subject alternative name of an - X.509 certificate. This may result in an exception that terminates the - application program.

                            -

                            Note that basic certificate chain validation (signatures, dates, ...) is not - affected, the denial of service can occur only when the application also - specifies an expected DNS name, Email address or IP address.

                            -

                            TLS servers rarely solicit client certificates, and even when they do, they - generally don't perform a name check against a reference identifier (expected - identity), but rather extract the presented identity after checking the - certificate chain. So TLS servers are generally not affected and the severity - of the issue is Moderate.

                            -

                            The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

                            -

                            Remediation

                            -

                            Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.4 or higher.

                            -

                            References

                            - - -
                            - - -

                            Information Exposure

                            @@ -908,7 +690,7 @@

                            Information Exposure

                            • - Manifest file: quay.io/argoproj/argocd:v2.12.3/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.12.4/argoproj/argocd Dockerfile
                            • Package Manager: ubuntu:24.04 @@ -921,7 +703,7 @@

                              Information Exposure

                            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 and libgcrypt20@1.10.3-2build1 + docker-image|quay.io/argoproj/argocd@v2.12.4 and libgcrypt20@1.10.3-2build1
                            @@ -934,7 +716,7 @@

                            Detailed paths

                            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 libgcrypt20@1.10.3-2build1 @@ -943,7 +725,7 @@

                              Detailed paths

                            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 gnupg2/dirmngr@2.4.4-2ubuntu17 @@ -954,7 +736,7 @@

                              Detailed paths

                            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 gnupg2/gpg@2.4.4-2ubuntu17 @@ -965,7 +747,7 @@

                              Detailed paths

                            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 gnupg2/gpg-agent@2.4.4-2ubuntu17 @@ -976,7 +758,7 @@

                              Detailed paths

                            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 apt@2.7.14build2 @@ -989,7 +771,7 @@

                              Detailed paths

                            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 apt@2.7.14build2 @@ -1002,7 +784,7 @@

                              Detailed paths

                            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 gnupg2/gpg@2.4.4-2ubuntu17 @@ -1015,7 +797,7 @@

                              Detailed paths

                            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 apt@2.7.14build2 @@ -1071,7 +853,7 @@

                              CVE-2024-26462

                              • - Manifest file: quay.io/argoproj/argocd:v2.12.3/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.12.4/argoproj/argocd Dockerfile
                              • Package Manager: ubuntu:24.04 @@ -1085,7 +867,7 @@

                                CVE-2024-26462

                              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3, git@1:2.43.0-1ubuntu7.1 and others + docker-image|quay.io/argoproj/argocd@v2.12.4, git@1:2.43.0-1ubuntu7.1 and others
                              @@ -1097,11 +879,11 @@

                              Detailed paths

                              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -1112,11 +894,11 @@

                                Detailed paths

                              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -1129,11 +911,11 @@

                                Detailed paths

                              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -1144,11 +926,11 @@

                                Detailed paths

                              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -1161,11 +943,11 @@

                                Detailed paths

                              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -1180,11 +962,11 @@

                                Detailed paths

                              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -1195,7 +977,7 @@

                                Detailed paths

                              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 openssh/openssh-client@1:9.6p1-3ubuntu13.5 @@ -1206,11 +988,11 @@

                                Detailed paths

                              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -1219,11 +1001,11 @@

                                Detailed paths

                              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 libssh/libssh-4@0.10.6-2build2 @@ -1234,7 +1016,7 @@

                                Detailed paths

                              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 krb5/krb5-locales@1.20.1-6ubuntu2.1 @@ -1279,7 +1061,7 @@

                                Denial of Service (DoS)

                                • - Manifest file: quay.io/argoproj/argocd:v2.12.3/argoproj/argo-cd/v2 /usr/local/bin/argocd + Manifest file: quay.io/argoproj/argocd:v2.12.4/argoproj/argo-cd/v2 /usr/local/bin/argocd
                                • Package Manager: golang @@ -1376,299 +1158,6 @@

                                  References

                                  More about this vulnerability

                            -
                            -
                            -

                            Integer Overflow or Wraparound

                            -
                            - -
                            - medium severity -
                            - -
                            - -
                              -
                            • - Manifest file: quay.io/argoproj/argocd:v2.12.3/argoproj/argocd Dockerfile -
                            • -
                            • - Package Manager: ubuntu:24.04 -
                            • -
                            • - Vulnerable module: - - expat/libexpat1 -
                            • - -
                            • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v2.12.3, git@1:2.43.0-1ubuntu7.1 and others -
                            • -
                            - -
                            - - -

                            Detailed paths

                            - -
                              -
                            • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 - - git@1:2.43.0-1ubuntu7.1 - - expat/libexpat1@2.6.1-2build1 - - - -
                            • -
                            - -
                            - -
                            - -

                            NVD Description

                            -

                            Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

                            -

                            An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).

                            -

                            Remediation

                            -

                            Upgrade Ubuntu:24.04 expat to version 2.6.1-2ubuntu0.1 or higher.

                            -

                            References

                            - - -
                            - - - -
                            -
                            -

                            XML External Entity (XXE) Injection

                            -
                            - -
                            - medium severity -
                            - -
                            - -
                              -
                            • - Manifest file: quay.io/argoproj/argocd:v2.12.3/argoproj/argocd Dockerfile -
                            • -
                            • - Package Manager: ubuntu:24.04 -
                            • -
                            • - Vulnerable module: - - expat/libexpat1 -
                            • - -
                            • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v2.12.3, git@1:2.43.0-1ubuntu7.1 and others -
                            • -
                            - -
                            - - -

                            Detailed paths

                            - -
                              -
                            • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 - - git@1:2.43.0-1ubuntu7.1 - - expat/libexpat1@2.6.1-2build1 - - - -
                            • -
                            - -
                            - -
                            - -

                            NVD Description

                            -

                            Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

                            -

                            An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.

                            -

                            Remediation

                            -

                            Upgrade Ubuntu:24.04 expat to version 2.6.1-2ubuntu0.1 or higher.

                            -

                            References

                            - - -
                            - - - -
                            -
                            -

                            Integer Overflow or Wraparound

                            -
                            - -
                            - medium severity -
                            - -
                            - -
                              -
                            • - Manifest file: quay.io/argoproj/argocd:v2.12.3/argoproj/argocd Dockerfile -
                            • -
                            • - Package Manager: ubuntu:24.04 -
                            • -
                            • - Vulnerable module: - - expat/libexpat1 -
                            • - -
                            • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v2.12.3, git@1:2.43.0-1ubuntu7.1 and others -
                            • -
                            - -
                            - - -

                            Detailed paths

                            - -
                              -
                            • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 - - git@1:2.43.0-1ubuntu7.1 - - expat/libexpat1@2.6.1-2build1 - - - -
                            • -
                            - -
                            - -
                            - -

                            NVD Description

                            -

                            Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

                            -

                            An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).

                            -

                            Remediation

                            -

                            Upgrade Ubuntu:24.04 expat to version 2.6.1-2ubuntu0.1 or higher.

                            -

                            References

                            - - -
                            - - - -
                            -
                            -

                            CVE-2024-8096

                            -
                            - -
                            - medium severity -
                            - -
                            - -
                              -
                            • - Manifest file: quay.io/argoproj/argocd:v2.12.3/argoproj/argocd Dockerfile -
                            • -
                            • - Package Manager: ubuntu:24.04 -
                            • -
                            • - Vulnerable module: - - curl/libcurl3t64-gnutls -
                            • - -
                            • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v2.12.3, git@1:2.43.0-1ubuntu7.1 and others -
                            • -
                            - -
                            - - -

                            Detailed paths

                            - -
                              -
                            • - Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 - - git@1:2.43.0-1ubuntu7.1 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 - - - -
                            • -
                            - -
                            - -
                            - -

                            NVD Description

                            -

                            Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

                            -

                            When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.

                            -

                            Remediation

                            -

                            Upgrade Ubuntu:24.04 curl to version 8.5.0-2ubuntu10.4 or higher.

                            -

                            References

                            - - -
                            - - -

                            Release of Invalid Pointer or Reference

                            @@ -1682,7 +1171,7 @@

                            Release of Invalid Pointer or Reference

                            • - Manifest file: quay.io/argoproj/argocd:v2.12.3/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.12.4/argoproj/argocd Dockerfile
                            • Package Manager: ubuntu:24.04 @@ -1695,7 +1184,7 @@

                              Release of Invalid Pointer or Reference

                            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 and patch@2.7.6-7build3 + docker-image|quay.io/argoproj/argocd@v2.12.4 and patch@2.7.6-7build3
                            @@ -1708,7 +1197,7 @@

                            Detailed paths

                            • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 patch@2.7.6-7build3 @@ -1752,7 +1241,7 @@

                              Double Free

                              • - Manifest file: quay.io/argoproj/argocd:v2.12.3/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.12.4/argoproj/argocd Dockerfile
                              • Package Manager: ubuntu:24.04 @@ -1765,7 +1254,7 @@

                                Double Free

                              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 and patch@2.7.6-7build3 + docker-image|quay.io/argoproj/argocd@v2.12.4 and patch@2.7.6-7build3
                              @@ -1778,7 +1267,7 @@

                              Detailed paths

                              • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 patch@2.7.6-7build3 @@ -1827,7 +1316,7 @@

                                CVE-2024-26458

                                • - Manifest file: quay.io/argoproj/argocd:v2.12.3/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.12.4/argoproj/argocd Dockerfile
                                • Package Manager: ubuntu:24.04 @@ -1841,7 +1330,7 @@

                                  CVE-2024-26458

                                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3, git@1:2.43.0-1ubuntu7.1 and others + docker-image|quay.io/argoproj/argocd@v2.12.4, git@1:2.43.0-1ubuntu7.1 and others
                                @@ -1853,11 +1342,11 @@

                                Detailed paths

                                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -1868,11 +1357,11 @@

                                  Detailed paths

                                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -1885,11 +1374,11 @@

                                  Detailed paths

                                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -1900,11 +1389,11 @@

                                  Detailed paths

                                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -1917,11 +1406,11 @@

                                  Detailed paths

                                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -1936,11 +1425,11 @@

                                  Detailed paths

                                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -1951,7 +1440,7 @@

                                  Detailed paths

                                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 openssh/openssh-client@1:9.6p1-3ubuntu13.5 @@ -1962,11 +1451,11 @@

                                  Detailed paths

                                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -1975,11 +1464,11 @@

                                  Detailed paths

                                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 libssh/libssh-4@0.10.6-2build2 @@ -1990,7 +1479,7 @@

                                  Detailed paths

                                • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 krb5/krb5-locales@1.20.1-6ubuntu2.1 @@ -2035,7 +1524,7 @@

                                  CVE-2024-26461

                                  • - Manifest file: quay.io/argoproj/argocd:v2.12.3/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.12.4/argoproj/argocd Dockerfile
                                  • Package Manager: ubuntu:24.04 @@ -2049,7 +1538,7 @@

                                    CVE-2024-26461

                                  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3, git@1:2.43.0-1ubuntu7.1 and others + docker-image|quay.io/argoproj/argocd@v2.12.4, git@1:2.43.0-1ubuntu7.1 and others
                                  @@ -2061,11 +1550,11 @@

                                  Detailed paths

                                  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -2076,11 +1565,11 @@

                                    Detailed paths

                                  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -2093,11 +1582,11 @@

                                    Detailed paths

                                  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -2108,11 +1597,11 @@

                                    Detailed paths

                                  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -2125,11 +1614,11 @@

                                    Detailed paths

                                  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -2144,11 +1633,11 @@

                                    Detailed paths

                                  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -2159,7 +1648,7 @@

                                    Detailed paths

                                  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 openssh/openssh-client@1:9.6p1-3ubuntu13.5 @@ -2170,11 +1659,11 @@

                                    Detailed paths

                                  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.1 @@ -2183,11 +1672,11 @@

                                    Detailed paths

                                  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 git@1:2.43.0-1ubuntu7.1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.3 + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.4 libssh/libssh-4@0.10.6-2build2 @@ -2198,7 +1687,7 @@

                                    Detailed paths

                                  • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 krb5/krb5-locales@1.20.1-6ubuntu2.1 @@ -2243,7 +1732,7 @@

                                    Out-of-bounds Write

                                    • - Manifest file: quay.io/argoproj/argocd:v2.12.3/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.12.4/argoproj/argocd Dockerfile
                                    • Package Manager: ubuntu:24.04 @@ -2256,7 +1745,7 @@

                                      Out-of-bounds Write

                                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 and gnupg2/gpgv@2.4.4-2ubuntu17 + docker-image|quay.io/argoproj/argocd@v2.12.4 and gnupg2/gpgv@2.4.4-2ubuntu17
                                    @@ -2269,7 +1758,7 @@

                                    Detailed paths

                                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 gnupg2/gpgv@2.4.4-2ubuntu17 @@ -2278,7 +1767,7 @@

                                      Detailed paths

                                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 apt@2.7.14build2 @@ -2289,7 +1778,7 @@

                                      Detailed paths

                                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 gnupg2/dirmngr@2.4.4-2ubuntu17 @@ -2300,7 +1789,7 @@

                                      Detailed paths

                                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 gnupg2/gpg-agent@2.4.4-2ubuntu17 @@ -2311,7 +1800,7 @@

                                      Detailed paths

                                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 gnupg2/gpg@2.4.4-2ubuntu17 @@ -2322,7 +1811,7 @@

                                      Detailed paths

                                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 gnupg2/dirmngr@2.4.4-2ubuntu17 @@ -2331,7 +1820,7 @@

                                      Detailed paths

                                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 gnupg2/gpg@2.4.4-2ubuntu17 @@ -2340,7 +1829,7 @@

                                      Detailed paths

                                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 gnupg2/gpg-agent@2.4.4-2ubuntu17 @@ -2389,7 +1878,7 @@

                                      Allocation of Resources Without Limits or Throttling

                                    • - Manifest file: quay.io/argoproj/argocd:v2.12.3/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.12.4/argoproj/argocd Dockerfile
                                    • Package Manager: ubuntu:24.04 @@ -2402,7 +1891,7 @@

                                      Allocation of Resources Without Limits or Throttling

                                      Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 and glibc/libc-bin@2.39-0ubuntu8.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 and glibc/libc-bin@2.39-0ubuntu8.3
                                    @@ -2415,7 +1904,7 @@

                                    Detailed paths

                                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 glibc/libc-bin@2.39-0ubuntu8.3 @@ -2424,7 +1913,7 @@

                                      Detailed paths

                                    • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 glibc/libc6@2.39-0ubuntu8.3 @@ -2470,7 +1959,7 @@

                                      Improper Input Validation

                                      • - Manifest file: quay.io/argoproj/argocd:v2.12.3/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.12.4/argoproj/argocd Dockerfile
                                      • Package Manager: ubuntu:24.04 @@ -2484,7 +1973,7 @@

                                        Improper Input Validation

                                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3, git@1:2.43.0-1ubuntu7.1 and others + docker-image|quay.io/argoproj/argocd@v2.12.4, git@1:2.43.0-1ubuntu7.1 and others
                                      @@ -2496,7 +1985,7 @@

                                      Detailed paths

                                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 git@1:2.43.0-1ubuntu7.1 @@ -2507,7 +1996,7 @@

                                        Detailed paths

                                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 git@1:2.43.0-1ubuntu7.1 @@ -2516,7 +2005,7 @@

                                        Detailed paths

                                      • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 git-lfs@3.4.1-1ubuntu0.1 @@ -2563,7 +2052,7 @@

                                        Improper Input Validation

                                        • - Manifest file: quay.io/argoproj/argocd:v2.12.3/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v2.12.4/argoproj/argocd Dockerfile
                                        • Package Manager: ubuntu:24.04 @@ -2576,7 +2065,7 @@

                                          Improper Input Validation

                                        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 and coreutils@9.4-3ubuntu6 + docker-image|quay.io/argoproj/argocd@v2.12.4 and coreutils@9.4-3ubuntu6
                                        @@ -2589,7 +2078,7 @@

                                        Detailed paths

                                        • Introduced through: - docker-image|quay.io/argoproj/argocd@v2.12.3 + docker-image|quay.io/argoproj/argocd@v2.12.4 coreutils@9.4-3ubuntu6 diff --git a/docs/snyk/v2.12.3/redis_7.0.15-alpine.html b/docs/snyk/v2.12.4/redis_7.0.15-alpine.html similarity index 99% rename from docs/snyk/v2.12.3/redis_7.0.15-alpine.html rename to docs/snyk/v2.12.4/redis_7.0.15-alpine.html index e3cc28e76700f..9139f30084537 100644 --- a/docs/snyk/v2.12.3/redis_7.0.15-alpine.html +++ b/docs/snyk/v2.12.4/redis_7.0.15-alpine.html @@ -456,7 +456,7 @@

                                          Snyk test report

                                          -

                                          September 22nd 2024, 12:24:31 am (UTC+00:00)

                                          +

                                          September 29th 2024, 12:25:26 am (UTC+00:00)

                                          Scanned the following paths: diff --git a/docs/snyk/v2.13.0-rc2/argocd-iac-install.html b/docs/snyk/v2.13.0-rc2/argocd-iac-install.html index 1fb9ff7afdb66..fb4b43cc79848 100644 --- a/docs/snyk/v2.13.0-rc2/argocd-iac-install.html +++ b/docs/snyk/v2.13.0-rc2/argocd-iac-install.html @@ -456,7 +456,7 @@

                                          Snyk test report

                                          -

                                          September 22nd 2024, 12:23:23 am (UTC+00:00)

                                          +

                                          September 29th 2024, 12:24:13 am (UTC+00:00)

                                          Scanned the following path: diff --git a/docs/snyk/v2.13.0-rc2/argocd-iac-namespace-install.html b/docs/snyk/v2.13.0-rc2/argocd-iac-namespace-install.html index ecec28af1a8cd..9b42e5dc50945 100644 --- a/docs/snyk/v2.13.0-rc2/argocd-iac-namespace-install.html +++ b/docs/snyk/v2.13.0-rc2/argocd-iac-namespace-install.html @@ -456,7 +456,7 @@

                                          Snyk test report

                                          -

                                          September 22nd 2024, 12:23:32 am (UTC+00:00)

                                          +

                                          September 29th 2024, 12:24:22 am (UTC+00:00)

                                          Scanned the following path: diff --git a/docs/snyk/v2.13.0-rc2/argocd-test.html b/docs/snyk/v2.13.0-rc2/argocd-test.html index 339b8e739fba1..750766d752f84 100644 --- a/docs/snyk/v2.13.0-rc2/argocd-test.html +++ b/docs/snyk/v2.13.0-rc2/argocd-test.html @@ -456,7 +456,7 @@

                                          Snyk test report

                                          -

                                          September 22nd 2024, 12:21:26 am (UTC+00:00)

                                          +

                                          September 29th 2024, 12:22:06 am (UTC+00:00)

                                          Scanned the following paths: diff --git a/docs/snyk/v2.13.0-rc2/ghcr.io_dexidp_dex_v2.41.1.html b/docs/snyk/v2.13.0-rc2/ghcr.io_dexidp_dex_v2.41.1.html index 6a121eec05819..63580ba9dad08 100644 --- a/docs/snyk/v2.13.0-rc2/ghcr.io_dexidp_dex_v2.41.1.html +++ b/docs/snyk/v2.13.0-rc2/ghcr.io_dexidp_dex_v2.41.1.html @@ -456,7 +456,7 @@

                                          Snyk test report

                                          -

                                          September 22nd 2024, 12:21:32 am (UTC+00:00)

                                          +

                                          September 29th 2024, 12:22:11 am (UTC+00:00)

                                          Scanned the following paths: diff --git a/docs/snyk/v2.13.0-rc2/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html b/docs/snyk/v2.13.0-rc2/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html index 8197e5ec4909e..99aca1ca4114f 100644 --- a/docs/snyk/v2.13.0-rc2/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html +++ b/docs/snyk/v2.13.0-rc2/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html @@ -456,7 +456,7 @@

                                          Snyk test report

                                          -

                                          September 22nd 2024, 12:21:37 am (UTC+00:00)

                                          +

                                          September 29th 2024, 12:22:16 am (UTC+00:00)

                                          Scanned the following path: diff --git a/docs/snyk/v2.13.0-rc2/public.ecr.aws_docker_library_redis_7.0.15-alpine.html b/docs/snyk/v2.13.0-rc2/public.ecr.aws_docker_library_redis_7.0.15-alpine.html index 26e6ff3618a3f..4403830f0a515 100644 --- a/docs/snyk/v2.13.0-rc2/public.ecr.aws_docker_library_redis_7.0.15-alpine.html +++ b/docs/snyk/v2.13.0-rc2/public.ecr.aws_docker_library_redis_7.0.15-alpine.html @@ -456,7 +456,7 @@

                                          Snyk test report

                                          -

                                          September 22nd 2024, 12:21:40 am (UTC+00:00)

                                          +

                                          September 29th 2024, 12:22:20 am (UTC+00:00)

                                          Scanned the following paths: diff --git a/docs/snyk/v2.13.0-rc2/quay.io_argoproj_argocd_v2.13.0-rc2.html b/docs/snyk/v2.13.0-rc2/quay.io_argoproj_argocd_v2.13.0-rc2.html index 043d857a863c8..ee84c04cd08da 100644 --- a/docs/snyk/v2.13.0-rc2/quay.io_argoproj_argocd_v2.13.0-rc2.html +++ b/docs/snyk/v2.13.0-rc2/quay.io_argoproj_argocd_v2.13.0-rc2.html @@ -456,7 +456,7 @@

                                          Snyk test report

                                          -

                                          September 22nd 2024, 12:21:56 am (UTC+00:00)

                                          +

                                          September 29th 2024, 12:22:45 am (UTC+00:00)

                                          Scanned the following paths: diff --git a/docs/snyk/v2.13.0-rc2/redis_7.0.15-alpine.html b/docs/snyk/v2.13.0-rc2/redis_7.0.15-alpine.html index 9ce4786034705..38236b67234de 100644 --- a/docs/snyk/v2.13.0-rc2/redis_7.0.15-alpine.html +++ b/docs/snyk/v2.13.0-rc2/redis_7.0.15-alpine.html @@ -456,7 +456,7 @@

                                          Snyk test report

                                          -

                                          September 22nd 2024, 12:22:00 am (UTC+00:00)

                                          +

                                          September 29th 2024, 12:22:49 am (UTC+00:00)

                                          Scanned the following paths:
From 52c3f93010e835693d56d893d6a13531402c3bd6 Mon Sep 17 00:00:00 2001
From: Dan Garfield
Date: Mon, 30 Sep 2024 07:54:58 -0600
Subject: [PATCH 15/38] fix: repo generate paths value in namespace install is incorrectly formatted (#20139) * Fix repo generate paths value in namespace install Signed-off-by: todaywasawesome * Fix in base and regen Signed-off-by: todaywasawesome --------- Signed-off-by: todaywasawesome
---
 .../repo-server/argocd-repo-server-deployment.yaml | 8 ++++----
 manifests/core-install.yaml | 12 ++++++------
 manifests/ha/install.yaml | 11 ++++++-----
 manifests/ha/namespace-install.yaml | 11 ++++++-----
 manifests/install.yaml | 12 ++++++------
 manifests/namespace-install.yaml | 12 ++++++------
 6 files changed, 34 insertions(+), 32 deletions(-)
diff --git a/manifests/base/repo-server/argocd-repo-server-deployment.yaml b/manifests/base/repo-server/argocd-repo-server-deployment.yaml
index f6a073c32d6e9..2457fa7bcb742 100644
--- a/manifests/base/repo-server/argocd-repo-server-deployment.yaml
+++ b/manifests/base/repo-server/argocd-repo-server-deployment.yaml
@@ -151,10 +151,10 @@ spec:
 optional: true
 - name: ARGOCD_REPO_SERVER_PLUGIN_USE_MANIFEST_GENERATE_PATHS
 valueFrom:
- configMapKeyRef:
- key: reposerver.plugin.use.manifest.generate.paths
- name: argocd-cmd-params-cm
- optional: true
+ configMapKeyRef:
+ key: reposerver.plugin.use.manifest.generate.paths
+ name: argocd-cmd-params-cm
+ optional: true
 - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS
 valueFrom:
 configMapKeyRef:
diff --git a/manifests/core-install.yaml b/manifests/core-install.yaml
index b9d59aae424d0..5c88298530060 100644
--- a/manifests/core-install.yaml
+++ b/manifests/core-install.yaml
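Review bot: In manifests/base/repo-server/argocd-repo-server-deployment.yaml the corrected `valueFrom`/`configMapKeyRef` nesting for `ARGOCD_REPO_SERVER_PLUGIN_USE_MANIFEST_GENERATE_PATHS` has nothing guarding it, so the same slip on another env entry could again be regenerated into every install manifest unnoticed. The regenerated files in this patch show what got through: `configMapKeyRef` had become a sibling of `name`, with `valueFrom: null` in some of them, which presumably left the variable unset whatever `reposerver.plugin.use.manifest.generate.paths` said in argocd-cmd-params-cm. I would add a strict schema check of the rendered manifests to the codegen or CI step, for example `kubeconform -strict manifests/install.yaml`, assuming none exists already; the CI configuration is not part of this patch. The Deployment spec continues outside the hunk.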
@@ -22857,12 +22857,12 @@ spec: key: reposerver.plugin.tar.exclusions name: argocd-cmd-params-cm optional: true - - configMapKeyRef: - key: reposerver.plugin.use.manifest.generate.paths - name: argocd-cmd-params-cm - optional: true - name: ARGOCD_REPO_SERVER_PLUGIN_USE_MANIFEST_GENERATE_PATHS - valueFrom: null + - name: ARGOCD_REPO_SERVER_PLUGIN_USE_MANIFEST_GENERATE_PATHS + valueFrom: + configMapKeyRef: + key: reposerver.plugin.use.manifest.generate.paths + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS valueFrom: configMapKeyRef: diff --git a/manifests/ha/install.yaml b/manifests/ha/install.yaml index 4e2456c60e464..5d6e05f8542b2 100644 --- a/manifests/ha/install.yaml +++ b/manifests/ha/install.yaml @@ -24453,11 +24453,12 @@ spec: key: reposerver.plugin.tar.exclusions name: argocd-cmd-params-cm optional: true - - configMapKeyRef: - key: reposerver.plugin.use.manifest.generate.paths - name: argocd-cmd-params-cm - optional: true - name: ARGOCD_REPO_SERVER_PLUGIN_USE_MANIFEST_GENERATE_PATHS + - name: ARGOCD_REPO_SERVER_PLUGIN_USE_MANIFEST_GENERATE_PATHS + valueFrom: + configMapKeyRef: + key: reposerver.plugin.use.manifest.generate.paths + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS valueFrom: configMapKeyRef: diff --git a/manifests/ha/namespace-install.yaml b/manifests/ha/namespace-install.yaml index eb8efee763024..c7d298bcbe8bd 100644 --- a/manifests/ha/namespace-install.yaml +++ b/manifests/ha/namespace-install.yaml 
@@ -2245,11 +2245,12 @@ spec: key: reposerver.plugin.tar.exclusions name: argocd-cmd-params-cm optional: true - - configMapKeyRef: - key: reposerver.plugin.use.manifest.generate.paths - name: argocd-cmd-params-cm - optional: true - name: ARGOCD_REPO_SERVER_PLUGIN_USE_MANIFEST_GENERATE_PATHS + - name: ARGOCD_REPO_SERVER_PLUGIN_USE_MANIFEST_GENERATE_PATHS + valueFrom: + configMapKeyRef: + key: reposerver.plugin.use.manifest.generate.paths + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS valueFrom: configMapKeyRef: diff --git a/manifests/install.yaml b/manifests/install.yaml index beeefd0a4dd78..cea128e02d95d 100644 --- a/manifests/install.yaml +++ b/manifests/install.yaml @@ -23523,12 +23523,12 @@ spec: key: reposerver.plugin.tar.exclusions name: argocd-cmd-params-cm optional: true - - configMapKeyRef: - key: reposerver.plugin.use.manifest.generate.paths - name: argocd-cmd-params-cm - optional: true - name: ARGOCD_REPO_SERVER_PLUGIN_USE_MANIFEST_GENERATE_PATHS - valueFrom: null + - name: ARGOCD_REPO_SERVER_PLUGIN_USE_MANIFEST_GENERATE_PATHS + valueFrom: + configMapKeyRef: + key: reposerver.plugin.use.manifest.generate.paths + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS valueFrom: configMapKeyRef: diff --git a/manifests/namespace-install.yaml b/manifests/namespace-install.yaml index 905bd717f05b9..afabb286c5769 100644 --- a/manifests/namespace-install.yaml +++ b/manifests/namespace-install.yaml 
@@ -1315,12 +1315,12 @@ spec: key: reposerver.plugin.tar.exclusions name: argocd-cmd-params-cm optional: true - - configMapKeyRef: - key: reposerver.plugin.use.manifest.generate.paths - name: argocd-cmd-params-cm - optional: true - name: ARGOCD_REPO_SERVER_PLUGIN_USE_MANIFEST_GENERATE_PATHS - valueFrom: null + - name: ARGOCD_REPO_SERVER_PLUGIN_USE_MANIFEST_GENERATE_PATHS + valueFrom: + configMapKeyRef: + key: reposerver.plugin.use.manifest.generate.paths + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS valueFrom: configMapKeyRef: From 5d89339c1471db16668fdf3f4576e527ec3ad082 Mon Sep 17 00:00:00 2001 From: Dillen Padhiar <38965141+dpadhiar@users.noreply.github.com> Date: Mon, 30 Sep 2024 07:01:17 -0700 Subject: [PATCH 16/38] feat: introduce pause/unpause actions for Numaplane CRDs (#20128) * feat: introduce pause/unpause actions for Numaplane CRDs Signed-off-by: Dillen Padhiar * test: fixed incorrect file names Signed-off-by: Dillen Padhiar * chore: codegen Signed-off-by: Dillen Padhiar * fix: empty check for lifecycle Signed-off-by: Dillen Padhiar * fix: nil check Signed-off-by: Dillen Padhiar * fix: nil checks Signed-off-by: Dillen Padhiar * test: testing different starting spec Signed-off-by: Dillen Padhiar * feat: add nil checks for all possible nil fields Signed-off-by: Dillen Padhiar * chore: rerun tests Signed-off-by: Dillen Padhiar --------- 
Signed-off-by: Dillen Padhiar --- .../resource_actions_builtin.md | 4 ++ .../actions/action_test.yaml | 7 +++ .../MonoVertexRollout/actions/discovery.lua | 14 +++++ .../actions/pause/action.lua | 5 ++ .../actions/testdata/rollout-paused.yaml | 49 +++++++++++++++ .../actions/testdata/rollout-running.yaml | 49 +++++++++++++++ .../actions/testdata/rollout.yaml | 47 ++++++++++++++ .../actions/unpause/action.lua | 2 + .../PipelineRollout/actions/action_test.yaml | 7 +++ .../PipelineRollout/actions/discovery.lua | 14 +++++ .../PipelineRollout/actions/pause/action.lua | 5 ++ .../actions/testdata/rollout-paused.yaml | 63 +++++++++++++++++++ .../actions/testdata/rollout-running.yaml | 63 +++++++++++++++++++ .../actions/testdata/rollout.yaml | 61 ++++++++++++++++++ .../actions/unpause/action.lua | 2 + 15 files changed, 392 insertions(+) create mode 100644 resource_customizations/numaplane.numaproj.io/MonoVertexRollout/actions/action_test.yaml create mode 100644 resource_customizations/numaplane.numaproj.io/MonoVertexRollout/actions/discovery.lua create mode 100644 resource_customizations/numaplane.numaproj.io/MonoVertexRollout/actions/pause/action.lua create mode 100644 resource_customizations/numaplane.numaproj.io/MonoVertexRollout/actions/testdata/rollout-paused.yaml create mode 100644 resource_customizations/numaplane.numaproj.io/MonoVertexRollout/actions/testdata/rollout-running.yaml create mode 100644 resource_customizations/numaplane.numaproj.io/MonoVertexRollout/actions/testdata/rollout.yaml create mode 100644 resource_customizations/numaplane.numaproj.io/MonoVertexRollout/actions/unpause/action.lua create mode 100644 resource_customizations/numaplane.numaproj.io/PipelineRollout/actions/action_test.yaml create mode 100644 resource_customizations/numaplane.numaproj.io/PipelineRollout/actions/discovery.lua create mode 100644 resource_customizations/numaplane.numaproj.io/PipelineRollout/actions/pause/action.lua create mode 100644 
resource_customizations/numaplane.numaproj.io/PipelineRollout/actions/testdata/rollout-paused.yaml create mode 100644 resource_customizations/numaplane.numaproj.io/PipelineRollout/actions/testdata/rollout-running.yaml create mode 100644 resource_customizations/numaplane.numaproj.io/PipelineRollout/actions/testdata/rollout.yaml create mode 100644 resource_customizations/numaplane.numaproj.io/PipelineRollout/actions/unpause/action.lua diff --git a/docs/operator-manual/resource_actions_builtin.md b/docs/operator-manual/resource_actions_builtin.md index 46230a879a875..7e149ecfe18f6 100644 --- a/docs/operator-manual/resource_actions_builtin.md +++ b/docs/operator-manual/resource_actions_builtin.md 
@@ -33,6 +33,10 @@ - [notification.toolkit.fluxcd.io/Receiver/reconcile](https://github.com/argoproj/argo-cd/blob/master/resource_customizations/notification.toolkit.fluxcd.io/Receiver/actions/reconcile/action.lua) - [notification.toolkit.fluxcd.io/Receiver/resume](https://github.com/argoproj/argo-cd/blob/master/resource_customizations/notification.toolkit.fluxcd.io/Receiver/actions/resume/action.lua) - [notification.toolkit.fluxcd.io/Receiver/suspend](https://github.com/argoproj/argo-cd/blob/master/resource_customizations/notification.toolkit.fluxcd.io/Receiver/actions/suspend/action.lua) +- [numaplane.numaproj.io/MonoVertexRollout/pause](https://github.com/argoproj/argo-cd/blob/master/resource_customizations/numaplane.numaproj.io/MonoVertexRollout/actions/pause/action.lua) +- [numaplane.numaproj.io/MonoVertexRollout/unpause](https://github.com/argoproj/argo-cd/blob/master/resource_customizations/numaplane.numaproj.io/MonoVertexRollout/actions/unpause/action.lua) +- [numaplane.numaproj.io/PipelineRollout/pause](https://github.com/argoproj/argo-cd/blob/master/resource_customizations/numaplane.numaproj.io/PipelineRollout/actions/pause/action.lua) +- [numaplane.numaproj.io/PipelineRollout/unpause](https://github.com/argoproj/argo-cd/blob/master/resource_customizations/numaplane.numaproj.io/PipelineRollout/actions/unpause/action.lua) - [source.toolkit.fluxcd.io/Bucket/reconcile](https://github.com/argoproj/argo-cd/blob/master/resource_customizations/source.toolkit.fluxcd.io/Bucket/actions/reconcile/action.lua) - [source.toolkit.fluxcd.io/Bucket/resume](https://github.com/argoproj/argo-cd/blob/master/resource_customizations/source.toolkit.fluxcd.io/Bucket/actions/resume/action.lua) - [source.toolkit.fluxcd.io/Bucket/suspend](https://github.com/argoproj/argo-cd/blob/master/resource_customizations/source.toolkit.fluxcd.io/Bucket/actions/suspend/action.lua) 
diff --git a/resource_customizations/numaplane.numaproj.io/MonoVertexRollout/actions/action_test.yaml b/resource_customizations/numaplane.numaproj.io/MonoVertexRollout/actions/action_test.yaml
new file mode 100644
index 0000000000000..13a1e7cdffc9f
--- /dev/null
+++ b/resource_customizations/numaplane.numaproj.io/MonoVertexRollout/actions/action_test.yaml
@@ -0,0 +1,7 @@
+actionTests:
+- action: pause
+ inputPath: testdata/rollout.yaml
+ expectedOutputPath: testdata/rollout-paused.yaml
+- action: unpause
+ inputPath: testdata/rollout-paused.yaml
+ expectedOutputPath: testdata/rollout-running.yaml
\ No newline at end of file
diff --git a/resource_customizations/numaplane.numaproj.io/MonoVertexRollout/actions/discovery.lua b/resource_customizations/numaplane.numaproj.io/MonoVertexRollout/actions/discovery.lua
new file mode 100644
index 0000000000000..2961869dbdcc0
--- /dev/null
+++ b/resource_customizations/numaplane.numaproj.io/MonoVertexRollout/actions/discovery.lua
@@ -0,0 +1,14 @@
+local actions = {}
+actions["pause"] = {["disabled"] = true}
+actions["unpause"] = {["disabled"] = true}
+
+local paused = false
+if obj.spec.monoVertex.spec.lifecycle ~= nil and obj.spec.monoVertex.spec.lifecycle.desiredPhase ~= nil and obj.spec.monoVertex.spec.lifecycle.desiredPhase == "Paused" then
+ paused = true
+end
+if paused then
+ actions["unpause"]["disabled"] = false
+else
+ actions["pause"]["disabled"] = false
+end
+return actions
\ No newline at end of file
diff --git a/resource_customizations/numaplane.numaproj.io/MonoVertexRollout/actions/pause/action.lua b/resource_customizations/numaplane.numaproj.io/MonoVertexRollout/actions/pause/action.lua
new file mode 100644
index 0000000000000..6e86a8dfd29e6
--- /dev/null
+++ b/resource_customizations/numaplane.numaproj.io/MonoVertexRollout/actions/pause/action.lua
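Review bot: The condition in MonoVertexRollout/actions/discovery.lua repeats the full `obj.spec.monoVertex.spec.lifecycle` path three times, and its `desiredPhase ~= nil` clause is redundant because comparing nil with `"Paused"` is already false in Lua. Binding the table once reads better and keeps the nil guard in one place: `local lifecycle = obj.spec.monoVertex.spec.lifecycle` followed by `local paused = lifecycle ~= nil and lifecycle.desiredPhase == "Paused"`. The parents `monoVertex` and `monoVertex.spec` are still indexed unguarded; whether the CRD makes them required is not visible here, so a one-line comment stating that assumption would help. PipelineRollout/actions/discovery.lua has the same chain on `obj.spec.pipeline.spec`. Neither action_test.yaml adds `discoveryTests` entries, so the paused and not-paused branches of these scripts are not exercised.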
@@ -0,0 +1,5 @@
+if obj.spec.monoVertex.spec.lifecycle == nil then
+ obj.spec.monoVertex.spec.lifecycle = {}
+end
+obj.spec.monoVertex.spec.lifecycle.desiredPhase = "Paused"
+return obj
\ No newline at end of file
diff --git a/resource_customizations/numaplane.numaproj.io/MonoVertexRollout/actions/testdata/rollout-paused.yaml b/resource_customizations/numaplane.numaproj.io/MonoVertexRollout/actions/testdata/rollout-paused.yaml
new file mode 100644
index 0000000000000..2035d668963cc
--- /dev/null
+++ b/resource_customizations/numaplane.numaproj.io/MonoVertexRollout/actions/testdata/rollout-paused.yaml
@@ -0,0 +1,49 @@ +apiVersion: numaplane.numaproj.io/v1alpha1 +kind: MonoVertexRollout +metadata: + annotations: + kubectl.kubernetes.io/last-applied-configuration: > + {"apiVersion":"numaplane.numaproj.io/v1alpha1","kind":"MonoVertexRollout","metadata":{"annotations":{},"labels":{"argocd.argoproj.io/instance":"demo-app"},"name":"my-monovertex","namespace":"example-namespace"},"spec":{"monoVertex":{"spec":{"sink":{"udsink":{"container":{"image":"quay.io/numaio/numaflow-java/simple-sink:stable"}}},"source":{"transformer":{"container":{"image":"quay.io/numaio/numaflow-rs/source-transformer-now:stable"}},"udsource":{"container":{"image":"quay.io/numaio/numaflow-java/source-simple-source:stable"}}}}}}} + creationTimestamp: '2024-08-21T20:44:18Z' + finalizers: + - numaplane.numaproj.io/numaplane-controller + generation: 1 + labels: + argocd.argoproj.io/instance: demo-app + name: my-monovertex + namespace: example-namespace + resourceVersion: '947414' + uid: a63f377e-1500-437e-9267-579f4a790518 +spec: + monoVertex: + spec: + lifecycle: + desiredPhase: Paused + sink: + udsink: + container: + image: 'quay.io/numaio/numaflow-java/simple-sink:stable' + source: + transformer: + container: + image: 'quay.io/numaio/numaflow-rs/source-transformer-now:stable' + udsource: + container: + image: 'quay.io/numaio/numaflow-java/source-simple-source:stable' +status: + conditions: + - lastTransitionTime: '2024-08-21T20:44:18Z' + message: Successful + observedGeneration: 1 + reason: Successful + status: 'True' + type: ChildResourceDeployed + - lastTransitionTime: '2024-08-22T21:10:23Z' + message: Successful + observedGeneration: 1 + reason: Successful + status: 'True' + type: ChildResourcesHealthy + message: Deployed + observedGeneration: 1 + phase: Deployed \ No newline at end of file 
diff --git a/resource_customizations/numaplane.numaproj.io/MonoVertexRollout/actions/testdata/rollout-running.yaml b/resource_customizations/numaplane.numaproj.io/MonoVertexRollout/actions/testdata/rollout-running.yaml new file mode 100644 index 0000000000000..e1f47e521846e --- /dev/null +++ b/resource_customizations/numaplane.numaproj.io/MonoVertexRollout/actions/testdata/rollout-running.yaml 
@@ -0,0 +1,49 @@ +apiVersion: numaplane.numaproj.io/v1alpha1 +kind: MonoVertexRollout +metadata: + annotations: + kubectl.kubernetes.io/last-applied-configuration: > + {"apiVersion":"numaplane.numaproj.io/v1alpha1","kind":"MonoVertexRollout","metadata":{"annotations":{},"labels":{"argocd.argoproj.io/instance":"demo-app"},"name":"my-monovertex","namespace":"example-namespace"},"spec":{"monoVertex":{"spec":{"sink":{"udsink":{"container":{"image":"quay.io/numaio/numaflow-java/simple-sink:stable"}}},"source":{"transformer":{"container":{"image":"quay.io/numaio/numaflow-rs/source-transformer-now:stable"}},"udsource":{"container":{"image":"quay.io/numaio/numaflow-java/source-simple-source:stable"}}}}}}} + creationTimestamp: '2024-08-21T20:44:18Z' + finalizers: + - numaplane.numaproj.io/numaplane-controller + generation: 1 + labels: + argocd.argoproj.io/instance: demo-app + name: my-monovertex + namespace: example-namespace + resourceVersion: '947414' + uid: a63f377e-1500-437e-9267-579f4a790518 +spec: + monoVertex: + spec: + lifecycle: + desiredPhase: Running + sink: + udsink: + container: + image: 'quay.io/numaio/numaflow-java/simple-sink:stable' + source: + transformer: + container: + image: 'quay.io/numaio/numaflow-rs/source-transformer-now:stable' + udsource: + container: + image: 'quay.io/numaio/numaflow-java/source-simple-source:stable' +status: + conditions: + - lastTransitionTime: '2024-08-21T20:44:18Z' + message: Successful + observedGeneration: 1 + reason: Successful + status: 'True' + type: ChildResourceDeployed + - lastTransitionTime: '2024-08-22T21:10:23Z' + message: Successful + observedGeneration: 1 + reason: Successful + status: 'True' + type: ChildResourcesHealthy + message: Deployed + observedGeneration: 1 + phase: Deployed \ No newline at end of file 
diff --git a/resource_customizations/numaplane.numaproj.io/MonoVertexRollout/actions/testdata/rollout.yaml b/resource_customizations/numaplane.numaproj.io/MonoVertexRollout/actions/testdata/rollout.yaml new file mode 100644 index 0000000000000..ee9d76c826dc4 --- /dev/null +++ b/resource_customizations/numaplane.numaproj.io/MonoVertexRollout/actions/testdata/rollout.yaml 
@@ -0,0 +1,47 @@ +apiVersion: numaplane.numaproj.io/v1alpha1 +kind: MonoVertexRollout +metadata: + annotations: + kubectl.kubernetes.io/last-applied-configuration: > + {"apiVersion":"numaplane.numaproj.io/v1alpha1","kind":"MonoVertexRollout","metadata":{"annotations":{},"labels":{"argocd.argoproj.io/instance":"demo-app"},"name":"my-monovertex","namespace":"example-namespace"},"spec":{"monoVertex":{"spec":{"sink":{"udsink":{"container":{"image":"quay.io/numaio/numaflow-java/simple-sink:stable"}}},"source":{"transformer":{"container":{"image":"quay.io/numaio/numaflow-rs/source-transformer-now:stable"}},"udsource":{"container":{"image":"quay.io/numaio/numaflow-java/source-simple-source:stable"}}}}}}} + creationTimestamp: '2024-08-21T20:44:18Z' + finalizers: + - numaplane.numaproj.io/numaplane-controller + generation: 1 + labels: + argocd.argoproj.io/instance: demo-app + name: my-monovertex + namespace: example-namespace + resourceVersion: '947414' + uid: a63f377e-1500-437e-9267-579f4a790518 +spec: + monoVertex: + spec: + sink: + udsink: + container: + image: 'quay.io/numaio/numaflow-java/simple-sink:stable' + source: + transformer: + container: + image: 'quay.io/numaio/numaflow-rs/source-transformer-now:stable' + udsource: + container: + image: 'quay.io/numaio/numaflow-java/source-simple-source:stable' +status: + conditions: + - lastTransitionTime: '2024-08-21T20:44:18Z' + message: Successful + observedGeneration: 1 + reason: Successful + status: 'True' + type: ChildResourceDeployed + - lastTransitionTime: '2024-08-22T21:10:23Z' + message: Successful + observedGeneration: 1 + reason: Successful + status: 'True' + type: ChildResourcesHealthy + message: Deployed + observedGeneration: 1 + phase: Deployed \ No newline at end of file 
diff --git a/resource_customizations/numaplane.numaproj.io/MonoVertexRollout/actions/unpause/action.lua b/resource_customizations/numaplane.numaproj.io/MonoVertexRollout/actions/unpause/action.lua
new file mode 100644
index 0000000000000..c5aa23b690586
--- /dev/null
+++ b/resource_customizations/numaplane.numaproj.io/MonoVertexRollout/actions/unpause/action.lua
@@ -0,0 +1,2 @@
+obj.spec.monoVertex.spec.lifecycle.desiredPhase = "Running"
+return obj
\ No newline at end of file
diff --git a/resource_customizations/numaplane.numaproj.io/PipelineRollout/actions/action_test.yaml b/resource_customizations/numaplane.numaproj.io/PipelineRollout/actions/action_test.yaml
new file mode 100644
index 0000000000000..13a1e7cdffc9f
--- /dev/null
+++ b/resource_customizations/numaplane.numaproj.io/PipelineRollout/actions/action_test.yaml
@@ -0,0 +1,7 @@
+actionTests:
+- action: pause
+ inputPath: testdata/rollout.yaml
+ expectedOutputPath: testdata/rollout-paused.yaml
+- action: unpause
+ inputPath: testdata/rollout-paused.yaml
+ expectedOutputPath: testdata/rollout-running.yaml
\ No newline at end of file
diff --git a/resource_customizations/numaplane.numaproj.io/PipelineRollout/actions/discovery.lua b/resource_customizations/numaplane.numaproj.io/PipelineRollout/actions/discovery.lua
new file mode 100644
index 0000000000000..7b692ccef05fc
--- /dev/null
+++ b/resource_customizations/numaplane.numaproj.io/PipelineRollout/actions/discovery.lua
@@ -0,0 +1,14 @@
+local actions = {}
+actions["pause"] = {["disabled"] = true}
+actions["unpause"] = {["disabled"] = true}
+
+local paused = false
+if obj.spec.pipeline.spec.lifecycle ~= nil and obj.spec.pipeline.spec.lifecycle.desiredPhase ~= nil and obj.spec.pipeline.spec.lifecycle.desiredPhase == "Paused" then
+ paused = true
+end
+if paused then
+ actions["unpause"]["disabled"] = false
+else
+ actions["pause"]["disabled"] = false
+end
+return actions
\ No newline at end of file
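Review bot: MonoVertexRollout/actions/unpause/action.lua assigns `obj.spec.monoVertex.spec.lifecycle.desiredPhase` without the nil guard that pause/action.lua has, so it fails with an index-nil error on any rollout that has no `lifecycle` block. discovery.lua only enables unpause when the phase is already `Paused`, but whether that flag is enforced when an action is run by name is not visible here, so the script should not rely on it. Add the same guard before the assignment: `if obj.spec.monoVertex.spec.lifecycle == nil then obj.spec.monoVertex.spec.lifecycle = {} end`. PipelineRollout/actions/unpause/action.lua has the same gap on `obj.spec.pipeline.spec.lifecycle`. Both action_test.yaml files run unpause only against testdata/rollout-paused.yaml, so the missing-lifecycle input is never tested.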
diff --git a/resource_customizations/numaplane.numaproj.io/PipelineRollout/actions/pause/action.lua b/resource_customizations/numaplane.numaproj.io/PipelineRollout/actions/pause/action.lua
new file mode 100644
index 0000000000000..d3d378a853527
--- /dev/null
+++ b/resource_customizations/numaplane.numaproj.io/PipelineRollout/actions/pause/action.lua
@@ -0,0 +1,5 @@
+if obj.spec.pipeline.spec.lifecycle == nil then
+ obj.spec.pipeline.spec.lifecycle = {}
+end
+obj.spec.pipeline.spec.lifecycle.desiredPhase = "Paused"
+return obj
\ No newline at end of file
diff --git a/resource_customizations/numaplane.numaproj.io/PipelineRollout/actions/testdata/rollout-paused.yaml b/resource_customizations/numaplane.numaproj.io/PipelineRollout/actions/testdata/rollout-paused.yaml
new file mode 100644
index 0000000000000..ac89952fbca54
--- /dev/null
+++ b/resource_customizations/numaplane.numaproj.io/PipelineRollout/actions/testdata/rollout-paused.yaml
@@ -0,0 +1,63 @@ +apiVersion: numaplane.numaproj.io/v1alpha1 +kind: PipelineRollout +metadata: + annotations: + kubectl.kubernetes.io/last-applied-configuration: | + {"apiVersion":"numaplane.numaproj.io/v1alpha1","kind":"PipelineRollout","metadata":{"annotations":{},"name":"my-pipeline","namespace":"example-namespace"},"spec":{"pipeline":{"spec":{"edges":[{"from":"in","to":"cat"},{"from":"cat","to":"out"}],"interStepBufferServiceName":"my-isbsvc","vertices":[{"name":"in","source":{"generator":{"duration":"1s","rpu":5}}},{"name":"cat","udf":{"builtin":{"name":"cat"}}},{"name":"out","sink":{"log":{}}}]}}}} + creationTimestamp: "2024-09-26T20:54:55Z" + finalizers: + - numaplane.numaproj.io/numaplane-controller + generation: 1 + name: my-pipeline + namespace: example-namespace + resourceVersion: "14008" + uid: ab9286a1-f453-433e-846e-48900ab2068a +spec: + pipeline: + spec: + lifecycle: + desiredPhase: Paused + edges: + - from: in + to: cat + - from: cat + to: out + interStepBufferServiceName: my-isbsvc + vertices: + - name: in + source: + generator: + duration: 1s + rpu: 5 + - name: cat + udf: + builtin: + name: cat + - name: out + sink: + log: {} +status: + conditions: + - lastTransitionTime: "2024-09-26T20:54:55Z" + message: Successful + observedGeneration: 1 + reason: Successful + status: "True" + type: ChildResourceDeployed + - lastTransitionTime: "2024-09-26T20:55:07Z" + message: Pipeline Phase=Failed + observedGeneration: 1 + reason: PipelineFailed + status: "False" + type: ChildResourcesHealthy + - lastTransitionTime: "2024-09-26T20:54:55Z" + message: Pipeline unpaused + observedGeneration: 1 + reason: Unpaused + status: "False" + type: PipelinePausingOrPaused + message: Deployed + nameCount: 0 + observedGeneration: 1 + pauseStatus: {} + phase: Deployed \ No newline at end of file 
diff --git a/resource_customizations/numaplane.numaproj.io/PipelineRollout/actions/testdata/rollout-running.yaml b/resource_customizations/numaplane.numaproj.io/PipelineRollout/actions/testdata/rollout-running.yaml new file mode 100644 index 0000000000000..81504a82da4df --- /dev/null +++ b/resource_customizations/numaplane.numaproj.io/PipelineRollout/actions/testdata/rollout-running.yaml 
@@ -0,0 +1,63 @@ +apiVersion: numaplane.numaproj.io/v1alpha1 +kind: PipelineRollout +metadata: + annotations: + kubectl.kubernetes.io/last-applied-configuration: | + {"apiVersion":"numaplane.numaproj.io/v1alpha1","kind":"PipelineRollout","metadata":{"annotations":{},"name":"my-pipeline","namespace":"example-namespace"},"spec":{"pipeline":{"spec":{"edges":[{"from":"in","to":"cat"},{"from":"cat","to":"out"}],"interStepBufferServiceName":"my-isbsvc","vertices":[{"name":"in","source":{"generator":{"duration":"1s","rpu":5}}},{"name":"cat","udf":{"builtin":{"name":"cat"}}},{"name":"out","sink":{"log":{}}}]}}}} + creationTimestamp: "2024-09-26T20:54:55Z" + finalizers: + - numaplane.numaproj.io/numaplane-controller + generation: 1 + name: my-pipeline + namespace: example-namespace + resourceVersion: "14008" + uid: ab9286a1-f453-433e-846e-48900ab2068a +spec: + pipeline: + spec: + lifecycle: + desiredPhase: Running + edges: + - from: in + to: cat + - from: cat + to: out + interStepBufferServiceName: my-isbsvc + vertices: + - name: in + source: + generator: + duration: 1s + rpu: 5 + - name: cat + udf: + builtin: + name: cat + - name: out + sink: + log: {} +status: + conditions: + - lastTransitionTime: "2024-09-26T20:54:55Z" + message: Successful + observedGeneration: 1 + reason: Successful + status: "True" + type: ChildResourceDeployed + - lastTransitionTime: "2024-09-26T20:55:07Z" + message: Pipeline Phase=Failed + observedGeneration: 1 + reason: PipelineFailed + status: "False" + type: ChildResourcesHealthy + - lastTransitionTime: "2024-09-26T20:54:55Z" + message: Pipeline unpaused + observedGeneration: 1 + reason: Unpaused + status: "False" + type: PipelinePausingOrPaused + message: Deployed + nameCount: 0 + observedGeneration: 1 + pauseStatus: {} + phase: Deployed \ No newline at end of file 
diff --git a/resource_customizations/numaplane.numaproj.io/PipelineRollout/actions/testdata/rollout.yaml b/resource_customizations/numaplane.numaproj.io/PipelineRollout/actions/testdata/rollout.yaml new file mode 100644 index 0000000000000..7011e9fd73bad --- /dev/null +++ b/resource_customizations/numaplane.numaproj.io/PipelineRollout/actions/testdata/rollout.yaml 
@@ -0,0 +1,61 @@ +apiVersion: numaplane.numaproj.io/v1alpha1 +kind: PipelineRollout +metadata: + annotations: + kubectl.kubernetes.io/last-applied-configuration: | + {"apiVersion":"numaplane.numaproj.io/v1alpha1","kind":"PipelineRollout","metadata":{"annotations":{},"name":"my-pipeline","namespace":"example-namespace"},"spec":{"pipeline":{"spec":{"edges":[{"from":"in","to":"cat"},{"from":"cat","to":"out"}],"interStepBufferServiceName":"my-isbsvc","vertices":[{"name":"in","source":{"generator":{"duration":"1s","rpu":5}}},{"name":"cat","udf":{"builtin":{"name":"cat"}}},{"name":"out","sink":{"log":{}}}]}}}} + creationTimestamp: "2024-09-26T20:54:55Z" + finalizers: + - numaplane.numaproj.io/numaplane-controller + generation: 1 + name: my-pipeline + namespace: example-namespace + resourceVersion: "14008" + uid: ab9286a1-f453-433e-846e-48900ab2068a +spec: + pipeline: + spec: + edges: + - from: in + to: cat + - from: cat + to: out + interStepBufferServiceName: my-isbsvc + vertices: + - name: in + source: + generator: + duration: 1s + rpu: 5 + - name: cat + udf: + builtin: + name: cat + - name: out + sink: + log: {} +status: + conditions: + - lastTransitionTime: "2024-09-26T20:54:55Z" + message: Successful + observedGeneration: 1 + reason: Successful + status: "True" + type: ChildResourceDeployed + - lastTransitionTime: "2024-09-26T20:55:07Z" + message: Pipeline Phase=Failed + observedGeneration: 1 + reason: PipelineFailed + status: "False" + type: ChildResourcesHealthy + - lastTransitionTime: "2024-09-26T20:54:55Z" + message: Pipeline unpaused + observedGeneration: 1 + reason: Unpaused + status: "False" + type: PipelinePausingOrPaused + message: Deployed + nameCount: 0 + observedGeneration: 1 + pauseStatus: {} + phase: Deployed \ No newline at end of file 
diff --git a/resource_customizations/numaplane.numaproj.io/PipelineRollout/actions/unpause/action.lua b/resource_customizations/numaplane.numaproj.io/PipelineRollout/actions/unpause/action.lua new file mode 100644 index 0000000000000..5f0802bc9b743 --- /dev/null +++ b/resource_customizations/numaplane.numaproj.io/PipelineRollout/actions/unpause/action.lua @@ -0,0 +1,2 @@ +obj.spec.pipeline.spec.lifecycle.desiredPhase = "Running" +return obj \ No newline at end of file From 92e0b553a752096fee93af7ac73e7a529cfb123b Mon Sep 17 00:00:00 2001 From: Daco Date: Mon, 30 Sep 2024 16:22:49 +0200 Subject: [PATCH 17/38] feat(appset): Add a cache layer for Argo Projects to speed-up application validation (#18703) * feat(appset): Add a cache layer for Argo Projects to speed-up application validation Signed-off-by: Philippe Da Costa * Use local client rather than custom cache Signed-off-by: Philippe Da Costa * Clean go.mod Signed-off-by: Philippe Da Costa * Merge master Signed-off-by: Philippe Da Costa * Fix after merging master Signed-off-by: Philippe Da Costa Signed-off-by: Philippe Da Costa * Initialize appProject variable inside loop Signed-off-by: Philippe Da Costa * Remove unused ArgoAppClientset field Signed-off-by: Philippe Da Costa Signed-off-by: Philippe Da Costa * Fix linter issue Signed-off-by: Philippe Da Costa Signed-off-by: Philippe Da Costa --------- Signed-off-by: Philippe Da Costa --- .../controllers/applicationset_controller.go | 9 +- .../applicationset_controller_test.go | 227 ++++++------------ .../commands/applicationset_controller.go | 3 - 3 files changed, 78 insertions(+), 161 deletions(-) diff --git a/applicationset/controllers/applicationset_controller.go b/applicationset/controllers/applicationset_controller.go index d3911f1e0c7c4..f817dc49ed12a 100644 --- a/applicationset/controllers/applicationset_controller.go +++ b/applicationset/controllers/applicationset_controller.go 
@@ -52,7 +52,6 @@ import ( "github.com/argoproj/argo-cd/v2/util/db" argov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1" - appclientset "github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned" argoutil "github.com/argoproj/argo-cd/v2/util/argo" "github.com/argoproj/argo-cd/v2/util/argo/normalizers" @@ -79,7 +78,6 @@ type ApplicationSetReconciler struct { Recorder record.EventRecorder Generators map[string]generators.Generator ArgoDB db.ArgoDB - ArgoAppClientset appclientset.Interface KubeClientset kubernetes.Interface Policy argov1alpha1.ApplicationsSyncPolicy EnablePolicyOverride bool @@ -97,6 +95,7 @@ type ApplicationSetReconciler struct { // +kubebuilder:rbac:groups=argoproj.io,resources=applicationsets/status,verbs=get;update;patch func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { + startReconcile := time.Now() logCtx := log.WithField("applicationset", req.NamespacedName) var applicationSetInfo argov1alpha1.ApplicationSet @@ -334,7 +333,7 @@ func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Reque requeueAfter = ReconcileRequeueOnValidationError } - logCtx.WithField("requeueAfter", requeueAfter).Info("end reconcile") + logCtx.WithField("requeueAfter", requeueAfter).Info("end reconcile in ", time.Since(startReconcile)) return ctrl.Result{ RequeueAfter: requeueAfter, 
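Review bot: In the last hunk of this line, Reconcile glues the elapsed time into the message with `Info("end reconcile in ", time.Since(startReconcile))`, although the same statement already uses `WithField` for `requeueAfter`. A field keeps the message text constant for log matching and makes the duration queryable: `logCtx.WithField("requeueAfter", requeueAfter).WithField("duration", time.Since(startReconcile)).Info("end reconcile")`. Only this final return is shown logging the duration; if Reconcile has earlier return paths that matter for timing, they are outside the hunk and would need a deferred log to be covered. Reconcile's body starts and ends outside these hunks.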
@@ -472,7 +471,9 @@ func (r *ApplicationSetReconciler) validateGeneratedApplications(ctx context.Con errorsByIndex[i] = fmt.Errorf("ApplicationSet %s contains applications with duplicate name: %s", applicationSetInfo.Name, app.Name) continue } - _, err := r.ArgoAppClientset.ArgoprojV1alpha1().AppProjects(r.ArgoCDNamespace).Get(ctx, app.Spec.GetProject(), metav1.GetOptions{}) + + appProject := &argov1alpha1.AppProject{} + err := r.Client.Get(ctx, types.NamespacedName{Name: app.Spec.Project, Namespace: r.ArgoCDNamespace}, appProject) if err != nil { if apierr.IsNotFound(err) { errorsByIndex[i] = fmt.Errorf("application references project %s which does not exist", app.Spec.Project) diff --git a/applicationset/controllers/applicationset_controller_test.go b/applicationset/controllers/applicationset_controller_test.go index 02608175245b4..1b3a225398587 100644 --- a/applicationset/controllers/applicationset_controller_test.go +++ b/applicationset/controllers/applicationset_controller_test.go @@ -37,7 +37,6 @@ import ( appsetmetrics "github.com/argoproj/argo-cd/v2/applicationset/metrics" "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1" - appclientset "github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned/fake" dbmocks "github.com/argoproj/argo-cd/v2/util/db/mocks" "github.com/argoproj/argo-cd/v2/pkg/apis/application" @@ -48,9 +47,6 @@ func TestCreateOrUpdateInCluster(t *testing.T) { err := v1alpha1.AddToScheme(scheme) require.NoError(t, err) - err = v1alpha1.AddToScheme(scheme) - require.NoError(t, err) - for _, c := range []struct { // name is human-readable test name name string @@ -1091,9 +1087,6 @@ func TestRemoveFinalizerOnInvalidDestination_FinalizerTypes(t *testing.T) { err := v1alpha1.AddToScheme(scheme) require.NoError(t, err) - err = v1alpha1.AddToScheme(scheme) - require.NoError(t, err) - for _, c := range []struct { // name is human-readable test name name string 
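Review bot: The new lookup in validateGeneratedApplications passes `app.Spec.Project` where the removed call passed `app.Spec.GetProject()`, so an application with an empty project is now looked up under the name "" instead of whatever GetProject() resolves it to (presumably the default project; the accessor is not shown). This check decides which generated applications an ApplicationSet may create, so the name resolution should stay as it was: `err := r.Client.Get(ctx, types.NamespacedName{Name: app.Spec.GetProject(), Namespace: r.ArgoCDNamespace}, appProject)`. If r.Client serves reads from an informer cache, as the commit title suggests, a just-deleted AppProject can still pass validation for a short window, and a comment stating that this staleness is accepted would help. The visible test hunks in TestValidateGeneratedApplications do not add an empty-project case. The function body continues outside the hunk.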
@@ -1214,9 +1207,6 @@ func TestRemoveFinalizerOnInvalidDestination_DestinationTypes(t *testing.T) { err := v1alpha1.AddToScheme(scheme) require.NoError(t, err) - err = v1alpha1.AddToScheme(scheme) - require.NoError(t, err) - for _, c := range []struct { // name is human-readable test name name string @@ -1371,9 +1361,6 @@ func TestRemoveOwnerReferencesOnDeleteAppSet(t *testing.T) { err := v1alpha1.AddToScheme(scheme) require.NoError(t, err) - err = v1alpha1.AddToScheme(scheme) - require.NoError(t, err) - for _, c := range []struct { // name is human-readable test name name string @@ -1447,9 +1434,6 @@ func TestCreateApplications(t *testing.T) { err := v1alpha1.AddToScheme(scheme) require.NoError(t, err) - err = v1alpha1.AddToScheme(scheme) - require.NoError(t, err) - testCases := []struct { name string appSet v1alpha1.ApplicationSet @@ -1653,8 +1637,6 @@ func TestDeleteInCluster(t *testing.T) { scheme := runtime.NewScheme() err := v1alpha1.AddToScheme(scheme) require.NoError(t, err) - err = v1alpha1.AddToScheme(scheme) - require.NoError(t, err) for _, c := range []struct { // appSet is the application set on which the delete function is called @@ -1809,8 +1791,6 @@ func TestGetMinRequeueAfter(t *testing.T) { scheme := runtime.NewScheme() err := v1alpha1.AddToScheme(scheme) require.NoError(t, err) - err = v1alpha1.AddToScheme(scheme) - require.NoError(t, err) client := fake.NewClientBuilder().WithScheme(scheme).Build() metrics := appsetmetrics.NewFakeAppsetMetrics(client) @@ -1913,12 +1893,6 @@ func TestValidateGeneratedApplications(t *testing.T) { err := v1alpha1.AddToScheme(scheme) require.NoError(t, err) - err = v1alpha1.AddToScheme(scheme) - require.NoError(t, err) - - client := fake.NewClientBuilder().WithScheme(scheme).Build() - metrics := appsetmetrics.NewFakeAppsetMetrics(client) - // Valid cluster myCluster := v1alpha1.Cluster{ Server: "https://kubernetes.default.svc", 
@@ -1945,6 +1919,9 @@ func TestValidateGeneratedApplications(t *testing.T) { }, } + client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(myProject).Build() + metrics := appsetmetrics.NewFakeAppsetMetrics(client) + // Test a subset of the validations that 'validateGeneratedApplications' performs for _, cc := range []struct { name string @@ -2094,21 +2071,15 @@ func TestValidateGeneratedApplications(t *testing.T) { myCluster, }}, nil) - argoObjs := []runtime.Object{myProject} - for _, app := range cc.apps { - argoObjs = append(argoObjs, &app) - } - r := ApplicationSetReconciler{ - Client: client, - Scheme: scheme, - Recorder: record.NewFakeRecorder(1), - Generators: map[string]generators.Generator{}, - ArgoDB: &argoDBMock, - ArgoCDNamespace: "namespace", - ArgoAppClientset: appclientset.NewSimpleClientset(argoObjs...), - KubeClientset: kubeclientset, - Metrics: metrics, + Client: client, + Scheme: scheme, + Recorder: record.NewFakeRecorder(1), + Generators: map[string]generators.Generator{}, + ArgoDB: &argoDBMock, + ArgoCDNamespace: "namespace", + KubeClientset: kubeclientset, + Metrics: metrics, } appSetInfo := v1alpha1.ApplicationSet{} @@ -2150,8 +2121,6 @@ func TestReconcilerValidationProjectErrorBehaviour(t *testing.T) { scheme := runtime.NewScheme() err := v1alpha1.AddToScheme(scheme) require.NoError(t, err) - err = v1alpha1.AddToScheme(scheme) - require.NoError(t, err) project := v1alpha1.AppProject{ ObjectMeta: metav1.ObjectMeta{Name: "good-project", Namespace: "argocd"}, 
@@ -2190,9 +2159,8 @@ func TestReconcilerValidationProjectErrorBehaviour(t *testing.T) { kubeclientset := kubefake.NewSimpleClientset() argoDBMock := dbmocks.ArgoDB{} - argoObjs := []runtime.Object{&project} - client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(&appSet).WithStatusSubresource(&appSet).WithIndex(&v1alpha1.Application{}, ".metadata.controller", appControllerIndexer).Build() + client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(&appSet, &project).WithStatusSubresource(&appSet).WithIndex(&v1alpha1.Application{}, ".metadata.controller", appControllerIndexer).Build() metrics := appsetmetrics.NewFakeAppsetMetrics(client) goodCluster := v1alpha1.Cluster{Server: "https://good-cluster", Name: "good-cluster"} badCluster := v1alpha1.Cluster{Server: "https://bad-cluster", Name: "bad-cluster"} @@ -2210,12 +2178,11 @@ func TestReconcilerValidationProjectErrorBehaviour(t *testing.T) { Generators: map[string]generators.Generator{ "List": generators.NewListGenerator(), }, - ArgoDB: &argoDBMock, - ArgoAppClientset: appclientset.NewSimpleClientset(argoObjs...), - KubeClientset: kubeclientset, - Policy: v1alpha1.ApplicationsSyncPolicySync, - ArgoCDNamespace: "argocd", - Metrics: metrics, + ArgoDB: &argoDBMock, + KubeClientset: kubeclientset, + Policy: v1alpha1.ApplicationsSyncPolicySync, + ArgoCDNamespace: "argocd", + Metrics: metrics, } req := ctrl.Request{ @@ -2246,8 +2213,6 @@ func TestSetApplicationSetStatusCondition(t *testing.T) { scheme := runtime.NewScheme() err := v1alpha1.AddToScheme(scheme) require.NoError(t, err) - err = v1alpha1.AddToScheme(scheme) - require.NoError(t, err) testCases := []struct { appset v1alpha1.ApplicationSet 
@@ -2395,7 +2360,6 @@ func TestSetApplicationSetStatusCondition(t *testing.T) { kubeclientset := kubefake.NewSimpleClientset([]runtime.Object{}...) argoDBMock := dbmocks.ArgoDB{} - argoObjs := []runtime.Object{} for _, testCase := range testCases { client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(&testCase.appset).WithIndex(&v1alpha1.Application{}, ".metadata.controller", appControllerIndexer).WithStatusSubresource(&testCase.appset).Build() @@ -2409,10 +2373,9 @@ func TestSetApplicationSetStatusCondition(t *testing.T) { Generators: map[string]generators.Generator{ "List": generators.NewListGenerator(), }, - ArgoDB: &argoDBMock, - ArgoAppClientset: appclientset.NewSimpleClientset(argoObjs...), - KubeClientset: kubeclientset, - Metrics: metrics, + ArgoDB: &argoDBMock, + KubeClientset: kubeclientset, + Metrics: metrics, } for _, condition := range testCase.conditions { @@ -2428,8 +2391,6 @@ func applicationsUpdateSyncPolicyTest(t *testing.T, applicationsSyncPolicy v1alp scheme := runtime.NewScheme() err := v1alpha1.AddToScheme(scheme) require.NoError(t, err) - err = v1alpha1.AddToScheme(scheme) - require.NoError(t, err) defaultProject := v1alpha1.AppProject{ ObjectMeta: metav1.ObjectMeta{Name: "default", Namespace: "argocd"}, 
@@ -2469,9 +2430,8 @@ func applicationsUpdateSyncPolicyTest(t *testing.T, applicationsSyncPolicy v1alp kubeclientset := kubefake.NewSimpleClientset() argoDBMock := dbmocks.ArgoDB{} - argoObjs := []runtime.Object{&defaultProject} - client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(&appSet).WithStatusSubresource(&appSet).WithIndex(&v1alpha1.Application{}, ".metadata.controller", appControllerIndexer).Build() + client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(&appSet, &defaultProject).WithStatusSubresource(&appSet).WithIndex(&v1alpha1.Application{}, ".metadata.controller", appControllerIndexer).Build() metrics := appsetmetrics.NewFakeAppsetMetrics(client) goodCluster := v1alpha1.Cluster{Server: "https://good-cluster", Name: "good-cluster"} argoDBMock.On("GetCluster", mock.Anything, "https://good-cluster").Return(&goodCluster, nil) @@ -2489,7 +2449,6 @@ func applicationsUpdateSyncPolicyTest(t *testing.T, applicationsSyncPolicy v1alp }, ArgoDB: &argoDBMock, ArgoCDNamespace: "argocd", - ArgoAppClientset: appclientset.NewSimpleClientset(argoObjs...), KubeClientset: kubeclientset, Policy: v1alpha1.ApplicationsSyncPolicySync, EnablePolicyOverride: allowPolicyOverride, @@ -2593,8 +2552,6 @@ func applicationsDeleteSyncPolicyTest(t *testing.T, applicationsSyncPolicy v1alp scheme := runtime.NewScheme() err := v1alpha1.AddToScheme(scheme) require.NoError(t, err) - err = v1alpha1.AddToScheme(scheme) - require.NoError(t, err) defaultProject := v1alpha1.AppProject{ ObjectMeta: metav1.ObjectMeta{Name: "default", Namespace: "argocd"}, 
@@ -2634,9 +2591,8 @@ func applicationsDeleteSyncPolicyTest(t *testing.T, applicationsSyncPolicy v1alp kubeclientset := kubefake.NewSimpleClientset() argoDBMock := dbmocks.ArgoDB{} - argoObjs := []runtime.Object{&defaultProject} - client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(&appSet).WithStatusSubresource(&appSet).WithIndex(&v1alpha1.Application{}, ".metadata.controller", appControllerIndexer).Build() + client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(&appSet, &defaultProject).WithStatusSubresource(&appSet).WithIndex(&v1alpha1.Application{}, ".metadata.controller", appControllerIndexer).Build() metrics := appsetmetrics.NewFakeAppsetMetrics(client) goodCluster := v1alpha1.Cluster{Server: "https://good-cluster", Name: "good-cluster"} argoDBMock.On("GetCluster", mock.Anything, "https://good-cluster").Return(&goodCluster, nil) @@ -2654,7 +2610,6 @@ func applicationsDeleteSyncPolicyTest(t *testing.T, applicationsSyncPolicy v1alp }, ArgoDB: &argoDBMock, ArgoCDNamespace: "argocd", - ArgoAppClientset: appclientset.NewSimpleClientset(argoObjs...), KubeClientset: kubeclientset, Policy: v1alpha1.ApplicationsSyncPolicySync, EnablePolicyOverride: allowPolicyOverride, @@ -2752,9 +2707,6 @@ func TestPolicies(t *testing.T) { err := v1alpha1.AddToScheme(scheme) require.NoError(t, err) - err = v1alpha1.AddToScheme(scheme) - require.NoError(t, err) - defaultProject := v1alpha1.AppProject{ ObjectMeta: metav1.ObjectMeta{Name: "default", Namespace: "argocd"}, Spec: v1alpha1.AppProjectSpec{SourceRepos: []string{"*"}, Destinations: []v1alpha1.ApplicationDestination{{Namespace: "*", Server: "https://kubernetes.default.svc"}}}, @@ -2767,7 +2719,6 @@ func TestPolicies(t *testing.T) { kubeclientset := kubefake.NewSimpleClientset() argoDBMock := dbmocks.ArgoDB{} argoDBMock.On("GetCluster", mock.Anything, "https://kubernetes.default.svc").Return(&myCluster, nil) - argoObjs := []runtime.Object{&defaultProject} for _, c := range []struct { name string 
@@ -2839,7 +2790,7 @@ func TestPolicies(t *testing.T) { }, } - client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(&appSet).WithStatusSubresource(&appSet).WithIndex(&v1alpha1.Application{}, ".metadata.controller", appControllerIndexer).Build() + client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(&appSet, &defaultProject).WithStatusSubresource(&appSet).WithIndex(&v1alpha1.Application{}, ".metadata.controller", appControllerIndexer).Build() metrics := appsetmetrics.NewFakeAppsetMetrics(client) r := ApplicationSetReconciler{ @@ -2850,12 +2801,11 @@ func TestPolicies(t *testing.T) { Generators: map[string]generators.Generator{ "List": generators.NewListGenerator(), }, - ArgoDB: &argoDBMock, - ArgoCDNamespace: "argocd", - ArgoAppClientset: appclientset.NewSimpleClientset(argoObjs...), - KubeClientset: kubeclientset, - Policy: policy, - Metrics: metrics, + ArgoDB: &argoDBMock, + ArgoCDNamespace: "argocd", + KubeClientset: kubeclientset, + Policy: policy, + Metrics: metrics, } req := ctrl.Request{ @@ -2923,12 +2873,9 @@ func TestSetApplicationSetApplicationStatus(t *testing.T) { scheme := runtime.NewScheme() err := v1alpha1.AddToScheme(scheme) require.NoError(t, err) - err = v1alpha1.AddToScheme(scheme) - require.NoError(t, err) kubeclientset := kubefake.NewSimpleClientset([]runtime.Object{}...) argoDBMock := dbmocks.ArgoDB{} - argoObjs := []runtime.Object{} for _, cc := range []struct { name string @@ -3012,10 +2959,9 @@ func TestSetApplicationSetApplicationStatus(t *testing.T) { Generators: map[string]generators.Generator{ "List": generators.NewListGenerator(), }, - ArgoDB: &argoDBMock, - ArgoAppClientset: appclientset.NewSimpleClientset(argoObjs...), - KubeClientset: kubeclientset, - Metrics: metrics, + ArgoDB: &argoDBMock, + KubeClientset: kubeclientset, + Metrics: metrics, } err = r.setAppSetApplicationStatus(context.TODO(), log.NewEntry(log.StandardLogger()), &cc.appSet, cc.appStatuses) 
@@ -3031,9 +2977,6 @@ func TestBuildAppDependencyList(t *testing.T) { err := v1alpha1.AddToScheme(scheme) require.NoError(t, err) - err = v1alpha1.AddToScheme(scheme) - require.NoError(t, err) - client := fake.NewClientBuilder().WithScheme(scheme).Build() metrics := appsetmetrics.NewFakeAppsetMetrics(client) @@ -3766,17 +3709,15 @@ func TestBuildAppDependencyList(t *testing.T) { t.Run(cc.name, func(t *testing.T) { kubeclientset := kubefake.NewSimpleClientset([]runtime.Object{}...) argoDBMock := dbmocks.ArgoDB{} - argoObjs := []runtime.Object{} r := ApplicationSetReconciler{ - Client: client, - Scheme: scheme, - Recorder: record.NewFakeRecorder(1), - Generators: map[string]generators.Generator{}, - ArgoDB: &argoDBMock, - ArgoAppClientset: appclientset.NewSimpleClientset(argoObjs...), - KubeClientset: kubeclientset, - Metrics: metrics, + Client: client, + Scheme: scheme, + Recorder: record.NewFakeRecorder(1), + Generators: map[string]generators.Generator{}, + ArgoDB: &argoDBMock, + KubeClientset: kubeclientset, + Metrics: metrics, } appDependencyList, appStepMap := r.buildAppDependencyList(log.NewEntry(log.StandardLogger()), cc.appSet, cc.apps) @@ -3791,9 +3732,6 @@ func TestBuildAppSyncMap(t *testing.T) { err := v1alpha1.AddToScheme(scheme) require.NoError(t, err) - err = v1alpha1.AddToScheme(scheme) - require.NoError(t, err) - client := fake.NewClientBuilder().WithScheme(scheme).Build() metrics := appsetmetrics.NewFakeAppsetMetrics(client) 
@@ -4357,17 +4295,15 @@ func TestBuildAppSyncMap(t *testing.T) { t.Run(cc.name, func(t *testing.T) { kubeclientset := kubefake.NewSimpleClientset([]runtime.Object{}...) argoDBMock := dbmocks.ArgoDB{} - argoObjs := []runtime.Object{} r := ApplicationSetReconciler{ - Client: client, - Scheme: scheme, - Recorder: record.NewFakeRecorder(1), - Generators: map[string]generators.Generator{}, - ArgoDB: &argoDBMock, - ArgoAppClientset: appclientset.NewSimpleClientset(argoObjs...), - KubeClientset: kubeclientset, - Metrics: metrics, + Client: client, + Scheme: scheme, + Recorder: record.NewFakeRecorder(1), + Generators: map[string]generators.Generator{}, + ArgoDB: &argoDBMock, + KubeClientset: kubeclientset, + Metrics: metrics, } appSyncMap := r.buildAppSyncMap(cc.appSet, cc.appDependencyList, cc.appMap) @@ -4381,9 +4317,6 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) { err := v1alpha1.AddToScheme(scheme) require.NoError(t, err) - err = v1alpha1.AddToScheme(scheme) - require.NoError(t, err) - for _, cc := range []struct { name string appSet v1alpha1.ApplicationSet 
@@ -5144,20 +5077,18 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) { t.Run(cc.name, func(t *testing.T) { kubeclientset := kubefake.NewSimpleClientset([]runtime.Object{}...) argoDBMock := dbmocks.ArgoDB{} - argoObjs := []runtime.Object{} client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(&cc.appSet).WithStatusSubresource(&cc.appSet).Build() metrics := appsetmetrics.NewFakeAppsetMetrics(client) r := ApplicationSetReconciler{ - Client: client, - Scheme: scheme, - Recorder: record.NewFakeRecorder(1), - Generators: map[string]generators.Generator{}, - ArgoDB: &argoDBMock, - ArgoAppClientset: appclientset.NewSimpleClientset(argoObjs...), - KubeClientset: kubeclientset, - Metrics: metrics, + Client: client, + Scheme: scheme, + Recorder: record.NewFakeRecorder(1), + Generators: map[string]generators.Generator{}, + ArgoDB: &argoDBMock, + KubeClientset: kubeclientset, + Metrics: metrics, } appStatuses, err := r.updateApplicationSetApplicationStatus(context.TODO(), log.NewEntry(log.StandardLogger()), &cc.appSet, cc.apps, cc.appStepMap) @@ -5178,9 +5109,6 @@ func TestUpdateApplicationSetApplicationStatusProgress(t *testing.T) { err := v1alpha1.AddToScheme(scheme) require.NoError(t, err) - err = v1alpha1.AddToScheme(scheme) - require.NoError(t, err) - for _, cc := range []struct { name string appSet v1alpha1.ApplicationSet 
@@ -5898,20 +5826,18 @@ func TestUpdateApplicationSetApplicationStatusProgress(t *testing.T) { t.Run(cc.name, func(t *testing.T) { kubeclientset := kubefake.NewSimpleClientset([]runtime.Object{}...) argoDBMock := dbmocks.ArgoDB{} - argoObjs := []runtime.Object{} client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(&cc.appSet).WithStatusSubresource(&cc.appSet).Build() metrics := appsetmetrics.NewFakeAppsetMetrics(client) r := ApplicationSetReconciler{ - Client: client, - Scheme: scheme, - Recorder: record.NewFakeRecorder(1), - Generators: map[string]generators.Generator{}, - ArgoDB: &argoDBMock, - ArgoAppClientset: appclientset.NewSimpleClientset(argoObjs...), - KubeClientset: kubeclientset, - Metrics: metrics, + Client: client, + Scheme: scheme, + Recorder: record.NewFakeRecorder(1), + Generators: map[string]generators.Generator{}, + ArgoDB: &argoDBMock, + KubeClientset: kubeclientset, + Metrics: metrics, } appStatuses, err := r.updateApplicationSetApplicationStatusProgress(context.TODO(), log.NewEntry(log.StandardLogger()), &cc.appSet, cc.appSyncMap, cc.appStepMap) @@ -5932,9 +5858,6 @@ func TestUpdateResourceStatus(t *testing.T) { err := v1alpha1.AddToScheme(scheme) require.NoError(t, err) - err = v1alpha1.AddToScheme(scheme) - require.NoError(t, err) - for _, cc := range []struct { name string appSet v1alpha1.ApplicationSet 
@@ -6114,20 +6037,18 @@ func TestUpdateResourceStatus(t *testing.T) { t.Run(cc.name, func(t *testing.T) { kubeclientset := kubefake.NewSimpleClientset([]runtime.Object{}...) argoDBMock := dbmocks.ArgoDB{} - argoObjs := []runtime.Object{} client := fake.NewClientBuilder().WithScheme(scheme).WithStatusSubresource(&cc.appSet).WithObjects(&cc.appSet).Build() metrics := appsetmetrics.NewFakeAppsetMetrics(client) r := ApplicationSetReconciler{ - Client: client, - Scheme: scheme, - Recorder: record.NewFakeRecorder(1), - Generators: map[string]generators.Generator{}, - ArgoDB: &argoDBMock, - ArgoAppClientset: appclientset.NewSimpleClientset(argoObjs...), - KubeClientset: kubeclientset, - Metrics: metrics, + Client: client, + Scheme: scheme, + Recorder: record.NewFakeRecorder(1), + Generators: map[string]generators.Generator{}, + ArgoDB: &argoDBMock, + KubeClientset: kubeclientset, + Metrics: metrics, } err := r.updateResourcesStatus(context.TODO(), log.NewEntry(log.StandardLogger()), &cc.appSet, cc.apps) 
@@ -6206,20 +6127,18 @@ func TestResourceStatusAreOrdered(t *testing.T) { t.Run(cc.name, func(t *testing.T) { kubeclientset := kubefake.NewSimpleClientset([]runtime.Object{}...) argoDBMock := dbmocks.ArgoDB{} - argoObjs := []runtime.Object{} client := fake.NewClientBuilder().WithScheme(scheme).WithStatusSubresource(&cc.appSet).WithObjects(&cc.appSet).Build() metrics := appsetmetrics.NewFakeAppsetMetrics(client) r := ApplicationSetReconciler{ - Client: client, - Scheme: scheme, - Recorder: record.NewFakeRecorder(1), - Generators: map[string]generators.Generator{}, - ArgoDB: &argoDBMock, - ArgoAppClientset: appclientset.NewSimpleClientset(argoObjs...), - KubeClientset: kubeclientset, - Metrics: metrics, + Client: client, + Scheme: scheme, + Recorder: record.NewFakeRecorder(1), + Generators: map[string]generators.Generator{}, + ArgoDB: &argoDBMock, + KubeClientset: kubeclientset, + Metrics: metrics, } err := r.updateResourcesStatus(context.TODO(), log.NewEntry(log.StandardLogger()), &cc.appSet, cc.apps) diff --git a/cmd/argocd-applicationset-controller/commands/applicationset_controller.go b/cmd/argocd-applicationset-controller/commands/applicationset_controller.go index d2f4ce36d98cf..e1adc4bf71834 100644 --- a/cmd/argocd-applicationset-controller/commands/applicationset_controller.go +++ b/cmd/argocd-applicationset-controller/commands/applicationset_controller.go @@ -38,7 +38,6 @@ import ( appsetmetrics "github.com/argoproj/argo-cd/v2/applicationset/metrics" "github.com/argoproj/argo-cd/v2/applicationset/services" appv1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1" - appclientset "github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned" "github.com/argoproj/argo-cd/v2/util/cli" "github.com/argoproj/argo-cd/v2/util/db" "github.com/argoproj/argo-cd/v2/util/errors" 
@@ -162,7 +161,6 @@ func NewCommand() *cobra.Command { errors.CheckError(err) argoSettingsMgr := argosettings.NewSettingsManager(ctx, k8sClient, namespace) - appSetConfig := appclientset.NewForConfigOrDie(mgr.GetConfig()) argoCDDB := db.NewDB(namespace, argoSettingsMgr, k8sClient) scmConfig := generators.NewSCMConfig(scmRootCAPath, allowedScmProviders, enableScmProviders, github_app.NewAuthCredentials(argoCDDB.(db.RepoCredsDB))) @@ -211,7 +209,6 @@ func NewCommand() *cobra.Command { Renderer: &utils.Render{}, Policy: policyObj, EnablePolicyOverride: enablePolicyOverride, - ArgoAppClientset: appSetConfig, KubeClientset: k8sClient, ArgoDB: argoCDDB, ArgoCDNamespace: namespace, From 0cd5ac473c4f3dad5094c6fd9cbb9e8e559e79d7 Mon Sep 17 00:00:00 2001 From: Crumbs <44215646+Crumb5@users.noreply.github.com> Date: Tue, 1 Oct 2024 00:26:04 +1000 Subject: [PATCH 18/38] docs: added note re. arch of example application on getting_started.md (#20143) added warning that example application may not run on all archs Signed-off-by: Crumbs <44215646+Crumb5@users.noreply.github.com> --- docs/getting_started.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/getting_started.md b/docs/getting_started.md index ce0d9688e7963..74623e3f08209 100644 --- a/docs/getting_started.md +++ b/docs/getting_started.md 
@@ -141,6 +141,9 @@ service account token to perform its management tasks (i.e. deploy/monitoring). An example repository containing a guestbook application is available at [https://github.com/argoproj/argocd-example-apps.git](https://github.com/argoproj/argocd-example-apps.git) to demonstrate how Argo CD works. +!!! note + Note: The following example application may only be compatible with AMD64 architecture. If you are running on a different architecture (such as ARM64 or ARMv7), you may encounter issues with dependencies or container images that are not built for your platform. Consider verifying the compatibility of the application or building architecture-specific images if necessary. + ### Creating Apps Via CLI First we need to set the current namespace to argocd running the following command: From 0681098299246215d091b027719774863d44857e Mon Sep 17 00:00:00 2001 From: ABBOUD Moncef Date: Mon, 30 Sep 2024 17:28:05 +0200 Subject: [PATCH 19/38] fix(ui): hide resource actions menu if it's empty (#20051) Signed-off-by: cef --- .../resource-details/resource-details.tsx | 23 +++++----- ui/src/app/applications/components/utils.tsx | 42 ++++++++----------- 2 files changed, 31 insertions(+), 34 deletions(-) diff --git a/ui/src/app/applications/components/resource-details/resource-details.tsx b/ui/src/app/applications/components/resource-details/resource-details.tsx index 59774fa459872..79bbce2c133ae 100644 --- a/ui/src/app/applications/components/resource-details/resource-details.tsx +++ b/ui/src/app/applications/components/resource-details/resource-details.tsx 
@@ -284,7 +284,8 @@ export const ResourceDetails = (props: ResourceDetailsProps) => { const logsAllowed = await services.accounts.canI('logs', 'get', application.spec.project + '/' + application.metadata.name); const execAllowed = execEnabled && (await services.accounts.canI('exec', 'create', application.spec.project + '/' + application.metadata.name)); const links = await services.applications.getResourceLinks(application.metadata.name, application.metadata.namespace, selectedNode).catch(() => null); - return {controlledState, liveState, events, podState, execEnabled, execAllowed, logsAllowed, links, childResources}; + const resourceActionsMenuItems = await AppUtils.getResourceActionsMenuItems(selectedNode, application.metadata, appContext); + return {controlledState, liveState, events, podState, execEnabled, execAllowed, logsAllowed, links, childResources, resourceActionsMenuItems}; }}> {data => ( @@ -314,15 +315,17 @@ export const ResourceDetails = (props: ResourceDetailsProps) => { className='argo-button argo-button--base'> DELETE - ( - - )}> - {() => AppUtils.renderResourceActionMenu(selectedNode, application, appContext)} - + {data.resourceActionsMenuItems?.length > 0 && ( + ( + + )}> + {() => AppUtils.renderResourceActionMenu(data.resourceActionsMenuItems)} + + )}
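Review bot: The added `await AppUtils.getResourceActionsMenuItems(...)` in the load callback has no fallback, unlike the `getResourceLinks(...).catch(() => null)` call just above it, so if that promise can reject, the whole details panel fails to load because of an optional menu. The render side already tolerates a missing list with `data.resourceActionsMenuItems?.length > 0`, so adding `.catch(() => [])` to the call would match it. The helper's body is only partly visible in a later hunk and may already swallow errors; if it does, a short comment here saying so would help. The call is also awaited after the other requests, which adds a round trip to every panel load where the menu appears to have been fetched on demand before.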
                                          { +export function getResourceActionsMenuItems(resource: ResourceTreeNode, metadata: models.ObjectMeta, apis: ContextApis): Promise { return services.applications .getResourceActions(metadata.name, metadata.namespace, resource) .then(actions => { @@ -683,30 +683,24 @@ export function renderResourceMenu( ); } -export function renderResourceActionMenu(resource: ResourceTreeNode, application: appModels.Application, apis: ContextApis): React.ReactNode { - const menuItems = getResourceActionsMenuItems(resource, application.metadata, apis); - +export function renderResourceActionMenu(menuItems: ActionMenuItem[]): React.ReactNode { return ( - menuItems}> - {items => ( -
                                            - {items.map((item, i) => ( -
                                          • { - e.stopPropagation(); - if (!item.disabled) { - item.action(); - document.body.click(); - } - }}> - {item.iconClassName && } {item.title} -
                                          • - ))} -
                                          - )} -
                                          +
                                            + {menuItems.map((item, i) => ( +
                                          • { + e.stopPropagation(); + if (!item.disabled) { + item.action(); + document.body.click(); + } + }}> + {item.iconClassName && } {item.title} +
                                          • + ))} +
                                          ); } From 04e47cd5d468701e6ba4498d49cf0f948dce4713 Mon Sep 17 00:00:00 2001 From: appiepollo14 Date: Mon, 30 Sep 2024 22:39:23 +0200 Subject: [PATCH 20/38] Fixes minor typo which lead to using the bearer token as api URL and was obviously not working. (#20169) Signed-off-by: asjervanasten --- applicationset/generators/pull_request.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/applicationset/generators/pull_request.go b/applicationset/generators/pull_request.go index 209e09950e581..3392480bf419b 100644 --- a/applicationset/generators/pull_request.go +++ b/applicationset/generators/pull_request.go @@ -168,7 +168,7 @@ func (g *PullRequestGenerator) selectServiceProvider(ctx context.Context, genera if err != nil { return nil, fmt.Errorf("error fetching Secret Bearer token: %w", err) } - return pullrequest.NewBitbucketServiceBearerToken(ctx, providerConfig.API, appToken, providerConfig.Project, providerConfig.Repo, g.scmRootCAPath, providerConfig.Insecure, caCerts) + return pullrequest.NewBitbucketServiceBearerToken(ctx, appToken, providerConfig.API, providerConfig.Project, providerConfig.Repo, g.scmRootCAPath, providerConfig.Insecure, caCerts) } else if providerConfig.BasicAuth != nil { password, err := utils.GetSecretRef(ctx, g.client, providerConfig.BasicAuth.PasswordRef, applicationSetInfo.Namespace) if err != nil { From fc1986e3e5848e6170da9c5135634b9f1d684827 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Mon, 30 Sep 2024 19:37:51 -0400 Subject: [PATCH 21/38] chore: Try to make CodeQL happy (#20094) (#20129) * chore(common): Split const from unrelated util/clusterauth const Signed-off-by: Josh Soref * chore: Try to make CodeQL happy Signed-off-by: Josh Soref --------- 
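Review bot: `appToken` and `providerConfig.API` are both plain strings in adjacent positions of `NewBitbucketServiceBearerToken`, so the compiler accepts either order and nothing in this commit would catch the transposition coming back; the bearer-token branch of selectServiceProvider needs a test that asserts which value reaches the client as the base URL. A one-line comment above the call, `// argument order: bearer token, then API base URL`, would also help readers. While the arguments were swapped the token was handed to the client as its URL, so it may have appeared in URL-bearing error messages or logs; that is inferred rather than shown in this hunk, but it is worth a line in the release notes so operators can rotate the token. selectServiceProvider starts and ends outside the hunk.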
Signed-off-by: Josh Soref --- .../commands/admin/redis_initial_password.go | 23 +++++++++++-------- common/common.go | 23 +++++++++++-------- common/common_test.go | 10 ++++---- 3 files changed, 33 insertions(+), 23 deletions(-) diff --git a/cmd/argocd/commands/admin/redis_initial_password.go b/cmd/argocd/commands/admin/redis_initial_password.go index 3f89b54010659..f54741773fa21 100644 --- a/cmd/argocd/commands/admin/redis_initial_password.go +++ b/cmd/argocd/commands/admin/redis_initial_password.go @@ -45,9 +45,14 @@ func NewRedisInitialPasswordCommand() *cobra.Command { namespace, _, err := clientConfig.Namespace() errors.CheckError(err) - redisInitialPasswordSecretName := common.DefaultRedisInitialPasswordSecretName - redisInitialPasswordKey := common.DefaultRedisInitialPasswordKey - fmt.Printf("Checking for initial Redis password in secret %s/%s at key %s. \n", namespace, redisInitialPasswordSecretName, redisInitialPasswordKey) + // redisInitialCredentials is the kubernetes secret containing + // the redis password + redisInitialCredentials := common.RedisInitialCredentials + + // redisInitialCredentialsKey is the key in the redisInitialCredentials + // secret which maps to the redis password + redisInitialCredentialsKey := common.RedisInitialCredentialsKey + fmt.Printf("Checking for initial Redis password in secret %s/%s at key %s. \n", namespace, redisInitialCredentials, redisInitialCredentialsKey) config, err := clientConfig.ClientConfig() errors.CheckError(err) @@ -59,11 +64,11 @@ func NewRedisInitialPasswordCommand() *cobra.Command { errors.CheckError(err) data := map[string][]byte{ - redisInitialPasswordKey: []byte(randomPassword), + redisInitialCredentialsKey: []byte(randomPassword), } secret := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ - Name: redisInitialPasswordSecretName, + Name: redisInitialCredentials, Namespace: namespace, }, Data: data, 
@@ -74,14 +79,14 @@ func NewRedisInitialPasswordCommand() *cobra.Command { errors.CheckError(err) } - fmt.Println("Argo CD Redis secret state confirmed: secret name argocd-redis.") - secret, err = kubeClientset.CoreV1().Secrets(namespace).Get(context.Background(), redisInitialPasswordSecretName, v1.GetOptions{}) + fmt.Printf("Argo CD Redis secret state confirmed: secret name %s.\n", redisInitialCredentials) + secret, err = kubeClientset.CoreV1().Secrets(namespace).Get(context.Background(), redisInitialCredentials, v1.GetOptions{}) errors.CheckError(err) - if _, ok := secret.Data[redisInitialPasswordKey]; ok { + if _, ok := secret.Data[redisInitialCredentialsKey]; ok { fmt.Println("Password secret is configured properly.") } else { - err := fmt.Errorf("key %s doesn't exist in secret %s. \n", redisInitialPasswordKey, redisInitialPasswordSecretName) + err := fmt.Errorf("key %s doesn't exist in secret %s. \n", redisInitialCredentialsKey, redisInitialCredentials) errors.CheckError(err) } }, diff --git a/common/common.go b/common/common.go index 79fcdba195eb6..3fe5601849817 100644 --- a/common/common.go +++ b/common/common.go @@ -315,7 +315,10 @@ const ( // Constants used by util/clusterauth package const ( ClusterAuthRequestTimeout = 10 * time.Second - BearerTokenTimeout = 30 * time.Second +) + +const ( + BearerTokenTimeout = 30 * time.Second ) const ( @@ -425,8 +428,10 @@ var PermissionDeniedAPIError = status.Error(codes.PermissionDenied, "permission // Redis password consts const ( - DefaultRedisInitialPasswordSecretName = "argocd-redis" - DefaultRedisInitialPasswordKey = "auth" + // RedisInitialCredentials is the name for the argocd kubernetes secret which will have the redis password + RedisInitialCredentials = "argocd-redis" + // RedisInitialCredentialsKey is the key for the argocd kubernetes secret that maps to the redis password + RedisInitialCredentialsKey = "auth" ) /* 
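Review bot: Renaming the exported constants `DefaultRedisInitialPasswordSecretName` and `DefaultRedisInitialPasswordKey` in the `@@ -425,8 +428,10 @@` hunk of common/common.go removes names that code importing this package may still reference, and the commit leaves no alias behind. If the package is consumed outside this repository, keep the old names for a release as `DefaultRedisInitialPasswordSecretName = RedisInitialCredentials` preceded by a `// Deprecated: use RedisInitialCredentials.` line, and likewise for the key. The new name also reads as if the constant held credentials, while its value is the Secret's name `argocd-redis`; the added doc comment explains this, but call sites such as `Get(ctx, RedisInitialCredentials, ...)` no longer do.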
@@ -435,17 +440,17 @@ SetOptionalRedisPasswordFromKubeConfig sets the optional Redis password if it ex We specify kubeClient as kubernetes.Interface to allow for mocking in tests, but this should be treated as a kubernetes.Clientset param. */ func SetOptionalRedisPasswordFromKubeConfig(ctx context.Context, kubeClient kubernetes.Interface, namespace string, redisOptions *redis.Options) error { - secret, err := kubeClient.CoreV1().Secrets(namespace).Get(ctx, DefaultRedisInitialPasswordSecretName, v1.GetOptions{}) + secret, err := kubeClient.CoreV1().Secrets(namespace).Get(ctx, RedisInitialCredentials, v1.GetOptions{}) if err != nil { - return fmt.Errorf("failed to get secret %s/%s: %w", namespace, DefaultRedisInitialPasswordSecretName, err) + return fmt.Errorf("failed to get secret %s/%s: %w", namespace, RedisInitialCredentials, err) } if secret == nil { - return fmt.Errorf("failed to get secret %s/%s: secret is nil", namespace, DefaultRedisInitialPasswordSecretName) + return fmt.Errorf("failed to get secret %s/%s: secret is nil", namespace, RedisInitialCredentials) } - _, ok := secret.Data[DefaultRedisInitialPasswordKey] + _, ok := secret.Data[RedisInitialCredentialsKey] if !ok { - return fmt.Errorf("secret %s/%s does not contain key %s", namespace, DefaultRedisInitialPasswordSecretName, DefaultRedisInitialPasswordKey) + return fmt.Errorf("secret %s/%s does not contain key %s", namespace, RedisInitialCredentials, RedisInitialCredentialsKey) } - redisOptions.Password = string(secret.Data[DefaultRedisInitialPasswordKey]) + redisOptions.Password = string(secret.Data[RedisInitialCredentialsKey]) return nil } diff --git a/common/common_test.go b/common/common_test.go index 1021a30a14f60..3f822bd2354ab 100644 --- a/common/common_test.go +++ b/common/common_test.go 
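Review bot: SetOptionalRedisPasswordFromKubeConfig only checks that the key is present, `_, ok := secret.Data[RedisInitialCredentialsKey]`, so a Secret whose `auth` entry is empty passes and `redisOptions.Password` is set to an empty string, which presumably leaves the Redis connection unauthenticated without any error. If an empty value is not a supported configuration, read the value once and reject it: `pw, ok := secret.Data[RedisInitialCredentialsKey]` followed by `if !ok || len(pw) == 0 { return fmt.Errorf(...) }`. A matching case in TestSetOptionalRedisPasswordFromKubeConfig would pin the behaviour.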
@@ -63,24 +63,24 @@ func TestSetOptionalRedisPasswordFromKubeConfig(t *testing.T) { expectedPassword: "password123", expectedErr: "", secret: &corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{Name: DefaultRedisInitialPasswordSecretName}, - Data: map[string][]byte{DefaultRedisInitialPasswordKey: []byte("password123")}, + ObjectMeta: metav1.ObjectMeta{Name: RedisInitialCredentials}, + Data: map[string][]byte{RedisInitialCredentialsKey: []byte("password123")}, }, }, { name: "Secret does not exist", namespace: "default", expectedPassword: "", - expectedErr: fmt.Sprintf("failed to get secret default/%s", DefaultRedisInitialPasswordSecretName), + expectedErr: fmt.Sprintf("failed to get secret default/%s", RedisInitialCredentials), secret: nil, }, { name: "Secret exists without correct key", namespace: "default", expectedPassword: "", - expectedErr: fmt.Sprintf("secret default/%s does not contain key %s", DefaultRedisInitialPasswordSecretName, DefaultRedisInitialPasswordKey), + expectedErr: fmt.Sprintf("secret default/%s does not contain key %s", RedisInitialCredentials, RedisInitialCredentialsKey), secret: &corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{Name: DefaultRedisInitialPasswordSecretName}, + ObjectMeta: metav1.ObjectMeta{Name: RedisInitialCredentials}, Data: map[string][]byte{}, }, }, From afcc71be238f3d25e054916d85f3575665a0fdc5 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 1 Oct 2024 04:50:35 -0400 Subject: [PATCH 22/38] chore(deps): bump docker/build-push-action from 6.8.0 to 6.9.0 (#20174) Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.8.0 to 6.9.0. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/32945a339266b759abcbdc89316275140b0fc960...4f58ea79222b3b9dc2c8bbdd6debcef730109a75) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/image-reuse.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/image-reuse.yaml b/.github/workflows/image-reuse.yaml index d1cd5f113c0ef..8b418cab7d58d 100644 --- a/.github/workflows/image-reuse.yaml +++ b/.github/workflows/image-reuse.yaml @@ -143,7 +143,7 @@ jobs: - name: Build and push container image id: image - uses: docker/build-push-action@32945a339266b759abcbdc89316275140b0fc960 #v6.8.0 + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 #v6.9.0 with: context: . platforms: ${{ inputs.platforms }} From 5796a7c22dbef279e0f6e69c311c8b4e8f8b385d Mon Sep 17 00:00:00 2001 From: Suraj yadav Date: Tue, 1 Oct 2024 16:58:29 +0530 Subject: [PATCH 23/38] feat(ui): make name property for repos (#20077) * name-option-added Signed-off-by: Surajyadav * lint Signed-off-by: Surajyadav --------- Signed-off-by: Surajyadav --- .../components/repo-details/repo-details.tsx | 13 ++++++------- .../settings/components/repos-list/repos-list.tsx | 9 +++++++-- 2 files changed, 13 insertions(+), 9 deletions(-) 
diff --git a/ui/src/app/settings/components/repo-details/repo-details.tsx b/ui/src/app/settings/components/repo-details/repo-details.tsx index 017d87bede789..613d469c81612 100644 --- a/ui/src/app/settings/components/repo-details/repo-details.tsx +++ b/ui/src/app/settings/components/repo-details/repo-details.tsx @@ -17,6 +17,11 @@ export const RepoDetails = (props: {repo: models.Repository; save?: (params: New title: 'Repository URL', view: repository.repo }, + { + title: 'Name', + view: repository.name || '', + edit: (formApi: FormApi) => + }, { title: 'Username (optional)', view: repository.username || '', @@ -29,13 +34,6 @@ export const RepoDetails = (props: {repo: models.Repository; save?: (params: New } ]; - if (repository.name) { - items.splice(1, 0, { - title: 'NAME', - view: repository.name - }); - } - if (repository.project) { items.splice(repository.name ? 2 : 1, 0, { title: 'Project', @@ -86,6 +84,7 @@ export const RepoDetails = (props: {repo: models.Repository; save?: (params: New })} save={async input => { const params: NewHTTPSRepoParams = {...newRepo}; + params.name = input.name || ''; params.username = input.username || ''; params.password = input.password || ''; save(params); diff --git a/ui/src/app/settings/components/repos-list/repos-list.tsx b/ui/src/app/settings/components/repos-list/repos-list.tsx index 6b79ab490e359..876bf5378f957 100644 --- a/ui/src/app/settings/components/repos-list/repos-list.tsx +++ b/ui/src/app/settings/components/repos-list/repos-list.tsx @@ -470,9 +470,14 @@ export class ReposList extends React.Component<
                                          - {formApi.getFormState().values.type === 'helm' && ( + {(formApi.getFormState().values.type === 'helm' || formApi.getFormState().values.type === 'git') && (
                                          - +
                                          )}
                                          From 2d8659b466aa02e2c10d3a3958f93e5edc5f0007 Mon Sep 17 00:00:00 2001 From: pasha-codefresh Date: Tue, 1 Oct 2024 17:20:01 +0300 Subject: [PATCH 24/38] feat: basic e2e tests in order to verify notification service health (#20182) * feat: basic e2e tests in order to verify notification service health Signed-off-by: pashakostohrys * feat: basic e2e tests in order to verify notification service health Signed-off-by: pashakostohrys --------- Signed-off-by: pashakostohrys --- test/e2e/fixture/fixture.go | 7 +++++++ test/e2e/fixture/http.go | 10 +++++++--- test/e2e/fixture/notification/actions.go | 11 +++++++++++ test/e2e/fixture/notification/consequences.go | 6 ++++++ test/e2e/notification_test.go | 10 ++++++++++ 5 files changed, 41 insertions(+), 3 deletions(-) diff --git a/test/e2e/fixture/fixture.go b/test/e2e/fixture/fixture.go index 24d0e4ce74d71..c02cc233e5d20 100644 --- a/test/e2e/fixture/fixture.go +++ b/test/e2e/fixture/fixture.go @@ -46,6 +46,9 @@ const ( ArgoCDNamespace = "argocd-e2e" ArgoCDAppNamespace = "argocd-e2e-external" + // notifications controller, metrics server port + defaultNotificationServer = "localhost:9001" + // ensure all repos are in one directory tree, so we can easily clean them up TmpDir = "/tmp/argo-e2e" repoDir = "testdata.git" @@ -1020,6 +1023,10 @@ func GetApiServerAddress() string { return apiServerAddress } +func GetNotificationServerAddress() string { + return defaultNotificationServer +} + func GetToken() string { return token } diff --git a/test/e2e/fixture/http.go b/test/e2e/fixture/http.go index 00c123ab5d893..68e674f9f8b36 100644 --- a/test/e2e/fixture/http.go +++ b/test/e2e/fixture/http.go 
@@ -12,13 +12,17 @@ import ( ) // DoHttpRequest executes a http request against the Argo CD API server -func DoHttpRequest(method string, path string, data ...byte) (*http.Response, error) { +func DoHttpRequest(method string, path string, host string, data ...byte) (*http.Response, error) { reqUrl, err := url.Parse(path) if err != nil { return nil, err } reqUrl.Scheme = "http" - reqUrl.Host = apiServerAddress + if host != "" { + reqUrl.Host = host + } else { + reqUrl.Host = apiServerAddress + } var body io.Reader if data != nil { body = bytes.NewReader(data) @@ -41,7 +45,7 @@ func DoHttpRequest(method string, path string, data ...byte) (*http.Response, er // DoHttpJsonRequest executes a http request against the Argo CD API server and unmarshals the response body as JSON func DoHttpJsonRequest(method string, path string, result interface{}, data ...byte) error { - resp, err := DoHttpRequest(method, path, data...) + resp, err := DoHttpRequest(method, path, "", data...) if err != nil { return err } diff --git a/test/e2e/fixture/notification/actions.go b/test/e2e/fixture/notification/actions.go index 4b3c328f7ed29..622032441ee75 100644 --- a/test/e2e/fixture/notification/actions.go +++ b/test/e2e/fixture/notification/actions.go @@ -12,6 +12,8 @@ import ( // using the Then() type Actions struct { context *Context + + healthy bool } func (a *Actions) SetParamInNotificationConfigMap(key, value string) *Actions { @@ -25,3 +27,12 @@ func (a *Actions) Then() *Consequences { time.Sleep(1 * time.Second) return &Consequences{a.context, a} } + +func (a *Actions) Healthcheck() *Actions { + a.context.t.Helper() + _, err := fixture.DoHttpRequest("GET", + "/metrics", + fixture.GetNotificationServerAddress()) + a.healthy = err == nil + return a +} diff --git a/test/e2e/fixture/notification/consequences.go b/test/e2e/fixture/notification/consequences.go index bfc4b4b0e0988..46e09a4249327 100644 --- a/test/e2e/fixture/notification/consequences.go 
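Review bot: DoHttpRequest in test/e2e/fixture/http.go now sends the request to whatever `host` the caller passes, but its doc comment still says it targets the Argo CD API server. The part of the function between this hunk and the next one is not visible here; if it attaches the API server's session token or cookie to the request, that credential would now also be sent to the notification metrics endpoint and to any other host a caller names. That is worth confirming, and the credential should be attached only when `host` is empty. I would also update the comment to `// DoHttpRequest executes a http request against host, or against the Argo CD API server when host is empty`.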
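Review bot: Healthcheck in test/e2e/fixture/notification/actions.go discards the *http.Response, so the body is never closed and the status code is not examined in this method; `a.healthy = err == nil` is true for any response that DoHttpRequest returns without an error. Whether a non-2xx status becomes an error depends on the part of DoHttpRequest outside these hunks. I would keep the response and check it explicitly: `resp, err := fixture.DoHttpRequest("GET", "/metrics", fixture.GetNotificationServerAddress())`, then `if err == nil { defer resp.Body.Close() }` and `a.healthy = err == nil && resp.StatusCode == http.StatusOK`. That needs `net/http` in the file's imports, which are only partly visible in this hunk.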
+++ b/test/e2e/fixture/notification/consequences.go @@ -19,6 +19,12 @@ func (c *Consequences) Services(block func(services *notification.ServiceList, e return c } +func (c *Consequences) Healthy(block func(healthy bool)) *Consequences { + c.context.t.Helper() + block(c.actions.healthy) + return c +} + func (c *Consequences) Triggers(block func(services *notification.TriggerList, err error)) *Consequences { c.context.t.Helper() block(c.listTriggers()) diff --git a/test/e2e/notification_test.go b/test/e2e/notification_test.go index e4dd855a107e3..11ed412a39dca 100644 --- a/test/e2e/notification_test.go +++ b/test/e2e/notification_test.go @@ -40,3 +40,13 @@ func TestNotificationsListTriggers(t *testing.T) { assert.Equal(t, []*notification.Trigger{{Name: ptr.To("on-created")}}, triggers.Items) }) } + +func TestNotificationsHealthcheck(t *testing.T) { + ctx := notifFixture.Given(t) + ctx.When(). + Healthcheck(). + Then(). + Healthy(func(healthy bool) { + assert.True(t, healthy) + }) +} From f869d235cbcf58fdf046e6b617436b8943d0d365 Mon Sep 17 00:00:00 2001 From: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> Date: Tue, 1 Oct 2024 10:51:29 -0400 Subject: [PATCH 25/38] chore: document credentials server (#20078) Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> --- reposerver/askpass/server.go | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/reposerver/askpass/server.go b/reposerver/askpass/server.go index 2eb9f89869776..b6a1bbfc48de2 100644 --- a/reposerver/askpass/server.go +++ b/reposerver/askpass/server.go 
@@ -22,6 +22,20 @@ type Server interface { Run(path string) error } +// server is a gRPC server that provides a way for an external process (usually git) to access credentials without those +// credentials being set directly in the git process's environment. Before invoking git, the caller invokes Add to add a +// new credential, which returns a unique id. The caller then sets the GIT_ASKPASS environment variable to the path of +// the argocd-git-ask-pass binary and sets the ASKPASS_NONCE environment variable to the id. When git needs credentials, +// it will invoke the argocd-git-ask-pass binary, which will use the ASKPASS_NONCE to look up the credentials and return +// them to git. After the git process completes, the caller should invoke Remove to remove the credential. +// +// This is meant to solve a class of problems that was demonstrated by an old bug in Kustomize. We needed to enable +// Kustomize to invoke git to fetch a private repository. But Kustomize had a bug that allowed a user to dump the +// environment variables of the process into manifests, which would expose the credentials. Kustomize eventually fixed +// the bug. But to prevent this from happening again, we now only set the ASKPASS_NONCE environment variable instead of +// directly passing the git credentials via environment variables. Even if the nonce leaks, 1) the user probably doesn't +// have access to the server to look up the corresponding git credentials, and 2) the nonce should be deleted from +// the server before the user even sees the manifests. type server struct { lock sync.Mutex creds map[string]Creds From ab8fdb8a6d17a09fa3161ce6ddfa2163d86b35ca Mon Sep 17 00:00:00 2001 From: l2h Date: Wed, 2 Oct 2024 01:13:05 +0900 Subject: [PATCH 26/38] feat: Add nodeSelector for Linux nodes (#20148) * feat: Add nodeSelector for Linux nodes in application-controller, applicationset-controller, and repo-server Signed-off-by: leehosu * refactor : Reversal the wrong part and correct it. 
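Review bot: The new comment on `server` in reposerver/askpass/server.go argues that a leaked nonce is harmless, but it does not state what the mechanism requires for that to hold. I would add one sentence with those requirements, for example `// The id must be unguessable, and Remove must run even when git fails (for example via defer), so that a leaked id stops resolving to credentials.` The struct body and the Add/Remove methods are outside this hunk, so whether the code already behaves that way cannot be confirmed from here.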
Signed-off-by: leehosu * Update argocd-application-controller-statefulset.yaml Signed-off-by: l2h * feat: Add nodeSelector for Linux nodes in dex-server, argo-server Signed-off-by: leehosu * refactor: update code to resolving for intergration test Signed-off-by: leehosu * refactor: update code to resolving for codegen Signed-off-by: leehosu * Run make manifests-local and then commit Signed-off-by: leehosu --------- Signed-off-by: leehosu Signed-off-by: l2h --- .../argocd-application-controller-deployment.yaml | 2 ++ .../argocd-application-controller-statefulset.yaml | 4 +++- ...rgocd-applicationset-controller-deployment.yaml | 2 ++ .../base/dex/argocd-dex-server-deployment.yaml | 2 ++ ...argocd-notifications-controller-deployment.yaml | 2 ++ manifests/base/redis/argocd-redis-deployment.yaml | 2 ++ .../repo-server/argocd-repo-server-deployment.yaml | 2 ++ .../base/server/argocd-server-deployment.yaml | 2 ++ manifests/core-install.yaml | 8 ++++++++ manifests/ha/install.yaml | 12 ++++++++++++ manifests/ha/namespace-install.yaml | 12 ++++++++++++ manifests/install.yaml | 14 ++++++++++++++ manifests/namespace-install.yaml | 14 ++++++++++++++ 13 files changed, 77 insertions(+), 1 deletion(-) diff --git a/manifests/base/application-controller-deployment/argocd-application-controller-deployment.yaml b/manifests/base/application-controller-deployment/argocd-application-controller-deployment.yaml index 619c4ca4817b8..d0de4c9a5b812 100644 --- a/manifests/base/application-controller-deployment/argocd-application-controller-deployment.yaml +++ b/manifests/base/application-controller-deployment/argocd-application-controller-deployment.yaml @@ -264,3 +264,5 @@ spec: items: - key: controller.profile.enabled path: profiler.enabled + nodeSelector: + kubernetes.io/os: linux \ No newline at end of file 
diff --git a/manifests/base/application-controller/argocd-application-controller-statefulset.yaml b/manifests/base/application-controller/argocd-application-controller-statefulset.yaml index ca09f482c35f7..cebe2006558fb 100644 --- a/manifests/base/application-controller/argocd-application-controller-statefulset.yaml +++ b/manifests/base/application-controller/argocd-application-controller-statefulset.yaml @@ -272,4 +272,6 @@ spec: name: argocd-cmd-params-cm items: - key: controller.profile.enabled - path: profiler.enabled \ No newline at end of file + path: profiler.enabled + nodeSelector: + kubernetes.io/os: linux \ No newline at end of file diff --git a/manifests/base/applicationset-controller/argocd-applicationset-controller-deployment.yaml b/manifests/base/applicationset-controller/argocd-applicationset-controller-deployment.yaml index 6bade745f76c1..a2fc34bb0ea70 100644 --- a/manifests/base/applicationset-controller/argocd-applicationset-controller-deployment.yaml +++ b/manifests/base/applicationset-controller/argocd-applicationset-controller-deployment.yaml @@ -211,3 +211,5 @@ spec: path: tls.key - key: ca.crt path: ca.crt + nodeSelector: + kubernetes.io/os: linux \ No newline at end of file diff --git a/manifests/base/dex/argocd-dex-server-deployment.yaml b/manifests/base/dex/argocd-dex-server-deployment.yaml index f2d77c6ac1f6a..87d7d0a2fbbd8 100644 --- a/manifests/base/dex/argocd-dex-server-deployment.yaml +++ b/manifests/base/dex/argocd-dex-server-deployment.yaml @@ -104,3 +104,5 @@ spec: matchLabels: app.kubernetes.io/part-of: argocd topologyKey: kubernetes.io/hostname + nodeSelector: + kubernetes.io/os: linux \ No newline at end of file diff --git a/manifests/base/notification/argocd-notifications-controller-deployment.yaml b/manifests/base/notification/argocd-notifications-controller-deployment.yaml index b13acf718f93c..c3a533e5a4350 100644 --- a/manifests/base/notification/argocd-notifications-controller-deployment.yaml 
+++ b/manifests/base/notification/argocd-notifications-controller-deployment.yaml @@ -89,3 +89,5 @@ spec: runAsNonRoot: true seccompProfile: type: RuntimeDefault + nodeSelector: + kubernetes.io/os: linux \ No newline at end of file diff --git a/manifests/base/redis/argocd-redis-deployment.yaml b/manifests/base/redis/argocd-redis-deployment.yaml index c591db0d0aa4a..cbfebb8a2127c 100644 --- a/manifests/base/redis/argocd-redis-deployment.yaml +++ b/manifests/base/redis/argocd-redis-deployment.yaml @@ -77,3 +77,5 @@ spec: matchLabels: app.kubernetes.io/part-of: argocd topologyKey: kubernetes.io/hostname + nodeSelector: + kubernetes.io/os: linux \ No newline at end of file diff --git a/manifests/base/repo-server/argocd-repo-server-deployment.yaml b/manifests/base/repo-server/argocd-repo-server-deployment.yaml index 2457fa7bcb742..02a11fabe9715 100644 --- a/manifests/base/repo-server/argocd-repo-server-deployment.yaml +++ b/manifests/base/repo-server/argocd-repo-server-deployment.yaml @@ -336,3 +336,5 @@ spec: matchLabels: app.kubernetes.io/part-of: argocd topologyKey: kubernetes.io/hostname + nodeSelector: + kubernetes.io/os: linux \ No newline at end of file diff --git a/manifests/base/server/argocd-server-deployment.yaml b/manifests/base/server/argocd-server-deployment.yaml index 56b479fdcfd44..328dfcb2146f6 100644 --- a/manifests/base/server/argocd-server-deployment.yaml +++ b/manifests/base/server/argocd-server-deployment.yaml @@ -385,3 +385,5 @@ spec: matchLabels: app.kubernetes.io/part-of: argocd topologyKey: kubernetes.io/hostname + nodeSelector: + kubernetes.io/os: linux \ No newline at end of file diff --git a/manifests/core-install.yaml b/manifests/core-install.yaml index 5c88298530060..fa0d4904e02bc 100644 --- a/manifests/core-install.yaml +++ b/manifests/core-install.yaml 
@@ -22588,6 +22588,8 @@ spec: name: tmp - mountPath: /app/config/reposerver/tls name: argocd-repo-server-tls + nodeSelector: + kubernetes.io/os: linux serviceAccountName: argocd-applicationset-controller volumes: - configMap: @@ -22688,6 +22690,8 @@ spec: runAsNonRoot: true seccompProfile: type: RuntimeDefault + nodeSelector: + kubernetes.io/os: linux securityContext: runAsNonRoot: true runAsUser: 999 @@ -23001,6 +23005,8 @@ spec: volumeMounts: - mountPath: /var/run/argocd name: var-files + nodeSelector: + kubernetes.io/os: linux serviceAccountName: argocd-repo-server volumes: - configMap: @@ -23287,6 +23293,8 @@ spec: - mountPath: /home/argocd/params name: argocd-cmd-params-cm workingDir: /home/argocd + nodeSelector: + kubernetes.io/os: linux serviceAccountName: argocd-application-controller volumes: - emptyDir: {} diff --git a/manifests/ha/install.yaml b/manifests/ha/install.yaml index 5d6e05f8542b2..417a649f1fe05 100644 --- a/manifests/ha/install.yaml +++ b/manifests/ha/install.yaml @@ -23932,6 +23932,8 @@ spec: name: tmp - mountPath: /app/config/reposerver/tls name: argocd-repo-server-tls + nodeSelector: + kubernetes.io/os: linux serviceAccountName: argocd-applicationset-controller volumes: - configMap: @@ -24054,6 +24056,8 @@ spec: name: static-files - mountPath: /tmp name: dexconfig + nodeSelector: + kubernetes.io/os: linux serviceAccountName: argocd-dex-server volumes: - emptyDir: {} @@ -24143,6 +24147,8 @@ spec: - mountPath: /app/config/reposerver/tls name: argocd-repo-server-tls workingDir: /app + nodeSelector: + kubernetes.io/os: linux securityContext: runAsNonRoot: true seccompProfile: @@ -24597,6 +24603,8 @@ spec: volumeMounts: - mountPath: /var/run/argocd name: var-files + nodeSelector: + kubernetes.io/os: linux serviceAccountName: argocd-repo-server volumes: - configMap: 
@@ -24980,6 +24988,8 @@ spec: name: tmp - mountPath: /home/argocd/params name: argocd-cmd-params-cm + nodeSelector: + kubernetes.io/os: linux serviceAccountName: argocd-server volumes: - emptyDir: {} @@ -25273,6 +25283,8 @@ spec: - mountPath: /home/argocd/params name: argocd-cmd-params-cm workingDir: /home/argocd + nodeSelector: + kubernetes.io/os: linux serviceAccountName: argocd-application-controller volumes: - emptyDir: {} diff --git a/manifests/ha/namespace-install.yaml b/manifests/ha/namespace-install.yaml index c7d298bcbe8bd..881f8e8d31f31 100644 --- a/manifests/ha/namespace-install.yaml +++ b/manifests/ha/namespace-install.yaml @@ -1724,6 +1724,8 @@ spec: name: tmp - mountPath: /app/config/reposerver/tls name: argocd-repo-server-tls + nodeSelector: + kubernetes.io/os: linux serviceAccountName: argocd-applicationset-controller volumes: - configMap: @@ -1846,6 +1848,8 @@ spec: name: static-files - mountPath: /tmp name: dexconfig + nodeSelector: + kubernetes.io/os: linux serviceAccountName: argocd-dex-server volumes: - emptyDir: {} @@ -1935,6 +1939,8 @@ spec: - mountPath: /app/config/reposerver/tls name: argocd-repo-server-tls workingDir: /app + nodeSelector: + kubernetes.io/os: linux securityContext: runAsNonRoot: true seccompProfile: @@ -2389,6 +2395,8 @@ spec: volumeMounts: - mountPath: /var/run/argocd name: var-files + nodeSelector: + kubernetes.io/os: linux serviceAccountName: argocd-repo-server volumes: - configMap: @@ -2772,6 +2780,8 @@ spec: name: tmp - mountPath: /home/argocd/params name: argocd-cmd-params-cm + nodeSelector: + kubernetes.io/os: linux serviceAccountName: argocd-server volumes: - emptyDir: {} @@ -3065,6 +3075,8 @@ spec: - mountPath: /home/argocd/params name: argocd-cmd-params-cm workingDir: /home/argocd + nodeSelector: + kubernetes.io/os: linux serviceAccountName: argocd-application-controller volumes: - emptyDir: {} diff --git a/manifests/install.yaml b/manifests/install.yaml index cea128e02d95d..24077892317dd 100644 
--- a/manifests/install.yaml +++ b/manifests/install.yaml @@ -23049,6 +23049,8 @@ spec: name: tmp - mountPath: /app/config/reposerver/tls name: argocd-repo-server-tls + nodeSelector: + kubernetes.io/os: linux serviceAccountName: argocd-applicationset-controller volumes: - configMap: @@ -23171,6 +23173,8 @@ spec: name: static-files - mountPath: /tmp name: dexconfig + nodeSelector: + kubernetes.io/os: linux serviceAccountName: argocd-dex-server volumes: - emptyDir: {} @@ -23260,6 +23264,8 @@ spec: - mountPath: /app/config/reposerver/tls name: argocd-repo-server-tls workingDir: /app + nodeSelector: + kubernetes.io/os: linux securityContext: runAsNonRoot: true seccompProfile: @@ -23354,6 +23360,8 @@ spec: runAsNonRoot: true seccompProfile: type: RuntimeDefault + nodeSelector: + kubernetes.io/os: linux securityContext: runAsNonRoot: true runAsUser: 999 @@ -23667,6 +23675,8 @@ spec: volumeMounts: - mountPath: /var/run/argocd name: var-files + nodeSelector: + kubernetes.io/os: linux serviceAccountName: argocd-repo-server volumes: - configMap: @@ -24048,6 +24058,8 @@ spec: name: tmp - mountPath: /home/argocd/params name: argocd-cmd-params-cm + nodeSelector: + kubernetes.io/os: linux serviceAccountName: argocd-server volumes: - emptyDir: {} @@ -24341,6 +24353,8 @@ spec: - mountPath: /home/argocd/params name: argocd-cmd-params-cm workingDir: /home/argocd + nodeSelector: + kubernetes.io/os: linux serviceAccountName: argocd-application-controller volumes: - emptyDir: {} diff --git a/manifests/namespace-install.yaml b/manifests/namespace-install.yaml index afabb286c5769..79fa17daf99e9 100644 --- a/manifests/namespace-install.yaml +++ b/manifests/namespace-install.yaml @@ -841,6 +841,8 @@ spec: name: tmp - mountPath: /app/config/reposerver/tls name: argocd-repo-server-tls + nodeSelector: + kubernetes.io/os: linux serviceAccountName: argocd-applicationset-controller volumes: - configMap: 
@@ -963,6 +965,8 @@ spec: name: static-files - mountPath: /tmp name: dexconfig + nodeSelector: + kubernetes.io/os: linux serviceAccountName: argocd-dex-server volumes: - emptyDir: {} @@ -1052,6 +1056,8 @@ spec: - mountPath: /app/config/reposerver/tls name: argocd-repo-server-tls workingDir: /app + nodeSelector: + kubernetes.io/os: linux securityContext: runAsNonRoot: true seccompProfile: @@ -1146,6 +1152,8 @@ spec: runAsNonRoot: true seccompProfile: type: RuntimeDefault + nodeSelector: + kubernetes.io/os: linux securityContext: runAsNonRoot: true runAsUser: 999 @@ -1459,6 +1467,8 @@ spec: volumeMounts: - mountPath: /var/run/argocd name: var-files + nodeSelector: + kubernetes.io/os: linux serviceAccountName: argocd-repo-server volumes: - configMap: @@ -1840,6 +1850,8 @@ spec: name: tmp - mountPath: /home/argocd/params name: argocd-cmd-params-cm + nodeSelector: + kubernetes.io/os: linux serviceAccountName: argocd-server volumes: - emptyDir: {} @@ -2133,6 +2145,8 @@ spec: - mountPath: /home/argocd/params name: argocd-cmd-params-cm workingDir: /home/argocd + nodeSelector: + kubernetes.io/os: linux serviceAccountName: argocd-application-controller volumes: - emptyDir: {} From f78e741220d173dd2e725eb61ed9800285dfc7b1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 1 Oct 2024 13:08:33 -0400 Subject: [PATCH 27/38] chore(deps): bump github.com/cyphar/filepath-securejoin (#20173) Bumps [github.com/cyphar/filepath-securejoin](https://github.com/cyphar/filepath-securejoin) from 0.3.2 to 0.3.3. - [Release notes](https://github.com/cyphar/filepath-securejoin/releases) - [Changelog](https://github.com/cyphar/filepath-securejoin/blob/main/CHANGELOG.md) - [Commits](https://github.com/cyphar/filepath-securejoin/compare/v0.3.2...v0.3.3) --- updated-dependencies: - dependency-name: github.com/cyphar/filepath-securejoin dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 2d020f68e928a..906f702f736aa 100644 --- a/go.mod +++ b/go.mod @@ -22,7 +22,7 @@ require ( github.com/cespare/xxhash/v2 v2.3.0 github.com/chainguard-dev/git-urls v1.0.2 github.com/coreos/go-oidc/v3 v3.11.0 - github.com/cyphar/filepath-securejoin v0.3.2 + github.com/cyphar/filepath-securejoin v0.3.3 github.com/dustin/go-humanize v1.0.1 github.com/evanphx/json-patch v5.9.0+incompatible github.com/expr-lang/expr v1.16.9 diff --git a/go.sum b/go.sum index 74da7903bd3dd..7e9fae0288c48 100644 --- a/go.sum +++ b/go.sum @@ -205,8 +205,8 @@ github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7Do github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= -github.com/cyphar/filepath-securejoin v0.3.2 h1:QhZu5AxQ+o1XZH0Ye05YzvJ0kAdK6VQc0z9NNMek7gc= -github.com/cyphar/filepath-securejoin v0.3.2/go.mod h1:F7i41x/9cBF7lzCrVsYs9fuzwRZm4NQsGTBdpp6mETc= +github.com/cyphar/filepath-securejoin v0.3.3 h1:lofZkCEVFIBe0KcdQOzFs8Soy9oaHOWl4gGtPI+gCFc= +github.com/cyphar/filepath-securejoin v0.3.3/go.mod h1:8s/MCNJREmFK0H02MF6Ihv1nakJe4L/w3WZLHNkvlYM= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= From 9e9c9a9aca2d43f5dbebb074394dd154b5c21603 Mon Sep 17 00:00:00 2001 
From: rumstead <37445536+rumstead@users.noreply.github.com> Date: Tue, 1 Oct 2024 21:26:08 -0400 Subject: [PATCH 28/38] feat(appset): parameterize requeue time #20063 (#20064) --- .../controllers/applicationset_controller.go | 2 +- .../controllers/requeue_after_test.go | 69 ++++++++++++++++--- applicationset/generators/duck_type.go | 2 +- applicationset/generators/git.go | 2 +- applicationset/generators/interface.go | 7 +- applicationset/generators/interface_test.go | 29 ++++++++ .../operator-manual/argocd-cmd-params-cm.yaml | 2 + ...-applicationset-controller-deployment.yaml | 6 ++ manifests/core-install.yaml | 6 ++ manifests/ha/install.yaml | 6 ++ manifests/ha/namespace-install.yaml | 6 ++ manifests/install.yaml | 6 ++ manifests/namespace-install.yaml | 6 ++ 13 files changed, 137 insertions(+), 12 deletions(-) create mode 100644 applicationset/generators/interface_test.go diff --git a/applicationset/controllers/applicationset_controller.go b/applicationset/controllers/applicationset_controller.go index f817dc49ed12a..fbba4212a0d2a 100644 --- a/applicationset/controllers/applicationset_controller.go +++ b/applicationset/controllers/applicationset_controller.go @@ -1485,7 +1485,7 @@ func getOwnsHandlerPredicates(enableProgressiveSyncs bool) predicate.Funcs { return false } requeue := shouldRequeueApplicationSet(appOld, appNew, enableProgressiveSyncs) - logCtx.WithField("requeue", requeue).Debugf("requeue: %t caused by application %s\n", requeue, appNew.Name) + logCtx.WithField("requeue", requeue).Debugf("requeue: %t caused by application %s", requeue, appNew.Name) return requeue }, GenericFunc: func(e event.GenericEvent) bool { diff --git a/applicationset/controllers/requeue_after_test.go b/applicationset/controllers/requeue_after_test.go index fd922f53566a5..674a7ff074bcc 100644 --- a/applicationset/controllers/requeue_after_test.go +++ b/applicationset/controllers/requeue_after_test.go 
@@ -100,7 +100,8 @@ func TestRequeueAfter(t *testing.T) { } type args struct { - appset *argov1alpha1.ApplicationSet + appset *argov1alpha1.ApplicationSet + requeueAfterOverride string } tests := []struct { name string @@ -108,11 +109,13 @@ func TestRequeueAfter(t *testing.T) { want time.Duration wantErr assert.ErrorAssertionFunc }{ - {name: "Cluster", args: args{appset: &argov1alpha1.ApplicationSet{ - Spec: argov1alpha1.ApplicationSetSpec{ - Generators: []argov1alpha1.ApplicationSetGenerator{{Clusters: &argov1alpha1.ClusterGenerator{}}}, - }, - }}, want: generators.NoRequeueAfter, wantErr: assert.NoError}, + {name: "Cluster", args: args{ + appset: &argov1alpha1.ApplicationSet{ + Spec: argov1alpha1.ApplicationSetSpec{ + Generators: []argov1alpha1.ApplicationSetGenerator{{Clusters: &argov1alpha1.ClusterGenerator{}}}, + }, + }, requeueAfterOverride: "", + }, want: generators.NoRequeueAfter, wantErr: assert.NoError}, {name: "ClusterMergeNested", args: args{&argov1alpha1.ApplicationSet{ Spec: argov1alpha1.ApplicationSetSpec{ Generators: []argov1alpha1.ApplicationSetGenerator{ @@ -127,7 +130,7 @@ func TestRequeueAfter(t *testing.T) { }}, }, }, - }}, want: generators.DefaultRequeueAfterSeconds, wantErr: assert.NoError}, + }, ""}, want: generators.DefaultRequeueAfterSeconds, wantErr: assert.NoError}, {name: "ClusterMatrixNested", args: args{&argov1alpha1.ApplicationSet{ Spec: argov1alpha1.ApplicationSetSpec{ Generators: []argov1alpha1.ApplicationSetGenerator{ 
@@ -142,15 +145,65 @@ func TestRequeueAfter(t *testing.T) { }}, }, }, - }}, want: generators.DefaultRequeueAfterSeconds, wantErr: assert.NoError}, + }, ""}, want: generators.DefaultRequeueAfterSeconds, wantErr: assert.NoError}, {name: "ListGenerator", args: args{appset: &argov1alpha1.ApplicationSet{ Spec: argov1alpha1.ApplicationSetSpec{ Generators: []argov1alpha1.ApplicationSetGenerator{{List: &argov1alpha1.ListGenerator{}}}, }, }}, want: generators.NoRequeueAfter, wantErr: assert.NoError}, + {name: "DuckGenerator", args: args{appset: &argov1alpha1.ApplicationSet{ + Spec: argov1alpha1.ApplicationSetSpec{ + Generators: []argov1alpha1.ApplicationSetGenerator{{ClusterDecisionResource: &argov1alpha1.DuckTypeGenerator{}}}, + }, + }}, want: generators.DefaultRequeueAfterSeconds, wantErr: assert.NoError}, + {name: "OverrideRequeueDuck", args: args{ + appset: &argov1alpha1.ApplicationSet{ + Spec: argov1alpha1.ApplicationSetSpec{ + Generators: []argov1alpha1.ApplicationSetGenerator{{ClusterDecisionResource: &argov1alpha1.DuckTypeGenerator{}}}, + }, + }, requeueAfterOverride: "1h", + }, want: 1 * time.Hour, wantErr: assert.NoError}, + {name: "OverrideRequeueGit", args: args{&argov1alpha1.ApplicationSet{ + Spec: argov1alpha1.ApplicationSetSpec{ + Generators: []argov1alpha1.ApplicationSetGenerator{ + {Git: &argov1alpha1.GitGenerator{}}, + }, + }, + }, "1h"}, want: 1 * time.Hour, wantErr: assert.NoError}, + {name: "OverrideRequeueMatrix", args: args{&argov1alpha1.ApplicationSet{ + Spec: argov1alpha1.ApplicationSetSpec{ + Generators: []argov1alpha1.ApplicationSetGenerator{ + {Clusters: &argov1alpha1.ClusterGenerator{}}, + {Merge: &argov1alpha1.MergeGenerator{ + Generators: []argov1alpha1.ApplicationSetNestedGenerator{ + { + Clusters: &argov1alpha1.ClusterGenerator{}, + Git: &argov1alpha1.GitGenerator{}, + }, + }, + }}, + }, + }, + }, "5m"}, want: 5 * time.Minute, wantErr: assert.NoError}, + {name: "OverrideRequeueMerge", args: args{&argov1alpha1.ApplicationSet{ + Spec: 
argov1alpha1.ApplicationSetSpec{ + Generators: []argov1alpha1.ApplicationSetGenerator{ + {Clusters: &argov1alpha1.ClusterGenerator{}}, + {Merge: &argov1alpha1.MergeGenerator{ + Generators: []argov1alpha1.ApplicationSetNestedGenerator{ + { + Clusters: &argov1alpha1.ClusterGenerator{}, + Git: &argov1alpha1.GitGenerator{}, + }, + }, + }}, + }, + }, + }, "12s"}, want: 12 * time.Second, wantErr: assert.NoError}, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { + t.Setenv("ARGOCD_APPLICATIONSET_CONTROLLER_REQUEUE_AFTER", tt.args.requeueAfterOverride) assert.Equalf(t, tt.want, r.getMinRequeueAfter(tt.args.appset), "getMinRequeueAfter(%v)", tt.args.appset) }) } diff --git a/applicationset/generators/duck_type.go b/applicationset/generators/duck_type.go index d7ceafd31de3b..7bd78a07146b2 100644 --- a/applicationset/generators/duck_type.go +++ b/applicationset/generators/duck_type.go @@ -52,7 +52,7 @@ func (g *DuckTypeGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1. return time.Duration(*appSetGenerator.ClusterDecisionResource.RequeueAfterSeconds) * time.Second } - return DefaultRequeueAfterSeconds + return getDefaultRequeueAfter() } func (g *DuckTypeGenerator) GetTemplate(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator) *argoprojiov1alpha1.ApplicationSetTemplate { diff --git a/applicationset/generators/git.go b/applicationset/generators/git.go index 74fe02044b473..d119824f40174 100644 --- a/applicationset/generators/git.go +++ b/applicationset/generators/git.go @@ -48,7 +48,7 @@ func (g *GitGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.Appli return time.Duration(*appSetGenerator.Git.RequeueAfterSeconds) * time.Second } - return DefaultRequeueAfterSeconds + return getDefaultRequeueAfter() } func (g *GitGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, appSet *argoprojiov1alpha1.ApplicationSet, client client.Client) ([]map[string]interface{}, error) { 
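Review bot: The `OverrideRequeueMatrix` case added in this hunk builds a `MergeGenerator`, the same shape as `OverrideRequeueMerge` apart from the override value, so the override is never exercised through a matrix generator. If matrix coverage is the intent, that case should use `{Matrix: &argov1alpha1.MatrixGenerator{` in place of `{Merge: &argov1alpha1.MergeGenerator{`; otherwise rename it so the table does not claim coverage it lacks. The new cases also set both `Clusters` and `Git` on one nested generator, which may not be a valid spec and is worth a short comment if deliberate. TestRequeueAfter begins outside this hunk.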
diff --git a/applicationset/generators/interface.go b/applicationset/generators/interface.go index ea105c7842279..88853c73b2b56 100644 --- a/applicationset/generators/interface.go +++ b/applicationset/generators/interface.go @@ -7,6 +7,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client" argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1" + "github.com/argoproj/argo-cd/v2/util/env" ) // Generator defines the interface implemented by all ApplicationSet generators. @@ -30,7 +31,11 @@ var ( NoRequeueAfter time.Duration ) -// DefaultRequeueAfterSeconds is used when GetRequeueAfter is not specified, it is the default time to wait before the next reconcile loop const ( DefaultRequeueAfterSeconds = 3 * time.Minute ) + +func getDefaultRequeueAfter() time.Duration { + // Default is 3 minutes, min is 1 second, max is 1 year + return env.ParseDurationFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_REQUEUE_AFTER", DefaultRequeueAfterSeconds, 1*time.Second, 8760*time.Hour) +} diff --git a/applicationset/generators/interface_test.go b/applicationset/generators/interface_test.go new file mode 100644 index 0000000000000..d27111bc1453c --- /dev/null +++ b/applicationset/generators/interface_test.go 
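Review bot: `getDefaultRequeueAfter` in the second interface.go hunk is added without a doc comment, and the same hunk removes the comment that explained `DefaultRequeueAfterSeconds`, so the environment variable and its bounds are not documented where duck_type.go and git.go now pick them up. interface_test.go in this patch shows that values outside 1s–8760h fall back to the 3-minute default rather than being clamped, which should be stated: `// getDefaultRequeueAfter returns ARGOCD_APPLICATIONSET_CONTROLLER_REQUEUE_AFTER when it parses to a duration between 1s and 8760h, and DefaultRequeueAfterSeconds otherwise.` The 1s floor also means a single ConfigMap edit can make every Git and cluster-decision generator without its own `requeueAfterSeconds` re-poll each second; a higher minimum may be safer for the repo server and Git hosts, which the maintainers are best placed to judge. The function re-reads the environment on every call, which is presumably fine at reconcile frequency but could be read once at start-up.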
@@ -0,0 +1,29 @@ +package generators + +import ( + "testing" + "time" + + "github.com/stretchr/testify/assert" +) + +func Test_getDefaultRequeueAfter(t *testing.T) { + tests := []struct { + name string + requeueAfterEnv string + want time.Duration + }{ + {name: "Default", requeueAfterEnv: "", want: DefaultRequeueAfterSeconds}, + {name: "Min", requeueAfterEnv: "1s", want: 1 * time.Second}, + {name: "Max", requeueAfterEnv: "8760h", want: 8760 * time.Hour}, + {name: "Override", requeueAfterEnv: "10m", want: 10 * time.Minute}, + {name: "LessThanMin", requeueAfterEnv: "1ms", want: DefaultRequeueAfterSeconds}, + {name: "MoreThanMax", requeueAfterEnv: "8761h", want: DefaultRequeueAfterSeconds}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + t.Setenv("ARGOCD_APPLICATIONSET_CONTROLLER_REQUEUE_AFTER", tt.requeueAfterEnv) + assert.Equalf(t, tt.want, getDefaultRequeueAfter(), "getDefaultRequeueAfter()") + }) + } +} diff --git a/docs/operator-manual/argocd-cmd-params-cm.yaml b/docs/operator-manual/argocd-cmd-params-cm.yaml index 348677b1cb065..17808b1f85a74 100644 --- a/docs/operator-manual/argocd-cmd-params-cm.yaml +++ b/docs/operator-manual/argocd-cmd-params-cm.yaml @@ -241,6 +241,8 @@ data: applicationsetcontroller.enable.scm.providers: "false" # Number of webhook requests processed concurrently (default 50) applicationsetcontroller.webhook.parallelism.limit: "50" + # Override the default requeue time for the controller. (default 3m) + applicationsetcontroller.requeue.after: "3m" ## Argo CD Notifications Controller Properties # Set the logging level. One of: debug|info|warn|error (default "info") diff --git a/manifests/base/applicationset-controller/argocd-applicationset-controller-deployment.yaml b/manifests/base/applicationset-controller/argocd-applicationset-controller-deployment.yaml index a2fc34bb0ea70..8886c1587916b 100644 --- a/manifests/base/applicationset-controller/argocd-applicationset-controller-deployment.yaml 
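Review bot: The table in `Test_getDefaultRequeueAfter` covers in-range and out-of-range durations but has no value that is not a duration at all, so the behaviour for a malformed `applicationsetcontroller.requeue.after` entry is untested. A case such as `{name: "Invalid", requeueAfterEnv: "not-a-duration", want: DefaultRequeueAfterSeconds},` would pin it, assuming `env.ParseDurationFromEnv` returns the default on a parse error, which is not visible in this patch.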
+++ b/manifests/base/applicationset-controller/argocd-applicationset-controller-deployment.yaml @@ -163,6 +163,12 @@ spec: name: argocd-cmd-params-cm key: applicationsetcontroller.webhook.parallelism.limit optional: true + - name: ARGOCD_APPLICATIONSET_CONTROLLER_REQUEUE_AFTER + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: applicationsetcontroller.requeue.after + optional: true volumeMounts: - mountPath: /app/config/ssh name: ssh-known-hosts diff --git a/manifests/core-install.yaml b/manifests/core-install.yaml index fa0d4904e02bc..662230f5a3f80 100644 --- a/manifests/core-install.yaml +++ b/manifests/core-install.yaml @@ -22558,6 +22558,12 @@ spec: key: applicationsetcontroller.webhook.parallelism.limit name: argocd-cmd-params-cm optional: true + - name: ARGOCD_APPLICATIONSET_CONTROLLER_REQUEUE_AFTER + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.requeue.after + name: argocd-cmd-params-cm + optional: true image: quay.io/argoproj/argocd:latest imagePullPolicy: Always name: argocd-applicationset-controller diff --git a/manifests/ha/install.yaml b/manifests/ha/install.yaml index 417a649f1fe05..a7002d16fdafd 100644 --- a/manifests/ha/install.yaml +++ b/manifests/ha/install.yaml @@ -23902,6 +23902,12 @@ spec: key: applicationsetcontroller.webhook.parallelism.limit name: argocd-cmd-params-cm optional: true + - name: ARGOCD_APPLICATIONSET_CONTROLLER_REQUEUE_AFTER + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.requeue.after + name: argocd-cmd-params-cm + optional: true image: quay.io/argoproj/argocd:latest imagePullPolicy: Always name: argocd-applicationset-controller diff --git a/manifests/ha/namespace-install.yaml b/manifests/ha/namespace-install.yaml index 881f8e8d31f31..9f282cd5bdc4f 100644 --- a/manifests/ha/namespace-install.yaml +++ b/manifests/ha/namespace-install.yaml 
@@ -1694,6 +1694,12 @@ spec: key: applicationsetcontroller.webhook.parallelism.limit name: argocd-cmd-params-cm optional: true + - name: ARGOCD_APPLICATIONSET_CONTROLLER_REQUEUE_AFTER + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.requeue.after + name: argocd-cmd-params-cm + optional: true image: quay.io/argoproj/argocd:latest imagePullPolicy: Always name: argocd-applicationset-controller diff --git a/manifests/install.yaml b/manifests/install.yaml index 24077892317dd..3e312f184f1ed 100644 --- a/manifests/install.yaml +++ b/manifests/install.yaml @@ -23019,6 +23019,12 @@ spec: key: applicationsetcontroller.webhook.parallelism.limit name: argocd-cmd-params-cm optional: true + - name: ARGOCD_APPLICATIONSET_CONTROLLER_REQUEUE_AFTER + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.requeue.after + name: argocd-cmd-params-cm + optional: true image: quay.io/argoproj/argocd:latest imagePullPolicy: Always name: argocd-applicationset-controller diff --git a/manifests/namespace-install.yaml b/manifests/namespace-install.yaml index 79fa17daf99e9..2b8220f28363f 100644 --- a/manifests/namespace-install.yaml +++ b/manifests/namespace-install.yaml @@ -811,6 +811,12 @@ spec: key: applicationsetcontroller.webhook.parallelism.limit name: argocd-cmd-params-cm optional: true + - name: ARGOCD_APPLICATIONSET_CONTROLLER_REQUEUE_AFTER + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.requeue.after + name: argocd-cmd-params-cm + optional: true image: quay.io/argoproj/argocd:latest imagePullPolicy: Always name: argocd-applicationset-controller From d3a3fe5e688460d0994f08c6f33e97a87a2e16e6 Mon Sep 17 00:00:00 2001 From: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> Date: Wed, 2 Oct 2024 00:02:07 -0400 Subject: [PATCH 29/38] chore(ci): better handling of Go and Node dependency bumps (#20168) * chore(ci): better handling of Go and Node dependency bumps 
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> temporarily remove condition Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> quit early if there are no changes Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> use latest checkout action and actually test version change Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> use github token Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> workflow for node Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> clean up after changing node version Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> revert temporary changes Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> more docs Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> * bump linter version Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> --------- Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> --- .github/dependabot.yml | 6 ++++ .github/workflows/ci-build.yaml | 6 ++-- .github/workflows/image.yaml | 4 +-- .github/workflows/release.yaml | 4 +-- .github/workflows/update-go.yaml | 42 +++++++++++++++++++++++++++ .github/workflows/update-node.yaml | 42 +++++++++++++++++++++++++++ Dockerfile | 6 ++-- Makefile | 8 +++++ hack/installers/install-lint-tools.sh | 2 +- hack/update-go.sh | 38 ++++++++++++++++++++++++ hack/update-node.sh | 33 +++++++++++++++++++++ test/container/Dockerfile | 4 +-- test/remote/Dockerfile | 2 +- ui-test/Dockerfile | 2 +- 14 files changed, 184 insertions(+), 15 deletions(-) create mode 100644 .github/workflows/update-go.yaml create mode 100644 .github/workflows/update-node.yaml create mode 100755 hack/update-go.sh create mode 100755 hack/update-node.sh 
diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 6205c1098d1f9..56b7ce0e23f5d 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -31,6 +31,12 @@ updates: directory: "/" schedule: interval: "daily" + ignore: + # We use consistent go and node versions across a lot of different files, and updating via dependabot would cause + # drift among those files. + # Use `make update-go` and `make update-node` to update these versions. + - dependency-name: "library/golang" + - dependency-name: "library/node" - package-ecosystem: "docker" directory: "/test/container/" diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml index 5fe31bf6ca9f9..a2ad92dcc4ed5 100644 --- a/.github/workflows/ci-build.yaml +++ b/.github/workflows/ci-build.yaml @@ -13,7 +13,7 @@ on: env: # Golang version to use across CI steps - GOLANG_VERSION: '1.22' + GOLANG_VERSION: '1.23.1' concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -110,7 +110,7 @@ jobs: - name: Run golangci-lint uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0 with: - version: v1.58.2 + version: v1.61.0 args: --verbose test-go: @@ -305,7 +305,7 @@ jobs: - name: Setup NodeJS uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 with: - node-version: '21.6.1' + node-version: '22.8.0' - name: Restore node dependency cache id: cache-dependencies uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml index 3102e8361aa06..9f7628a61c04d 100644 --- a/.github/workflows/image.yaml +++ b/.github/workflows/image.yaml @@ -52,7 +52,7 @@ jobs: uses: ./.github/workflows/image-reuse.yaml with: # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations) - go-version: 1.22 + go-version: 1.23.1 platforms: ${{ needs.set-vars.outputs.platforms }} push: false 
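Review bot: The `ignore` block in the dependabot.yml hunk is attached only to the update entry for directory `/`, while hack/update-go.sh and hack/update-node.sh in this commit also rewrite test/container/Dockerfile, test/remote/Dockerfile and ui-test/Dockerfile. The next entry visible in the hunk (`directory: "/test/container/"`) has no matching `ignore`, so Dependabot can still bump `library/golang` and `library/node` there and reintroduce the drift the comment describes. Repeating `ignore: [{dependency-name: "library/golang"}, {dependency-name: "library/node"}]` on each docker entry that covers those files would close the gap; the remaining entries are outside the hunk, so this needs checking against the full file.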
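Review bot: The ci-build.yaml hunk at `Setup NodeJS` sets `node-version: '22.8.0'`, while every Dockerfile touched by this commit pins `docker.io/library/node:22.9.0`, so CI and the images start out on different Node releases in the commit that is meant to keep them aligned. Using `node-version: '22.9.0'` here would match; hack/update-node.sh will rewrite both together afterwards.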
@@ -68,7 +68,7 @@ jobs: quay_image_name: quay.io/argoproj/argocd:latest ghcr_image_name: ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }} # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations) - go-version: 1.22 + go-version: 1.23.1 platforms: ${{ needs.set-vars.outputs.platforms }} push: true secrets: diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index a30e44ec0ec7a..a127c0d746d22 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -10,7 +10,7 @@ on: permissions: {} env: - GOLANG_VERSION: '1.22' # Note: go-version must also be set in job argocd-image.with.go-version + GOLANG_VERSION: '1.23.1' # Note: go-version must also be set in job argocd-image.with.go-version jobs: argocd-image: @@ -23,7 +23,7 @@ jobs: with: quay_image_name: quay.io/argoproj/argocd:${{ github.ref_name }} # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations) - go-version: 1.22 + go-version: 1.23.1 platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le push: true secrets: diff --git a/.github/workflows/update-go.yaml b/.github/workflows/update-go.yaml new file mode 100644 index 0000000000000..ef4edac0a87d3 --- /dev/null +++ b/.github/workflows/update-go.yaml 
@@ -0,0 +1,42 @@
+# Update golang version on a daily basis and open a PR.
+name: Update Go
+on:
+ schedule:
+ - cron: '0 0 * * *'
+
+permissions:
+ contents: read
+
+jobs:
+ update-go:
+ permissions:
+ contents: write
+ pull-requests: write
+ if: github.repository == 'argoproj/argo-cd'
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ - uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4
+ - name: Update Go
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ make update-go
+
+ # If there are no changes, quit early.
+ if [[ -z $(git status -s) ]]; then
+ echo "No changes detected"
+ exit 0
+ fi
+
+ pr_branch="update-go-$(echo $RANDOM | md5sum | head -c 20)"
+ git checkout -b "$pr_branch"
+ git config --global user.email 'ci@argoproj.com'
+ git config --global user.name 'CI'
+ git add .
+ git commit -m "[Bot] chore(dep): Update Go" --signoff
+ git push --set-upstream origin "$pr_branch"
+ gh pr create -B master -H "$pr_branch" --title '[Bot] chore(dep): Update Go' --body ''
diff --git a/.github/workflows/update-node.yaml b/.github/workflows/update-node.yaml
new file mode 100644
index 0000000000000..3a641b1d5a82c
--- /dev/null
+++ b/.github/workflows/update-node.yaml
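Review bot: The pull request opened by `gh pr create` at the end of the `Update Go` step is created with `secrets.GITHUB_TOKEN`, and GitHub does not start new workflow runs for events raised with that token, so these toolchain and image-digest bumps would arrive without CI results unless a maintainer re-triggers them. `git add .` also stages everything in the workspace under a job that holds `contents: write`; naming the paths the script rewrites keeps stray files out of the commit, e.g. `git add Dockerfile test/container/Dockerfile test/remote/Dockerfile .github/workflows`. The empty `--body ''` could instead carry the resolved version and digest so a reviewer can check them against the registry. update-node.yaml repeats the same step and has the same three points.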
@@ -0,0 +1,42 @@ +# Update Node version on a daily basis and open a PR. +name: Update Node +on: + schedule: + - cron: '0 0 * * *' + +permissions: + contents: read + +jobs: + update-node: + permissions: + contents: write + pull-requests: write + if: github.repository == 'argoproj/argo-cd' + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + with: + token: ${{ secrets.GITHUB_TOKEN }} + - uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4 + - name: Update Node + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + make update-node + + # If there are no changes, quit early. + if [[ -z $(git status -s) ]]; then + echo "No changes detected" + exit 0 + fi + + pr_branch="update-node-$(echo $RANDOM | md5sum | head -c 20)" + git checkout -b "$pr_branch" + git config --global user.email 'ci@argoproj.com' + git config --global user.name 'CI' + git add . + git commit -m "[Bot] chore(dep): Update Node" --signoff + git push --set-upstream origin "$pr_branch" + gh pr create -B master -H "$pr_branch" --title '[Bot] chore(dep): Update Node' --body '' diff --git a/Dockerfile b/Dockerfile index bc4e6debbfaa1..758bd5756364e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,7 +4,7 @@ ARG BASE_IMAGE=docker.io/library/ubuntu:24.04@sha256:3f85b7caad41a95462cf5b787d8 # Initial stage which pulls prepares build dependencies and CLI tooling we need for our final image # Also used as the image in CI jobs so needs all dependencies #################################################################################################### -FROM docker.io/library/golang:1.23.1@sha256:2fe82a3f3e006b4f2a316c6a21f62b66e1330ae211d039bb8d1128e12ed57bf1 AS builder +FROM docker.io/library/golang:1.23.1@sha256:4f063a24d429510e512cc730c3330292ff49f3ade3ae79bda8f84a24fa25ecb0 AS builder RUN echo 'deb http://archive.debian.org/debian buster-backports main' >> /etc/apt/sources.list 
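Review bot: The `FROM docker.io/library/golang:1.23.1@sha256:…` line in this Dockerfile hunk changes the pinned digest while the tag stays the same, and the same happens for `node:22.9.0` and for the golang stages in test/container and test/remote. The image content behind the pin is being replaced, yet nothing in the diff records where the new digest came from. A comment above each pinned `FROM` would tell reviewers how to verify it, for example `# Digest maintained by hack/update-go.sh (crane digest docker.io/library/golang:<version>); do not edit by hand.` The stage body continues outside the hunk.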
@@ -83,7 +83,7 @@ WORKDIR /home/argocd #################################################################################################### # Argo CD UI stage #################################################################################################### -FROM --platform=$BUILDPLATFORM docker.io/library/node:22.9.0@sha256:cbe2d5f94110cea9817dd8c5809d05df49b4bd1aac5203f3594d88665ad37988 AS argocd-ui +FROM --platform=$BUILDPLATFORM docker.io/library/node:22.9.0@sha256:69e667a79aa41ec0db50bc452a60e705ca16f35285eaf037ebe627a65a5cdf52 AS argocd-ui WORKDIR /src COPY ["ui/package.json", "ui/yarn.lock", "./"] @@ -101,7 +101,7 @@ RUN HOST_ARCH=$TARGETARCH NODE_ENV='production' NODE_ONLINE_ENV='online' NODE_OP #################################################################################################### # Argo CD Build stage which performs the actual build of Argo CD binaries #################################################################################################### -FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.23.1@sha256:2fe82a3f3e006b4f2a316c6a21f62b66e1330ae211d039bb8d1128e12ed57bf1 AS argocd-build +FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.23.1@sha256:4f063a24d429510e512cc730c3330292ff49f3ade3ae79bda8f84a24fa25ecb0 AS argocd-build WORKDIR /go/src/github.com/argoproj/argo-cd diff --git a/Makefile b/Makefile index d6f8cdf62d5d8..d6c097a87cfe3 100644 --- a/Makefile +++ b/Makefile @@ -631,6 +631,14 @@ snyk-non-container-tests: snyk-report: ./hack/snyk-report.sh $(target_branch) +.PHONY: update-go +update-go: + ./hack/update-go.sh + +.PHONY: update-node +update-node: + ./hack/update-node.sh + .PHONY: help help: @echo 'Note: Generally an item w/ (-local) will run inside docker unless you use the -local variant' diff --git a/hack/installers/install-lint-tools.sh b/hack/installers/install-lint-tools.sh index 54e7b725478c8..e00ccda637517 100755 --- a/hack/installers/install-lint-tools.sh +++ b/hack/installers/install-lint-tools.sh 
@@ -1,4 +1,4 @@ #!/bin/bash set -eux -o pipefail -GO111MODULE=on go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.58.2 +GO111MODULE=on go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.61.0 diff --git a/hack/update-go.sh b/hack/update-go.sh new file mode 100755 index 0000000000000..08ea85d7d2f2c --- /dev/null +++ b/hack/update-go.sh 
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+# This script is used to update the Go version in the project.
+# We use this because Dependabot doesn't support updating the Go version in all the places we use Go.
+
+set -e
+
+echo "Getting latest Go version..."
+
+# Get the current stable Go version. This assumes the JSON is sorted newest-to-oldest.
+GO_VERSION=$(curl -s https://go.dev/dl/?mode=json | jq 'map(select(.stable == true))[0].version' -r)
+
+# Make sure the version number is semver.
+if [[ ! "$GO_VERSION" =~ ^go[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ echo "Failed to get the latest Go version."
+ exit 1
+fi
+
+# Remove the 'go' prefix from the version number.
+GO_VERSION=${GO_VERSION#go}
+
+# Get the digest of the Go image.
+DIGEST=$(crane digest "docker.io/library/golang:$GO_VERSION")
+
+echo "Updating to Go version $GO_VERSION with digest $DIGEST..."
+
+# Replace the Go image in the Dockerfile.
+sed -r -i.bak "s/docker\.io\/library\/golang:[0-9.]+@sha256:[0-9a-f]+/docker.io\/library\/golang:$GO_VERSION@$DIGEST/" Dockerfile test/container/Dockerfile test/remote/Dockerfile
+rm Dockerfile.bak test/container/Dockerfile.bak test/remote/Dockerfile.bak
+
+# Update the go version in ci-build.yaml, image.yaml, and release.yaml.
+sed -r -i.bak "s/go-version: [0-9.]+/go-version: $GO_VERSION/" .github/workflows/ci-build.yaml .github/workflows/image.yaml .github/workflows/release.yaml
+rm .github/workflows/ci-build.yaml.bak .github/workflows/image.yaml.bak .github/workflows/release.yaml.bak
+
+# Repeat for env var instead of go-version.
+sed -r -i.bak "s/GOLANG_VERSION: '[0-9.]+'/GOLANG_VERSION: '$GO_VERSION'/" .github/workflows/ci-build.yaml .github/workflows/image.yaml .github/workflows/release.yaml
+rm .github/workflows/ci-build.yaml.bak .github/workflows/image.yaml.bak .github/workflows/release.yaml.bak
+
diff --git a/hack/update-node.sh b/hack/update-node.sh
new file mode 100755
index 0000000000000..42cfffad84fba
--- /dev/null
+++ b/hack/update-node.sh
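Review bot: `DIGEST` is spliced into the sed replacement in hack/update-go.sh without the format check that `GO_VERSION` gets a few lines earlier, so an unexpected `crane digest` result (empty, or containing `/` or `&`) would either break the expression or be written into three Dockerfiles as the new pin. A guard directly after the assignment keeps the pin well-formed: `[[ "$DIGEST" =~ ^sha256:[0-9a-f]{64}$ ]] || { echo "Unexpected digest: $DIGEST"; exit 1; }`. The script also runs with `set -e` only and calls `curl -s` without `-f`, so a failed download is caught only indirectly by the version regex; `set -euo pipefail` would match hack/installers/install-lint-tools.sh. hack/update-node.sh has the same unchecked `DIGEST` and the same shell options.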
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+# This script is used to update the node version in the project.
+# We use this because Dependabot doesn't support updating the Node version in all the places we use Node.
+
+set -e
+
+echo "Getting latest Node version..."
+
+# Get the current LTS node version. This assumes the JSON is sorted newest-to-oldest.
+NODE_VERSION=$(curl -s https://nodejs.org/download/release/index.json | jq '.[0].version' -r)
+
+# Make sure the version number is semver with a preceding 'v'.
+if [[ ! "$NODE_VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ echo "Failed to get the latest Node version."
+ exit 1
+fi
+
+# Strip the preceding 'v' from the version number.
+NODE_VERSION=${NODE_VERSION#v}
+
+# Get the manifest SHA of the library/node image.
+DIGEST=$(crane digest "docker.io/library/node:$NODE_VERSION")
+
+echo "Updating to Node version $NODE_VERSION with digest $DIGEST..."
+
+# Replace the node image in the Dockerfiles.
+sed -r -i.bak "s/docker\.io\/library\/node:[0-9.]+@sha256:[0-9a-f]+/docker.io\/library\/node:$NODE_VERSION@$DIGEST/" Dockerfile ui-test/Dockerfile test/container/Dockerfile
+rm Dockerfile.bak ui-test/Dockerfile.bak test/container/Dockerfile.bak
+
+# Replace node version in ci-build.yaml.
+sed -r -i.bak "s/node-version: '[0-9.]+'/node-version: '$NODE_VERSION'/" .github/workflows/ci-build.yaml
+rm .github/workflows/ci-build.yaml.bak
diff --git a/test/container/Dockerfile b/test/container/Dockerfile
index ad22c720bbb81..9bc0cdb5f745f 100644
--- a/test/container/Dockerfile
+++ b/test/container/Dockerfile
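Review bot: The comment above `NODE_VERSION=` in hack/update-node.sh says the script fetches the current LTS release, but `jq '.[0].version'` takes the first entry of index.json, which is simply the newest release and can be a non-LTS "Current" line. If LTS is the intent, filter on the `lts` field, `jq -r 'map(select(.lts != false))[0].version'`; if tracking the newest release is intended, the comment should say so. Either way the daily job would otherwise move the build and UI images onto a release line the comment tells reviewers it avoids.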
@@ -6,9 +6,9 @@ FROM docker.io/library/redis:7.4.0@sha256:eadf354977d428e347d93046bb1a5569d701e8 RUN ln -s /usr/lib/$(uname -m)-linux-gnu /usr/lib/linux-gnu # Please make sure to also check the contained yarn version and update the references below when upgrading this image's version -FROM docker.io/library/node:22.9.0@sha256:cbe2d5f94110cea9817dd8c5809d05df49b4bd1aac5203f3594d88665ad37988 as node +FROM docker.io/library/node:22.9.0@sha256:69e667a79aa41ec0db50bc452a60e705ca16f35285eaf037ebe627a65a5cdf52 as node -FROM docker.io/library/golang:1.23@sha256:2fe82a3f3e006b4f2a316c6a21f62b66e1330ae211d039bb8d1128e12ed57bf1 as golang +FROM docker.io/library/golang:1.23.1@sha256:4f063a24d429510e512cc730c3330292ff49f3ade3ae79bda8f84a24fa25ecb0 as golang FROM docker.io/library/registry:2.8@sha256:ac0192b549007e22998eb74e8d8488dcfe70f1489520c3b144a6047ac5efbe90 as registry diff --git a/test/remote/Dockerfile b/test/remote/Dockerfile index fa649805767cc..035f51917f957 100644 --- a/test/remote/Dockerfile +++ b/test/remote/Dockerfile @@ -1,6 +1,6 @@ ARG BASE_IMAGE=docker.io/library/ubuntu:24.04@sha256:3f85b7caad41a95462cf5b787d8a04604c8262cdcdf9a472b8c52ef83375fe15 -FROM docker.io/library/golang:1.23.1@sha256:2fe82a3f3e006b4f2a316c6a21f62b66e1330ae211d039bb8d1128e12ed57bf1 AS go +FROM docker.io/library/golang:1.23.1@sha256:4f063a24d429510e512cc730c3330292ff49f3ade3ae79bda8f84a24fa25ecb0 AS go RUN go install github.com/mattn/goreman@latest && \ go install github.com/kisielk/godepgraph@latest diff --git a/ui-test/Dockerfile b/ui-test/Dockerfile index c0fbd1be9b711..edbd2becbdf00 100644 --- a/ui-test/Dockerfile +++ b/ui-test/Dockerfile @@ -1,4 +1,4 @@ -FROM docker.io/library/node:22.9.0@sha256:cbe2d5f94110cea9817dd8c5809d05df49b4bd1aac5203f3594d88665ad37988 as node +FROM docker.io/library/node:22.9.0@sha256:69e667a79aa41ec0db50bc452a60e705ca16f35285eaf037ebe627a65a5cdf52 as node RUN apt-get update && apt-get install --no-install-recommends -y \ software-properties-common 
From 48551b3746510123285b3ce4aae324b41fd37652 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 2 Oct 2024 04:17:08 +0000 Subject: [PATCH 30/38] chore(deps): bump codecov/codecov-action from 4.5.0 to 4.6.0 (#20188) Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4.5.0 to 4.6.0. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/codecov/codecov-action/compare/e28ff129e5465c2c0dcc6f003fc735cb6ae0c673...b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci-build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml index a2ad92dcc4ed5..3d1ba42c3e7de 100644 --- a/.github/workflows/ci-build.yaml +++ b/.github/workflows/ci-build.yaml @@ -373,7 +373,7 @@ jobs: run: | go tool covdata percent -i=test-results,e2e-code-coverage/applicationset-controller,e2e-code-coverage/repo-server,e2e-code-coverage/app-controller -o test-results/full-coverage.out - name: Upload code coverage information to codecov.io - uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0 + uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0 with: file: test-results/full-coverage.out fail_ci_if_error: true From 6b19f10e7f0ee3f43d2b262c5837b3c4453e76a2 Mon Sep 17 00:00:00 2001 From: 1102 <90682513+nueavv@users.noreply.github.com> Date: Wed, 2 Oct 2024 21:59:48 +0900 Subject: [PATCH 31/38] docs(ui): sorting version (#20181) 
Signed-off-by: nueavv --- docs/assets/versions.js | 80 ++++++++++++++++++++++++++++++++++++++--- 1 file changed, 75 insertions(+), 5 deletions(-) diff --git a/docs/assets/versions.js b/docs/assets/versions.js index b9f0b13e8d013..af95a7140a442 100644 --- a/docs/assets/versions.js +++ b/docs/assets/versions.js @@ -32,23 +32,41 @@ function initializeVersionDropdown() { window[callbackName] = function(response) { const div = document.createElement('div'); div.innerHTML = response.html; - document.querySelector(".md-header__inner > .md-header__title").appendChild(div); + const headerTitle = document.querySelector(".md-header__inner > .md-header__title"); + if (headerTitle) { + headerTitle.appendChild(div); + } + const container = div.querySelector('.rst-versions'); + if (!container) return; // Exit if container not found + + // Add caret icon var caret = document.createElement('div'); caret.innerHTML = ""; caret.classList.add('dropdown-caret'); - div.querySelector('.rst-current-version').appendChild(caret); + const currentVersionElem = div.querySelector('.rst-current-version'); + if (currentVersionElem) { + currentVersionElem.appendChild(caret); + } - div.querySelector('.rst-current-version').addEventListener('click', function() { - container.classList.toggle('shift-up'); - }); + // Add click listener to toggle dropdown + if (currentVersionElem && container) { + currentVersionElem.addEventListener('click', function() { + container.classList.toggle('shift-up'); + }); + } + + // Sorting Logic + sortVersionLinks(container); }; + // Load CSS var CSSLink = document.createElement('link'); CSSLink.rel = 'stylesheet'; CSSLink.href = '/assets/versions.css'; document.getElementsByTagName('head')[0].appendChild(CSSLink); + // Load JSONP Script var script = document.createElement('script'); const currentVersion = getCurrentVersion(); script.src = 'https://argo-cd.readthedocs.io/_/api/v2/footer_html/?' + 
@@ -56,6 +74,58 @@ function initializeVersionDropdown() { document.getElementsByTagName('head')[0].appendChild(script); } +// Function to sort version links +function sortVersionLinks(container) { + // Find all
                                          elements within the container + const dlElements = container.querySelectorAll('dl'); + + dlElements.forEach(dl => { + const dt = dl.querySelector('dt'); + if (dt && dt.textContent.trim().toLowerCase() === 'versions') { + // Found the Versions
                                          + const ddElements = Array.from(dl.querySelectorAll('dd')); + + // Define sorting criteria + ddElements.sort((a, b) => { + const aText = a.textContent.trim().toLowerCase(); + const bText = b.textContent.trim().toLowerCase(); + + // Prioritize 'latest' and 'stable' + if (aText === 'latest') return -1; + if (bText === 'latest') return 1; + if (aText === 'stable') return -1; + if (bText === 'stable') return 1; + + // Extract version numbers (e.g., release-2.9) + const aVersionMatch = aText.match(/release-(\d+(\.\d+)*)/); + const bVersionMatch = bText.match(/release-(\d+(\.\d+)*)/); + + if (aVersionMatch && bVersionMatch) { + const aVersion = aVersionMatch[1].split('.').map(Number); + const bVersion = bVersionMatch[1].split('.').map(Number); + + for (let i = 0; i < Math.max(aVersion.length, bVersion.length); i++) { + const aNum = aVersion[i] || 0; + const bNum = bVersion[i] || 0; + if (aNum > bNum) return -1; + if (aNum < bNum) return 1; + } + return 0; + } + + // Fallback to alphabetical order + return aText.localeCompare(bText); + }); + + // Remove existing
                                          elements + ddElements.forEach(dd => dl.removeChild(dd)); + + // Append sorted
                                          elements + ddElements.forEach(dd => dl.appendChild(dd)); + } + }); +} + // VERSION WARNINGS window.addEventListener("DOMContentLoaded", function() { var margin = 30; From 1dcf3a56653c907f8b6d6dbadc8e2c66a61f3236 Mon Sep 17 00:00:00 2001 From: Phong Do Date: Wed, 2 Oct 2024 20:01:37 +0700 Subject: [PATCH 32/38] docs: add outpost24 to users.md (#20197) Signed-off-by: Phong Do --- USERS.md | 1 + 1 file changed, 1 insertion(+) diff --git a/USERS.md b/USERS.md index ab5dbc8c745c1..0452befb389ea 100644 --- a/USERS.md +++ b/USERS.md @@ -242,6 +242,7 @@ Currently, the following organizations are **officially** using Argo CD: 1. [Optoro](https://www.optoro.com/) 1. [Orbital Insight](https://orbitalinsight.com/) 1. [Oscar Health Insurance](https://hioscar.com/) +1. [Outpost24](https://outpost24.com/) 1. [p3r](https://www.p3r.one/) 1. [Packlink](https://www.packlink.com/) 1. [PagerDuty](https://www.pagerduty.com/) From 807b6fb472845767604549bf4abc8d899589ad4c Mon Sep 17 00:00:00 2001 From: Olivier Wenger <14903492+owngr@users.noreply.github.com> Date: Wed, 2 Oct 2024 16:58:57 +0200 Subject: [PATCH 33/38] docs: Update argocd path for command in notifification in troubleshooting docs (#20120) Co-authored-by: Dan Garfield --- docs/operator-manual/notifications/troubleshooting.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/operator-manual/notifications/troubleshooting.md b/docs/operator-manual/notifications/troubleshooting.md index 616cd4b024e82..b128e8244acc9 100644 --- a/docs/operator-manual/notifications/troubleshooting.md +++ b/docs/operator-manual/notifications/troubleshooting.md @@ -65,7 +65,7 @@ configuration. **Example** ```bash kubectl exec -it argocd-notifications-controller- \ - /app/argocd admin notifications trigger get + /usr/local/bin/argocd admin notifications trigger get ``` ## Commands From 2e9532d79b1fbdfa6c0da9df3206e2090bca9281 Mon Sep 17 00:00:00 2001 
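Review bot: The comparator in `sortVersionLinks` (docs/assets/versions.js) returns -1 when both entries are `latest`, and likewise for `stable`, so it is not a consistent ordering for equal keys; adding `if (aText === bText) return 0;` as its first line fixes that. The header comment `// Function to sort version links` does not state the resulting order; something like `// Sorts the "Versions" entries: latest, stable, then release-X.Y newest first, then everything else alphabetically.` would document it. A `release-` entry compared with a non-`release-` entry falls through to `localeCompare`, which is worth stating in that comment as well. The explicit `removeChild` pass is not needed, since `appendChild` moves a node that is already attached.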
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 2 Oct 2024 18:35:27 +0300 Subject: [PATCH 34/38] chore(deps): bump google.golang.org/grpc from 1.67.0 to 1.67.1 (#20190) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.67.0 to 1.67.1. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](https://github.com/grpc/grpc-go/compare/v1.67.0...v1.67.1) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 906f702f736aa..4bf546841849f 100644 --- a/go.mod +++ b/go.mod @@ -91,7 +91,7 @@ require ( golang.org/x/term v0.24.0 golang.org/x/time v0.6.0 google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 - google.golang.org/grpc v1.67.0 + google.golang.org/grpc v1.67.1 google.golang.org/protobuf v1.34.2 gopkg.in/yaml.v2 v2.4.0 gopkg.in/yaml.v3 v3.0.1 diff --git a/go.sum b/go.sum index 7e9fae0288c48..4c4b903bcd87e 100644 --- a/go.sum +++ b/go.sum 
@@ -1365,8 +1365,8 @@ google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3Iji google.golang.org/grpc v1.32.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.67.0 h1:IdH9y6PF5MPSdAntIcpjQ+tXO41pcQsfZV2RxtQgVcw= -google.golang.org/grpc v1.67.0/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= +google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E= +google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= From 54bd69463b5b1f129943fa59711a4504f23f82f0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 2 Oct 2024 18:35:47 +0300 Subject: [PATCH 35/38] chore(deps): bump chromedriver from 129.0.0 to 129.0.2 in /ui-test (#20189) Bumps [chromedriver](https://github.com/giggio/node-chromedriver) from 129.0.0 to 129.0.2. - [Commits](https://github.com/giggio/node-chromedriver/compare/129.0.0...129.0.2) --- updated-dependencies: - dependency-name: chromedriver dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- ui-test/package.json | 2 +- ui-test/yarn.lock | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/ui-test/package.json b/ui-test/package.json index ca168b60c92cf..6e2d5b9a70863 100644 --- a/ui-test/package.json +++ b/ui-test/package.json 
@@ -14,7 +14,7 @@ "dependencies": { "@types/selenium-webdriver": "^4.1.26", "assert": "^2.1.0", - "chromedriver": "^129.0.0", + "chromedriver": "^129.0.2", "selenium-webdriver": "^4.24.1" }, "devDependencies": { diff --git a/ui-test/yarn.lock b/ui-test/yarn.lock index aee54d23e13bd..607d441b531e7 100644 --- a/ui-test/yarn.lock +++ b/ui-test/yarn.lock @@ -267,10 +267,10 @@ chokidar@^3.5.3: optionalDependencies: fsevents "~2.3.2" -chromedriver@^129.0.0: - version "129.0.0" - resolved "https://registry.yarnpkg.com/chromedriver/-/chromedriver-129.0.0.tgz#28d7ede5ab372b868ac0db5efff7036646b4d603" - integrity sha512-B1ccqD6hDjNrw94FeqdynIotn1ZV/TnFrkRz2Rync2kzSnq6D6IrSkN1w5Pnuvnc98QhN2xujxDXxkqEqy/PWg== +chromedriver@^129.0.2: + version "129.0.2" + resolved "https://registry.yarnpkg.com/chromedriver/-/chromedriver-129.0.2.tgz#950bb0a7d1095bc9c7a6f61e5f18e02e27875477" + integrity sha512-rUEFCJAmAwOdFfaDFtveT97fFeA7NOxlkgyPyN+G09Ws4qGW39aLDxMQBbS9cxQQHhTihqZZobgF5CLVYXnmGA== dependencies: "@testim/chrome-version" "^1.1.4" axios "^1.7.4" From 109473fca4e0c6acf63f3d8d33a520de384fc50f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 2 Oct 2024 16:37:40 +0000 Subject: [PATCH 36/38] chore(deps): bump bitnami/kubectl in /test/container (#20191) Bumps bitnami/kubectl from `da4a986` to `b509ab6`. --- updated-dependencies: - dependency-name: bitnami/kubectl dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Dan Garfield --- test/container/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/container/Dockerfile b/test/container/Dockerfile index 9bc0cdb5f745f..5a372b46baf2d 100644 --- a/test/container/Dockerfile +++ b/test/container/Dockerfile 
@@ -12,7 +12,7 @@ FROM docker.io/library/golang:1.23.1@sha256:4f063a24d429510e512cc730c3330292ff49 FROM docker.io/library/registry:2.8@sha256:ac0192b549007e22998eb74e8d8488dcfe70f1489520c3b144a6047ac5efbe90 as registry -FROM docker.io/bitnami/kubectl:1.31@sha256:da4a9868e20d941636087cb8624a4bb441f5249d69e8f3d27e53c7d4d280a5f3 as kubectl +FROM docker.io/bitnami/kubectl:1.31@sha256:b509ab6000477ebe788df3509a8c4177e91238ee3003f33edea0931be3794340 as kubectl FROM docker.io/library/ubuntu:24.04@sha256:3f85b7caad41a95462cf5b787d8a04604c8262cdcdf9a472b8c52ef83375fe15 From 1a84db5dad2c27e9d32747a383c5b4a40c4cb2ec Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 2 Oct 2024 16:38:27 +0000 Subject: [PATCH 37/38] chore(deps): bump library/busybox in /test/e2e/multiarch-container (#20193) Bumps library/busybox from `c230832` to `768e5c6`. --- updated-dependencies: - dependency-name: library/busybox dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- test/e2e/multiarch-container/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/e2e/multiarch-container/Dockerfile b/test/e2e/multiarch-container/Dockerfile index ad49d66dc585c..62cd7fef56e04 100644 --- a/test/e2e/multiarch-container/Dockerfile +++ b/test/e2e/multiarch-container/Dockerfile @@ -1,2 +1,2 @@ -FROM docker.io/library/busybox@sha256:c230832bd3b0be59a6c47ed64294f9ce71e91b327957920b6929a0caa8353140 +FROM docker.io/library/busybox@sha256:768e5c6f5cb6db0794eec98dc7a967f40631746c32232b78a3105fb946f3ab83 CMD exec sh -c "trap : TERM INT; echo 'Hi' && tail -f /dev/null" From 3070297d6b50d619f3a1dfca03db0d5db7dc22d1 Mon Sep 17 00:00:00 2001 From: KangManJoo Date: Thu, 3 Oct 2024 04:04:22 +0900 Subject: [PATCH 38/38] fix(helm): escape consecutive commas in cleanSetParameters (#19269) (#20113) Signed-off-by: KangManJoo 
Signed-off-by: daengdaengLee Co-authored-by: daengdaengLee --- util/helm/cmd.go | 29 +++++++++++++++++++++++------ util/helm/helm_test.go | 2 ++ 2 files changed, 25 insertions(+), 6 deletions(-) diff --git a/util/helm/cmd.go b/util/helm/cmd.go index 6b0e30ed2fe75..55d9e8670b461 100644 --- a/util/helm/cmd.go +++ b/util/helm/cmd.go @@ -342,19 +342,36 @@ type TemplateOpts struct { SkipCrds bool } -var ( - re = regexp.MustCompile(`([^\\]),`) - apiVersionsRemover = regexp.MustCompile(`(--api-versions [^ ]+ )+`) -) - func cleanSetParameters(val string) string { // `{}` equal helm list parameters format, so don't escape `,`. if strings.HasPrefix(val, `{`) && strings.HasSuffix(val, `}`) { return val } - return re.ReplaceAllString(val, `$1\,`) + + val = replaceAllWithLookbehind(val, ',', `\,`, '\\') + return val } +func replaceAllWithLookbehind(val string, old rune, new string, lookbehind rune) string { + var result strings.Builder + var prevR rune + for _, r := range val { + if r == old { + if prevR != lookbehind { + result.WriteString(new) + } else { + result.WriteRune(old) + } + } else { + result.WriteRune(r) + } + prevR = r + } + return result.String() +} + +var apiVersionsRemover = regexp.MustCompile(`(--api-versions [^ ]+ )+`) + func (c *Cmd) template(chartPath string, opts *TemplateOpts) (string, string, error) { if callback, err := cleanupChartLockFile(filepath.Clean(path.Join(c.WorkDir, chartPath))); err == nil { defer callback() diff --git a/util/helm/helm_test.go b/util/helm/helm_test.go index 8468b9f36624b..58dd273481f27 100644 --- a/util/helm/helm_test.go +++ b/util/helm/helm_test.go @@ -166,6 +166,8 @@ func TestHelmArgCleaner(t *testing.T) { `not, clean`: `not\, clean`, `a\,b,c`: `a\,b\,c`, `{a,b,c}`: `{a,b,c}`, + `,,,,,\,`: `\,\,\,\,\,\,`, + `\,,\\,,`: `\,\,\\,\,`, } { cleaned := cleanSetParameters(input) assert.Equal(t, expected, cleaned)
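Review bot: `replaceAllWithLookbehind` in util/helm/cmd.go inspects only the single preceding rune, so a comma that follows an even run of backslashes (`\\,`) is left unescaped. If Helm's `--set` parser reads `\\` as an escaped backslash, as I believe it does, that comma still acts as a separator and a parameter value can spill into a further key. The replaced regex had the same gap, and the new helm_test.go case `\,,\\,,` pins it. Tracking whether the previous backslash is itself escaped closes the gap, as sketched below; the expected value for that test case would then be `\,\,\\\,\,`. Separately, the parameter name `new` shadows the Go builtin.

```go
func replaceAllWithLookbehind(val string, old rune, new string, lookbehind rune) string {
	var result strings.Builder
	// escaped is true only when the previous rune is a lookbehind rune that
	// is not itself escaped, so `\\,` is seen as "escaped backslash, bare comma".
	escaped := false
	for _, r := range val {
		if r == old && !escaped {
			result.WriteString(new)
		} else {
			result.WriteRune(r)
		}
		escaped = r == lookbehind && !escaped
	}
	return result.String()
}
```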